mystery rogue browser master on subnet

  • Thread starter Thread starter The AceyMan
  • Start date Start date
T

The AceyMan

Our network is: Windows Server 2003 functional level, using 3 DC's,
two are running DNS. No local WINS installed, but WINS is available
as a network service from an upstream server.

While trouble shooting some DNS issues, I found that the 'PDC'
(FSMO/GC) was not the browser master on the network segment that all
the DC's are on.

What's worse is that I cannot ID the host that has taken the role.

The NETBIOS name that is returned when I do: browstat status <domain>
has no match in DNS. I cannot browse with \\NAME or ping it.

Browstat also shows it as the registered PDC.

Result of: browstat getpdc 1 domain

PDC: FMI1D5201C8EE5E

Result of: browstat status 1 domain

Status for domain MYDOMAIN on transport
\Device\NetBT_Tcpip_{6CD201CE-A2B8-4AC9-B97D-B56304443CC5}
Browsing is active on domain.
Master browser name is: FMI1D5201C8EE5E
Could not connect to registry, error = 53 Unable to determine
build of browser master: 53
Unable to determine server information for browser master: 53
3 backup servers retrieved from master FMI1D5201C8EE5E
\\SERVER1
\\SERVER2
\\SERVER3
Unable to retrieve server list from FMI1D5201C8EE5E: 53


This mystery host did appear in an nbstat -n at one point:

FMI1D5201C8EE5E<20> UNIQUE Registered


So -- how do I find what/where this mystery browser master is?

I even looked through every visible domain/workgroup in My Network
Places / Microsoft Windows Network, but didn't see any names that
matched what browstat tells me.

I'm almost suspecting its a OSx or Linux samba box, but I really don't
know. Alternately, is there any way to force my GC/DC to be the
browser master for this network segment or at least get my clients to
ignore what this mystery host is doing?

Thanks in advance for any tips.

--The AceyMan
 
Our network is: Windows Server 2003 functional level, using 3
DC's, two are running DNS. No local WINS installed, but WINS is
available as a network service from an upstream server.

While trouble shooting some DNS issues, I found that the 'PDC'
(FSMO/GC) was not the browser master on the network segment that
all the DC's are on.

What's worse is that I cannot ID the host that has taken the role.

The NETBIOS name that is returned when I do: browstat status
<domain> has no match in DNS. I cannot browse with \\NAME or ping
it.

Browstat also shows it as the registered PDC.
Click to expand...
[...]

One computer with a firewall in place can cause problems like this.
Sometimes the following procedure works for me:

1) Force a new browser election on the domain with the command:
browstat el <ifce> <domain>

2) Do periodic "browstat gm <ifce> <domain>" commands over the next
10-15 minutes hoping that a legit browse master shows up. If it
does, then

3) Do a "browstat vw <ifce> \\<master> 0x40000000"
This should list all devices on your local subnet. Look for the
"MBR" status. If you see more than one of these in the list, then
one of the machines is your problem machine.

---------

Another way to find the browse master is to scan your subnet for all
active devices then issue the following command for each IP address
that is active (note capital A):

nbtstat -A <ip address>

If you see a return with the line "..__MSBROWSE__" than that machine
thinks it is a browse master.
 
Dear Group, John-

After spending another few hours on this, I found out who this
"mystery" browswer master was -- its our PDC (FSMO,GC,DC)

So no wonder its showing as the browser master and PDC. But why it is
regestering that crazy NetBIOS name, I have no idea. And that there
was an error when I did: browstat status DOMAIN

Unable to determine server information for browser master: 53

indicated something wasn't right.

I figured out that the strange name is being registered to the NetBIOS
field <20> which according to the doc's is the handle for the "Server
Service". Now I understand why I was seeing what I was seeing, but I
still don't know why this name is bound to the server service, nor how
to change it.

I ended up stopping the browser on the PDC, and stopped the "Server"
service, and then using the browstat elect to force an election. One
of the other DCs became master. Then I bounced the PDC cleanly, and
after it came back up and there was a re-election,

browstat getpdc <if> <domain>

and

browstat status <domain>

both are right (aka, what I expect.)

Oddly, if I do an

nbtstat -A <ip of PDC>

that bizarre name for the server service is still registered. At
least now it's not hurting me, so I have time to figure out where it's
getting that name from.

If anyone knows how to manually rename or change the registered
NetBIOS name for that service, feel free to help with a follow up
post.

Props to John for giving me something to work with.

Oh, and nbtstat and browstat are a NT admins best friend :-)

--AceyMan




Our network is: Windows Server 2003 functional level, using 3
DC's, two are running DNS. No local WINS installed, but WINS is
available as a network service from an upstream server.

While trouble shooting some DNS issues, I found that the 'PDC'
(FSMO/GC) was not the browser master on the network segment that
all the DC's are on.

What's worse is that I cannot ID the host that has taken the role.

The NETBIOS name that is returned when I do: browstat status
<domain> has no match in DNS. I cannot browse with \\NAME or ping
it.

Browstat also shows it as the registered PDC.
Click to expand...
[...]

One computer with a firewall in place can cause problems like this.
Sometimes the following procedure works for me:

1) Force a new browser election on the domain with the command:
browstat el <ifce> <domain>

2) Do periodic "browstat gm <ifce> <domain>" commands over the next
10-15 minutes hoping that a legit browse master shows up. If it
does, then

3) Do a "browstat vw <ifce> \\<master> 0x40000000"
This should list all devices on your local subnet. Look for the
"MBR" status. If you see more than one of these in the list, then
one of the machines is your problem machine.

---------

Another way to find the browse master is to scan your subnet for all
active devices then issue the following command for each IP address
that is active (note capital A):

nbtstat -A <ip address>

If you see a return with the line "..__MSBROWSE__" than that machine
thinks it is a browse master.
Click to expand...
 
Back
Top