Solved

Bad Master Browser Returns Broadcast Address for DC

Posted on 2004-03-26
19
1,205 Views
Last Modified: 2013-12-23
Hi,

We've got an NT4 controlled (1 PDC, 1 BDC, name resolution via broadcast) domain with other Windows 2000 Server and Professional workstations which have been working happily for years. This week I've had two system wide failures which I've traced to computers deciding they are master browsers and returning the *broadcast* address for the network (e.g. 192.168.0.255) when queried for the DC.

Fortunately I've got a Samba server on the network which has given me more detailed logging of the problem. It reports that two computers respond to its request for domain info and the invalid information (i.e. the broadcast address) gets returned first in most cases.

Has any body encountered this or could shed any light on the cause?

My tests suggest the bad master browser is running on the XP Pro-laptop of a visitor to the organization, but even if that's the source, what's the cause?

Advice and assistance gratefully received,

Leon
0
Comment
Question by:leonst
  • 8
  • 5
  • 3
  • +1
19 Comments
 
LVL 7

Expert Comment

by:spareticus
Comment Utility
you can disable machines that are problems (or definitely not going to be browse masters like xp machines)
HKLM\system\CCS\services\Browser\parameters
maintainserverlist = no

I have seen some of this when bringing new OS's into the network with an older domain...the other option would be to segment and add wins, or lmhosts

http://support.microsoft.com/default.aspx?scid=kb;en-us;102878
http://support.microsoft.com/default.aspx?scid=kb;en-us;102878
0
 
LVL 3

Expert Comment

by:wei2ali
Comment Utility
It's normal for computers to start broadcasting if they can't find the domain master browser.

The tell-tale detail here is "XP Pro-laptop of a visitor to the organization". The laptop obviously belongs to some other domain/workgroup. Once it's plugged into the network, it tries to find the master browser according to its own network configuration, failing this, it sends a broadcast claiming being the master browser for its own domain/workgroup.

I used to have a client who constantly plug/unplug the laptop to/from the network on the fly, causing a master browser election, but it never was able to flunk the network since I've implemented the "unorthodox" method mentioned in this thred <http://www.experts-exchange.com/Networking/WinNT_Networking/Q_20890647.html> apart from the registry hacks mentioned by Spareticus. Registry hack as is, unfortunately, never totally resolved the broadcast problems in the cases I've seen.

Another option worth exploring is to change your hubs into switches, this will reduce the negative impact of broadcasting on your network.
0
 
LVL 7

Expert Comment

by:spareticus
Comment Utility
his problem isn't the amount of broadcasting, it is that these other machines are taking the role of master browser, and killing his name resolution which is relying on broadcast.
0
 
LVL 1

Author Comment

by:leonst
Comment Utility
That's right spareticus: The XP Pro machine appears to have decided it's the domain master browser (DMB) but when it's queried for the DC it returns 192.168.0.255 (i.e. a broadcast address) instead of 192.168.0.11 which is the address of the DC.

With an existing DMB, why and how would another computer try to take over?

The NT4 member servers also needed rebooting to clear this problem whereas the Windows 2000 servers seemed to just carry on when the rogue computer was removed and the DCs restarted.

More info: when I ran nbtstat -n on the PDC I got:

           NetBIOS Local Name Table

   Name               Type         Status
---------------------------------------------
MYPDC             <00>  UNIQUE      Conflict
MYDOMAIN       <00>  GROUP       Registered
MYPDC             <20>  UNIQUE      Conflict
MYDOMAIN       <1C>  GROUP       Registered
MYPDC             <03>  UNIQUE      Registered
DIRREPLSA      <03>  UNIQUE      Registered
MYPDC             <01>  UNIQUE      Registered
MYDOMAIN       <1B>  UNIQUE      Registered
MYDOMAIN       <1E>  GROUP       Registered
MYDOMAIN       <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
0
 
LVL 3

Expert Comment

by:wei2ali
Comment Utility
This is getting interesting. From WINS-manager, can you find out who else has registered workstation name of "MyPDC"?
0
 
LVL 1

Author Comment

by:leonst
Comment Utility
No, I'm not using WINS, I'm using broadcast for name resolution.

I really don't think there is a second MYPDC (despite the duplication being listed in the event logs). If I try pinging MYPDC by name from an NT4 server it fails to resolve the name (pinging the IP address works fine). I managed to try pinging from a Windows 2000 server which resolved MYPDC to the broadcast address i.e. 192.168.0.255.
0
 
LVL 3

Expert Comment

by:wei2ali
Comment Utility
Tough. How about clean/reload the NTBIOS cache (ntbtstat -Rr) in the W2k server, see what you get?

I remeber seeing once this kind of situation when a network had both TCP/IP and NETBEUI installed, the solution was to remove NETBUI or reverse the order of protocol binding. Unfortuately I have no documentation on the case :(

I figure you might be reluctant to make structure changes to your existing network, but WINS wouldn't be a bad choice in your situation. Also, if you haven't already, apply ServicePack 6a to both of you DCs. There's a NetBEUI bug in SP4 allowing identity impersenation, you might be hit by the bug?
0
 
LVL 7

Expert Comment

by:spareticus
Comment Utility
did you disable the workstations from being potential browse master?
you will likely need to reboot the PDC also
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 1

Author Comment

by:leonst
Comment Utility
This problem did recur and it was the same laptop that was responding as the master brower.

I'm sure spareticus' suggestion will address the problem, but I don't think I'm going to be able to find out why a workstation - ill configured or otherwise - suddenly responds to browser requests.

On this topic: What I haven't been able to get clear in my head is: on a single subnet domain do you get both a master browser and a domain master browser? Or is a DMB a special kind of MB that occurs when you have a domain controller?
0
 
LVL 7

Expert Comment

by:spareticus
Comment Utility
the later os version somehow allows it to win the election

that previous article discusses this to some degree, but to answer your question you will have both
0
 
LVL 1

Author Comment

by:leonst
Comment Utility
Sorry about the haitius.

Spareticus: I don't think it was an election win as the original browsers still thought they were the master browsers (as far as I can tell).

The network has now been stable since I set HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
to False on the WinXP laptop.
0
 
LVL 7

Expert Comment

by:spareticus
Comment Utility
if you check back to the date when the problem began...you should see events on the server indicating a browser election being forced
i am glad you got the network stable...that can be an extreme pain
0
 
LVL 1

Author Comment

by:leonst
Comment Utility
Whilst I'm grateful to both Spareticus and wei2ali for your contributions I can't really call any points an "answer". But I may have to pick a random comment as an answer so I split this points.

Many thanks for your input!
0
 
LVL 7

Expert Comment

by:spareticus
Comment Utility
i thought the registry entry resolved the issue?  That would be the "answer"
0
 
LVL 7

Expert Comment

by:spareticus
Comment Utility
As I indicated in my last post, i consider my suggestion of using the registry change to have resolved his issue.  I am confused by his thinking that he did not get an answer.  He had a bad response for MB, and now he doesn't.
0
 
LVL 1

Accepted Solution

by:
GhostMod earned 0 total points
Comment Utility
PAQed, 250 points refunded.

GhostMod
Community Support Moderator
0
 
LVL 7

Expert Comment

by:spareticus
Comment Utility
quote from author:  The network has now been stable since I set HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
to False on the WinXP laptop

quote from spareticus:

you can disable machines that are problems (or definitely not going to be browse masters like xp machines)
HKLM\system\CCS\services\Browser\parameters
maintainserverlist = no
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

FIPS stands for the Federal Information Processing Standardisation and FIPS 140-2 is a collection of standards that are generically associated with hardware and software cryptography. In most cases, people can refer to this as the method of encrypti…
Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now