Solved

BROWSING IP SUBNETS USING LMHOSTS

Posted on 1998-03-27
Last Modified: 2013-12-23
We have a campus TCP/IP Network here. I want to browse between two subnets.

One subnet (subnet A) has an NT PDC, one BDC, an NT Workstation, and 35 W95 Clients.

The other subnet (subnet B), in another domain has a PDC and a W95 machine.

I have set up the LMHOSTS file to have

<ip address> <server name> #PRE #DOM:<DOMAIN NAME>

It is now possible to connect to each machine by using \\<server name>. However, I want to be able to browse each subnet. You can put 16th char letters in NetBIOS names in the LMHOSTS file...will this enable the browsing? I know I can use WINS, but want to avoid that if possible.

The other problem we have, is that we have IPX on all the NT machines, and yet, when subnet B wants to browse subnet A, I get a small list of machines with IPX installed...excluding the PDC, which has IPX installed! Weird. The reason we really want to use IP, is that it is the only common protocol installed on all the machines.

The browse set up in subnet A is as follows
PDC is Browse Master for IP (it can see whole subnet)

BDC is Browse Master for IPX (it can see only IPX machines..though not the PDC, I think this is due to Ethernet Frame type, which I am about to check).

A machine "Unknown" is Browse Master for some other variation of IPX (I put this in because that's what the Browmon utility from the Resource Kit reports). Does anyone know the significance of this?

I don't really like the BDC being the browse master for IPX, I would rather both transports being mastered by the PDC. I can't find a way of telling the browse service to bind to a given protocol. Is there a way of doing this?

We are also having trouble with clients. Say a client has two protocols installed, which browse master will it talk to? The resource kit does not mention this possibility. Should it not talk to both, in order to get a full list of what a client can connect to?

I often find however, that different client utilities give different browse lists! For example, server manager shows all PCs in subnet, but only the domains in the LMHOSTS file in the domain list...On the other hand, when you use Event Viewer, I can see about a hundred or so domains out there on the campus network! (in other words it must be talking to the IPX browser, or perhaps to both)

What is going on, I thought that NetBIOS applications use the NetServerEnum API, is Event Viewer using a different or better API call?

In addition, some of our Windows95 machines do not have File and Print Services installed, but do have remote registry installed, but they do not appear in browse lists, my hunch is that they won't so you need a piece of paper to keep track of the PCs you can connect to anyway.

If you think you really understand browsing and what is going on I'd be happy to give 300 points to anyone that could sort out all this hassle and confusion.

If anyone wants more information I will happily send it to them, including screen dumps sent as MIME attachments if they want.

Regards

Hywel
0
Question by:hywel
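
Added example (not part of the original thread): a small Python parser for the LMHOSTS entry form quoted in the question, including the quoted form that sets the 16th byte of a NetBIOS name with a `\0xnn` escape. The sample entries, host names and addresses are constructed; the suffix table lists standard NetBIOS name types.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Standard NetBIOS name types (value of the 16th byte) that matter for browsing.
SUFFIXES = {0x00: "workstation", 0x1B: "domain master browser", 0x1D: "master browser",
            0x1C: "domain controllers", 0x20: "server service"}

@dataclass
class Entry:
    ip: str
    name: str               # NetBIOS name, padding stripped, upper-cased
    suffix: Optional[int]   # explicit 16th byte, None when not given
    preload: bool           # #PRE tag present
    domain: Optional[str]   # value of #DOM:<domain>, if any

LINE = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+("[^"]*"|\S+)(.*)$')

def parse_lmhosts(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:            # blank line, comment or directive: no mapping
            continue
        ip, name, rest = m.groups()
        suffix = None
        if name.startswith('"'):
            name = name[1:-1]
            esc = re.search(r'\\0x([0-9A-Fa-f]{2})$', name)
            if esc:
                # The escape is the 16th byte, so 15 characters must precede it.
                if esc.start() != 15:
                    raise ValueError(f"16th-byte escape misplaced: {raw!r}")
                suffix, name = int(esc.group(1), 16), name[:15]
        dom = re.search(r'#DOM:(\S+)', rest, re.IGNORECASE)
        entries.append(Entry(ip, name.rstrip().upper(), suffix,
                             "#PRE" in rest.upper().split(),
                             dom.group(1) if dom else None))
    return entries

# Constructed sample; names are hypothetical, addresses are documentation ranges.
SAMPLE = "\n".join([
    "# static mappings for the remote domain",
    "192.0.2.10  PDC_B  #PRE #DOM:DOMAINB",
    '192.0.2.10  "%-15s\\0x1b"  #PRE' % "DOMAINB",
    "198.51.100.7  ws95"])

if __name__ == "__main__":
    for e in parse_lmhosts(SAMPLE):
        print(e, SUFFIXES.get(e.suffix, "no listed type"))
```

Every entry the parser returns is a static name-to-address mapping that the client will use without any further lookup, so the output doubles as a list of mappings that have to be kept correct by hand.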
9 Comments
 
LVL 5

Expert Comment

by:snimmaga
First of all, you don't bind protocols to the Browser service.  All Browse master does is to provide the clients with the NetBIOS names of the machines that are available on the network.  There is nothing like BDC is talking over IPX and something else on something else.  As far as Win95 boxes are concerned, if File & Print Sharing is disabled there is no way they appear in your Browse lists.  This is because there is no need for them to announce themselves on the network.  Each machine announces itself at regular intervals of time and a BM picks up the announcements and maintains a list.  Each segment of the network has a BM and there is one Domain BM which usually is your PDC.  When you enter an entry in your lmhosts file, all you are doing is avoiding WINS to resolve the IP for a given NetBIOS name.  The best way to achieve what you are trying to do is to use WINS.  Have two WINS servers in the two subnets and let them replicate with each other using PUSH/PULL partnerships.
Good Luck..
Srini.
0
 
LVL 5

Expert Comment

by:snimmaga
One more thing: your BM is showing only the domains that are listed in the lmhosts file because the domains are cached in when you said #PRE #DOM.  Now, imagine if this is a WINS client for a WINS server which maintains a list of all the domains, then you get all the domains in your NN.
Good luck..
Srini.
0
 

Author Comment

by:hywel
Srini. There ARE separate browsers for each Network Transport. Check out the browmon utility. For example, on our network, there are two Browse Masters, one for IPX and one for TCP/IP, and they both have different lists of what they can see.

Also, if you look in the Resource Kit, under the registry entries for the Browser service you will see the following.


"The parameters that control network bindings for the Browser service are described in NetRules Subkey Entries.
Under the following Registry path, two parameters are found:

HKEY_LOCAL_MACHINE\System
      \CurrentControlSet
            \Services
                  \Browser
                        \Parameters

DGRcvr Entries for the Browser Driver"

Now I've had a look at some of these parameters, and most of them are quite straightforward, except when it comes to binding. I was hoping there would be somebody who could explain this to me.

Regards

Hywel



0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
Why do you want to avoid that if possible? WINS would not cost many resources, it is just a dynamic database for IP <--> NetBIOS name mapping. You'd better make the two PDCs WINS servers as well, then make them Replication Partners. It is the best solution for you.

Lmhosts file is for static address mapping for Windows network, you have to maintain all the mappings manually. Since you have 35 clients in one subnet, it is hard to keep this going well.

If so, you certainly do not need IPX/SPX again, only TCP/IP is enough. In addition, you don't need to change any registry setting for this. You know, if it is not very necessary, we'd better not modify any registry settings.

Also, it is not good to have PDC and BDC running different protocols, because if the PDC has failed, no client with only one protocol can reach your BDC.
0
 

Author Comment

by:hywel
I know that it is possible to use WINS. But that is not the point, I am trying to establish whether or not putting an entry for the Master Browser in the lmhosts file will allow browsing from outside the subnet.

The BDC are not running different protocols from the PDC. They are both running IPX and TCPIP. The point I am making is that the PDC binds its browser service to IP, while the BDC binds its browser service to IPX. Now, all clients have IP, so that list is full, however, people from outside the subnet cannot browse the list (I was hoping that an entry in lmhosts for the external network, pointing to the PDC in the subnet would fix this....hence the question, Using Lmhosts to Browse Subnets).

However, from outside the subnet, it is still possible to browse some of the PCs, this is because as I mentioned, the BDC is using IPX (which will be visible outside the subnet). The IPX browser will return a list of all PCs of the subnet that it can see (all other clients that have IPX on).

I already know that using WINS will solve the problem, so that does not answer the question. What I am trying to establish is.

First
   What determines which protocol the browse service binds to and can I specify it. From what I can see, it seems that a given computer cannot be a browse master for two different transports, but it should be possible to tell it which transport it should be a master browser for.

Second
   Since Lmhosts tells the other network where to find the PDC, then if the PDC is a browse master, it should be possible to get a browse list from it....(OK the address of the backup browser which will give the list if you are being picky!) and avoid setting up WINS.

I am offering 300 points to anyone that "understands" what is going on....not simply suggestions to use WINS. I am quite worried about NT security in general, I want to know what is going on.

The reason I've got interested in lmhosts file is the discovery that NT binds its server service to IP, meaning that if for example, you are connected to the internet, ANYONE who knows the IP address of your machine can connect to it! If you've not disabled the Guest account, your share list will be WORLD READABLE. The moral of the story is get a firewall for a few thousand dollars, or try to understand what's going on. If I just set up WINS all well and good, except it will just be another level of "giving in" to NT and just "accepting" things and hoping it will all be OK and there are no security holes and so on.

Anyway, thanks for the response, but the question still remains open I'm afraid!

Regards

Hywel

0
 
LVL 5

Expert Comment

by:snimmaga
Simply put, nooooop you can't do it.  When an external PC queries the subnet for a BM, it doesn't look in its LMHOSTS FILE.  LMHOSTS is only used for particular PC NAME-IP mapping.  Just because it is able to see the PDC, doesn't mean that the PDC will respond to its query.  PERIOD.  You get these so called 'WEIRD' results 'cuz you are not following the proposed and recommended way of BROWSING.  Browsing factors depend on lots of combinations of Broadcasts, host look up and so on....  If you work on half of these setups, first you don't know what you have enabled to do what and second you see unexpected results which you can't relate to what you have done.  Results like seeing the Network from one machine with IPX and not able to see the same from a similar machine are because of these misdeeds.  
I am not trying to teach you anything or give you a lecture.  It looks like you know enough about these broadcasting problems already.  I think you can figure out the solution yourself, provided I give this simple and straightforward answer to you... 'No you can't put a BM's ip-name mapping in LMHOSTS to be able to browse its sub-network'.  This doesn't work, 'cuz, in other scenarios you need not have a dedicated BM and any box on the subnet can assume the role.  You just can't go ahead with a LMHOSTS entry in this case.
Anyway.....
good luck,
Srini.
0
 
LVL 5

Expert Comment

by:snimmaga
The other reason why you are able to see the IPX based PCs on the NN is that, by default, IPX packets are routed across the routers ensuring that there is only one Master Browser per domain.  It is not the case for NetBEUI environment.
0
 

Author Comment

by:hywel
Srini,

OK, thanks for letting me know that you just can't use lmhosts to browse remote networks, it seems logical, because as you say any machine can become a BM, so just putting an entry into the lmhosts pointing to PDC won't work.

As for the other points, Windows95 won't appear in the NN unless FP services are enabled, as you say. I still think this is a nuisance however. For example, if you enable remote registry editing, you want to be able to browse the network to see the list of machines. If the machine in question has Remote Registry but no FP services, you can't see it! So you need to maintain a paper list. I think if possible we will migrate to NT, which has a list of machine accounts anyway, and remote registry and FP enabled by default.

I still notice that different client tools, even under NT, give different browse lists. Serverman and Userman show only the NN, whereas, Event Viewer allows me to see "the whole network". There may be a reason for this. SM and UM, should only be able to manage trusted domains, hence the only ones appearing. Event viewer on the other hand can be used to monitor any machine, given its name.

As for the binding, I have found a key under current_control_set/services/browser/parameters

DirectHostBinding: REG_MULTI_SZ \Device\NwlnkIpx \Device\NwLnkNb

I guess this tells the machine which protocol the browser will bind to.

Srini, you only submitted this as a comment so I can't give you any points. The question has been open for a few days now and nobody else has come close to giving me any satisfactory answers. If you want the points, just submit an "answer" and then I can give them to you.

Thanks for your time

Regards

Hywel
0
 
LVL 5

Accepted Solution

by:
snimmaga earned 300 total points
OK, here are some more of my thoughts.
Enabling FP services on a 95 box enables the box to show up in NN.  Now, even when you want to REMOTE ADMIN REGISTRY, you have to share the SAM files to someone and this will come under File sharing.  By enabling FP, you are opening the first gate on to the hood.  This is not automatic as is in NT, 'cuz, 95 is strictly a client workstation and SHARING is just an add-on to it.  Whereas NT workstation is capable of serving at least a small group of people.  Moreover, NT by default shows up on Server Manager only if it joins the domain (as a fact, even 95 shows up on SM).  
What you said is exactly right.  Events are opened up freely on any machine in the network.  So, you can watch the logs through the EV for any box.  But, try changing the LOG sizes or other settings, and you should not be able to do this.  Security comes into picture at this point.  Whereas SM and UM have specific tasks, so the restricted type of view from them.  Probably, SM/UM and EV use different function parameters when they call ENUM API.
As far as your DIRECTHOSTBINDING is concerned, it is not recommended to change it in the registry.  Again, though it shows up in the BROWSER/PARAMETERS in the registry, this has nothing to do with binding to the BROWSER service.  This binding actually suggests its connection with the SERVER Service.  It is mainly used (DIRECTHOSTBINDING) for WFW clients to connect to NT when they have just IPX/SPX installed.  One good way to disable this is to go to CP+Network applet+Bindings tab.  Choose the SERVER service and disable Server->NWLINK IPX/SPX transport.  OK the screen and reboot.  You will see the registry entry changed too.
Good Luck..
Srini.
0
