Need TCP NetBIOS Helper to Access Active Directory Server

W

Will

On Windows 2000 machines on our network, if you look up the Active Directory
name with:

nslookup corp.mydomain.com

this resolves to the IP address of the Active Directory server. If
however you simply try to access it directly with:

dir \\corp.mydomain.com\sysvol

this fails with a message that the location cannot be resolved.

As soon as you turn on the TCP/IP NetBIOS Helper service, now you are able
to access the AD server using its fully-qualified DNS name. Why in the
world would you need a NetBIOS Helper service to locate an AD server using
its direct DNS name? At very least that creates a security problem
doesn't it? Even with NTLM disabled, does the file service still use some
form of NETBEUI protocol? What specific components within TCP/IP NetBIOS
Helper service do we need here?
 
K

Kevin D. Goodknecht Sr. [MVP]

Will said:
On Windows 2000 machines on our network, if you look up the Active
Directory name with:

nslookup corp.mydomain.com

this resolves to the IP address of the Active Directory server. If
however you simply try to access it directly with:

dir \\corp.mydomain.com\sysvol

this fails with a message that the location cannot be resolved.

As soon as you turn on the TCP/IP NetBIOS Helper service, now you are
able to access the AD server using its fully-qualified DNS name.
Why in the world would you need a NetBIOS Helper service to locate an
AD server using its direct DNS name? At very least that creates a
security problem doesn't it? Even with NTLM disabled, does the file
service still use some form of NETBEUI protocol? What specific
components within TCP/IP NetBIOS Helper service do we need here?
Click to expand...

There are a lot of questions like that, the only answer I can give you is
the TCP/IP NetBIOS helper service is required to access DFS shares. Which
means of course it is required to access Group Policies, since Group
Policies are located in the domain DFS share.
 
W

Will

So what security holes are we creating by running TCP/NETBIOS
Helper on each computer in our domain?
 
K

Kevin D. Goodknecht Sr. [MVP]

Will said:
So what security holes are we creating by running TCP/NETBIOS
Helper on each computer in our domain?
Click to expand...

None that I know of.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

TCP/IP NetBios Helper Service required for server on DNS-only domain 3
Netbios over TCP/IP 11
TCP/IP NetBIOS Helper Service is missing! 5
TCP/IP Netbios Helper - Causes computer to freeze 3
DNS Server and Active Directory 12
Re: "Windows cannot access the file gpt.ini for GPO" - Events 1058 and 1030 on XP client only 1
Netbios names with IP 6
DNS Server with Netbios over TCP/IP disabled? 2

Top