Windows NT Name Resolution
We need to resolve high level names to MAC addresses on our TCP/IP networks.
Introduction
In 1983, Sytek Corp. developed the NetBIOS (Basic Input\Output System) for IBM to allow applications to communicate over a network. NetBIOS has been a staple of Microsoft OS since then.
Windows NT relies on NetBIOS as the sole means of communication between services (printing, alerts, file sharing, browsing) over the network. Clients and servers find each other by looking for NetBIOS names, also referred to as computer names.
TCP/IP protocol refers to network computers by IP addresses, but the operating system stills relies upon NetBIOS. TCP/IP doesn’t have a clue what to do with a NetBIOS name, so some method of resolving IP addresses to NetBIOS names is required. This translation is known as NetBIOS name resolution. This introduces additional troubleshooting overhead. Many of our network problems stem from some type of name resolution error.
NetBIOS is made up of an API (Application Programming Interface), and a protocol named NetBEUI:
NetBIOS supports the following three protocols:
- NetBEUI – Does not cache name resolution info. If a reconnection needs to occur, another broadcast is sent. This is the chattiest network protocol and is not routable
- NetBIOS over NWLink – Uses broadcasts to find hosts but does cache the result. IPX addresses contain MAC addresses
- NetBIOS over TCP/IP – uses various options to resolve MAC addresses to NetBIOS names to include:
Name Service Queries.
RAM Cache.
Flat Table (Hosts file).
Network Broadcasts.
Let’s focus our attention on NetBIOS over TCP/IP (NetBT)
NetBIOS Names:
A NetBIOS name is a 16 character name used to identify a resource on the network. The first 15 characters uniquely identify each host on the network, and the sixteenth character identifies the service that is runningon the host. If the computer name is shorter than 15 characters, it is padded with blanks. Some examples of the 16th character are:
|
Sixteenth Character |
Description |
|
[20h] |
Server service |
|
[00h] |
Workstation service |
|
[03h] |
Messenger service |
Windows NT computers identify themselves on the network with a network name as well as an IP address. When a Windows NT machine boots up, a process ofName Registration, Release, and Discovery is begun.
Let’s take a closer look at these steps:
Name Registration:
When a computer boots up, it registers its NetBIOS name with the name server. If another computer already has the same name, the new host will not be able to register its name.
Name Discovery:
The name server handles discovery. When a server wants to communicate with another TCP/IP host, a name query packet is sent to the WINS server for resolution. The name server responds be sending a positive query response, and the appropriate address info.
Name Release:
Name release occurs whenever you stop a NetBIOS application or service. The NetBIOS name is released and made available for another computer to use.
NetBIOS Name Resolution methods:
Windows has several options to conduct Name Resolution-
Local Broadcast:
This is a broadcast for the IP address of the NetBIOS name. It is like screaming on the network to find a host. Limiting broadcasts should be one of you goals as a network administrator
LMHOSTS file:
This resolution method is specific to a Microsoft network. LMHOSTS is alocal flat file that maps NetBIOS names to the IP address of Windows computers on a network. If this method fails, a local broadcast will be used. The LMHOSTS is located in WINNT\SYSTEM32\DRIVERS\ETC directory.
Windows Internet Name Server (WINS):
Microsoft’s Name Server is called WINS. WINS provides dynamic mapping of NetBIOS names to IP addresses by using a database. You must configure clients to query WINS. You can do this through DHCP. Using WINS enhances communication and browsing. If you check the LMHOSTS box in WINS Server, you can combine WINS and LMHOSTS.
Domain Name System (DNS):
DNS is a client server database that maintains mappings of hostnames to IP addresses in a non dynamic fashion. The Internet uses DNS to resolve FQDN to IP addresses. You can configure DNS to use WINS. This technology will become increasingly important with NT 5.0 and succeeding operating systems.
NetBIOS Name Resolution with a Name Server:
- WINS is the preferred way of resolving NetBIOS names to IP addresses especially in a routed network. Unlike DHCP, WINS does not rely upon broadcasts to locate the server. Clients are configured with the static IP address of the name server. Here are the steps used to resolve a NetBIOS name request.
- When the client issues a NET USE command, the NetBIOS name cache is checked first. If the NetBIOS name has been resolved recently, it is used for this command and no network connections are established.
- If the name cannot be resolved with the name cache, the NetBIOS name is sent to the WINS via a Directed Send (no broadcast). Since the IP address of the WINS server is configured in the client, this request can pass across a router.
- Windows NT clients will attempt three times to contact the NetBIOS name server. If there is no response, the client will contact a secondary server, if one is configured.
- When the NetBIOS name is resolved, it is returned to the source host.
- Once the NetBIOS name is resolved to an IP address, the source host uses ARP to resolve the IP address to a MAC address.
 |
 |
 |
 |
 |
