UNC connection with DNS
gojericho0 (Member, Posts: 1,059)
in Off-Topic
I would like to phase out NetBIOS in our environment for security and performance reasons. In our test lab the two side effects I have are not being able to use Network Neighborhood (which I expected), but I can also no longer connect using UNC paths to file shares. Is there a way to resolve using DNS, or is it always going to use port 139? I thought CIFS allowed for DNS for name discovery.
This is an all XP/2003 environment
Thanks!
Comments
dynamik (Banned, Posts: 12,312)
Can't you use the FQDN?
i.e. \\computername.domainname.com\share
blargoe (Member, Posts: 4,174)
Are you able to connect to UNC paths using \\fqdn\sharename?
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
gojericho0 (Member, Posts: 1,059)
No, which I thought was weird as well. Going to take a packet capture to see what's going on. Also, we are only a single domain and we should be appending the domain suffix as well. I'll reply after the sniff. Thanks for the help.
gojericho0 (Member, Posts: 1,059)
Ok, capture is showing successful DNS resolution, but then it tries to connect to the remote machine on port 80??? I'm trying to connect using the following:
Start -> Run
\\Computer1\C$
sprkymrk (Member, Posts: 4,884)
Disable NetBIOS over TCP/IP.

Disabling NetBT
Windows 2000 file and print sharing components uses NetBIOS over TCP/IP to communicate with prior versions of Windows and other non-Microsoft clients. However, the Windows 2000 file and print sharing components (the redirector and server) now support direct hosting for communicating with other computers running Windows 2000. With direct hosting, DNS is used for name resolution. No NetBIOS name resolution (WINS or broadcast) is used and no NetBIOS sessions are established.
By default, both NetBIOS and direct hosting are enabled, and both are tried in parallel when a new connection is established. The first to succeed in connecting is used for any attempt. NetBIOS support can be disabled to force all traffic to use direct hosting.
To disable NetBIOS support
1. From Network and Dial-up Connections, select the connection you want to modify, and then right-click Properties.
2. Select Internet Protocol (TCP/IP), and then click Properties.
3. Click Advanced.
4. Select the WINS Address tab.
5. Select Disable NetBIOS over TCP/IP.

Or you may want to set up DFS.
All things are possible, only believe.
gojericho0 (Member, Posts: 1,059)
Hey sprkymrk,
I currently have NetBIOS disabled in the lab, and for some reason the direct connection attempts to connect to the remote PC using HTTP on port 80. We are eventually going to be using DFS exclusively; I just thought I might be able to phase out NetBIOS sooner without having DFS implemented yet.
sprkymrk (Member, Posts: 4,884)
"the direct connection attempts to connect to the remote PC using http on port 80"
I'm fairly certain you need to set up DFS. You have disabled the function of browsing the network via NetBIOS, but the shares are still shared out using NetBIOS sharing techniques.
However, I've never been where you are going, so I can't say for certain.
All things are possible, only believe.
sprkymrk (Member, Posts: 4,884)
Found this, not sure if it means what I think it means (bolded portion):
http://technet2.microsoft.com/windowsserver/en/library/2f4f2924-f6a8-44e2-9b1e-c752e736faff1033.mspx?mfr=true

Disabling NetBIOS over TCP/IP
With computers running Windows Server 2003 operating systems, you can disable NetBIOS over TCP/IP (NetBT) for each network connection. This feature is intended for computers that only use DNS name registration and resolution techniques and communicate by using the Client for Microsoft Networks and the File and Print Sharing for Microsoft Networks components with other computers where NetBT is disabled. Examples of disabling NetBT include computers in specialized or secured roles for your network, such as an edge proxy server or bastion host in a firewall environment, where NetBT support is not required or desired.
The following are considerations for disabling NetBT on computers running Windows Server 2003 operating systems:
• The computer no longer listens for traffic to the NetBIOS datagram service at User Datagram Protocol (UDP) port 138, the NetBIOS name service at UDP port 137, and the NetBIOS session service at Transmission Control Protocol (TCP) port 139.
• TCP/IP-based connections that use the Client for Microsoft Networks and the File and Print Sharing for Microsoft Networks components are only possible to other computers that have NetBT disabled. This affects the ability to browse the network to see network computers and to connect to file shares and network printers.
• NetBIOS name resolution techniques such as WINS, local subnet broadcasts, and the Lmhosts file are no longer used. All name resolution occurs through DNS queries and the Hosts file.
• If the computer needs to participate in WINS as a client, it must have NetBT enabled on at least one network connection.
• If a server running Windows Server 2003 needs to run the WINS service, it must have NetBT enabled on at least one private network connection.
For example, consider disabling NetBT if you have a server computer that has a connection to a private network and a connection to an external network, such as the Internet. In this case, NetBT is not required for the Internet connection. By disabling NetBT on only the Internet connection, the dual-homed computer continues to function as either a WINS server or client for the internal network, and WINS clients are still serviced for connections made by using other physical network adapters installed on the computer.
You can disable NetBT on the WINS tab in the properties of the TCP/IP protocol. For more information, see Configure TCP/IP to use WINS. You can also disable NetBT through DHCP by using a Microsoft vendor-specific DHCP option. For more information, see "Dynamic Host Configuration Protocol" at the Microsoft Resource Kits Web site.

All things are possible, only believe.
gojericho0 (Member, Posts: 1,059)
Thanks guys. Looks like I'll just have to wait until we get our DFS setup. Appreciate the help and the links.
sprkymrk (Member, Posts: 4,884)
Quick question, because I still have not found anything that says you must use DFS when you disable NBT.
What are you doing for DNS? It should be hosted on your DC with host records for all your clients. If you are using an ISP or other DNS server it won't work. According to everything I have read, instead of using NBT (135-139) it should go right to SMB directly over TCP (port 445).
You didn't disable File and Print Sharing, did you?
All things are possible, only believe.
undomiel (Member, Posts: 2,818)
It doesn't look like a DNS issue to me but more of a problem in your lab setup. We aren't using DFS here (yet) but you should be able to access shares by UNC with DNS resolution. I ran a few tests and packet captures here, and if NBT is set to default it defaults to using port 139, but with it disabled it then went over to using port 445 for SMB. No requests were sent out by port 80. It makes me wonder if Explorer is trying to be a web browser for some quirky reason? What happens if you attempt to map a drive from the command line (net use X: \\COMPUTER\share) and then access it?
EDIT update:
Try disabling the WebClient service on the machine and then try to access via UNC.
Jumping on the IT blogging bandwagon -- http://www.jefferyland.com/
gojericho0 (Member, Posts: 1,059)
OK guys, here's an update... meant to post yesterday, but was swamped.
The name resolution part of NetBIOS was disabled via DHCP options, and names were successfully being resolved to IPs and connections took place using TCP/445. The problem was occurring when I disabled the TCP/IP NetBIOS Helper service.
I thought this service was just used for name resolution, but apparently the application is also used for establishing connections with the SMB/CIFS protocol.
Bottom line is that I can configure our DHCP options to disable NetBIOS for name resolution (so I can get rid of the WINS boxes), but will still have to have the TCP/IP NetBIOS Helper service running locally on the client machines until we have DFS up and running.
Thanks for everyone's input
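As an added example (not code posted in this thread), a small Python checker that applies undomiel's capture observations and the outcome of the final post to a constructed capture summary: a client still on NetBT shows 137/138/139 traffic, a clean phase-out shows DNS lookups followed by TCP/445, and a UNC attempt that lands on TCP/80 is flagged for the WebClient and TCP/IP NetBIOS Helper checks discussed above. The "proto src -> dst:port" line format and the IP addresses are constructed assumptions, not output from any real tool.

```python
from collections import defaultdict

# Ports from the Windows Server 2003 notes quoted above (NetBT), plus
# direct-hosted SMB (TCP/445) and the port 80 fallback seen in the thread.
PORT_ROLES = {
    ("udp", 137): "netbt-name-service",
    ("udp", 138): "netbt-datagram",
    ("tcp", 139): "netbt-session",
    ("tcp", 445): "smb-direct",
    ("tcp", 80):  "webclient-fallback",
}

# Constructed capture summary (assumed format, not real tool output).
CAPTURE = """\
udp 10.0.0.5 -> 10.0.0.255:137
tcp 10.0.0.5 -> 10.0.0.20:139
udp 10.0.0.7 -> 10.0.0.2:53
tcp 10.0.0.7 -> 10.0.0.20:445
udp 10.0.0.9 -> 10.0.0.2:53
tcp 10.0.0.9 -> 10.0.0.20:80
"""

def parse_line(line):
    """Split 'proto src -> dst:port' into (proto, src, dst, port)."""
    proto, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return proto.lower(), src, dst, int(port)

def classify(capture):
    """Map each source IP to the set of roles its flows fall into."""
    roles = defaultdict(set)
    for line in capture.strip().splitlines():
        proto, src, _dst, port = parse_line(line)
        if (proto, port) == ("udp", 53):
            roles[src].add("dns")
        elif (proto, port) in PORT_ROLES:
            roles[src].add(PORT_ROLES[(proto, port)])
    return roles

def verdict(role_set):
    """One-line assessment of a client's share access path."""
    if any(r.startswith("netbt") for r in role_set):
        return "still using NetBT"
    if "webclient-fallback" in role_set and "smb-direct" not in role_set:
        return "UNC went to port 80: check lmhosts service and WebClient"
    if "smb-direct" in role_set and "dns" in role_set:
        return "direct-hosted SMB over DNS: OK"
    return "no SMB activity"

if __name__ == "__main__":
    for host, r in sorted(classify(CAPTURE).items()):
        print(f"{host}: {verdict(r)}")
```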