
MRxSmb error 8003: the Ghost Computer



Guest Massimo
Posted

I've been getting these errors for a while on a Windows 2003 domain

controller, stating a certain machine believes it's the master browser for

the domain, and forcing an election; the errors are recurring, and I'd like

to track them down.

 

I've looked around for a while, and the main reasons for this error seem to

be 1) routers improperly forwarding UDP packets and/or broadcasts, and 2) a

wrong subnet mask on the client computer that's causing the error.

 

The cause can't be 1), because the network is flat and there isn't any

router around (apart from the default gateway); so it must be 2).

 

The problem: I have the NetBIOS name of the computer that's causing troubles

(it's reported in the error event), but I don't have its IP address; the

machine doesn't appear to be active on the network, as this name can't be

resolved using NetBIOS; it isn't registered in our DNS, nor is it in our

WINS servers; it also isn't a domain member, although it looks like it's

using a workgroup name identical to the domain's NetBIOS name.

 

If we had the machine's IP address, we could track it on our switches... but

we don't have it. We think this could be some test machine (maybe virtual),

which is being started and stopped often, and isn't active anymore when we

try investigating the errors.

 

How can we find this computer?

 

Any suggestion is welcome.

 

 

Massimo

Posted

Re: MRxSmb error 8003: the Ghost Computer

 

Hi, I'm a colleague of Massimo.

 

"Ace Fekay [MVP Direcrtory Services]" wrote:

> What I suggested is to put a DC on that subnet, which eliminated the errors.

 

The problem is that we don't know the subnet (no ip, no subnet).

> It could also be a machine that is being booted, then shut down. Maybe a

> laptop? Maybe a wireless laptop? If it is not in WINS, it may not have a WINS

> entry in its IP properties. Did you or someone else ever have a test

> machine up that named the workgroup the same as your domain?

 

Maybe, we don't know. Our network is pretty large.

> It could also be a joined machine. Is there an entry in the Computers Container in

> AD for it?

 

No.

 

 

Two questions:

 

1) Is it possible to make the system log register the IP instead of the

netbios name?

2) What does it mean the "{7AD13997-56F6-4693" part in the error message?

 

"The master browser has received a server announcement from the computer

MACCHINA1 that believes that it is the master browser for the domain on

transport NetBT_Tcpip_{7AD13997-56F6-4693. The master browser is stopping or

an election is being forced."

 

Thank you in advance.

Guest Massimo
Posted

Re: MRxSmb error 8003: the Ghost Computer

 

"fdb" <fdb@discussions.microsoft.com> ha scritto nel messaggio

news:4BD37F8A-AAD6-4687-A2D6-1B0A6BAC84AA@microsoft.com...

> Hi, I'm a colleague of Massimo.

 

:-)

> "Ace Fekay [MVP Direcrtory Services]" wrote:

 

I'm using Outlook Express to access the Microsoft public newsserver

news.microsoft.com, and this message never appeared there (in both groups

the original one was posted to). What happened to it?!?

>> What I suggested is to put a DC on that subnet, which eliminated

>> the errors.

>

> The problem is that we don't know the subnet (no ip, no subnet).

 

Also, it's quite difficult this could be caused by a subnet problem, as the

network is flat and there are no subnets other than the main one (there are

some DMZs, but firewall policies are quite strict and anything NetBIOS

related just can't go through them).

> 2) What does it mean the "{7AD13997-56F6-4693" part in the

> error message?

>

> "The master browser has received a server announcement from the

> computer MACCHINA1 that believes that it is the master browser for

> the domain on transport NetBT_Tcpip_{7AD13997-56F6-4693.

> The master browser is stopping or an election is being forced."

 

That's Windows' internal ID for the network interface where the error was

detected; in this case, it refers to the server's LAN connection (its only

one).

 

 

Massimo

Guest Ace Fekay [MVP Direcrtory Services]
Posted

Re: MRxSmb error 8003: the Ghost Computer

 

In news:ONx9BGUCJHA.1628@TK2MSFTNGP03.phx.gbl,

Massimo <barone@mclink.it> requesting assistance, typed the following:

>

> I'm using Outlook Express to access the Microsoft public newsserver

> news.microsoft.com, and this message never appeared there (in both

> groups the original one was posted to). What happened to it?!?

>

>>> What I suggested is to put a DC on that subnet, which eliminated

>>> the errors.

>>

>> The problem is that we don't know the subnet (no ip, no subnet).

>

> Also, it's quite difficult this could be caused by a subnet problem,

> as the network is flat and there are no subnets other than the main

> one (there are some DMZs, but firewall policies are quite strict and

> anything NetBIOS related just can't go through them).

>

>> 2) What does it mean the "{7AD13997-56F6-4693" part in the

>> error message?

>>

>> "The master browser has received a server announcement from the

>> computer MACCHINA1 that believes that it is the master browser for

>> the domain on transport NetBT_Tcpip_{7AD13997-56F6-4693.

>> The master browser is stopping or an election is being forced."

>

> That's Windows' internal ID for the network interface where the error

> was detected; in this case, it refers to the server's LAN connection

> (its only one).

>

>

> Massimo

 

Sometimes Outlook Express is not always efficient with enumerating a news

server in a server farm. I have the same problems at times. :-)

 

If the subnet is not known, I would look at subnets that do not have a DC.

If it is in a DMZ, it may be over there trying to force an election, this is

of course in a routed (non-NAT) environment. Otherwise a net scan to capture

traffic about the time it occurs to see if you can determine an unknown MAC

address, then go into your switch to determine which port it's connected to.

 

As for the 7AD13997-56F6-4693 string, not entirely sure. I can't remember

the EventID number of this error, but you can go to eventid.net to get their

take on it too.

 

Ace

Guest Massimo
Posted

Re: MRxSmb error 8003: the Ghost Computer

 

"Ace Fekay [MVP Direcrtory Services]" <firstnamelastname@hotmail.com> ha

scritto nel messaggio

news:8CD54580-418E-4748-9B40-13E7B8BE10FC@microsoft.com...

 

> Sometimes Outlook Express is not always efficient with enumerating a

> news server in a server farm. I have the same problems at times. :-)

 

That doesn't seem to be a client problem... I've tried downloading message

headers again, but your first reply just doesn't appear on the news server

(although it shows up in the web interface at

http://www.microsoft.com/communities).

> If the subnet is not known, I would look at subnets that do not have a DC.

 

There *aren't* subnets, there. There's just only one big 10.x network with a

16 bit netmask and a default gateway. Nothing else. No VLANs, no routers,

nothing. The DMZs can be reached through the default gateway, but we can't

even RDP or SMB to the servers there, and there isn't any chance NetBIOS is

going through those firewalls. So the problem must be somewhere in the LAN.

 

I think there could be some machine with a wrong subnet mask around here,

bigger than our 16 bit one, and also a wrong network address; something like

10.y/255.0.0.0. This way, that machine could send packets to our computers,

but none of them would be able to reply (or send anything to it on its own).

This would explain why that computer can send NetBIOS datagrams to our

domain controller, but we are unable to find it. I'll try giving a bigger

subnet mask to one computer and seeing if the unknown computer's name can be

resolved.

> As for the 7AD13997-56F6-4693 string, not entirely sure.

 

That's the string Windows uses internally to identify the network interface;

it can be seen in HKLM\System\CurrentControlSet\Control\Network and

HKLM\System\CurrentControlSet\Services\TcpIp.

 

 

Massimo

Posted

Re: MRxSmb error 8003: the Ghost Computer

 

I believe that if a machine "plugged into your network" has a different

subnet mask than the rest of your network, it will not be able to

communicate with any machine on your network at all. Filter the event log

on your DC to determine when this problem first started and when it ended,

and do let us know if it is still happening! This is a curious issue and

would like to help you resolve it.

Guest Massimo
Posted

Re: MRxSmb error 8003: the Ghost Computer

 

"Spin" <Spin@invalid.com> ha scritto nel messaggio

news:6i2m0dFom0nlU1@mid.individual.net...

 

> I believe that if a machine "plugged into your network" has a different

> subnet mask than the rest of your network, it will not be able to

> communicate with any machine on your network at all.

 

It could, if the two addresses are "similar" enough.

> Filter the event log on your DC to determine when this problem first

> started and when it ended, and do let us know if it is still happening!

> This is a curious issue and would like to help you resolve it.

 

Turned out it was actually a Linux machine with a buggy/misconfigured Samba;

the network configuration was absolutely correct, but Samba tried to become

master browser every hour, even if the domain controller won the election

all the times. Maybe it just had rebellious feelings? :-)

 

I wasn't able to track this from the Windows event logs: they didn't

report the machine's IP address, only its name; and the machine wasn't

properly answering NetBIOS queries (or maybe it was firewalled), so it

didn't show up on the network.

 

I had to do some packet sniffing with Network Monitor at the time the issue

popped up (it happened roughly every hour); I could have left Network

Monitor running all the time, but this was quite inappropriate for a very

busy domain controller. In the trace, finally the packets showed up with

their source IP address, and we were able to look it up on the network.

 

It would be very helpful if future versions of the Windows event log tracked

the source IP address for events like this one.

 

 

Massimo
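
Added example (not part of the original thread): the lookup described in the post above, done over captured NetBIOS datagram payloads (UDP port 138) instead of by eye in Network Monitor. It decodes the RFC 1002 datagram header and the first-level encoded source name, then returns the IP-layer source of every datagram sent under the name from the event text. The function names, the group name EXAMPLEDOM, the host WKSTN042 and all IP addresses are constructed for illustration; names are assumed uncompressed with no scope ID.

```python
import socket
import struct

def encode_name(name, suffix):
    """First-level encode a NetBIOS name (RFC 1001); used here only to build samples."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    body = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + body + b"\x00"

def decode_name(field):
    """Decode a 34-byte encoded name (no scope ID) into (name, suffix)."""
    if len(field) != 34 or field[0] != 0x20 or field[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((field[i] - 0x41) << 4) | (field[i + 1] - 0x41)
                for i in range(1, 33, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_datagram(payload):
    """Parse the RFC 1002 datagram header from a UDP/138 payload."""
    if len(payload) < 82:
        raise ValueError("too short for a NetBIOS datagram")
    msg_type, _flags, _id, src_ip, src_port, _len, _off = struct.unpack(
        "!BBH4sHHH", payload[:14])
    if msg_type not in (0x10, 0x11, 0x12):  # direct unique / direct group / broadcast
        raise ValueError("message type carries no name fields")
    return {"nbt_src_ip": socket.inet_ntoa(src_ip), "nbt_src_port": src_port,
            "source": decode_name(payload[14:48]),
            "destination": decode_name(payload[48:82])}

def senders_of(packets, wanted_name):
    """Return IP-layer source addresses of datagrams sent under wanted_name."""
    hits = set()
    for ip_src, payload in packets:
        try:
            info = parse_datagram(payload)
        except ValueError:
            continue  # not a datagram we can decode; skip it
        if info["source"][0] == wanted_name.upper():
            hits.add(ip_src)
    return sorted(hits)

def sample_datagram(src_ip, src_name, group):
    """Constructed sample: direct group datagram to the <1E> election name."""
    names = encode_name(src_name, 0x00) + encode_name(group, 0x1E)
    header = struct.pack("!BBH4sHHH", 0x11, 0x02, 1, socket.inet_aton(src_ip),
                         138, len(names), 0)
    return header + names

# Constructed capture: (IP header source, UDP/138 payload) pairs.
CAPTURE = [("10.0.3.7", sample_datagram("10.0.3.7", "WKSTN042", "EXAMPLEDOM")),
           ("10.0.200.15", sample_datagram("10.0.200.15", "MACCHINA1", "EXAMPLEDOM")),
           ("10.0.9.1", b"\x00" * 20)]
```

The parsed header also exposes `nbt_src_ip`, the address the sender wrote into the datagram itself, which can be compared with the IP-layer source when the two are suspected to differ.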

Posted

Re: MRxSmb error 8003: the Ghost Computer

 

Massimo, thanks for the reply!
