Understanding <1E>, <1B>, and other NetBIOS suffixes
Got an NT server that runs TCP/IP? Then try opening up a command line and
type
NBTSTAT A ipaddress
where ipaddress is the server's IP address. Be sure to use the
uppercase A, or it won't work. Screen 1 shows the result. See all those names
followed by characters in angle brackets? The characters in the angle brackets
are important, and exactly why they're important is my topic for this month.
Screen 1 is a dump of all of the NetBIOS names on a server in my enterprise.
Look in your Windows Internet Name Service (WINS) server, and ask it to show
your WINS database. You'll see something similar to Screen 2. Although NetBIOS
names might look odd, they tell quite a bit about a computer.
But first, what is a NetBIOS name? You probably know it as a machine name.
One example of a NetBIOS name is the name that you give each computer. Another
type of NetBIOS name is the name of a workgroup or domain. In Screen 1, you're
looking at a dump of the NetBIOS name table on a machine named ALDEBARAN. It is
the Primary Domain Controller (PDC) on TAURUS, one of our domains. Notice that
several NetBIOS names on this computer include ALDEBARAN, some have TAURUS, one
is the odd looking __MSBROWSE__, and one includes MARKX.
The two kinds of NetBIOS names are unique names and group names. If you call
a computer ALDEBARAN, it must assert that it has the name ALDEBARAN and that no
one else has that name; the name must be unique. The Microsoft networking world
handles the guarantee of uniqueness when you first start the networking software
on a computer, during a process called name registration. When a computer says,
"I'm registering the unique name ALDEBARAN," it is also saying, "I
know somehow that I'm the only ALDEBARAN on this network." In case you're
wondering, that uniqueness is part of WINS's job; WINS makes sure that unique
names are indeed unique. If you start up two computers that claim the same
machine name, the second computer will not be able to register its machine name
and won't be able to do anything on the network. On a network without WINS,
computers register their names via broadcasts; when a computer starts up, it
broadcasts a name registration, saying in effect, "Hey! If anyone out there
is named ALDEBARAN, let me know; otherwise, I'm letting everyone know that I'm
ALDEBARAN."
NetBIOS also relies on group names. ALDEBARAN might also be part of a
domain named TAURUS, and ALDEBARAN wants to assert in some way that it is a
member of TAURUS. You can see in Screen 1 that ALDEBARAN has various unique and
group names, and they're all registered.
But what do those names mean? NT networking consists of a lot of separate
services and functions--you probably already know that the domain controller
function worries about security and the browser service worries about making
things visible. For ALDEBARAN to be a part of domain security (which, as the
PDC, it must), it must register names that make it recognizable to NETLOGON, the
program that governs logons. For ALDEBARAN to participate in browsing, it must
register a name or names that make it recognizable to other computers' browser
services.
NetBIOS names can be 16 characters long. The last value in the name, the
16th byte, appears in angle brackets and represents a hexadecimal value that
various Microsoft networking services append to NetBIOS computer names. (Table 1
lists and defines some common 16th-byte values.) So for example, any computer
that agrees to potentially be a browser registers its workgroup name by
appending a 16th-byte value of <1E>. To NT, that computer is a potential
browser. Now, before I go on, I need to explain two things: First, the computer
doesn't really register a name with the angle brackets in it; it registers the
name followed by a hexadecimal 1E--the angle brackets are just a convenient and
easy-to-write convention. Second, you register workgroup name rather
than domain name because browsing functions such as Network Neighborhood
are built around workgroups, not domains. You never browse a domain; you browse
a workgroup. Whenever you create a domain, however, NT automatically creates a
workgroup of the same name, and that's why you see TAURUS's registered workgroup
name as TAURUS<1E>.
Let's get back to this <1E> name. To control whether your computer
agrees to be a potential browser, set the Registry entry MaintainServerList to
either Auto or Yes. (Find the entry in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters.) Set
the value to No and reboot, and you'll see the <1E> name disappear from
your server's NetBIOS name list. Note that workgroupname<1E> is a
group name; it can't be a unique name because many machines can be potential
browsers.
In each subnet, one machine is anointed the Master Browser; it is
identified by a unique name, workgroupname<1D>. Note that
ALDEBARAN has registered the group name TAURUS<1E> and the unique name
TAURUS<1D>. To the other computers, these names mean this computer is one
of many potential browsers for the workgroup TAURUS, and this computer is the
master browser for the TAURUS machines on this subnet.
But all the master browsers in a network's subnets must be able to share
information, so one master browser becomes the Domain Master Browser, the head
bull moose of browsers in a workgroup. (It's called Domain Master Browser, but
it's really a workgroup master browser.) That machine registers the name <01><00>__MSBROWSE__<00><01>,
and you see in Screen 1 that ALDEBARAN has registered that name as well. Why is
it a group name rather than a unique name? Because each workgroup will have its
own Domain Master Browser. On my network, for example, we have five domains.
Each domain elects a Domain Master Browser, hence we have five <01><00>__MSBROWSE__<00><01>
machines. So, MSBROWSE must be a group name.
Previous
Register
