Name resolution order in Windows 7

Discussion in 'DNS Server' started by Valdas Adomaitis, Nov 29, 2009.

  1. Hello,

    As I've read, name resolution should take place in this order:

    1. DNS
    2. LLMNR
    3. NetBIOS

    I disabled NetBIOS and IPv6 (so that it could not resolve), flushed the DNS
    resolver cache and tried to ping a locally available server with just a name,
    not an FQDN.
    When I look at the traffic in Wireshark, a DNS query does not even take place;
    instead, LLMNR multicast using IPv4 takes place.
    Is this change (from what I read in the certification book) normal or am I
    missing something?
    If I ping the machine name with a trailing dot at the end, the DNS query succeeds.
     
    Valdas Adomaitis, Nov 29, 2009
    #1

  2. Yes this is default.

    I would like to point out that I believe this is the 3rd, or possibly 4th
    thread (did you start another thread?), and that usually we try to keep a
    discussion into one related thread, otherwise it makes it difficult for
    others to contribute or double efforts if an idea or solution is posted in
    another thread that a contributor may have missed reading it.

    However, the following is my personal blog on it that I have not yet
    publicly published. I hope you find it useful and shed some light.

    ==================================================================
    ==================================================================
    DNS & WINS Resolution Process, Computer Browser Service, NetBIOS and
    disabling NetBIOS, and Direct Hosted SMB (DirectSMB)

    Keep in mind, Win2000 and newer machines use the DNS (hostname) process
    FIRST before the NetBIOS resolution process. If it does not get resolved
    using the DNS process, then it uses the NetBIOS process. Legacy clients use
    the NetBIOS process FIRST, and if it doesn't get resolved using NetBIOS, it
    uses the DNS process.

    If you are using an NBNS (NetBIOS Nameserver, such as WINS), that changes it
    a bit, and it also depends on what Node it's in. H-Node is default, but can
    be changed. There are four NetBIOS Nodes:

    B-Node - Broadcast ONLY
    P-Node - NBNS (Netbios Nameserver) or WINS ONLY
    M-Node- Mixed NBNS and Broadcast, but uses Broadcast FIRST.
    H-Node - Mixed NBNS and Broadcast, but uses WINS FIRST.

    E.g. If you ping "machinename" on a Win2000 or newer machine, it will
    attempt to use DNS FIRST:

    1. Checks its own name.
    2. Local cache.
    3. HOSTS file
    4. It will then suffix the Search Suffix configured on the machine, then
    query DNS
    5. WINS
    6. Broadcast
    7. LMHOSTS

    Legacy machines (pre-Windows 2000) use NetBIOS first.

    If NetBIOS is disabled, which only disables the NBT transport and interface,
    TCP will still use DirectSMB (also called Direct Hosted SMB) in Windows 2000
    or newer. If both the direct hosted and NBT interfaces are enabled, both
    methods are tried at the same time and the first to respond is used. This
    allows Windows to function properly with operating systems that do not
    support direct hosting of SMB traffic.

    Related Links:

    NetBIOS and Hostname resolution for Microsoft Client and LAN Manager 2.2c
    Client:
    http://support.microsoft.com/kb/169141/EN-US/

    Name Resolution Process in detail:
    http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html

    Direct hosting of SMB over TCP/IP
    Removing WINS and NetBIOS broadcast as a means of name resolution. ... This
    means that direct-hosted SMB's cannot be disabled in Windows without
    disabling ...
    http://support.microsoft.com/kb/204279

    ======

    Browser service without WINS across subnets

    It appears to say that if all machines are Windows 2000 and newer, (nothing
    older), AD provides NetBIOS resolution for all clients. But it doesn't say
    how it goes about doing that. It goes on saying that the backup browsers and
    master browsers for each segment over a WAN communicate to the PDC, which is
    the browse master for a domain, over UDP 138, means that AD has a role in
    this, but is not specific. My feeling is AD is using DirectSMB over 445, but
    not sure. I cannot find anything on the mechanism. I'm one to want to know
    and learn of the background functions of anything. Oh well...

    Description of the Microsoft Computer Browser Service
    http://support.microsoft.com/kb/188001

    Common causes and solutions of browser Event ID 8021 and Event ID 8032 on
    domain master browsers
    http://support.microsoft.com/kb/135404

    Troubleshooting the Microsoft Computer Browser Service
    support.microsoft.com/kb/188305

    New Networking Features in Windows Server 2008 and Windows Vista (Scroll
    down and read the “Computer Browse Service” section and its mention that the
    Computer Browser needs to be running on the PDC Emulator of a domain):
    http://technet.microsoft.com/en-us/library/bb726965.aspx

    Windows 2008 - Appendix C – Computer Browser Service
    http://technet.microsoft.com/en-us/library/bb726989.aspx

    ======

    Disabling the Browser service, NetBIOS

    Just be careful on what you disable. The effects of disabling certain
    services depend on the operating system version and its role. Disabling a
    necessary service may disable certain necessary functions on a machine.

    1. You can disable this service on a machine in a domain environment. It
    dictates whether it participates with becoming an eligible master browser on
    a subnet. To understand what that means, requires some reading.

    Description of the Microsoft Computer Browser Service
    http://support.microsoft.com/kb/188001

    What's the Microsoft Computer Browser Service?
    Disable NetBIOS in W2K/XP/2003 · Hide a Server from the Microsoft Computer
    Browser ... Malicious User Can Shut Down Computer Browser Service:
    www.petri.co.il/whats_the_microsoft_computer_browser_service.htm

    Computer Browser Service
    http://www.theeldergeek.com/computer_browser.htm

    2. Leave that running. You need it. It works for all versions of NTLM.

    NTLM Security Support Provider.
    NTLM SSP is based on Microsoft Windows NT® LAN Manager challenge/response
    and NTLM version 2 authentication ...
    http://msdn.microsoft.com/en-us/library/ms925943.aspx

    3. If you disable the TCP NetBIOS Helper, you will not be able to map any
    drives or printers using NetBIOS names or FQDN.

    "Network Location Cannot be Reached" Error Message When You Try to ... To
    resolve this issue, start the TCP/IP NetBIOS Helper Service, and then join
    the domain. To start the NetBIOS Helper Service, follow these steps:
    http://support.microsoft.com/kb/329866

    4. One big piece of advice - do not disable the DHCP Client service on any
    server, whether the machine is a DHCP client or statically configured.
    Somewhat of a misnomer, this service performs Dynamic DNS registration
    and is tied in with the client resolver service. If disabled on a DC,
    you'll get a slew of errors, and no DNS queries will get resolved.

    No DNS Name Resolution If DHCP Client Service Is Not Running. When you try
    to resolve a host name using Domain Name Service (DNS), the attempt is
    unsuccessful. Communication by Internet Protocol (IP) address (even to ...
    http://support.microsoft.com/kb/268674

    - Ace Fekay
    ==================================================================
    ==================================================================

     
    Ace Fekay [MCT], Nov 29, 2009
    #2
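
    A read-only way to check, on a given machine, the settings this post talks about (NetBIOS node type, NetBIOS over TCP/IP per interface) together with the LLMNR policy behind the original question. This is an added example, not part of Ace Fekay's post; the registry locations are the standard Windows ones and do not come from the thread.

```powershell
# Added example: read-only audit of the fallback name-resolution settings
# discussed in this thread. It reads the registry and changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# --- NetBIOS node type (B/P/M/H, as listed in the post) ---
$nodeNames = @{
    1 = 'B-node (broadcast only)'
    2 = 'P-node (NBNS/WINS only)'
    4 = 'M-node (broadcast first, then NBNS/WINS)'
    8 = 'H-node (NBNS/WINS first, then broadcast)'
}
# A statically set NodeType takes precedence over the DHCP-supplied DhcpNodeType.
$node = Get-RegValue $netbt 'NodeType'
if ($null -eq $node) { $node = Get-RegValue $netbt 'DhcpNodeType' }
if ($null -eq $node) {
    'Node type: not set in the registry (OS default applies)'
} else {
    $label = $nodeNames[[int]$node]
    if (-not $label) { $label = "unknown value $node" }
    "Node type: $label"
}

# --- NetBIOS over TCP/IP, per interface ---
# NetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
$optNames = @{ 0 = 'default (follow DHCP)'; 1 = 'enabled'; 2 = 'disabled' }
Get-ChildItem "$netbt\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
    $opt = Get-RegValue $_.PSPath 'NetbiosOptions'
    if ($null -eq $opt) { $state = 'not set' } else { $state = $optNames[[int]$opt] }
    if (-not $state) { $state = "unknown value $opt" }
    '{0}: NetBIOS over TCP/IP {1}' -f $_.PSChildName, $state
}

# --- LLMNR ("Turn off multicast name resolution" policy) ---
# EnableMulticast = 0 disables LLMNR; if the value is absent, LLMNR stays on.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
if ($llmnr -eq 0) { 'LLMNR: disabled by policy' }
else { 'LLMNR: enabled (no policy turns it off)' }
```

    An interface reported as "default (follow DHCP)" still has NetBIOS over TCP/IP active unless the DHCP server hands out the option that turns it off.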

  3. Valdas,

    Here's a complete blog on the resolution process. I hope it helps. I may
    have some stuff missing, but in light of your questions, I tried to assemble
    my notes on it for you, as well as others that may have questions on it.

    DNS & WINS Resolution Process, Client Side Resolver Algorithm, Computer
    Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), What
    happens if one DC is down, does the client logon to another DC, and DNS
    Forwarders algorithm
    http://msmvps.com/blogs/acefekay/ar...n-to-another-dc-and-dns-forwarders-algor.aspx


    Ace
     
    Ace Fekay [MCT], Nov 29, 2009
    #3
  4. Hello Ace Fekay [MCT],

    The link doesn't open a webpage if I use it, either from the newsreader directly
    or by copying it to Notepad to check it for empty spaces and then using it.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Nov 29, 2009
    #4
  5. Sorry about the double post with same content.
    I thought I closed the first one.
     
    Valdas Adomaitis, Nov 29, 2009
    #5
  6. Unfortunately with newsgroup postings, once they are posted, they are posted
    for good. If posting using the web forums, even if there is a 'close'
    option, keep in mind, the posts in the forum are sent/pulled from the
    newsgroup server, which expire after 90 days, but some sites out there will
    keep it for years allowing others to respond to.

    Ace
     
    Ace Fekay [MCT], Nov 29, 2009
    #6
  7. Yea, same here. It must be the length of the title. The way the MS MVPS site
    creates links, it is based on the subject. I tried to make the subject all
    encompassing, but it made the URL very long.

    I deleted it and created a new one, and I verified the link is working:

    DNS, WINS & the Client Side Resolver, NetBIOS, Browser Service, Disabling
    NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down, Does a Client
    logon to Another DC, and DNS Forwarders Algorithm
    http://msmvps.com/blogs/acefekay/ar...-another-dc-and-dns-forwarders-algorithm.aspx

    Thanks, Meinolf for catching that. :)

    Cheers!

    Ace
     
    Ace Fekay [MCT], Nov 30, 2009
    #7

  8. Well, you're right. I was using that phrase as a generalization, but more
    specifically the Microsoft public technical newsgroups are pulled by many
    and retained, however, the postings in the Microsoft public newsgroups
    expire in 90 days, while forums and other newservers that pull from here
    keep them for much longer periods, if not indefinitely.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 20, 2010
    #8