Knowing the Angles of NetBIOS Suffixes

Understand <1E>, <1B>, and other NetBIOS suffixes to take advantage of your Windows NT machine.

Mark Minasi

January 31, 1997


Understanding <1E>, <1B>, and other NetBIOS suffixes

Got an NT server that runs TCP/IP? Then try opening up a command line and type

NBTSTAT -A ipaddress

where ipaddress is the server's IP address. Be sure to use the uppercase A, or it won't work. Screen 1 shows the result. See all those names followed by characters in angle brackets? The characters in the angle brackets are important, and exactly why they're important is my topic for this month.

Screen 1 is a dump of all of the NetBIOS names on a server in my enterprise. Look in your Windows Internet Name Service (WINS) server, and ask it to show your WINS database. You'll see something similar to Screen 2. Although NetBIOS names might look odd, they tell quite a bit about a computer.

But first, what is a NetBIOS name? You probably know it as a machine name. One example of a NetBIOS name is the name that you give each computer. Another type of NetBIOS name is the name of a workgroup or domain. In Screen 1, you're looking at a dump of the NetBIOS name table on a machine named ALDEBARAN. It is the Primary Domain Controller (PDC) on TAURUS, one of our domains. Notice that several NetBIOS names on this computer include ALDEBARAN, some have TAURUS, one is the odd looking __MSBROWSE__, and one includes MARKX.

The two kinds of NetBIOS names are unique names and group names. If you call a computer ALDEBARAN, it must assert that it has the name ALDEBARAN and that no one else has that name; the name must be unique. The Microsoft networking world handles the guarantee of uniqueness when you first start the networking software on a computer, during a process called name registration. When a computer says, "I'm registering the unique name ALDEBARAN," it is also saying, "I know somehow that I'm the only ALDEBARAN on this network." In case you're wondering, that uniqueness is part of WINS's job; WINS makes sure that unique names are indeed unique. If you start up two computers that claim the same machine name, the second computer will not be able to register its machine name and won't be able to do anything on the network. On a network without WINS, computers register their names via broadcasts; when a computer starts up, it broadcasts a name registration, saying in effect, "Hey! If anyone out there is named ALDEBARAN, let me know; otherwise, I'm letting everyone know that I'm ALDEBARAN."

NetBIOS also relies on group names. ALDEBARAN might also be part of a domain named TAURUS, and ALDEBARAN wants to assert in some way that it is a member of TAURUS. You can see in Screen 1 that ALDEBARAN has various unique and group names, and they're all registered.

But what do those names mean? NT networking consists of a lot of separate services and functions--you probably already know that the domain controller function worries about security and the browser service worries about making things visible. For ALDEBARAN to be a part of domain security (which, as the PDC, it must), it must register names that make it recognizable to NETLOGON, the program that governs logons. For ALDEBARAN to participate in browsing, it must register a name or names that make it recognizable to other computers' browser services.

NetBIOS names can be 16 characters long. The last value in the name, the 16th byte, appears in angle brackets and represents a hexadecimal value that various Microsoft networking services append to NetBIOS computer names. (Table 1 lists and defines some common 16th-byte values.) So for example, any computer that agrees to potentially be a browser registers its workgroup name by appending a 16th-byte value of <1E>. To NT, that computer is a potential browser. Now, before I go on, I need to explain two things: First, the computer doesn't really register a name with the angle brackets in it; it registers the name followed by a hexadecimal 1E--the angle brackets are just a convenient and easy-to-write convention. Second, you register workgroup name rather than domain name because browsing functions such as Network Neighborhood are built around workgroups, not domains. You never browse a domain; you browse a workgroup. Whenever you create a domain, however, NT automatically creates a workgroup of the same name, and that's why you see TAURUS's registered workgroup name as TAURUS<1E>.

Let's get back to this <1E> name. To control whether your computer agrees to be a potential browser, set the Registry entry MaintainServerList to either Auto or Yes. (Find the entry in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters.) Set the value to No and reboot, and you'll see the <1E> name disappear from your server's NetBIOS name list. Note that workgroupname<1E> is a group name; it can't be a unique name because many machines can be potential browsers.

In each subnet, one machine is anointed the Master Browser; it is identified by a unique name, workgroupname<1D>. Note that ALDEBARAN has registered the group name TAURUS<1E> and the unique name TAURUS<1D>. To the other computers, these names mean this computer is one of many potential browsers for the workgroup TAURUS, and this computer is the master browser for the TAURUS machines on this subnet.

But all the master browsers in a network's subnets must be able to share information, so one master browser becomes the Domain Master Browser, the head bull moose of browsers in a workgroup. (It's called Domain Master Browser, but it's really a workgroup master browser.) That machine registers the name <01><00>__MSBROWSE__<00><01>, and you see in Screen 1 that ALDEBARAN has registered that name as well. Why is it a group name rather than a unique name? Because each workgroup will have its own Domain Master Browser. On my network, for example, we have five domains. Each domain elects a Domain Master Browser, hence we have five <01><00>__MSBROWSE__<00><01> machines. So, MSBROWSE must be a group name.

Domains also use group names. All domain controllers, both primary and backup, register the group name domainname<1C>. The PDC registers a unique name, domainname<1B>. You can see those names in Screen 1--TAURUS<1C> (group name) and TAURUS<1B> (unique name).

I said earlier that one way to think of a NetBIOS name is as the machine name that you give a networked computer. That unique NetBIOS name is the computer's name with a <00> suffix. A machine declares what workgroup it is a member of by registering a group NetBIOS name workgroupname<00>. Microsoft describes these names as being owned by the redirector or workstation service. In Screen 1, you see the unique name ALDEBARAN<00> identifying the machine, and the group name TAURUS<00> identifying the workgroup.

On a Microsoft network, you can send someone a realtime message, as in

net send john01 "please log off"

A part of Microsoft networking, messenger service, accomplishes this task, and the messenger service wants names of its own registered. You can identify those names by the <03> suffix. Not only does ALDEBARAN have a registered messenger service name, but so does MARKX, the name of the user who was logged on to ALDEBARAN at the time. You can send network alerts and messages either to a machine or a user--

net send markx "please log off"

and

net send aldebaran "please log off"


work equally well.

But notice that MARKX<03> is a unique name. Microsoft networking lets you log on as many times as you like to as many machines as you like. So what happens when MARKX logs on at another machine and the machine tries to register unique name MARKX<03>? It fails. But that's no big deal; this situation probably happens to you a dozen times a day, and your computer never complains about it. Failing to register the name means that if you're simultaneously logged on to several machines, you won't necessarily receive any NET SENDs or network alerts sent to your name at the machine where you're currently sitting.

That description covers all the lines in Screen 1 except for ALDEBARAN<20>. The suffix <20> identifies ALDEBARAN as a server, a machine that can share files. You'll see other suffixes on your computers if you run NBTSTAT--RAS servers have <06>, RAS clients have <21>, the Network Monitor uses and , and NetDDE uses <1F>. I hope these explanations make WINS output a little more readable.
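The reading of Screen 1 given above, written as a small parser (an added example, not part of the original article): it maps each suffix and name type in NBTSTAT -A output to the role described here and reports what the host advertises about itself, including logged-on user names. The sample table is constructed from the names the article mentions, and the function names are illustrative.

```python
import re

# (16th-byte suffix, name type) -> role, as the article describes each one.
ROLES = {
    ("00", "UNIQUE"): "machine name (workstation service)",
    ("00", "GROUP"): "workgroup membership",
    ("03", "UNIQUE"): "messenger service name",
    ("20", "UNIQUE"): "server (file sharing)",
    ("1B", "UNIQUE"): "Primary Domain Controller",
    ("1C", "GROUP"): "domain controller (primary or backup)",
    ("1D", "UNIQUE"): "master browser for this subnet",
    ("1E", "GROUP"): "potential browser",
    ("01", "GROUP"): "Domain Master Browser (__MSBROWSE__)",
}

# Constructed sample in nbtstat's table layout, using the article's names.
SAMPLE = """\
    Name               Type         Status
ALDEBARAN      <00>  UNIQUE      Registered
TAURUS         <00>  GROUP       Registered
ALDEBARAN      <03>  UNIQUE      Registered
ALDEBARAN      <20>  UNIQUE      Registered
TAURUS         <1B>  UNIQUE      Registered
TAURUS         <1C>  GROUP       Registered
TAURUS         <1D>  UNIQUE      Registered
TAURUS         <1E>  GROUP       Registered
..__MSBROWSE__.<01>  GROUP       Registered
MARKX          <03>  UNIQUE      Registered
"""

ROW = re.compile(r"^[ \t]*(\S.*?)[ \t]*<([0-9A-F]{2})>[ \t]+(UNIQUE|GROUP)\b", re.M)

def parse_name_table(text):
    """Return (name, suffix, type, role) for each row of the name table."""
    return [(n, s, k, ROLES.get((s, k), "not covered here"))
            for n, s, k in ROW.findall(text)]

def summarize(rows):
    """Condense the table into what the host advertises about itself."""
    def names(suffix, kind):
        return [n for n, s, k, _ in rows if (s, k) == (suffix, kind)]
    host = names("00", "UNIQUE")
    return {
        "host": host[0] if host else None,
        "workgroup": (names("00", "GROUP") or [None])[0],
        "is_pdc": bool(names("1B", "UNIQUE")),
        # <03> names other than the machine's own are logged-on users.
        "users": [n for n in names("03", "UNIQUE") if n not in host],
    }
```

Calling summarize(parse_name_table(SAMPLE)) shows that one unauthenticated name-table query is enough to tell a PDC from an ordinary server and to learn who is logged on.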

Before I Go...
I put together a tool that you might find useful if you're studying for your Microsoft Certified System Engineer (MCSE) exams. It's a Visual Basic program that simulates Microsoft's certification exams. You download the program that administers the exam and a reservoir of exam questions. The tester program will then randomly generate tests for you. You can use these tests to review topics that you'll see on the exam and to practice managing your test time. The program and questions are available for free on my Web site, http://www.mmco.com. Many MCSE preparation sample testers simply tell you which questions you got wrong, not why you got them wrong. My program includes a reference field for each question, with pointers to more information on the subject. I wrote this program and am giving it away because MCSE certification is a necessary evil in this business.

You can help, too. Got a good question for the test? Email me with a question and four or five possible answers (at least one of which is correct). If I include your question in the reservoir, I'll credit you in the reference field. We're preparing NT Server, NT Workstation, and TCP/IP question reservoirs, so if you have a great question, send it off to us and help us help more folks get certified!

TABLE 1: 16th-Byte Character Values for NetBIOS Names

Unique Names (16th Byte): <00>, <03>, <1B>, <06>, <1F>, <20>, <21>

Group Names (16th Byte): <1C>, <1D>, <1E>, _MSBROWSE_

Table adapted from Microsoft Windows NT Server Resource Kit for NT 4.0.
