Understanding <1E>, <1B>, and other NetBIOS suffixes

Got an NT server that runs TCP/IP? Then try opening up a command line and type

NBTSTAT -A ipaddress

where ipaddress is the server's IP address. Be sure to use the uppercase A, or it won't work. Screen 1 shows the result. See all those names followed by characters in angle brackets? The characters in the angle brackets are important, and exactly why they're important is my topic for this month.

Screen 1 is a dump of all of the NetBIOS names on a server in my enterprise. Look in your Windows Internet Name Service (WINS) server, and ask it to show your WINS database. You'll see something similar to Screen 2. Although NetBIOS names might look odd, they tell quite a bit about a computer.

But first, what is a NetBIOS name? You probably know it as a machine name. One example of a NetBIOS name is the name that you give each computer. Another type of NetBIOS name is the name of a workgroup or domain. In Screen 1, you're looking at a dump of the NetBIOS name table on a machine named ALDEBARAN. It is the Primary Domain Controller (PDC) on TAURUS, one of our domains. Notice that several NetBIOS names on this computer include ALDEBARAN, some have TAURUS, one is the odd looking __MSBROWSE__, and one includes MARKX.

The two kinds of NetBIOS names are unique names and group names. If you call a computer ALDEBARAN, it must assert that it has the name ALDEBARAN and that no one else has that name; the name must be unique. The Microsoft networking world handles the guarantee of uniqueness when you first start the networking software on a computer, during a process called name registration. When a computer says, "I'm registering the unique name ALDEBARAN," it is also saying, "I know somehow that I'm the only ALDEBARAN on this network." In case you're wondering, that uniqueness is part of WINS's job; WINS makes sure that unique names are indeed unique. If you start up two computers that claim the same machine name, the second computer will not be able to register its machine name and won't be able to do anything on the network. On a network without WINS, computers register their names via broadcasts; when a computer starts up, it broadcasts a name registration, saying in effect, "Hey! If anyone out there is named ALDEBARAN, let me know; otherwise, I'm letting everyone know that I'm ALDEBARAN."

NetBIOS also relies on group names. ALDEBARAN might also be part of a domain named TAURUS, and ALDEBARAN wants to assert in some way that it is a member of TAURUS. You can see in Screen 1 that ALDEBARAN has various unique and group names, and they're all registered.

But what do those names mean? NT networking consists of a lot of separate services and functions--you probably already know that the domain controller function worries about security and the browser service worries about making things visible. For ALDEBARAN to be a part of domain security (which, as the PDC, it must), it must register names that make it recognizable to NETLOGON, the program that governs logons. For ALDEBARAN to participate in browsing, it must register a name or names that make it recognizable to other computers' browser services.

NetBIOS names can be 16 characters long. The last value in the name, the 16th byte, appears in angle brackets and represents a hexadecimal value that various Microsoft networking services append to NetBIOS computer names. (Table 1 lists and defines some common 16th-byte values.) So for example, any computer that agrees to potentially be a browser registers its workgroup name by appending a 16th-byte value of <1E>. To NT, that computer is a potential browser. Now, before I go on, I need to explain two things: First, the computer doesn't really register a name with the angle brackets in it; it registers the name followed by a hexadecimal 1E--the angle brackets are just a convenient and easy-to-write convention. Second, you register the workgroup name rather than the domain name because browsing functions such as Network Neighborhood are built around workgroups, not domains. You never browse a domain; you browse a workgroup. Whenever you create a domain, however, NT automatically creates a workgroup of the same name, and that's why you see TAURUS's registered workgroup name as TAURUS<1E>.

Let's get back to this <1E> name. To control whether your computer agrees to be a potential browser, set the Registry entry MaintainServerList to either Auto or Yes. (Find the entry in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters.) Set the value to No and reboot, and you'll see the <1E> name disappear from your server's NetBIOS name list. Note that workgroupname<1E> is a group name; it can't be a unique name because many machines can be potential browsers.

In each subnet, one machine is anointed the Master Browser; it is identified by a unique name, workgroupname<1D>. Note that ALDEBARAN has registered the group name TAURUS<1E> and the unique name TAURUS<1D>. To the other computers, these names mean this computer is one of many potential browsers for the workgroup TAURUS, and this computer is the master browser for the TAURUS machines on this subnet.

But all the master browsers in a network's subnets must be able to share information, so one master browser becomes the Domain Master Browser, the head bull moose of browsers in a workgroup. (It's called Domain Master Browser, but it's really a workgroup master browser.) That machine registers the name <01><00>__MSBROWSE__<00><01>, and you see in Screen 1 that ALDEBARAN has registered that name as well. Why is it a group name rather than a unique name? Because each workgroup will have its own Domain Master Browser. On my network, for example, we have five domains. Each domain elects a Domain Master Browser, hence we have five <01><00>__MSBROWSE__<00><01> machines. So, MSBROWSE must be a group name.

Domains also use group names. All domain controllers, both primary and backup, register the group name domainname<1C>. The PDC registers a unique name, domainname<1B>. You can see those names in Screen 1--TAURUS<1C> (group name) and TAURUS<1B> (unique name).

I said earlier that one way to think of a NetBIOS name is as the machine name that you give a networked computer. That unique NetBIOS name is the computer's name with a <00> suffix. A machine declares what workgroup it is a member of by registering a group NetBIOS name workgroupname<00>. Microsoft describes these names as being owned by the redirector or workstation service. In Screen 1, you see the unique name ALDEBARAN<00> identifying the machine, and the group name TAURUS<00> identifying the workgroup.

On a Microsoft network, you can send someone a realtime message, as in

net send john01 "please log off"

A part of Microsoft networking, the messenger service, accomplishes this task, and the messenger service wants names of its own registered. You can identify those names by the <03> suffix. Not only does ALDEBARAN have a registered messenger service name, but so does MARKX, the name of the user who was logged on to ALDEBARAN at the time. You can send network alerts and messages either to a machine or a user--

net send markx "please log off"

and

net send aldebaran "please log off"


work equally well.

But notice that MARKX<03> is a unique name. Microsoft networking lets you log on as many times as you like to as many machines as you like. So what happens when MARKX logs on at another machine and the machine tries to register unique name MARKX<03>? It fails. But that's no big deal; this situation probably happens to you a dozen times a day, and your computer never complains about it. Failing to register the name means that if you're simultaneously logged on to several machines, you won't necessarily receive any NET SENDs or network alerts sent to your name at the machine where you're currently sitting.

That description covers all the lines in Screen 1 except for ALDEBARAN<20>. The suffix <20> identifies ALDEBARAN as a server, a machine that can share files. You'll see other suffixes on your computers if you run NBTSTAT--RAS servers have <06>, RAS clients have <21>, the Network Monitor uses and , and NetDDE uses <1F>. I hope these explanations make WINS output a little more readable.
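The suffix rules above can be applied mechanically to NBTSTAT -A output when inventorying what a host advertises. This Python code is an added example, not part of the original article: the sample table is constructed from the names the article describes for ALDEBARAN (Screen 1 itself is not reproduced here), the role labels follow the article's text, and the function names are illustrative. The wire_name helper assumes the usual space padding of the name to 15 characters before the suffix byte.

```python
import re

# Role implied by (16th byte, name type), following the article's descriptions.
ROLES = {
    ("00", "UNIQUE"): "workstation service (machine name)",
    ("00", "GROUP"): "workgroup membership",
    ("03", "UNIQUE"): "messenger service name",
    ("20", "UNIQUE"): "server service (shares files)",
    ("1B", "UNIQUE"): "Primary Domain Controller",
    ("1C", "GROUP"): "domain controller",
    ("1D", "UNIQUE"): "master browser on this subnet",
    ("1E", "GROUP"): "potential browser",
    ("01", "GROUP"): "Domain Master Browser (__MSBROWSE__)",
}
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\b")

# Constructed sample of NBTSTAT -A output for the article's ALDEBARAN example.
SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    ALDEBARAN      <00>  UNIQUE      Registered
    TAURUS         <00>  GROUP       Registered
    ALDEBARAN      <20>  UNIQUE      Registered
    TAURUS         <1C>  GROUP       Registered
    TAURUS         <1B>  UNIQUE      Registered
    TAURUS         <1E>  GROUP       Registered
    ALDEBARAN      <03>  UNIQUE      Registered
    MARKX          <03>  UNIQUE      Registered
    TAURUS         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
"""

def wire_name(name, suffix):
    """16 bytes as registered: name space-padded to 15 bytes, then the suffix."""
    return name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])

def parse(output):
    """Return (name, suffix, type) per table row; non-table lines are skipped."""
    hits = (ROW.match(line) for line in output.splitlines())
    return [(m[1], m[2].upper(), m[3]) for m in hits if m]

def summarize(output):
    rows = parse(output)
    machine = next((n for n, s, t in rows if (s, t) == ("00", "UNIQUE")), None)
    roles = [f"{n}<{s}> {t}: {ROLES.get((s, t), 'unknown')}" for n, s, t in rows]
    # A <03> name other than the machine name belongs to a logged-on user.
    users = [n for n, s, t in rows if s == "03" and n != machine]
    return machine, roles, users

if __name__ == "__main__":
    print(*summarize(SAMPLE)[1], sep="\n")
```
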

Before I Go...
I put together a tool that you might find useful if you're studying for your Microsoft Certified System Engineer (MCSE) exams. It's a Visual Basic program that simulates Microsoft's certification exams. You download the program that administers the exam and a reservoir of exam questions. The tester program will then randomly generate tests for you. You can use these tests to review topics that you'll see on the exam and to practice managing your test time. The program and questions are available for free on my Web site, http://www.mmco.com. Many MCSE preparation sample testers simply tell you which questions you got wrong, not why you got them wrong. My program includes a reference field for each question, with pointers to more information on the subject. I wrote this program and am giving it away because MCSE certification is a necessary evil in this business.

You can help, too. Got a good question for the test? Email me with a question and four or five possible answers (at least one of which is correct). If I include your question in the reservoir, I'll credit you in the reference field. We're preparing NT Server, NT Workstation, and TCP/IP question reservoirs, so if you have a great question, send it off to us and help us help more folks get certified!

TABLE 1: 16th-Byte Character Values for NetBIOS Names

Unique Names
16th Byte   Description
<00>        workstation service name
<03>        messenger service name
<1B>        domain master browser name
<06>        RAS server service
<1F>        NetDDE service
<20>        server service name
<21>        RAS client
            network monitor agent
            network monitor utility

Group Names
16th Byte   Description
<1C>        domain group name
<1D>        master browser name
<1E>        Normal group name
_MSBROWSE_, domain master browser

Table adapted from Microsoft Windows NT Server Resource Kit for NT 4.0.