Solved

track down the location of a machine advertising a domain or workgroup

Posted on 2008-06-24
6
195 Views
Last Modified: 2010-04-21
Under Microsoft Windows Network I can see a Domain or Workgroup listed that shouldn't be. I can't access it. I would like to track it down. How do I go about finding what machine is advertising this?
0
Comment
Question by:jjc_mn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 4

Accepted Solution

by:
raymondzwarts earned 500 total points
ID: 21859659
Use a packet capturing tool (like wireshark) to see who is broadcasting as master browser for the specific domain/workgroup. The packets will show up as Windows Browser Protocol and Server Message Block protocol packets.

The Packets will contain the Workgroup/Domain name and the source IP is the PC/Laptop/Server announcing the rougue domain/workgroup.

The broadcast is limited to the layer 2 subnet that the pc is on. But if you are using WINS or likewise systems in Active Directory it might take some more time to find the culprit.

Regards,
Raymond Zwarts
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21859953
You should be able to get some information from a command line. Use DomainABC as an example domain name:
  nbtstat  -a  DomainABC
Should return a NetBIOS name list which should include a few entries such as:
ComputerName  <00>  UNIQUE
DomainABC         <00>   GROUP
It will also include the MAC address

Then ping the computer name:
     ping ComputerName
and it should return the IP address

Just a start. but it may help if you know the computer name ,MAC, and IP
If you do not get a response from the nbtstat command, or ping, it may be that the machine was temporarily connected to the network, and is no longer present. If that is the case the entry should disappear after a day or so.
0
 

Author Comment

by:jjc_mn
ID: 21867270
nbtstat -a DoaminABC doesn't work.  Is the example correct?

I haven't had a change to try wireshark yet.

0
10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

 
LVL 77

Expert Comment

by:Rob Williams
ID: 21867338
I assume you changed DomainABC to the domain name you are seeing. If it doesn't work it may have a firewall blocking the necessary ports, or possibly more likely it is no longer connected to the network.
0
 

Author Comment

by:jjc_mn
ID: 21867983
I did change the name. I didn't add any slashes, just the name. Does that matter. I am doing this at a workstation, not on a server. There should be no firewall and I do see them in the GUI  Under Microsoft Windows Network.

Can you past an example?
0
 

Author Closing Comment

by:jjc_mn
ID: 31470290
Thanks
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you considered what group policies are backwards and forwards compatible? Windows Active Directory servers and clients use group policy templates to deploy sets of policies within your domain. But, there is a catch to deploying policies. The…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question