Networking Forums


MRxSmb error 8003: the Ghost Computer

 
 
Massimo
Guest
Posts: n/a

 
      08-27-2008, 05:16 PM
I've been getting these errors for a while on a Windows 2003 domain
controller, stating that a certain machine believes it's the master browser
for the domain, and forcing an election; the errors are recurring, and I'd
like to track them down.

I've looked around for a while, and the main reasons for this error seem to
be 1) routers improperly forwarding UDP packets and/or broadcasts, and 2) a
wrong subnet mask on the client computer that's causing the error.

The cause can't be 1), because the network is flat and there isn't any
router around (apart from the default gateway); so it must be 2).

The problem: I have the NetBIOS name of the computer that's causing trouble
(it's reported in the error event), but I don't have its IP address; the
machine doesn't appear to be active on the network, as this name can't be
resolved using NetBIOS; it isn't registered in our DNS, nor is it in our
WINS servers; it also isn't a domain member, although it looks like it's
using a workgroup name identical to the domain's NetBIOS name.

If we had the machine's IP address, we could track it on our switches... but
we don't have it. We think this could be some test machine (maybe virtual),
which is being started and stopped often, and isn't active anymore when we
try investigating the errors.

How can we find this computer?

Any suggestion is welcome.


Massimo

 
 
 
 
 
fdb
Guest
Posts: n/a

 
      08-28-2008, 05:08 PM
Hi, I'm a colleague of Massimo.

"Ace Fekay [MVP Direcrtory Services]" wrote:
> What I suggested is to put a DC on that subnet, which eliminated the errors.


The problem is that we don't know the subnet (no ip, no subnet).

> It could also be a machine that is being booted, then shut down. Maybe a
> laptop? Maybe a wireless laptop? If it is not in WINS, it may not have a WINS
> entry in its IP properties. Did you or someone else ever have a test
> machine up that named the workgroup the same as your domain?


Maybe, we don't know. Our network is pretty large.

> It could also be a joined machine. Is there an entry in the Computers Container in
> AD for it?


No.


Two questions:

1) Is it possible to make the system log register the IP instead of the
NetBIOS name?
2) What does the "{7AD13997-56F6-4693" part in the error message mean?

"The master browser has received a server announcement from the computer
MACCHINA1 that believes that it is the master browser for the domain on
transport NetBT_Tcpip_{7AD13997-56F6-4693. The master browser is stopping or
an election is being forced."

Thank you in advance.
 
 
Massimo
Guest
Posts: n/a

 
      08-28-2008, 07:08 PM
"fdb" <(E-Mail Removed)> wrote in message
news:4BD37F8A-AAD6-4687-A2D6-(E-Mail Removed)...

> Hi, I'm a colleague of Massimo.


:-)

> "Ace Fekay [MVP Direcrtory Services]" wrote:


I'm using Outlook Express to access the Microsoft public newsserver
news.microsoft.com, and this message never appeared there (in both groups
the original one was posted to). What happened to it?!?

>> What I suggested is to put a DC on that subnet, which eliminated
>> the errors.

>
> The problem is that we don't know the subnet (no ip, no subnet).


Also, it's quite difficult this could be caused by a subnet problem, as the
network is flat and there are no subnets other than the main one (there are
some DMZs, but firewall policies are quite strict and anything NetBIOS
related just can't go through them).

> 2) What does the "{7AD13997-56F6-4693" part in the
> error message mean?
>
> "The master browser has received a server announcement from the
> computer MACCHINA1 that believes that it is the master browser for
> the domain on transport NetBT_Tcpip_{7AD13997-56F6-4693.
> The master browser is stopping or an election is being forced."


That's Windows' internal ID for the network interface where the error was
detected; in this case, it refers to the server's LAN connection (its only
one).


Massimo

 
 
Ace Fekay [MVP Direcrtory Services]
Guest
Posts: n/a

 
      08-29-2008, 12:41 AM
In news:(E-Mail Removed),
Massimo <(E-Mail Removed)> requesting assistance, typed the following:
>
> I'm using Outlook Express to access the Microsoft public newsserver
> news.microsoft.com, and this message never appeared there (in both
> groups the original one was posted to). What happened to it?!?
>
>>> What I suggested is to put a DC on that subnet, which eliminated
>>> the errors.

>>
>> The problem is that we don't know the subnet (no ip, no subnet).

>
> Also, it's quite difficult this could be caused by a subnet problem,
> as the network is flat and there are no subnets other than the main
> one (there are some DMZs, but firewall policies are quite strict and
> anything NetBIOS related just can't go through them).
>
>> 2) What does the "{7AD13997-56F6-4693" part in the
>> error message mean?
>>
>> "The master browser has received a server announcement from the
>> computer MACCHINA1 that believes that it is the master browser for
>> the domain on transport NetBT_Tcpip_{7AD13997-56F6-4693.
>> The master browser is stopping or an election is being forced."

>
> That's Windows' internal ID for the network interface where the error
> was detected; in this case, it refers to the server's LAN connection
> (its only one).
>
>
> Massimo


Sometimes Outlook Express is not always efficient with enumerating a news
server in a server farm. I have the same problems at times. :-)

If the subnet is not known, I would look at subnets that do not have a DC.
If it is in a DMZ, it may be over there trying to force an election, this is
of course in a routed (non-NAT) environment. Otherwise a net scan to capture
traffic about the time it occurs to see if you can determine an unknown MAC
address, then go into your switch to determine which port it's connected to.

As for the 7AD13997-56F6-4693 string, not entirely sure. I can't remember
the EventID number of this error, but you can go to eventid.net to get their
take on it too.

Ace



 
 
Massimo
Guest
Posts: n/a

 
      08-29-2008, 05:34 AM
"Ace Fekay [MVP Direcrtory Services]" <(E-Mail Removed)> wrote
in message
news:8CD54580-418E-4748-9B40-(E-Mail Removed)...


> Sometimes Outlook Express is not always efficient with enumerating a
> news server in a server farm. I have the same problems at times. :-)


That doesn't seem to be a client problem... I've tried downloading message
headers again, but your first reply just doesn't appear on the news server
(although it shows up in the web interface at
http://www.microsoft.com/communities).

> If the subnet is not known, I would look at subnets that do not have a DC.


There *aren't* subnets, there. There's just one big 10.x network with a
16 bit netmask and a default gateway. Nothing else. No VLANs, no routers,
nothing. The DMZs can be reached through the default gateway, but we can't
even RDP or SMB to the servers there, and there isn't any chance NetBIOS is
going through those firewalls. So the problem must be somewhere in the LAN.

I think there could be some machine with a wrong subnet mask around here,
bigger than our 16 bit one, and also a wrong network address; something like
10.y/255.0.0.0. This way, that machine could send packets to our computers,
but none of them would be able to reply (or send anything to it on its own).
This would explain why that computer can send NetBIOS datagrams to our
domain controller, but we are unable to find it. I'll try giving a bigger
subnet mask to one computer and seeing if the unknown computer's name can be
resolved.

> As for the 7AD13997-56F6-4693 string, not entirely sure.


That's the string Windows uses internally to identify the network interface;
it can be seen in HKLM\System\CurrentControlSet\Control\Network and
HKLM\System\CurrentControlSet\Services\TcpIp.


Massimo

 
 
Spin
Guest
Posts: n/a

 
      09-01-2008, 05:10 PM
I believe that if a machine "plugged into your network" has a different
subnet mask than the rest of your network, it will not be able to
communicate with any machine on your network at all. Filter the event log
on your DC to determine when this problem first started and when it ended,
and do let us know if it is still happening! This is a curious issue and
I would like to help you resolve it.


 
 
Massimo
Guest
Posts: n/a

 
      09-01-2008, 05:57 PM
"Spin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...


> I believe that if a machine "plugged into your network" has a different
> subnet mask than the rest of your network, it will not be able to
> communicate with any machine on your network at all.


It could, if the two addresses are "similar" enough.

> Filter the event log on your DC to determine when this problem first
> started and when it ended, and do let us know if it is still happening!
> This is a curious issue and I would like to help you resolve it.


Turned out it was actually a Linux machine with a buggy/misconfigured Samba;
the network configuration was absolutely correct, but Samba tried to become
master browser every hour, even if the domain controller won the election
every time. Maybe it just had rebellious feelings? :-)

I wasn't able to track this from the Windows event logs: they didn't
report the machine's IP address, only its name; and the machine wasn't
properly answering NetBIOS queries (or maybe it was firewalled), so it
didn't show up on the network.

I had to do some packet sniffing with Network Monitor at the time the issue
popped up (it happened roughly every hour); I could have left Network
Monitor running all the time, but this was quite inappropriate for a very
busy domain controller. In the trace, finally the packets showed up with
their source IP address, and we were able to look it up on the network.

It would be very helpful if future versions of the Windows event log tracked
the source IP address for events like this one.


Massimo

 
Reply With Quote
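An added example, not part of the original thread: the capture-based lookup described in the post above, done offline in Python over UDP/138 payloads exported from a trace. The sample datagrams, IP addresses and the names `DC01`, `WS042` and `EXAMPLEDOM` are constructed placeholders, and the parser assumes the browser opcode directly follows the `\MAILSLOT\BROWSE` name.

```python
import socket
import struct

# Browser-protocol opcodes (MS-BRWS) that indicate a master-browser claim.
CLAIM_OPCODES = {0x08: "RequestElection", 0x0F: "LocalMasterAnnouncement"}
MAILSLOT = b"\\MAILSLOT\\BROWSE\x00"

def nb_encode(name, suffix=0x00):
    """First-level NetBIOS name encoding (RFC 1001): two letters per byte."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"

def nb_decode(field):
    """Decode a 34-byte encoded name field to (name, suffix byte)."""
    e = field[1:33]
    raw = bytes((((e[i] - 0x41) & 15) << 4) | ((e[i + 1] - 0x41) & 15)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_browser_datagram(ip_src, payload):
    """Return a dict for a master-browser claim, or None for anything else."""
    if len(payload) < 82 or payload[0] not in (0x10, 0x11, 0x12):
        return None                       # too short or not a direct/broadcast datagram
    nbds_ip = socket.inet_ntoa(payload[4:8])   # sender-supplied header field
    name, _ = nb_decode(payload[14:48])        # source name; destination is 48:82
    pos = payload.find(MAILSLOT, 82)
    if pos < 0 or pos + len(MAILSLOT) >= len(payload):
        return None
    opcode = payload[pos + len(MAILSLOT)]      # assumption: opcode follows the name
    if opcode not in CLAIM_OPCODES:
        return None
    return {"name": name, "ip": ip_src, "nbds_ip": nbds_ip,
            "kind": CLAIM_OPCODES[opcode]}

def find_claimants(packets, known_masters):
    """packets: iterable of (IP-layer source address, UDP/138 payload)."""
    hits = (parse_browser_datagram(ip, p) for ip, p in packets)
    return [h for h in hits if h and h["ip"] not in known_masters]

def make_sample(src_ip, name, opcode):
    """Constructed datagram: NBDS header, two names, stub SMB body."""
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, 1, socket.inet_aton(src_ip), 138, 0, 0)
    smb = b"\xffSMB\x25" + b"\x00" * 64 + MAILSLOT + bytes([opcode]) + b"\x00" * 8
    return hdr + nb_encode(name) + nb_encode("EXAMPLEDOM", 0x1E) + smb

SAMPLE = [  # constructed traffic, not taken from the thread
    ("10.0.0.10", make_sample("10.0.0.10", "DC01", 0x0F)),
    ("10.0.7.23", make_sample("10.0.7.23", "MACCHINA1", 0x0F)),
    ("10.0.3.5", make_sample("10.0.3.5", "WS042", 0x01)),
]
```

`find_claimants(SAMPLE, {"10.0.0.10"})` returns only the `MACCHINA1` entry with its IP-layer source address, which is the value the event log entry lacks; a mismatch between `ip` and `nbds_ip` is itself worth investigating.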
 
Spin
Guest
Posts: n/a

 
      09-01-2008, 06:04 PM
Massimo, thanks for the reply!


 