16

We are a development shop where all 50-odd workstation computers run Windows 7 SP1 and most of our 20-30 servers are Server 2008 R2 or Server 2008 (there are a few stragglers still on Server 2003). We have a flat, single subnet environment where servers and workstations are in the same network. We have DNS servers with dynamic DNS registration enabled and currently we have WINS servers too. In performing some diagnostic Wireshark packet capturing on our network for a different issue, we've seen that there is quite a lot of NetBIOS broadcast noise on our network.

We are looking to disable NetBIOS broadcast by changing the node type of our workstations (and possibly servers) to p-node (or peer only) where WINS will be used as the only name resolution method. We will most likely configure it via the 043 DHCP option to ensure that even non-domain joined clients participate on our network without broadcast. We considered using the Group Policy approach to roll-out the registry key, but this may have detrimental effects on our laptop users when offsite (such as on their home networks).

Here are my questions:

  • Will this cause issues with any of the few Windows Server 2003 servers we have left, or for any of our Windows 7 clients or other newer Windows servers?
  • Further to that, is it even advisable to prevent NetBIOS broadcast or should the noise just be ignored as a typical part of the network?
  • We've also considered disabling NetBIOS completely. However, the only way I know of doing so is to disable NetBIOS over TCP/IP. I assume this is the only NetBIOS method left in Windows 7? So disabling this on the NIC (or for the whole PC) disables NetBIOS completely?
  • Will disabling NetBIOS mean that the FQDN/long name (eg, companyname.tld) of the domain need to be used for logon purposes due to the short-name (eg, COMPANYNAME) no longer being available? (ie, username@companyname.tld has to be used instead of COMPANYNAME\username) If this is the case, will Windows still show Logon to: COMPANYNAME or will it show Logon to: companyname.tld.

In summary, we're after some guidance on what is common practice for organisations to do with NetBIOS communications these days and the experiences of others when making changes to NetBIOS network configuration similar to my topology.

I've found the below topic which links to a few others, but I'm still not convinced. I'd like to know the steps people took to 'disabling' or limiting NetBIOS and any shortcomings or advantages of doing so.

NetBIOS "free" network?

Edit:

As per questions; running Active Directory, functionality level 2008, prepped for 2008 R2, soon to be R2 functionality.

And I received a decent "why" question, to which I said:

I'm of the opinion that if it isn't needed, it shouldn't be on. Plus, there is a lot of noise on the network from broadcast resolutions - sure these packets are tiny, but I just was after some clarity on what others (perhaps in bigger organisations) have done regarding NetBIOS.

Ashley
  • Are you using Active Directory? You mention GPO but don't specifically state if this is an AD managed network. – SpacemanSpiff Oct 10 '11 at 22:44
  • That's a lot of words but none of them hint at just why you want to do this. Care to share your reason(s)? – John Gardeniers Oct 11 '11 at 01:27
  • @SpacemanSpiff: Yeah definite Active Directory - I must've accidentally deleted the part where I said I had a 2008 forest and domain functionality level. – Ashley Oct 11 '11 at 07:02
  • @JohnGardeniers I'm of the opinion that if it isn't needed, it shouldn't be on. Plus, there is a lot of noise on the network from broadcast resolutions - sure these packets are tiny, but I just was after some clarity on what others (perhaps in bigger organisations) have done regarding NetBIOS. – Ashley Oct 11 '11 at 07:03

2 Answers

11

If you don't have any applications that need it, just take down the WINS server and disable NetBIOS over TCP/IP completely, I'd say. Short names still work just fine in a DNS-only network by virtue of search suffixes.

If clients are set to the default NetBIOS setting (enabled except if DHCP says not to), then you can simply set the flag in the DHCP options to disable NetBIOS, under the Microsoft Windows 2000 Options vendor class - set an 0x2 under the 001 Microsoft Disable Netbios Option - see this MS KB for details.

Shane Madden
  • Have you had experience with this being successful in a sizeable organisation? Do you have any suggested methods for testing or scenarios to test before roll-out to all? – Ashley Oct 11 '11 at 07:08
  • @AshleySteel Sure, I've disabled it completely in a 1500 user organization. I'd normally recommend disabling it on one subnet to test, but since you only have one subnet, maybe just disable it manually on a handful of systems and verify that no applications break? – Shane Madden Oct 11 '11 at 14:33
8

In addition to what Shane posted in his answer, take care not to slay the wrong dragon. Yes, NetBIOS is chatty, but it's not necessarily a problem that needs to be dealt with. Broadcast traffic, whether it be at layer 2 (ARP, Spanning Tree BPDU's, etc) or layer 3 (NetBIOS, etc) is a normal component of network traffic and communication. The key is to know whether or not the particular broadcast traffic you're focused on (ARP flooding, broadcast storm, multicast storm) is contributing to network issues (most likely congestion) which can manifest itself in duplicate ACK's, packet loss, TCP retransmits, TCP fast retransmits, etc.

My suggestion would be to run a packet capture on your switch (if the switch supports port mirroring/monitoring) with packet capture software that can give you a view of the percentage of traffic that is broadcast traffic as a whole and also what percentage of traffic is NetBIOS broadcast traffic. NetBIOS traffic that is not broadcast traffic (meaning it's unicast traffic) shouldn't present any more of a problem than any other unicast traffic.

I don't know of any hard numbers but if your percentage of broadcast traffic is above a few percent (not more than 5% probably) then you probably have network congestion that's manifesting itself in the symptoms I described above. At that point you should track down the cause of the congestion and resolve it.

One source of network congestion, for example, is heartbeat traffic related to load balancing or NIC teaming.

joeqwerty
  • For sure - a lot of scroll in a Wireshark capture does not necessarily mean a lot of traffic. – Shane Madden Oct 10 '11 at 23:57
  • I generally use Wireshark (or Microsoft Network monitor) for looking at specific problems (host to host issues) and I use Colasoft Capsa to get a "big picture" view of the network. If I could afford it I'd use Cascade Pilot. – joeqwerty Oct 11 '11 at 00:09
  • Yeah, I haven't done anything intensive with regards to packet captures on switches or a large amount of hosts, but the few times I've had to pull out Wireshark to do some diagnosis it's been difficult with all the broadcast traffic in there. My question was more from a curiosity stand-point on whether NetBIOS is really needed and whether it's safe to disable (less is more? :P). – Ashley Oct 11 '11 at 07:13
  • It's pretty simple to remove particular types of traffic from your Wireshark capture. The capture filter "not broadcast" will help, for instance. – Dan Pritts Nov 28 '12 at 21:23
  • Or, keep all of the Wireshark packets and use a display filter to eliminate the traffic you don't want to see on your screen. A capture filter prevents the packet types specified in the capture filter from being captured at all. The display filter just removes the packets you don't want displayed on your screen but keeps them in your capture file. – Bill Vallance Sep 27 '19 at 17:17
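
The measurement suggested in joeqwerty's answer, as an added example that is not from any poster in this thread: it classifies raw Ethernet frames as broadcast and as NetBIOS name or datagram service (UDP 137/138) and reports each as a percentage of all frames. The function names and the sample frames are constructed for illustration; reading frames out of a real capture file is assumed to be done by whatever pcap reader you use.

```python
import struct

BROADCAST_MAC = b"\xff" * 6                    # layer-2 broadcast only, not multicast
NETBIOS_UDP = {137: "name", 138: "datagram"}  # NBNS / NetBIOS datagram service

def classify(frame):
    """Return (is_broadcast, NetBIOS service or None) for one Ethernet II frame."""
    if len(frame) < 14:
        return False, None
    is_bcast = frame[:6] == BROADCAST_MAC
    off = 12
    if frame[off:off + 2] == b"\x81\x00":       # skip one 802.1Q VLAN tag
        off += 4
    ip = off + 2
    if frame[off:ip] != b"\x08\x00" or len(frame) < ip + 20:
        return is_bcast, None                   # ARP, IPv6, STP, truncated frame
    ihl = (frame[ip] & 0x0F) * 4                # IPv4 header length in bytes
    if frame[ip + 9] != 17 or len(frame) < ip + ihl + 4:
        return is_bcast, None                   # not UDP
    (dport,) = struct.unpack_from("!H", frame, ip + ihl + 2)
    return is_bcast, NETBIOS_UDP.get(dport)

def summarize(frames):
    """Frame counts plus broadcast and NetBIOS-broadcast share of all frames."""
    s = {"total": 0, "broadcast": 0, "netbios_broadcast": 0, "netbios_unicast": 0}
    for f in frames:
        bcast, nb = classify(f)
        s["total"] += 1
        s["broadcast"] += bcast
        if nb:
            s["netbios_broadcast" if bcast else "netbios_unicast"] += 1
    s["broadcast_pct"] = 100.0 * s["broadcast"] / max(s["total"], 1)
    s["netbios_broadcast_pct"] = 100.0 * s["netbios_broadcast"] / max(s["total"], 1)
    return s

def build_frame(dst_mac, etype=0x0800, proto=17, dport=0):
    """Build a constructed test frame (not real capture data)."""
    eth = dst_mac + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", etype)
    if etype != 0x0800:
        return eth + b"\x00" * 28               # e.g. an ARP-sized body
    l4 = struct.pack("!HHHH", 50000, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 255]))
    return eth + ip + l4

HOST = b"\x02\x00\x00\x00\x00\x02"              # constructed unicast destination
SAMPLE = ([build_frame(BROADCAST_MAC, dport=137)] * 3
          + [build_frame(BROADCAST_MAC, dport=138), build_frame(BROADCAST_MAC, etype=0x0806)]
          + [build_frame(HOST, dport=137)] + [build_frame(HOST, proto=6, dport=445)] * 14)
```

Calling `summarize(SAMPLE)` separates NetBIOS broadcasts from unicast NetBIOS traffic (for example queries sent directly to a WINS server), which is the distinction the answer draws.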