Dropping Netbios over TCP?

Hi,

I have a Win2k pc with two network cards (NICs). The first NIC is used to
connect me to the Internet through a DSL router. I have it set up to receive
its IP address/DNS info automatically. It receives an IP address in the
range 192.168.1.x. The automatically assigned default gateway for this NIC
is always 192.168.1.1 and the automatically assigned DNS server is always
192.168.1.2. My internet connection through this NIC works perfectly.

The second network card is used to connect me to my office LAN. I have
assigned it a static IP address of 192.168.3.1 (where all of the PCs on the
LAN also have static IP addresses in the 192.168.3.x range). I did not
assign a default gateway or DNS server for this NIC because I want the other
NIC to be used for getting on the internet.

Anyway, when I start this pc, I run the following command in a .bat file to
map a drive letter (w:) to a share on my 192.168.3.x LAN...

net use w: \\MyServer\MyShare /user:MyServer\netuser password /persistent:NO

...MyServer is another PC on my 192.168.3.x LAN. This command works, but
the log file in my software firewall shows that this command generates both a
DNS query to my DNS server (192.168.1.2) and some netbios traffic.

Please correct me if I am wrong, but what I think is happening is this...My
'net use' command causes the pc to try to resolve the name \\MyServer. It
tries to use DNS, but this can't work because the DNS server (192.168.1.2)
knows nothing about my 192.168.3.x LAN. This causes it to fall back on
netbios for name resolution.

If I am correct in my description of what is happening, then my question is
this....I thought I read somewhere that netbios name resolution is not
necessary in a purely Win2k/XP environment (which mine is). Should I be able
to do away with it in this situation? Is there anything I can do to allow
DNS to resolve names on my 192.168.3.x LAN if I still want to be able to use
the 192.168.1.x NIC to get on the internet?

Any advice will be much appreciated.

Thanks,
Paul
 
Yes, Win2k/XP do not "need" NetBIOS, but they do need a method of name
resolution for YOUR network. If not NetBIOS, then what do they use to find
resources on your LAN?
 
Try this:

Right click My Network Places and select Properties. Click Advanced and
select Advanced Settings. Move the Local Area Connection for the NIC with
IP address of 192.168.3.1 to the top of the binding order.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
 
Thanks Doug...I moved the LAN connection for the 192.168.3.1 NIC up in the
binding order, but I still get the DNS query in the log. If I disable
Netbios over TCP/IP, my 'net use' command no longer works.

You posed the question earlier, but I don't know the answer....Do you know
of anything I can do (hosts file maybe?) that would allow DNS to resolve
names on my 192.168.3.x LAN so that I could disable Netbios over TCP/IP?
 
Since you have static IP addresses on the LAN, an lmhosts file should work.
Use Notepad to edit the lmhosts.sam file in C:\WINNT\System32\Drivers\etc,
and save it as lmhosts. Double check to make sure it is not saved as
lmhosts.txt.

Do not test this by using the ping command. Ping, http, etc are winsock
based and Windows will first look to hosts files and DNS for name
resolution. For UNC drive mappings and all other non-winsock name
resolution requests Windows will try NetBIOS name resolution first and an
lmhosts file entry should prevent the need for a DNS query. Also, with an
lmhosts file you can use the #PRE tag to load the names into the name cache
at startup.

If the lmhosts file does not work, run ipconfig /all on the multihomed
machine and report back with the NetBIOS node type for each adapter. Node
type affects name resolution order and may account for your problem.

As a last resort, change the script to \\IPaddressof MyServer\MyShare

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
 
Making that change to the lmhosts did cut down on the number of outbound DNS
entries resulting in my log file from my 'net use' command, but I still
always seemed to get one. Changing my 'net use' script to reference the IP
address instead of the computer name totally eliminated any DNS entries I was
getting in my firewall log.

Now at least I'm not asking DNS to do something it can't do. Just out of
curiosity, I tried disabling Netbios over TCP/IP thinking that maybe I
wouldn't need it now that I am referencing the IP address instead of the
computer name. This made my 'net use' command not work at all. I got system
error 51 - "The remote computer is not accessible". Does this mean that the
'net use' command absolutely requires NetBios over TCP/IP? Or is there a way
to get it to work without it?

You had asked the node type reported by ipconfig /all. I checked and it is
listed as 'hybrid' under Win2k IP configuration. This setting appears to be
listed once for the computer as a whole and not under the settings for each
individual adaptor.

Thanks again for all your help,
Paul
 
Yes - net use requires NetBIOS, or more precisely TCP Port 139. However, I
don't think you need NetBios to connect by IP address if you simply enter
\\ipaddress\sharename in the run box.

Maybe you cannot change node type on a per adapter basis - I thought there
was a way to do this, but I guess not because node type is configured in the
NetBT parameters key.

In any case, you should be able to disable file and printer sharing and
NetBios on the Local Area Connection for the router adapter while leaving it
enabled on the LAN connection. But I don't know whether this would solve
the problem.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
 
> Yes - net use requires NetBIOS, or more precisely TCP Port 139. However, I
> don't think you need NetBios to connect by IP address if you simply enter
> \\ipaddress\sharename in the run box

So if I want to keep using 'net use', I have to keep NetBIOS over TCP/IP
enabled. The only reason I am using 'net use' is this...

I only have a peer to peer network - no domain, just a workgroup. I have
one pc called \\MyServer that I use as a file server. Being this pc has an
internet connection, I was concerned about security. I removed permission to
\\MyServer\MyShare from the built-in 'Everyone' group, but then users on my
LAN were not able to access the share. To get around this, I created a local
account called 'netuser' on \\MyServer and granted this account permissions
on the share. When anyone on my LAN wants to access this share, I want them
to access it using this \\MyServer\netuser account. I didn't, however, want
them to have to enter credentials to access this share every time they
restarted their PCs. The best thing I could come up with is to create the
.bat file and put it in the startup folder...

net use w: \\MyServer\MyShare /user:MyServer\netuser password

...this works fine, but it requires that I keep NetBIOS over TCP/IP enabled.
I don't have a specific reason why I want to disable NetBIOS. I'm just
trying to see if I can make my LAN as simple and secure as possible, and
hopefully learn a little while I'm at it. You have been unbelievably helpful
already. If you have any opinion as to whether what I am trying to do makes
sense, or if there is a better way to go about this without getting a real
server and setting up a domain, I would greatly appreciate hearing it.

Thanks again,
Paul
 
Better - or at least different way:

1. Re-enable the Everyone group on MyShare.

2. On MyServer go to: Administrative Tools/Local Security Policy. Expand
Local Policies and click on User Rights Assignment.

3. In the right pane double click on Access this computer from the network.

4. Clear the check box for the Everyone and the Users group. Use the Add
button to add the specific user accounts that you want to have network
access to the computer.

The result is that only the users/groups which appear in this User Right
assignment will be able to access the network shares and they can do so
without having to enter their user name or password. On any given share,
you can use the share permissions to deny access to any of the users who
have the network access right.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
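
A way to confirm the result of steps 2 to 4, as an added example that is not part of the original thread: the Python below reads the text of a "secedit /export /cfg" policy export taken on MyServer and reports whether Everyone or Users still hold "Access this computer from the network" (SeNetworkLogonRight). The sample exports and the account names in them are constructed for illustration.

```python
# Principals that steps 2-4 remove from the right, as they can appear in an
# export: by well-known SID (prefixed with "*") or by name.
BROAD = {"*s-1-1-0": "Everyone", "everyone": "Everyone",
         "*s-1-5-32-545": "Users", "users": "Users"}

# Constructed samples of `secedit /export /cfg policy.inf` output on MyServer.
# "netuser" and "paul" are illustrative local account names (assumptions).
BEFORE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""
AFTER = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,netuser,paul
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""

def privilege_holders(inf_text, right="SeNetworkLogonRight"):
    """Return the accounts listed for `right` in the [Privilege Rights] section."""
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip() == right:
                return [p.strip() for p in value.split(",") if p.strip()]
    return []  # a right missing from the export has no accounts assigned

def broad_holders(holders):
    """Name the broad groups (Everyone, Users) that still hold the right."""
    return sorted({BROAD[h.lower()] for h in holders if h.lower() in BROAD})

def audit(inf_text):
    holders = privilege_holders(inf_text)
    return {"holders": holders, "too_broad": broad_holders(holders)}

if __name__ == "__main__":
    # A real export is normally UTF-16: open(path, encoding="utf-16").read()
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```

An empty "too_broad" list means only the accounts added in step 4 (plus any others deliberately left in place) can reach shares on MyServer over the network.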
 