Microsoft KB Archive/172227

= Network Address Translators (NATs) can block Netlogon traffic =

Article ID: 172227

Article Last Modified on 2/23/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Workstation 3.5
 * Microsoft Windows NT Workstation 3.51
 * Microsoft Windows NT Server 3.5
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Workstation 3.1
 * Microsoft Windows NT Advanced Server 3.1
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q172227



SYMPTOMS
When you have a Network Address Translator (NAT) that separates a Windows NT domain controller from its domain members or other trusted domains, Netlogon communication may fail. You will still be able to successfully redirect a drive across the NAT, and browse across the NAT, but logon attempts and trusts may fail. For example, when a client tries to log on to the domain across the NAT, the client may receive an error message similar to the following:

A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.

When you attempt to establish a trust relationship between domains, you may receive an error message similar to the following:

Could not find domain controller for this domain.

Note The error messages and conditions may differ from the above, but it will always be Netlogon communications that fail.



CAUSE
Your NAT is not translating the source IP address carried inside the NetBIOS header of your network traffic; it rewrites only the IP header.



RESOLUTION
To successfully implement a Windows NT domain structure using a NAT, the NAT will have to translate the addresses in NetBIOS datagram headers. Consult the vendor of your NAT device for information on this issue.

Note Correct translation of the NetBIOS protocol is not needed for membership of Windows 2000 and later operating system versions in Active Directory domains, because for domain functions the member uses DNS for name resolution.



MORE INFORMATION
NATs are used in IP networks to translate addresses from one network to another. For example, if an internal network used one of the non-routable private network IDs from RFC1597, such as 10.0.0.0, you could use a NAT to translate these addresses into a public IP address and route them to the Internet. When a packet comes back to the NAT, it retranslates the address back to the private address of the originating host.

If you send a NetBIOS datagram, as Netlogon does, the NetBIOS header contains the source IP address. The reply to this NetBIOS datagram is sent directly to the IP address found in the NetBIOS header, as defined in RFC1002, section 4.4. If the NAT translates only the addresses in the IP header, and not the one in the NetBIOS header, the reply may be sent to the wrong address. In the example above, the reply would be sent back to the computer's address on the 10.0.0.0 network, which is a private address and not routable.
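The following added example (not from the original article) parses the RFC 1002 section 4.4.1 datagram header, compares the embedded SOURCE_IP with the IP-header source, and shows the rewrite a NetBIOS-aware NAT has to perform. The addresses 10.0.0.5 and 198.51.100.7 and the datagram bytes are constructed for the example.

```python
import struct
import ipaddress

# RFC 1002 section 4.4.1 datagram header, network byte order (14 bytes):
# MSG_TYPE, FLAGS, DGM_ID, SOURCE_IP, SOURCE_PORT, DGM_LENGTH, PACKET_OFFSET
DGM_HEADER = struct.Struct("!BBH4sHHH")
DGM_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}
# Non-routable private network IDs from RFC1597 (the article's example is 10.0.0.0)
RFC1597_NETS = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dgm_header(payload):
    """Return the header fields of a NetBIOS datagram carried in a UDP payload."""
    msg_type, flags, dgm_id, src_ip, src_port, length, offset = DGM_HEADER.unpack_from(payload)
    if msg_type not in DGM_TYPES:
        raise ValueError("not a DIRECT/BROADCAST datagram: 0x%02x" % msg_type)
    return {
        "msg_type": DGM_TYPES[msg_type],
        "first": bool(flags & 0x02),      # F flag: first fragment
        "more": bool(flags & 0x01),       # M flag: more fragments follow
        "dgm_id": dgm_id,
        "source_ip": str(ipaddress.IPv4Address(src_ip)),
        "source_port": src_port,
        "dgm_length": length,
        "packet_offset": offset,
    }


def translation_problems(ip_header_src, payload):
    """Compare the IP-header source with SOURCE_IP inside the NetBIOS header.
    Returns a list of findings; an empty list means the NAT rewrote both."""
    embedded = ipaddress.IPv4Address(parse_dgm_header(payload)["source_ip"])
    findings = []
    if str(embedded) != ip_header_src:
        findings.append("SOURCE_IP %s differs from IP header source %s" % (embedded, ip_header_src))
    if any(embedded in net for net in RFC1597_NETS):
        findings.append("reply would go to non-routable address %s" % embedded)
    return findings


def rewrite_source_ip(payload, new_ip):
    """What a NetBIOS-aware NAT must do: rewrite SOURCE_IP (bytes 4..7) too."""
    return payload[:4] + ipaddress.IPv4Address(new_ip).packed + payload[8:]


# Constructed sample (hypothetical addresses): a DIRECT_GROUP datagram from a
# host at 10.0.0.5 leaving through a NAT whose public address is 198.51.100.7.
PRIVATE_HOST, NAT_PUBLIC = "10.0.0.5", "198.51.100.7"
SAMPLE_PAYLOAD = DGM_HEADER.pack(0x11, 0x02, 0x1234,
                                 ipaddress.IPv4Address(PRIVATE_HOST).packed, 138, 0, 0)
# A NAT that rewrites only the IP header leaves the private address embedded:
NAIVE_NAT_OUTPUT = (NAT_PUBLIC, SAMPLE_PAYLOAD)
AWARE_NAT_OUTPUT = (NAT_PUBLIC, rewrite_source_ip(SAMPLE_PAYLOAD, NAT_PUBLIC))
```

Running translation_problems on NAIVE_NAT_OUTPUT reports both the mismatch and the non-routable reply address, while AWARE_NAT_OUTPUT reports nothing.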

The following NetBIOS headers contain an Owner IP address field which may require translation:

NetBIOS Name Management

 * Name Registration/Refresh/Release Request
 * Name Registration/Refresh/Release Response
 * Positive Name Query Response

NetBIOS Datagram

 * Datagram Service Header
 * Directed and Broadcast Datagram
 * Datagram Error Packet

NetBIOS datagrams are used for the following purposes:

 * Locating a logon server
 * Sending a logon request
 * Performing domain synchronization
 * Browser host name announcements
 * Browser workgroup/domain announcements
 * NetBIOS Master Browser Existence and Election Packets
 * NET SEND /d: "Message"

The third-party products discussed here are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability.

