to WINS or not to WINS

Jaz

Should I run WINS alongside AD for the sake of surfing Net Neighborhood
through the client VPN connections?

After much googling and reading here I haven't found a definitive guide
to our MS-centric environment.

I just joined this group, whose servers were already set up and who are
using MS VPN to get onto their Active Directory domain from home. My
first weekend I needed to log in thru the VPN (oh joy) and found I could
surf the whole network very smoothly.

The second time I could not, due to my having shut down while in transit.
The first time I hibernated so host cache was nicely populated, but not
the second time, though I could still get to company servers/hosts by
their IP addresses.

The question is therefore: To WINS or not to WINS; and if WINS, then to
use WINS client or to point to WINS server via lmhosts; if Not WINS then
to use lmhosts or hosts... those are the questions.

If I use a simple lmhosts (or hosts) with only the names of the main
servers, then the riff-raff (those users who map each other's shared
drives) will complain. What's more, I'll need to redistribute new
lmhosts files every time I add a server or someone decides their disk
share is an important resource.

If I use fancy stuff in lmhosts... well would somebody please point me
to a nice guide (vs the typical MS we-invented-the-internet, wordy fluff).

And what about WINS? Should I run a WINS server and set up the MS VPN
client TCP-IP properties to point to it? Will that cause brain damage
when the VPN isn't active and the laptop is not on the office LAN?

PS, we're also using ISA server 2000 (I know, I know, I'm going to hell
for this), but if there's anything tied in to AD or VPN then I'm yet to
discover it.

Thanks in advance!
Jaz
 
sonny

great presentation with the question... i wish i was authoritative enough to
simply answer all your questions... however i am just a mere it tech.

i use wins for the sake of browsing via VPN... i run a vpn through my
WatchGuards so it's a little different.... but, i would not recommend using
lmhosts/hosts tables... mainly for the sake of having to change them each
time a server enters the domain...

what i did was just install and set up the WINS across my WAN using the basic
push/pull between DCs... this way the servers can talk and replicate the
names for use during vpn usage.

i did the real basic setup using persistent connections for push replication
partners as well as persistent for pull... also i run the pull replication
on startup of the service... slap the interval renewal to something like 5-6
days and let it fly.

good luck with your setup.

Sonny
 
Guest

you only need wins for backwards compatibility in a 2k enviro/domain ie: if you have 9.x or nt 4 machines then run wins otherwise, save the cpu, bandwidth and ram by not running the service
 
Scott Harding - MS MVP

Well not entirely true. There are applications that can use NetBIOS names
and WINS can help. Are you using the correct DNS server upon logging into
the VPN? In reality WINS does very little on a strictly Windows 2000 and up
domain environment but little things can be helped along by WINS and
browsing is certainly one of them.

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

Guest said:
you only need wins for backwards compatibility in a 2k enviro/domain ie:
if you have 9.x or nt 4 machines then run wins otherwise, save the cpu,
bandwidth and ram by not running the service
 
Jaz

Ahh, but mine is a stickier wicket! (so as to not top-post, see below)

sonny said:
great presentation with the question... i wish i was authoritative enough to
simply answer all your questions... however i am just a mere it tech.

i use wins for the sake of browsing via VPN... i run a vpn through my
WatchGuards so it's a little different.... but, i would not recommend using
lmhosts/hosts tables... mainly for the sake of having to change them each
time a server enters the domain...

what i did was just install and set up the WINS across my WAN using the basic
push/pull between DCs... this way the servers can talk and replicate the
names for use during vpn usage.

i did the real basic setup using persistent connections for push replication
partners as well as persistent for pull... also i run the pull replication
on startup of the service... slap the interval renewal to something like 5-6
days and let it fly.

good luck with your setup.

Sonny


Ahh, but mine is a stickier wicket!

You have but users on a LAN, whereas I have users on as many LANs!

With remote VPN clients (not a site-to-site tunnel) the situations are many:

1: Users on corporate LAN w/ AD -- will WINS muck things up?
(I assume not)

2: User takes laptop home, Reboots, no VPN...
Q - Will TCP/IP properties set to use WINS affect more than
just the VPN connection? (e.g. if they plop their pc on their
home broadband network with no intention to connect to the
corporate LAN; will they be annoyed by some "WINS server unavailable"
message?)

3: User takes laptop home, Un-Hibernates (no reboot), no VPN...
This works fine. Can surf out local broadband fine.

4: User takes laptop home, Un-Hibernates, connects to VPN...
Again, this works fine, because host cache is populated.

5: User takes laptop home, Reboots, connects to VPN...
Can only get to corporate LAN systems by IP address...
Not sure if Internet traffic is routed through VPN (tho by
tracert it doesn't appear so)

So, as services like WINS are added, connectivity is improved, but at
some point I expect to start seeing things like Internet traffic routed
over the VPN (if it isn't already).

What I haven't been able to find is a nice simple recipe for this
configuration. I've checked M$ support, JSI, and a wealth of other sites
that try to be good resources on these kinds of subjects.

Again, any tips, pointers, URLs/links, or advice is very welcome and
appreciated.

Jaz
 
Jaz

Scott said:
Well not entirely true. There are applications that can use NetBIOS names
and WINS can help. Are you using the correct DNS server upon logging into
the VPN? In reality WINS does very little on a strictly Windows 2000 and up
domain environment but little things can be helped along by WINS and
browsing is certainly one of them.

Yes, Browsing. If it were only Browsing that WINS would provide to my
Win2K/XP VPN clients... then I would scream 'Eureka!'

Well, to be specific... the other day I needed to work from home and
after rebooting I couldn't get to my Exchange server (and couldn't
change the setting because when I tried opening Properties, the darn
thing insisted on contacting Exchange to get info... it was a
chicken/egg situation!) and Outlook web access (ironically) would only
work through Mozilla (IE was missing a snapin/plugin or some doohickey).

This is when I decided that my years of suffering with failure to
Windows-Browse through SonicWALL, Cisco, etc. VPNs were to come to an
end here and now. I would finally post :^)

Jaz
 
Bill Grant

The basic problem is that the lists you see in NN are built by
broadcasts. Routers and WAN links block these, so they don't work for dialup
RAS or VPN clients.

It isn't just a matter of installing WINS. WINS will let you find LAN
machines by name rather than using IP addresses, but you should be able to
do that already through DNS. To get NN populated without broadcasts requires
access to the browse masters built by the browser service.

WINS is required to enable browsing a segmented network. It gives the
browser service a means to contact browsers across routers and WAN links. It
lets you see a network-wide browse list in a segmented network. The browser
service builds the lists, WINS provides the links. See KB 150800.

The situation is different for a dialup client. If it is on a local LAN,
it already has a local browse list which doesn't merge with the remote one
just because you connect to it. If it is a standalone machine dialling in,
it doesn't add itself to the browse list (no broadcasts) and it usually
doesn't see the LAN browse list either. The best you can hope for is that it
will be able to see the LAN browse list. This will only happen if it uses
the right domain name and can find the domain master browser.

If the client has the correct domain name, it will try to get the browse
list by sending a name server request for the Netbios special name
<domainname 1B>. This is where WINS comes in. WINS can resolve this name
to the domain master browser's IP address, and the client will get the
domain browse list.

So the brief answer is that it won't work without WINS, but just setting
up WINS won't mean that it automatically works.

Bill Grant
MVP - Networking
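
The `<domainname 1B>` lookup described in the post above, written out as an added example (it is not from the thread or from Microsoft). It builds the RFC 1001/1002 name query a client sends to a WINS server and reads the address out of a positive reply; the domain `EXAMPLECORP`, the address `192.0.2.10` and the sample reply are constructed placeholders, and an empty NetBIOS scope is assumed.

```python
import socket
import struct

DOMAIN_MASTER_BROWSER = 0x1B  # suffix byte of the <domainname 1B> special name

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15 padded chars + suffix -> 32 bytes A..P."""
    raw = name.upper().encode("ascii")
    if not 0 < len(raw) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(name: str, suffix: int, txid: int) -> bytes:
    """Unicast NBNS name query (RFC 1002) as a client sends it to a WINS server."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + question + struct.pack(">HH", 0x0020, 0x0001)  # type NB, class IN

def parse_positive_response(packet: bytes) -> list[str]:
    """Addresses from a positive name query response; [] for anything else."""
    if len(packet) < 56:
        return []
    _txid, flags, _qd, answers, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if not flags & 0x8000 or flags & 0x000F or answers == 0:
        return []  # not a response, or RCODE != 0 (name not registered)
    offset = 12 + 34  # header, then length byte + 32-byte name + terminator
    _type, _class, _ttl, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
    rdata = packet[offset + 10:offset + 10 + rdlen]
    # RDATA holds 6-byte entries: 2 bytes of NB_FLAGS, then the IPv4 address.
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]

def sample_response() -> bytes:
    """Constructed reply: EXAMPLECORP<1B> registered at 192.0.2.10 (placeholders)."""
    name = b"\x20" + encode_netbios_name("EXAMPLECORP", DOMAIN_MASTER_BROWSER) + b"\x00"
    return (struct.pack(">HHHHHH", 0x1234, 0x8500, 0, 1, 0, 0) + name
            + struct.pack(">HHIH", 0x0020, 0x0001, 300, 6)
            + b"\x00\x00" + socket.inet_aton("192.0.2.10"))

if __name__ == "__main__":
    print(build_name_query("EXAMPLECORP", DOMAIN_MASTER_BROWSER, 0x1234).hex())
    print(parse_positive_response(sample_response()))
```

An empty list from `parse_positive_response` corresponds to the case in the post where the client cannot find the domain master browser and so gets no domain browse list.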
 
Herb Martin

Jaz said:
Should I run WINS alongside AD for the sake of surfing Net Neighborhood
through the client VPN connections?

If you want browsing to work across routers then Yes.
If you want to support legacy clients or applications (using NetBIOS) across
routers, Yes.
You may also need WINS for EXTERNAL trusts to work, even between Win2000+
domains.
(Domain and Shortcut trusts don't have this problem; they are within a
single forest.)
If you use NetBIOS and wish to reduce or eliminate broadcasts, Yes.

Note: Browsing is a NetBIOS "legacy application."

You don't need WINS with only one subnet since broadcasts do the job.
 
shope

Yes

the other posters seem to know more about the microsoft background to this,
so i will leave the explanations on how it is meant to work to them.

i do spend time troubleshooting networks with WINS in use, so i have a
couple of suggestions.

1. if you want to survive a server failure you need 2 WINS servers.
2. conversely if you want a simple to operate WINS system, you don't want
lots of WINS servers - most of the name problems with working WINS servers i
see happen when the WINS servers get out of sync.
3. microsoft wrote a paper about WINS design which you want if you are doing
a big WINS system design, it should still be on their web site somewhere - i
think it suggests that you limit a WINS server to 10k clients....
4. the best way to implement WINS is to configure the user clients via DHCP -
but don't forget the other stuff such as servers and network attached
printers.
5. You need WINS to be used consistently across your network unless you want
to cause more problems than you are solving.

Herb Martin said:
If you want browsing to work across routers then Yes.
If you want to support legacy clients or applications (using NetBIOS) across
routers, Yes.
You may also need WINS for EXTERNAL trusts to work, even between Win2000+
domains.
(Domain and Shortcut trusts don't have this problem; they are within a
single forest.)
If you use NetBIOS and wish to reduce or eliminate broadcasts, Yes.

Note: Browsing is a NetBIOS "legacy application."

You don't need WINS with only one subnet since broadcasts do the job.

however you can set up each PC to use WINS by default if it can access the
WINS server, and fall back to using broadcasts if not.

this allows for 1 central WINS server, but your users who might have home
networks they want to use, or if you have a multisite WAN, and the WAN link
breaks.
 
John Koswalski

Just to make sure I understand correctly: If on a subnet the clients'
browser service can contact the Domain master browser, the browser service
will not use broadcasts?
Mainly the reason why I see WINS everywhere is for the browsing in network
neighbourhood and the software that uses netbios. They tell me to set up
WINS to prevent the browsing but If I understand you correctly in a 1 or
subnet office with a couple of 100 hosts if they can talk to the (domain)
master browser they won't use broadcast right? So we could just get rid of
WINS?
 
Herb Martin

shope said:
i do spend time troubleshooting networks with WINS in use, so i have a
couple of suggestions.

1. if you want to survive a server failure you need 2 WINS servers.

Good point -- and all clients need to register in the same WINS "database".
(Not necessarily the same "server" but with the same server or with servers
set up to replicate.)

"Clients" here, include what we normally think of as "servers" -- including
usually the WINS server itself -- unless the servers are WINS clients they
will never register themselves and be resolvable by ordinary clients or
each other.

shope said:
3. microsoft wrote a paper about WINS design which you want if you are doing
a big WINS system design, it should still be on their web site somewhere - i
think it suggests that you limit a WINS server to 10k clients....

It's a silly recommendation. No one seriously does it this way (except on
the MCSE exam.)

In real life you place the WINS servers based on the local networks and
WAN lines which connect them. If you really had 10,000 machines in a
single location, you would add WINS servers based on the pattern of
usage and by measuring actual performance and considering fault tolerance
needs.

shope said:
4. the best way to implement WINS is to configure the user clients via DHCP -
but don't forget the other stuff such as servers and network attached
printers.

Remember to set up the machines with FIXED IP, especially those that
are thought of as "servers" (see above.) It's a common mistake to leave out
the servers.

shope said:
however you can set up each PC to use WINS by default if it can access the
WINS server, and fall back to using broadcasts if not.

Sure, and that is the default, but with one subnet there is seldom a reason
for a WINS server.
 
