Question regarding Netbios

Guest

We just put one of our new projects at work under our main directory. The project is on its own separate IP subnet and what is driving me crazy is how they can browse our Domain Controllers on another subnet? This seems weird to me, I was under the impression that NetBios was unable to communicate through routers. Does anyone know how I can keep the users from seeing the Domain Controllers and our mail server?

TIA
Phillip
 
Cary Shultz [A.D. MVP]

Phillip,

NetBIOS is stopped by the router. You would need a WINS Server (or
equivalent) on each Subnet. That is the point of a Master Segment Browser
(each subnet) and a Domain Master Browser (entire domain).

Cary

Phillip said:
We just put one of our new projects at work under our main directory. The
project is on its own separate IP subnet and what is driving me crazy is how
they can browse our Domain Controllers on another subnet? This seems weird
to me, I was under the impression that NetBios was unable to communicate
through routers. Does anyone know how I can keep the users from seeing the
Domain Controllers and our mail server?
 
Herb Martin

Cary Shultz said:
Phillip,

NetBIOS is stopped by the router. You would need a WINS Server (or
equivalent) on each Subnet. That is the point of a Master Segment Browser
(each subnet) and a Domain Master Browser (entire domain).

What Cary said plus....

NetBIOS broadcasts are stopped by the routers by default.

Some routers may have been told to pass them but that isn't
likely today (it was common in the 1990s on local LANs.)

If the two Domain Master Browsers "find" each other, through
broadcasts, LMHosts entries, or by being registered in the same
WINS database they will exchange browse lists by default.

It can be disabled on a per domain basis (but I haven't seen that
dialog setting since NT days.)
 
Dave Shaw [MVP]

To be entirely precise, NetBIOS is not stopped by routers - only NetBIOS
broadcasts are. Most broadcasts, including NetBIOS broadcasts, are blocked,
by default, at router interfaces because router interfaces constitute the
limits of "broadcast domains" - generally understood to be IP subnets.
NetBIOS name discovery is dependent initially upon broadcast. However, once
name discovery has been accomplished, NetBIOS Session traffic (TCP port 139)
can traverse router ports without problem.

To browse a resource requires the Browser Service to be able to span IP
subnets. In Windows Server domains, the DCs function as Master Browsers of
their subnet - meaning, each browser client on that subnet is known to the
Master Browser by means of local broadcasts on UDP port 137 which do not
traverse the router. However, Master Browsers do maintain knowledge of all
other domain controllers (WINS is one way to ensure they have this
information) and, as a result, are able to pass their local browse lists to
the Domain Master Browser (the PDC role holder) via TCP port 139. The
Domain Master Browser then merges the lists it receives from all the Master
Browsers in all the subnets and sends the complete list back to them. That
way, when a Browser client queries a Browser server for a list of resources,
it gets the list of *all* resources, regardless of routers.

There are two commonly used methods for traversing router interfaces with
NetBIOS name services:
- Open UDP port 137 on the router - effectively creating a NetBIOS
broadcast domain with more than one subnet. Name discovery broadcasts will
then span multiple subnets.
- Install WINS somewhere and make all IP hosts WINS clients as well.
Since all WINS clients will register their names and services to the WINS
server via directed datagram, the WINS server will have knowledge of all
WINS clients regardless of subnet location.

You can do a number of things to prevent users from browsing your servers -
but I suppose the question is, what risk are you running by them browsing?
If you have appropriately secured the servers, they won't be able to get to
anything of importance.

-ds
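As an added example (not part of this thread), here is a small decoder for the UDP 137 name-service packets Dave describes, so an admin capturing traffic at the router can see which NetBIOS names and browser roles (Master Browser 0x1D, Domain Master Browser 0x1B) are being queried and whether the B (broadcast) flag is set. The sample packet is constructed inline with a made-up workgroup name.

```python
import struct

NBNS_PORT = 137  # NetBIOS Name Service, UDP

# Well-known 16th-byte name suffixes that matter for browsing (RFC 1001/1002 usage)
SUFFIXES = {0x00: "Workstation", 0x1B: "Domain Master Browser",
            0x1D: "Master Browser", 0x20: "File Server"}


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15 chars padded with spaces + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple:
    """Reverse the first-level encoding; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(trn_id: int, name: str, suffix: int, broadcast: bool = True) -> bytes:
    """Constructed NBNS NAME QUERY REQUEST (opcode 0, RD set, B bit per argument)."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack("!HH", 0x0020, 0x0001))  # QTYPE NB, QCLASS IN
    return header + question


def parse_nbns(pkt: bytes) -> dict:
    """Decode the header and first question of an NBNS packet (UDP payload)."""
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"trn_id": trn_id, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & 0x0010),
            "rcode": flags & 0xF}
    if qdcount:
        length = pkt[12]
        name, suffix = decode_netbios_name(pkt[13:13 + length])
        info.update(name=name, suffix=suffix,
                    service=SUFFIXES.get(suffix, "0x%02X" % suffix))
    return info
```

A broadcast query for a 0x1D name seen arriving on an interface from a different subnet indicates UDP 137 is being forwarded across the router (the first of the two methods above).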
 
Cary Shultz [A.D. MVP]

Dave,

Thank you for the clarification. This is what happens when I try to give
short answers. I left out two important words: broadcasts and typically.
My first sentence should have read "NetBIOS broadcasts are typically stopped
by the router.".

Cary
 
Guest

Thank you! All of your posts were very informative and have helped me better understand NetBios and how it deals with routers.

Phillip
 