Solution for Windows cross-subnet browsing issue in mid-2016

Hello all-

this is a follow-up to my original post in which I discussed how to setup cross-subnet browsing so that all computers come up in “Network” or “Network Neighborhood”.

For the last few months, my “Network” browse list has disappeared and would ONLY show computers from my LAN subnet.  My remote (VPN-to-VPN) network subnet disappeared from my “Network” computer list.

After >>MUCH<< research I have found the problem and will present the solution.

The problem is due to the Microsoft Windows Update (for both desktop and server OS’s) KB3161949  (read about it here).

Part of the effect of this update was to “harden” the NETBIOS service and prevent NETBIOS data from being sent between subnets.

 

THE SOLUTION:

Two ways of handling this.

  1. You can remove this specific hotfix
  2. You can add a registry setting to override it.

(YOUR CHOICE)

To REMOVE the hotfix:

On SERVERS:  Go to Control Panel, Uninstall a program, View Installed Updates… Remove 3161949.  You’ll need to reboot.  After rebooting, go check for windows updates again (MANUALLY)  3161949 will pop up.  Right click and HIDE UPDATE.

On Desktops:  Same process as above – HOWEVER – Depending on which version of windows, which OS Rollup you are on, 3161949 might not show up.  If you cannot remove 3161949, simply add the registry key below.

–OPTIONAL METHOD–

Involves a registry key addition, then you need to reboot the machine.

SUBKEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value Name: AllowNBToInternet
Type: Dword
Value: 1

 

** REMEMBER TO REBOOT after you do either the uninstall or registry key.

** It will take 5-60 minutes for the Network browse lists to refresh

*** MOST IMPORTANT ***

You MUST do this on your domain servers (Master Browsers) on each side of the subnet.  For example, I have for domain servers, two on each side.  I did this procedure on both, then rebooted all four domain servers.

Then I did this on my Windows 10 Pro workstation (via registry key) and rebooted.

When I checked my computer 30 minutes later, all machines were showing up in the browse list under “Network” in Windows 10.

** ADDITIONAL NOTE:  Just for the heck of it, you might as while put that registry key onto all your domain servers.  Even though I had uninstalled 3161949 from all 4 of my domain servers (and hidden that update), one of my DC’s re-applied that patch and rebooted, thereby messing up my Network list again.  So I just went and put that reg key onto all 4 DC’s just in case they get that update somehow in the future.

** NOTE: Do this at your own risk.  I’m not responsible for your network security.  You have to make the decision on what’s more important to you here.  Being able to see the entire cross-subnet network, or security.  I can’t speak as to how this increases or decreases your security risk.

Let me know if any questions…

6 comments

  • Pingback: All computers do not show up under Network Neighborhood across subnets Windows 2008 Server and Windows 2012 Server | Amixa Blog - Professional Web Site Design Experts

  • Cathy Mann

    Since this is a security update to resolve vulnerabilities in Microsoft Windows, do these resolutions open your network back up to those vulnerabilities?

  • As always, do any changes at your own risk. I am simply solving an issue with cross-subnet network browsing. I cannot speak as to how this increases a security risk on your network. You can do the 3161949 patch and then set the registry key to permit the network to be visible, that way you at least still have the patch in place, but I cannot tell you or make any guarantees about security risks if you do this.

  • R Schumann

    AWG… Great post -AND- finding…

    I have been fighting this issue for nearly the past 2 months now! I was excited to come across your post – so much, that I had to believe this was going to be the solution. Sadly, after following your suggestions, neither side of a Windows 2012 R2 site-to-site VPN is still not discovering & displaying servers & workstations from the other branch office – this, after approximately 6 hours after applying the registry setting fix.

    I applied the registry key, double-checked the file & print sharing to ensure it was turned on, checked my firewall ports for NetBIOS ports 1137,138,139 and even 445. I’m running AD DS, DHCP, DNS & RRAS & WINS on both of my PDC’s – 1 on each subnet in each office. Both sites are on different subnets (i.e. 10.1.10.x & 10.1.11.x). I bounced all the boxes -AND- applied the same registry fix to my Windows 10 Pro laptop- all to no avail.

    I have a stable, bi-directional site-to-site demand-dial persistent connection between the two sites. AD DS is replicating with no issue. DNS is conducting zone transfers without issue. I can open up a server at one branch office using it’s IP Address, but attempting to do so using a FQDN hostname doesn’t cut it. I stood up WINS servers on each PDC as well just for ‘good measure’. I’m grasping at straws now.

    This should NOT be this difficult. But I wanted to provide some feedback to the community that, although your findings and solution seemed to describe my situation to the ‘T’, it’s unfortunately not the complete solution – at least for my environment.

    I’ll keep plugging away and when I resolve my issue, I’ll post my findings here as well, since I believe your solution is, more than likely, THEE root cause of this behavior. (I just happen to have other issues to solve).

  • R Schumann

    AWG – I missed the typo in for port ‘1137’. Should be ‘137’. Please correct for me. Thx

  • mohammed Ghouse

    thank you man for posting this resolution, i have been looking for this long time.

Leave a Reply

Your email address will not be published. Required fields are marked *