Solved

Stop XP workstations from trying to be MASTER BROWSER?

Posted on 2007-09-28
Last Modified: 2012-06-27
Recently I have experienced some workstations becoming master browsers. This began after I put them behind a firewall to prevent their network traffic from broadcasting on the primary LAN subnet (they are developing network code). I suspect that the firewall is blocking NetBIOS traffic in some form. Anyway, I have tried changing the registry key from Auto to FALSE for MaintainServerList on one workstation as a test. This stops the problem, but even though my WINS is running on two servers, browsing on those workstations becomes extremely slow - 10 secs to find the domain, another 10 to get the server list. I know users will not like this since they are used to fast browsing (35 users). Should I expect it to be this slow? Or is there some other config I need to check? WINS looks fine - is running and registrations are correct. BROWSTAT shows the PDC as MASTER and other servers as backups. Oh - I also tried shutting down the browser service instead of the registry change with identical results. Thanks --Dale
Question by:dvanaken
13 Comments
 
LVL 6

Expert Comment

by:entcee
ID: 19978600
You can disable the browser service.

Go to Start and select Administrative Tools or (Settings, Control Panels, then Administrative Tools). Select Services. Right-click on Computer Browser and select Properties. Change Startup Type to Disabled. Click Stop and OK.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 19978709
In case it doesn't go without saying, be sure to =test= entcee's recommendation before deploying it en masse, as you may have some applications or services that depend on that service running.
0
 

Author Comment

by:dvanaken
ID: 19979179
Thanks - but - see my post - when I shut down the browser service (or set the DWORD to FALSE) I get the very slow browsing response on the wkstations which I can't pass on to the users. Is this slow behaviour to be expected? I only have 35 users.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 19987021
When using NetBIOS, you will need (at least) one Master Browser (not to be confused with the Domain Master Browser) *per* *subnet*. Having a WINS server alone isn't enough. Since you seem to have at least two subnets, likely one with your servers and another one for your desktops, you'll have the PDC Emulator as Domain Master Browser in your server network, any other DCs will be Backup browsers, other domain members will be potential browsers.
In your desktop subnet, if there are 35 machines, you'll have/need one master browser and one backup browser. There's usually no need to disable the browser service on machines that aren't multi-homed.

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/?kbid=188001
0
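
A way to confirm which browser role a given machine actually holds, as an added example that is not part of the original thread: `nbtstat -A <ip>` prints the host's NetBIOS name table, and the roles described in the answer above appear there as well-known name suffixes. The host names, the CORP domain and the sample output below are constructed.

```python
import re

# Browser-related NetBIOS suffixes as shown by `nbtstat -A <ip>`:
#   <1B> UNIQUE  domain master browser (PDC emulator)
#   <1D> UNIQUE  master browser for the local subnet
#   <1E> GROUP   takes part in browser elections
#   ..__MSBROWSE__.<01> GROUP  announced by the subnet's master browser
ROW = re.compile(
    r"^\s*(?P<name>.+?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<kind>UNIQUE|GROUP)\s+(?P<status>\w+)"
)

def parse_name_table(text):
    """Return (name, suffix, kind) for each row marked Registered."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group("status").lower() == "registered":
            rows.append((m.group("name"), m.group("suffix").upper(), m.group("kind")))
    return rows

def browser_roles(text):
    """Map the registered names to the browser roles the host currently holds."""
    roles = set()
    for name, suffix, kind in parse_name_table(text):
        if (suffix, kind) == ("1B", "UNIQUE"):
            roles.add("domain master browser")
        elif (suffix, kind) == ("1D", "UNIQUE") or (suffix == "01" and "__MSBROWSE__" in name):
            roles.add("master browser")
        elif (suffix, kind) == ("1E", "GROUP"):
            roles.add("election participant")
    return sorted(roles)

# Constructed sample: workstation DEVWS07 after it has won a browser election.
DEVWS07 = """
    DEVWS07        <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    DEVWS07        <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    CORP           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
"""

# Constructed sample: workstation DEVWS08 with no browser names registered.
DEVWS08 = """
    DEVWS08        <00>  UNIQUE      Registered
    DEVWS08        <20>  UNIQUE      Registered
"""

print(browser_roles(DEVWS07), browser_roles(DEVWS08))
```

Running this against the output collected from each machine on a segment shows at a glance whether a workstation, rather than a domain controller, is holding the master browser role there.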
 

Author Comment

by:dvanaken
ID: 19988130
Thanks - I have one subnet on my LAN which includes my servers and the desktops. I have one other subnet hidden behind a router. Router WAN address makes it a member of my primary subnet. I am trying to find the reason for the very slow workstation browsing when that workstation has browsing service turned off or MaintainServerList=FALSE. Does this indicate a problem elsewhere on the LAN? I'd like to be able to stop any or all workstations from asserting a master browser election but can't do it if this slow behaviour is the cost. Thanks -Dale
0
 
LVL 85

Expert Comment

by:oBdA
ID: 19988233
Now, where, how, and why exactly is that firewall installed? Sorry, but you lost me here.
If the workstations can't access the domain master browser because of the firewall (that is, if NetBIOS traffic to the DC is blocked), then of course a browser election will be forced, because when a machine uses NetBIOS, it needs a master browser, even if it is itself. (From the link above: "If there is not a domain controller present on a given network segment, then an election process is started that chooses a master browser and backup browser from the computers on the segment [...]".) There's no point in using NetBIOS in your network if at the same time you're blocking NetBIOS by a firewall.
NetBIOS requires UDP ports 137/138 and TCP port 139 to function.

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/?kbid=832017

Troubleshooting the Microsoft Computer Browser Service
http://support.microsoft.com/?kbid=188305

Information on Browser Operation
http://support.microsoft.com/?kbid=102878
0
 

Author Comment

by:dvanaken
ID: 20029641
I am in a network hardware/software development environment. The firewall is used to temporarily isolate a development project from my primary LAN so that broadcast traffic on the equipment being developed does not impact others. It's functioning like a router. It's apparently blocking NetBIOS traffic so the workstations behind it are trying to become the master browser. I can solve this for now by opening up the firewall to pass NetBIOS traffic both directions, but I was considering a network wide prohibition against workstations forcing an election as a general rule (using group policies). When testing this on a single workstation, I noticed the very slow response when a workstation has the browser service disabled, etc. Let me restate my question, and I'll try to break it down. (1) Do I need to worry about imposing this restriction on workstations, or is this generally not a problem, and (2) if I should (or reasonably CAN) disable workstations from trying to become a master, is it expected to see this very slow browsing? I know my users will never accept that delay. I hope this makes more sense.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 20029737
To answer both at once: No, I've never seen a network where it was necessary to manipulate the browser service in a major way.
The only machines that should *never* become a browser are multi-homed machines.
The problems you're experiencing should stop once the NetBIOS traffic can pass again.
Any specific reason why you don't just put the development machines into a real subnet, thus containing the development broadcasts automatically?
0
 

Author Comment

by:dvanaken
ID: 20030085
Thanks - I have a very simple LAN environment - one subnet, one DHCP scope, etc.  I am using unmanaged switches.  I guess I'm not clear on the steps to create a "real" subnet given this configuration - I would not want to destabilize or further complicate the existing environment - but I'm open to any suggestions! --Dale
0
 
LVL 85

Expert Comment

by:oBdA
ID: 20030632
Usually with a hardware router, or through a W2k3 machine with 2 NICs and RRAS.
Then again: are you really producing that much broadcast traffic with 35 clients that it's noticeable?
How did you determine that it's broadcast traffic that slows down your network, and where is it coming from?
0
 

Author Comment

by:dvanaken
ID: 20030851
I am placing software developers on this subnet. They are working on network code - very much "under development".  We have had the LAN slow to a halt from excessive broadcasts and that surfaced the need for some isolation.  The hardware router option you are suggesting is exactly what I am doing with the firewall.  The WAN side of the firewall is on the company LAN, and it is serving dynamic addresses etc to the clients behind it, as well as acting as a default gateway to access LAN/WAN resources.  This essentially creates a "real" subnet unless I'm missing something. Am I?
--Dale
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 20037103
Seems like you've placed a NAT router between the two networks; then it's not a "real" subnet, as only the clients in the development net can initiate communication, and can lead (not only) to problems with browsing: "To signal the PDC to retrieve the list collected by this master browser, the master browser sends the PDC a directed master announcement frame over User Datagram Protocol (UDP) port 138. This signals the PDC to immediately connect to the master browser and retrieve its list."
Forwarding the NetBIOS ports back to a machine in the development LAN won't work either, as any browser there will announce itself with its own IP address, not the WAN address of the NAT router.
You'd need a "real" router for it to be a real subnet and for your name resolution to work reliably (sorry, hardware is not really my area of expertise, so I can't recommend anything with a clean conscience).
0
 

Author Comment

by:dvanaken
ID: 20039852
A few days ago I opened up the NetBIOS ports on the router/firewall and I have not had any browser election issues so far.  I think I'll keep an eye on this - I just had a managed switch delivered - maybe I can set up VLANs and do the isolation that way.  In any case, thanks for your persistent help - I appreciate it.  --Dale
0
