• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 834
  • Last Modified:

Constant NetBT error in Windows XP Event Viewer

Hi Everyone,

We recently installed a new Windows XP file server and keep getting a message in event viewer.  The name and IP under "xxxxx" keeps showing up as every other workstation on the network.  For example, it shows up in the event log as Workstation 1 and it's IP and then a seperate event for Workstation 2 and it's IP, etc.  I've checked the common results on Google and haven't been able to pin-point the problem.  All workstations, included the WinXP file server, are set to DHCP which is assigned by the router.  All are on the same workgroup.  Here is the message:
--------------------------------------------
The name xxxxxx could not be registered on the Interface with IP address *NEW MACHINE'S IP*. The machine with the IP address xx.xx.xx.xx did not allow the name to be claimed by this machine.      
---------------------------------------------

Oddly enough, the network works.  The workstations can all see this machine and browse it's shares, however it keeps racking up tons of these events constantly.  I imagine it's slowing the machine down.  It doens't seem as responsive as it should be for it's specs.  Any help?  Thanks!
0
Jsmply
Asked:
Jsmply
  • 36
  • 15
  • 9
  • +2
3 Solutions
 
Michael_MCDSTCommented:
I admittedly do not have a deep knowledge of the way to resolve your problem but would like to offer what I could find in the hope that I can assist you. Please see the following links here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_24072189.html
http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1
http://www.smartcomputing.com/techsupport/detail.aspx?guid=&ErrorID=21721

Good luck and I wish that I could offer more :)
0
 
JsmplyAuthor Commented:
Thanks.  Haven't been able to narrow it down yet.  I've looked at a lot of the responses but none seem to fit thus far.  Anyone else got any input?
0
 
Michael OrtegaSales & Systems EngineerCommented:
Almost sounds like a NetBIOS issue related to multiple computers fighting over being the Master Browser. Make sure that you don't have more than one Master Browser on your network. It's supposed to be an election process process and 1 machine takes the role, but peer to peers can be a bit inconsistent with this. You can actually just have your filerserver act as the master browser and force all other systems to not be by disabling the feature through the registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters IsDomainMaster=FALSE
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
JsmplyAuthor Commented:
So change that registry key on all the machines that are NOT the XP fileserver/host machine?  Will that disable you from being able to reach shares on the other workstations if they exist?  

Also, if by chance the server machine (that will be the only master browser) is turned off, what will occur to the other machines?
0
 
knightrdCommented:
Was this machine renamed? One quick idea is to run a quick "nbtstat -R" on some of the machines that are generating the error.
0
 
JsmplyAuthor Commented:
Well only one machine is generating the error (the new XP file server) but the old server was renamed to be a normal workstation when the new server (which is the one that gets these errors) was donated.  The new machine is the only one getting them.  
0
 
knightrdCommented:
What I was thinking was that if you run the nbtstat -R command on the client computers, it might cause them to stop sending information that is generating the error on the new server.
0
 
JsmplyAuthor Commented:
Will try now.  Thanks
0
 
Michael OrtegaSales & Systems EngineerCommented:
You would want to make the reg change on all computers execpt the fileserver (which would act ask your master browser). It would not prevent any of the client computers from accessing shares on the fileserver or on each other. It just forces the peer to peer network to keep one cached record of all computer names on the network stored on the fileserver. This prevents 2 or more machines from competing as the master browser and causing resolution or netbios registration conflicts.

MO
0
 
JsmplyAuthor Commented:
nbtstat -R didn't do the trick.  The server still throws the errors when it restarts.  I haven't tried the master browser yet.
0
 
JsmplyAuthor Commented:
I think the issue is with the server machine.  I've turned the other machines off and rebooted the server and the server still throws those errors about two of the workstations.  
0
 
Michael OrtegaSales & Systems EngineerCommented:
Could be an A/V issue. Have you tried disabling A/V?

MO
0
 
JsmplyAuthor Commented:
It's norton internet security.  I could try it, it's usually a pain to get to disable though.  Will try now.
0
 
JsmplyAuthor Commented:
Tried disabling each of it's 234924 features now for 15 minutes and restarting.  It seems the easiest way to trigger the event is upon a restart of the server machine.  After that, it shows up spuradically every few minutes or so.
0
 
Michael OrtegaSales & Systems EngineerCommented:
I never recommend putting anything product "Internet Security" on a machine that is sharing resources. I would remove Norton IS with the Norton Removal Tool and put just play old Norton Antivirus 2010 on it.

MO
0
 
JsmplyAuthor Commented:
Any idea if the licenses interchangeable?  Like i said, this is a charity client and there budget is very small for tech purchases.  They got NIS donated.
0
 
JsmplyAuthor Commented:
Interesting, checked one of the workstations throwing the error.  IsDomainMaster is already set to false?  Is it by default?
0
 
JsmplyAuthor Commented:
Running out of ideas.  I even tried changing the name of one of the workstations to a new name and rebooted it.  Sure enough, now the server machine throws the error in the log with the new machine name.  So it is picking it up from the workstations.

Now remember, this XP file server replaced a different machine on the network and was given the same name (and the previous XP file server was changed to a different name as well).  Any chance the workstations are referencing the old machine somewhere in the registry?
0
 
JsmplyAuthor Commented:
That might have done it!   I followed the tip here http://www.tomsguide.com/us/how-to-xp-share-fix,review-215-7.html and changed the "Maintain Server List" key to "No" on the workstations that are not the XP FileServer machine and restarted and no errors so far!  I didn't make the "Maintain Server List" key say "Yes" on the main XP machine, I just left it to auto as the cited website didn't say to make it say "Yes."  I assume if the others are set to "No" then "Auto" elects this machine?

Only odd thing is in NIS now the network map shows all the Pc's as "NEW PC" instead of by their names.  However, the network seems to be up!  Might close this out.  Thanks!  Going to restart all machines and check!
0
 
JsmplyAuthor Commented:
::Bangs head::

Upon restart, the errors are back.  If the other workstations are set to "no" and you restart the server.  Who picks up as master browser?  Truly running out of ideas.
0
 
Michael OrtegaSales & Systems EngineerCommented:
The fileserver is the only one left to make the election so it would elect itself as the master browser. All other machines have no say if it's turned off in the registry. Sorry, my previous post I pointed you to the wrong registry key. I meant to point you to the one that you found in the link you used.

MO
0
 
JsmplyAuthor Commented:
Thanks. Still can't find an answer though. But workstations were set to "No" for the maintainserverlist key. I used nbstat to verify the xp server machine is now the master browser. Oddly, I also noticed the xp server machine had a different workgroup name. Not sure how we overlooked that. Regardless they now match but that didn't help either.

If its noteworthy, the errors come every 10 minutes, and always come in pairs (one referencing each workstation).
0
 
knightrdCommented:
I'm a little curious about one thing. From what I understand you basically had an XP machine that was the server, but you decided to make a different or more powerful machine the XP server.

By any chance have you looked back in the logs on both the new and old machine to verify when the error started? I'm just asking because it's bad to assume things and although you've done a lot I want to make sure that you've definitely done this.

I have some other ideas - maybe a little bit unusual ideas.... but here goes:

If you just happen to find out that it was in fact happening on the old server then it might be your switch or router. Perhaps it would require a firmware update. If the firmware is updated, you could try changing the duplex settings on your NIC's. You can check them by going to:

Start > Run > type in "control sysdm.cpl" > click OK (or just right click My Computer and click "Properties"
Click the Hardware tab
Click Device Manager
Expand your "Network adapters" category and double click on the primary NIC of the machine
You should have an "Advanced" tab or a tab that lists various advanced settings available to the NIC, the settings available can vary from machine to machine, but you should having something like "Speed & Duplex" or "Duplex".

So the Duplex settings tend to be set to "Auto", but sometimes changing them to a different setting can help. I've run into a few situations where I had to bump a computer down to 10Mbps. It may even list some settings as Half Duplex or Full Duplex. What these basically mean:

1) Half Duplex mode - the NIC can only communicate in one direction at a time (upload or download, but not both)
2) Full Duplex mode - the NIC can communicate in both directions at the same time (upload and download concurrently)

Legacy Ethernet is Half Duplex and there's a possibility that it is more compatible. If you only have access to Auto / 100 Mbps / 10 Mbps, just go with 10 Mbps to see what that does. Heck if the hardware is recent, you probably have a Gbps setting. If so it might be overloading the switch or trying to communicate too fast compared to the rest of the machines.

Let me know your thoughts... it's possible that none of this will help.
0
 
JsmplyAuthor Commented:
Thanks. The error I believe started on the new machine, not the old one. You are right, the newer more powerful machine was made the "server" but with the same unc name so the workstations would not have to be re-done. I'm wondering if someplace somewhere the other workstations are referencing the old machine as "server" for the PC name.  The shares and printers were brought straight over in the registry from the old server machine to the new one. That's what spawned this thought.
0
 
JsmplyAuthor Commented:
Okay, I have a possibly relevant update.  I was at a totally different location today who happens to have the same ISP provided router (Netopia) and they were getting the same errors in the event log.  I'm starting to wonder if it could be router related???  

If that's the case, the only question now is why at the site in question in this thread, it only shows up on the new machine (that is the file server)?  Could it be specific enough something in the NIC driver gets tripped by the router?  Weird . . .
0
 
JsmplyAuthor Commented:
I was curious about the AV on that other machine (in a different office, totally different network) that was throwing the same error with that same router/ISP combination.  It is also Norton, but it's not NIS.  It's just plain old Norton Anti-Virus.  Hmmm . . . the plot thickens worse.
0
 
dnebraskiCommented:
Does your server have more than one network card in use?
0
 
JsmplyAuthor Commented:
Nope, just a single NIC in use.
0
 
dnebraskiCommented:
What's the exact error code you are getting in the event viewer?
0
 
JsmplyAuthor Commented:
The actual error code is Event ID 4321.  I've googled it EXTENSIVELY and although there are a lot of similiar messages, most of the time it's on a DC and none of the responses I've seen have helped (as you can see from all my responses above).

The error occurs every 10 minutes consistently filling the system event log.  It occurs for ANY WORKSTATION THAT IS CURRENTLY TURNED OUT, just with a different workstation name and IP address.  They occur at the same time.  Meaning, every ten minutes, whichever of the other three workstations are on throw this error.  If all three other workstations are on, the event log gets three entires every 10 minutes.
 
Again, the only other thing worth pointing out is that this XP machine that acts as the server was installed as a replacement for a previous XP machine that acted as the server.  The shares were all imported from the registry in the old file server into the new one.  I'm wondering if by chance, something someplace is referencing something different that these workstations are seeing?  At this point, I've tried everything and so have the other professionals on here, to no end.  It doesn't seem to effect the ability of the shares to work, but it's literally flooding the event log every 10 mintues all day, so that can't be a good thing.  

Event 4321

The name *INSERT-WORKSTATION-NAME-1-2-OR-3-HERE* could not be registered on the Interface with IP address *SERVER-MACHINE-WITH-THESE-ERRORS-IP-ADDRESS*. The machine with the IP address *INSERT-WORKSTATION-NAME-1-2-OR-3-IP ADDRESS*  did not allow the name to be claimed by this machine.      

Open in new window

0
 
knightrdCommented:
At this point the only thing I can think of, that hasn't been mentioned, is a packet sniffer such as Wireshark or Ethereal. There's definitely some learning curve involved, but it will probably make it a little bit easier if you shut down unneeded network applications running on the packet sniffing machine.
0
 
knightrdCommented:
Here's a reference for the NetBIOS information you can capture with Wireshark:

http://www.wireshark.org/docs/dfref/n/netbios.html

You might have to dig into the NetBT protocol a bit to figure out what is going on. At least with a packet sniffer you should get a better idea of the source of the problem.

If that sounds too complicated, how many computers are using thie XP machine as a server? I'm thinking that it's a small workgroup because of the file sharing limitations of XP. Have you considered renaming the server and creating new mappings on the client machines?
0
 
JsmplyAuthor Commented:
I've thought about doing that (renaming the server).  I'm not sure if it would help though, not sure where the issue is really coming from . . . if it's the face the old machines are referencing a name that belonged to a different machine or what it is.  Wouldn't adding a new workstation to the network and seeing if it throws errors for that do the same thing?  I have a freshly formatted workstation that didn't exist on that network with the old server.  
0
 
knightrdCommented:
The million dollar question is where is the issue coming from. That's why I suggested the packet sniffer idea. Your idea is fine, but it may not give a definitive answer . It's equally valid to try your idea and it makes sense to go through more simple steps if they are an option.

I've been reading over the NetBT RFC's (http://www.ietf.org/rfc/rfc1001.txthttp://www.ietf.org/rfc/rfc1002.txt) and it's a pretty funky standard.  What we know is that at least one thing definitely changed, which is that the server was replaced by another machine. However, this tends to be negated by the fact that you have another location with the exact model of router at the problem location AND both locations have similar errors.

You said that you believe the errors started because of the new machine, but that doesn't explain why the other location would have the same type of events in the event log. I'm just wondering what would happen if you swapped out the router for another router or switch, just temporarily, to see if it changes the events in the event log. A network device like a router or switch can conceivably cause strange errors due to problems with the firmware.

I also don't see anything in the discussion that proves the error didn't exist before. I've re-read the notes, please feel free to correct me if I'm wrong. The only way to know for sure would be examine the logs from the former server. I don't know if that machine is still available with the original data or not.
0
 
JsmplyAuthor Commented:
Okay new information (and answers to your questions):

1. I just installed a new workstation on the network, mapped network drives to the server, installed network apps, etc.  The server machine does NOT log this error for this new workatstion.  That makes me wonder . . . could there be something on the old workstations that existed on the network with the "old server machine" that could be causing it to be confused with the new machine there?  

2. We did install a new router from the ISP, same exact errors.

3. The situation at the other site is a mute point I believe.  While it DID occur there, it was just random and happened once in several weeks.  It happens on this machine every 10 minutes.

4. We tried changing the AV software and going back to the Windows firewall on the machines, no dice there either.  
0
 
knightrdCommented:
In that case I would say that you need to look at those client machines. Have you tried anything like running the "netsh winsock reset" command? I didn't see it in the suggestions above. From my past use of the command I think you need to reinstall your firewall product if you run the command... be forewarned. The reason being is that it will probably silently disable the firewall behind the scenes, although the firewall product may appear to be working.

http://support.microsoft.com/kb/299357

There is a Microsoft FixIt tool in there that basically does the same thing as the "netsh winsock reset" command. Back in the old days it was pretty common to have to delete all protocols from the network adapters and enable or install them again.
0
 
JsmplyAuthor Commented:
Haven't tried that one yet.  We are using windows xp firwall on those machines.  Will it need to be reinstalled?
0
 
knightrdCommented:
No, in that cause toggling it off/on should suffice.
0
 
JsmplyAuthor Commented:
So just run that command from a command prompt on the workstations in question?  Will it disable there internet connection?  I ask because since this is a charity client, unless we have a major problem we do all work on there machines remotely via LMI.  
0
 
JsmplyAuthor Commented:
Also, I looked at the link you sent.  It seems to mention the following commands though, not the Winsock command?

netsh int ip reset c:\resetlog.txt
netsh int ip reset resetlog.txt
0
 
knightrdCommented:
It won't kill the network stack in any case I've ever run into. No special steps have to be taken to enable networking again. It does require a reboot which you'll need to do via the Start menu or the shutdown command, so you'll have to allow time for rebooting and LMI to load.

Just to test it I used LMI to reboot an XP Pro fax server machine that is almost never used by one of my clients. No problems.
0
 
JsmplyAuthor Commented:
So hold on, after the command is issued, will it kill the internet connection prior to the reboot?  If so, wouldn't it need to be rebooted on-site?

Or do you mean you tested the command and then rebooting on a clients machine?
0
 
knightrdCommented:
My goof. "netsh winsock reset catalog" is what I use when there are connectivity problems, usually from malware. It won't hurt the machine, but that is the one that screws up the LSP's... and requires reactivation of the firewall product.

The "netsh int ip reset resetlog.txt" is a related command, but that is what I should've typed. I did one command, rebooted, then did the other, rebooted, and LMI is fine.
0
 
knightrdCommented:
I did everything remotely. Nothing happens automatically as far as disconnect or reboot. The changes don't take effect until the machine is rebooted.
0
 
JsmplyAuthor Commented:
Okay great.  So should I run those two commands seperately, or just run the MS tool?
0
 
knightrdCommented:
I believe in testing things one thing at a time as much as possible. The FixIt tool is just handy because those relatively recent additions to Microsoft's Support site automate a lot of things. In this case either way is fine, but I like the handy downloads for the more complicated fixes (like resetting the print spoolers) because some fixes require modifying 20 registry keys and that's error prone.
0
 
JsmplyAuthor Commented:
Just ran the MS file on two workstations to test.  We were able to restart it okay, but still throwing the errors in the "server machine" event viewer.  =\
0
 
dnebraskiCommented:
What is evident from the error code is that for some reason your network thinks it has multiple machines with the same name, and that is what's being reported in the error code. I suggest you take the server off line and boot up all workstationsone at a time. Look at the system logs in the workstations to see if there are event id:4321 there.  You may have a bad switch, port or cable somewhere.   Let me know what you find. BTW, how exactly are you connected to the remote site location?
0
 
JsmplyAuthor Commented:
Just to clarify, the individual workstations do NOT throw this code in their event viewers.  That is the strange thing.  The "server machine" is the only one logging these errors.  Does that help at all?

Remote connection is via LMI
0
 
knightrdCommented:
I'm still recommending trying to rename the server and reconnect the shares.
0
 
dnebraskiCommented:
I think I know the answer already, but the machine you call server isn't acting as a WINS server?
0
 
knightrdCommented:
Windows XP can't act as a WINS server.
0
 
dnebraskiCommented:
I agree there is no service, but you could have an IP stack mistakenly configured with WINS enabled. Just a thought.
0
 
JsmplyAuthor Commented:
Hi Everyone,

Okay here is an update.  Tried renaming the XP server machine.  It still threw the error in the event log under the new name.  Since it did not solve the error, we changed it back to the original name as for some reason the machine ran slow and the Windows firewall came up as disabled and unable to start when the name was changed.  

Wins is not enabled on the server machine.  

Again something that may be noteworthy, we have had that new workstation on the network for a few days now and it has mapped network drives to the server machine like all the others . . . but nothing is getting logged on the server machines error log referencing this new workstation.  We also tried turning OFF one of the workstations that gets referenced in the error log on the server machine, and sure enough those errors stopped for that machine (until we turned it back on).  So anotherwords, the server gets a separate error (all every 10 minutes) for any of the original workstations on the network when they are turned on.  If they are turned off or the new workstation is on, the server logs no error events referencing them.

Wouldn't that lead me to believe the cause might be stemming from the workstations someplace?  Even though there error logs are clean.  ?
0
 
dnebraskiCommented:
On what part of your network is the new workstation located? Try, turning off one of the problem computers, and then rename the new problem free workstation the same as the one you just turned off.
If you get errors the problem is the shared peer server, but if you don't the problem is in the workstation.
0
 
JsmplyAuthor Commented:
Okay, I can try that after hours.  However, I did try renaming one of the old workstations (that is referenced in the event viewer on the peer server) and the peer server then throws the same error but with the new name for the old workstation.  Would that do the same thing (but in reverse)?

One thing I noticed, when logging into a renamed machine via LogMeIn, it shows "Computer Name:  newname" but then it shows "Connecting as: oldname\username"  

Is that relevent at all? Is there someplace else it could be pullling a name from that needs to be updated other than a simple right click on my computer, go to computer name, and click change?  
0
 
dnebraskiCommented:
I think you 've proven your error is related to something other than the machine netbios name and to netbios itself.  I've seen this error on multihomed servers where you have two network cards connecting a domain controller to two different lan segments. There is a netbios broadcast that gets duplicated on the two segments and the browse master logs it.

It really didn't slow the system down much. It just filled the log with the 4321 enties.

If everything else is working alright, you might just have to get used to seeing those enties and turn your focus and energy to more important work. Sorry I couldn't be more help.
0
 
JsmplyAuthor Commented:
Thanks.  Anyone have any ideas of where we can look on the other workstations before giving up?  It literally fills the event log.  
0
 
knightrdCommented:
Maybe look at some of the accounts and groups on the server and on some of the computers. See if there are any strange references there.
0
 
JsmplyAuthor Commented:
What are you thinking to look for exactly?  Just looks like the normal users under user accounts in control panel.  
0
 
JsmplyAuthor Commented:
Well we will know soon enough if it's OS related.  This machine is getting formatted and turned into a Windows 7 Pro machine in the next 48 hours.  I'll postback with the results then and close this out!
0
 
dnebraskiCommented:
I'm not certain changing OS will do the trick since the errors you are experiencing, I have seen on Mutlti-homed NT 4.0, Windows 2000 server and 2003 server. It's related to TCP netbios discovery broadcasts/ messages. You could try turning off netbios, but that could cause other issues depending on the type of software and services you run. Good luck on the upgrade. Let me know if it works.
0
 
JsmplyAuthor Commented:
Thanks everyone.  Upgrading the OS did the trick!  It actually wasn't an upgrade, but a clean install.  The enviroment hasnt' changed and as a Windows 7 machine it was given the same name as the Win XP file share machine was given.  For whatever reason, those errors don't show up anymore and everyone is getting along just fine in the network.  I wish we would have had an answer, but either way we are happy with the result.  Thanks again for everyone following.  If anyone ever sovles this, post the answer here for educational purposes!
0
 
JsmplyAuthor Commented:
How should we handle the points on this one?  Can I divide them up among everyone trying to help, or is it better to not accept a solution?
0
 
dnebraskiCommented:
Thanks for the update. It's nice to know you can move on. Hurray for Windows 7! I'll take a few points, I'm trying to get a free subscription.
0
 
JsmplyAuthor Commented:
Divided the points up among all those who stuck with the thread.  Thanks everyone!
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

  • 36
  • 15
  • 9
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now