How to locate a rogue Workgroup in Computer Browser

We have Computer Browser running on three domain controllers, and
disabled on the rest the LAN. Each WAN and non domain workgroup
has several machines running Computer Browser.

For a while now I've noticed a rogue workgroup named "RACTREND"
showup. I'm not certain if this is something one of our ex-employees
added manually or if there really is a RACTREND out there. net view /
domain ractrend gives no results (system error 53). Packet sniffing
for hours at a time, I see nothing "contains RACTREND". BROWSTAT
view doesn't give any info - mostly access is denied errors when
enumerating RACTREND. Note that I can enumerate our domains.

How do I discover where this is coming from?

(E-Mail Removed) wrote:
> We have Computer Browser running on three domain controllers, and
> disabled on the rest the LAN. Each WAN and non domain workgroup
> has several machines running Computer Browser.
>
> For a while now I've noticed a rogue workgroup named "RACTREND"
> showup. I'm not certain if this is something one of our ex-employees
> added manually or if there really is a RACTREND out there. net view
> / domain ractrend gives no results (system error 53). Packet
> sniffing for hours at a time, I see nothing "contains RACTREND".
> BROWSTAT view doesn't give any info - mostly access is denied errors
> when enumerating RACTREND. Note that I can enumerate our domains.
>
> How do I discover where this is coming from?

Most likely - if someone has plugged in a laptop configured for a workgroup
called RACTREND, that name will show up in the browse list (even after they
unplug/disconnect) for a while.

Not sure what "....each WAN and non-domain workgroup" means.....why do you
have workgroups at all?

> Not sure what "....each WAN and non-domain workgroup" means.....why do you
> have workgroups at all?

We have some machines that are in their own networks, not part of the
domain.

(E-Mail Removed) wrote:
>> Not sure what "....each WAN and non-domain workgroup" means.....why
>> do you have workgroups at all?
>
> We have some machines that are in their own networks, not part of the
> domain.

What's the reason for that?

> What's the reason for that?

Because they are special use with remote access. We don't want the
machines to have any rights on the domain, nor visa versa. We don't
want GPO nor NT4 domain policy objects to apply to these. We want
them isolated.

I don't think it's a laptop, as we have all laptops blocked from our
network. We have NAC to allow only permitted devices on our
network. I think this is workgroup is a left over from a network we
linked to ours during a company purchase, which has since been
replaced. The person who did the integration is no longer with us.
I'm thinking this network might not actually physically exist, but is
manually added and thus remains. I just don't know how to locate it.
Normally packet sniffing solves these problems, but the only packets
I've yet to see with RACTREND come from the server hosting the
computer browser service.

I found it. RACTREND is the default workgroup for a KVM over IP
device from MegaRac. This is an odd device. I often see it send
ICMP traffic from IP addreses which are not assigned to it to other IP
addresses that are not RFC 1918, though unassigned. There is no
place in the device to specify the workgroup/domain.