cnfuzzd wrote: netbios is not native to the tcp/ip stack, is it?
cnfuzzd wrote: netbios is required for forest-level stuff, like creating trusts etc.
Yes (at least in Windows), that's what allows you to do things like browse for computers through network neighborhood. At least, I consider that to be part of the stack. Maybe it is technically considered to be separate, but enabled by default.
The NetBIOS API allows applications on separate computers to communicate over a local area network. In modern networks, it normally runs over TCP/IP (NetBIOS over TCP/IP, or NBT), giving each computer in the network both a NetBIOS name and an IP address corresponding to a (possibly different) host name. Older operating systems ran NetBIOS over IPX/SPX or IEEE 802.2 (NBF). NetBIOS provides services related to the session layer of the OSI model.
No, that's DNS. You can disable NetBIOS if you don't need people to do things like browse for computers and/or have any legacy applications that depend on it.
Amazingly, NetBIOS is actually still used in the trust creation process -- even though Microsoft has officially "deprecated" NetBIOS in versions of Windows from 2000 on. Here's a simple illustration. Install Windows Server 2003 on two machines as standalone servers. Use dcpromo (or Manage Your Server) to install Active Directory on one of them, using test.local as the DNS name of the forest root domain. As you walk through this process, dcpromo will automatically suggest TEST as the NetBIOS name for the new domain, and accept this default. Then promote the second machine and try to create a second forest whose root domain is named test.com. Notice when you do this the wizard automatically suggests TEST0 as the NetBIOS name for the second domain so there won't be any NetBIOS name conflict with the first domain -- even though the two domains are in different forests. Once you're done you can use Active Directory Domains and Trusts in either forest to create a two-way transitive forest trust between the two forests as desired. Now try it again, but this time after installing Windows Server 2003 on your machines disable NetBIOS on them as follows: open Local Area Connection, double-click on Internet Protocol (TCP/IP), click Advanced, go to the WINS tab, and select the Disable NetBIOS over TCP/IP option (you don't have to reboot for the change to take effect). Now continue as before, creating the forest root domain test.local for the first forest. But now when you try to create the forest root domain test.com for the second forest, the second machine can't use NetBIOS to detect that another domain is already using TEST for its NetBIOS name and so you end up with two forests, test.local and test.com, both of which have forest root domains whose NetBIOS name is TEST. Before you try to get the two domains to trust each other, you have to allow them to somehow resolve each other's names. Since NetBIOS is disabled, you must use DNS to do this. 
The simplest way is to configure conditional forwarding on the test.local domain controller so it forwards all name resolution requests to the test.com domain controller, and vice versa (both machines are also DNS servers since they are the first domain controllers in their respective forests). Once you've done this extra step, go ahead and try establishing a forest trust (or even an external trust) between the two domains. You can't -- the process fails with an error message even though it walks you through all the steps of the wizard and the domains resolve each other. And enabling NetBIOS at this point on the machines doesn't help either; the problem is the two domains have identical NetBIOS names. So you're stuck and will have to reinstall one of the domains from scratch, for even the domain rename tool (rendom.exe) won't let you rename the forest root domain.
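A pre-check for the failure mode described above, added here as an example and not part of the thread: before attempting the forest trust, confirm that the two forest root domains actually carry different NetBIOS names, and report whether NetBIOS over TCP/IP is disabled on the local machine. It assumes the ActiveDirectory RSAT module is installed and that the DNS conditional forwarding step from the post is already in place so each domain can locate the other's domain controller; the `Get-ForestTrustReadiness` function name is this example's own.

```powershell
# Added example (not from the thread): verify NetBIOS-name readiness for a forest trust.
# Domain names are the thread's own test.local / test.com; everything else is assumed.

function Get-ForestTrustReadiness {
    param(
        [Parameter(Mandatory)] [string] $LocalDomain,   # e.g. test.local
        [Parameter(Mandatory)] [string] $RemoteDomain   # e.g. test.com (reachable via DNS forwarding)
    )

    # Get-ADDomain exposes the NetBIOS name the domain was created with (dcpromo's TEST / TEST0).
    $localAd  = Get-ADDomain -Identity $LocalDomain
    $remoteAd = Get-ADDomain -Identity $RemoteDomain

    # Case-insensitive compare: two forest roots both named TEST is exactly the stuck state.
    $conflict = $localAd.NetBIOSName -ieq $remoteAd.NetBIOSName

    # TcpipNetbiosOptions: 0 = use DHCP-supplied setting, 1 = enabled, 2 = disabled.
    # Same setting as the "Disable NetBIOS over TCP/IP" radio button on the WINS tab.
    $nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions
    $anyEnabled = $nbt | Where-Object TcpipNetbiosOptions -ne 2

    [pscustomobject]@{
        LocalNetBIOS        = $localAd.NetBIOSName
        RemoteNetBIOS       = $remoteAd.NetBIOSName
        NetBIOSNameConflict = $conflict
        LocalNbtDisabled    = -not $anyEnabled
        Adapters            = $nbt
    }
}

$r = Get-ForestTrustReadiness -LocalDomain 'test.local' -RemoteDomain 'test.com'
if ($r.NetBIOSNameConflict) {
    Write-Warning ("Both forest roots use NetBIOS name '{0}'. The trust wizard will fail, and " +
                   "rendom.exe cannot rename a forest root, so one forest must be rebuilt.") -f $r.LocalNetBIOS
} else {
    Write-Output ("NetBIOS names differ ({0} / {1}); safe to attempt the forest trust." -f
                  $r.LocalNetBIOS, $r.RemoteNetBIOS)
}
if ($r.LocalNbtDisabled) {
    Write-Output "NetBIOS over TCP/IP is disabled on every IP-enabled adapter; duplicate-name detection during dcpromo was unavailable."
}
```

Run this on the first DC of either forest once both can resolve each other; a true NetBIOSNameConflict means the trust attempt in the post will fail regardless of DNS or re-enabling NetBIOS afterwards.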