Troubleshooting the Browser Service

By Ace Fekay, , MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

v2

 

Preamble:

Each subnet has it’s own master browser, and if you are using WINS, the master browser works together with the WINS service to enumerate an infrastructure wide browse list.

If not using WINS, it uses broadcasts, however, you’ll only see what’s on your own subnet, because NetBIOS broadcasts are more than likely blocked by routers, which is default, and many routers don’t allow NetBIOS broadcast across subnets to be enabled.

If you are in a multi-subnetted environment, and you want full browsing capabilities, to get around routers blocking NetBIOS broadcasts, it’s suggested to use WINS.

And the default WINS settings out-of-the-box, work fine, as long as you set up DHCP WINS options correctly. There is no need to adjust WINS’ registry parameters, otherwise you’ll find yourself trying to change registry entries on multiple servers and mis-keying something. Here’s more info on configuring WINS:

WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

If you’ve just upgraded your PDC from Windows 2003 to Windows 2008 or Newer

The Computer Browser service on Windows 2008 and newer is disabled by default. If you want the PDC Emulator to do it’s job as the Master Browser and not have some workstation win the election (read below what that means), then I suggest to set it to Automatic and start it. Otherwise, browsing will not work properly and you’ll be chasing a ghost trying to figure out why. I usually just enable it on all of my DCs. More info in the following link:

NetBIOS browsing across subnets may fail after upgrading to Windows Server 2008
http://blogs.technet.com/b/networking/archive/2008/07/25/netbios-browsing-across-subnets-may-fail-after-upgrading-to-windows-server-2008.aspx

Preferably install at least one server OS on each subnet:

If there is a server OS, and it’s not multihomed, especially if a DC on the subnet and it’s not multihomed (multihoming a DC is a really bad idea), then it should win, unless there’s a problem with the machine itself, such as some sort of security setting in your antivirus blocking traffic, or firewall blocking traffic on it.

And as mentioned, if you just upgraded the PDC emulator to 2008 or newer, set the Computer Browser service to Automatic and start it.

If you find workstations are becoming masters, that means there are no server operating systems on those subnets, in such cases, the workstation will win Master Browser election.

And I realize in many large infrastructures, it would be nearly impossible to put a server operating system on each subnet. However, as long as there is a desktop using the latest client operating system that is always up and running 24/7, that will do the trick.

If a newer client OS were to be introduced, then it would start a master browser election, and win the election (OS version and server role is a factor in the election process). And any machine that someone clicks on Network Neighborhood or clicks a Browse button somewhere, would invoke an election, but if a desktop is running on the subnet 24/7, it will win the election, since it’s already up and running.

If you don’t want any other client machine to win the election and were to opt for only that one machine, you can set a registry entry using a GPO to disable participating in the browse list for all the machines in the subnet other than the client machine you chose to keep up and running 24/7:

Set the client machine of your choosing to:
Emulator MaintainServerList=Yes, IsDomainMaster=True

All other clients on the subnet, set it to:
MaintainServerList=Auto,IsDomainMaster=False

I’m not saying this is a perfect solution, but it’s something to consider. Otherwise, if no specific machine is up and running 24/7 on any given subnet, the browse list will be rebuilt each time everyone shuts down, then brings their machines up in the morning, and the cycle starts from scratch to rebuild the list of machines on that subnet.

 

Third Party Devices Participating in the Browser Service

I would like to point out that if you have any 3rd party devices, such as a Seagate BlackArmor NAS, it will jump in on the election process and may win, which in case will snafu your browse list. I had one of those devices at a customer site last year causing numerous problems with the browse list, which in turned snowballed to cause problems with Symantec BackupExec, and other services that rely on browsing.

After some troubleshooting, I found that the BlackArmor NAS was consistently winning the election causing the problems. I couldn’t find anything specific on how to disable browser service participation on the device. It has the latest firmware. I contacted Seagate, and they said they couldn’t help me to disable the device’s ability to participate in the Browser Service.

I finally moved it on to its own VLAN so it can be king of itself on that subnet, so to speak. I gave it it’s own island. Smile

 

Browse List Propagation:

We have to keep in mind with troubleshooting the browser service, there is a time period you have to wait for the list to fully enumerate and become available on the master. A good example is when a server is shut off on a segment, and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimal of 12 minutes, upwards to the 48-minute full propagation cycle in a multiple-segment domain environment.

 

When to Troubleshoot

Below are the generic troubleshooting steps I used to troubleshoot the browser service that helped me find out the BlackArmor device was the culprit.

If you are seeing problems with the browser service, such as computers disappearing from the browse list, whether the cause is a third party device, Unix/Linux machine running Samba, or simply based on the infrastructure’s design, it might be a good idea to start troubleshooting to find the culprit.

 

Prepare to Troubleshoot:

  • Make sure the Computer Browser service is Started. Make sure NetBIOS is enabled on al machines.
  • On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the “browstat” utility available.
  • With Windows 2008 and newer, the utility is already installed as part of the operating system files.
  • If there are any antivirus software, third party firewalls, or firewall rules between locations blocking WINS traffic (TCP 42), it could block browser traffic, too. This of course, assumes the Computer browser service is running.

 

Firewall blocks – Test it with PortQry

You can use the Portqry.exe utility to test if the Browser, SMB, WINS and the ephemeral (service response) ports are permitted.

  • Browser: UDP 137/138, TCP 139
  • SMB: TCP 445
  • WINS: TCP 42
  • Ephemeral (Service Response Ports): Varies depending on OS:
    • Windows 2000/2003/XP: TCP/UDP 1024-5000
    • Windows 2008/Vista and newer: TCP/UDP 49152-65535

Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099

Active Directory Firewall Ports – Let’s Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx 

 

Multihomed DCs:

And if you have any multihomed DCs, among numerous other problems, that is a major cause of browser problems. Multhoming DCs is not recommended for multiple reasons, including a “Multihomed Browser” scenario. I suggest to disable one of the interfaces.

More info regarding multihoming DCs and why not to do it:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

 

Troubleshooting Steps:

Run a browstat status to see who the browse master is for the segment. If it’s not the PDC Emulator, and some other device won the election, that can cause a problem.

To check current status of the browse service on the domain, run:
browstat status

You should get a response similar to:
Browsing is active on domain.
Master browser name is: <serverName>

Note, the machine that is the current master browser will either be, depending if the machine type exists on the segment: the PDC Emulator, a replica DC on the segment, a member server, joined workstation, or workgroup member, Unix or Linux with SAMBA, etc.

If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact their support department, or put the device behind it’s own subnet or VLAN to prevent it from winning the election on the production network.

To find the current browse master on a segment, you’ll have to find the TransportID:
First run:

browstat getmaster \device\netbt_el59x1 <domainname>

It will error out because the “netbt_el59x1” probably doesn’t exist, and will respond with the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:

browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Force an election by running:
browstat elect \device\netbt_ieepro1 <domainname>

Then check the event logs to see which machine won the election. If it’s a device, such as I’ve found that Linux/Unix with SAMBA, or devices such as a Seagate NAS, may win the election and cause browsing havoc within an environment and get that familiar, but unwanting “Access Denied” when trying to browse.

 

Master Browser Election Process

I know, most of you probably wondered what the order of who would be the winner during a Master Browser election. The winner of a browse master election process is based on operating system version and role. It’s also based on each subnet.

So if a Windows XP client is on a subnet by itself, then yes, it may become an MB if nothing else beats it.

And if a Windows Server 2008 R2 DC is on subnet 192.168.50.0/24 and on subnet 192.168.30.0/24 there are only a bunch of Windows XP and 2000 computers, then the XP will win.

If the DC is multihomed, then that will definitely throw a wrench into it. Do NOT multihome your DC. Really, believe me, you don’t want to do it.

The following list shows the order of precedence of which operating system will win. And keep in mind, it’s subnet specific.

1. DC – PDC Emulator (no matter what OS)
2. DC – Non-PDC Emulator (no matter what OS)
3. Windows Server 2012
4. Windows 8
5. Windows Server 2008 R2
6. Windows 7
7. Windows Server 2008
8. Windows Vista
9. Windows Server 2003 R2
10. Windows Server 2003
11. Windows XP
12. Windows Server 2000
13. Windows 2000 Pro
14. Windows NT 4.0
15. Windows ME
16. Windows 98
17. Windows 95
18. Windows for Workgroups 3.11
19. Windows 3.1 with NDIS
20. DOS

 

Reference:

Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305

Browser Elections
http://technet.microsoft.com/en-us/library/cc959896.aspx 

Description of the Microsoft Computer Browser Service
http://support.microsoft.com/kb/188001?wa=wsignin1.0

==============================================================

Summary

Updated 10/18/2014

I hope this helps! I’m sure I may have missed something. Comments and suggestions are welcomed.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002[6] clip_image004[6] clip_image006[6] clip_image008[6] clip_image010[6] clip_image012[6] clip_image014[6]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Do I need NetBIOS?

By Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
www.delcocomputerconsulting.com

Do you need NetBIOS? That Depends …

Previous to Windows2000, Microsoft OS could only use SMB over a NetBIOS session. This means that all SMB traffic will start after NetBIOS session is established. It’s relies on TCP port 139. If we disabled the NetBIOS over TCP/IP, the SMB connectivity was interrupted.

With Windows 2000 and higher version, the OS support both NetBIOS sessions and Direct Hosting. That’s because Windows 2000 and newer will try to connect simultaneously over NetBIOS (port 139) and DirectSMB (port 445). If no response from the target on 445, it reverts back to 139. This offers legacy support for NetBIOS based apps.  That is why if you disable NetBIOS on a server, it will still connect to other servers, but any NetBIOS based apps that require connectivity to that server will fail.

If you run a netstat -a, you can see port 445. It may even define it as Microsoft-DS, which means Microsoft DirectSMB. I know Vista doesn’t, but Windows 2003 will.

What’s TCP port 445 used for in Windows 2000/XP?
http://www.petri.co.il/what’s_port_445_in_w2k_xp_2003.htm

Quick Brief on NetBIOS and Those Noisy Broadcasts

Any machine that is NetBIOS capable (Windows, or Unix/Linux machines with SAMBA installed), will participate in a NetBIOS environment and with the browser service. Any NetBIOS capable machine will broadcast their NetBIOS computer name every 60 seconds, “Hey, my computer name is Computer1, and my IP address is <enterIP>, and I am offering the Workstation Service and Server Service on such and such workgroup and/or domain.”

WINS is a NetBIOS name to IP database. It’s a flat database with no hierarchal structure – simply one name to one IP. It’s similar to DNS, but DNS is hierarchal (child3.child2.child1.domain.com, etc.).

When you install WINS and configure all machines to use WINS, then the NetBIOS aware processes and functions will recognize there is a WINS server configured, and instead of broadcasting every 60 seconds, it simply registers its name and related services to the WINS database instead of repeatedly broadcasting, or simply put, it shuts up yelling out its name every 60 seconds.

Without WINS, it’s like a grade school cafeteria with all the background chatter, conversation, etc. With WINS, think of it as the kids in the cafeteria quietly enter their names, thoughts into a database and the other kids can read the database, so there is no more noise. Kind of like if every kid were to be yelling back and forth using Facebook using a table or smartphone in front of them, instead of peeping one word.

Therefore, WINS literally quiets the network. Period. But all machines must be configured with WINS to make this happen.

When a WINS enabled client needs to resolve a name, it really tries to resolve it first by DNS (hostname resolution process), and if only that doesn’t work, only then does it query WINS. If WINS isn’t configured, it would have used broadcast to find it, and if WINS doesn’t have the name entered in the database, it will use broadcast to find it.

The Computer Browser services enumerates and assembles the Browse List (the neighborhood) using Broadcasts. If WINS is configured, it will use the WINS database to assemble the browse list. This is why without WINS, the browse service can only assemble the local subnet, since NetBIOS does not travers across subnets. WINS provides multi-subnet support for NetBIOS resolution as well as enterprise-wide browse list so any machine anywhere in a network can browse to a machine anywhere else in a network, such as a machine in NY can browse to a machine in San Fran.

Joining a machine to the domain.

Yep, you need it to join a machine.

Windows 7 or Windows Server 2008 R2 domain join displays error “Changing the Primary Domain DNS name of this computer to “” failed….”
http://support.microsoft.com/kb/2018583

Network and Printer Browsing

The only complaints I’ve heard is losing network and printer browsing capabilities across subnets, since the browser service compiles the browse list from broadcasts, but broadcasts do not traverse routers to reduce excessive traffic across WAN links.However, I can’t substantiate the complaints, since all small to medium sized installations I’ve worked with kept NetBIOS enabled and used WINS.

Then again, you can use AD printer publishing for that feature and search AD for printers (when you share a printer, there’s a checkbox to publish it in AD).

WINS

Your best bet for smooth sailing with multi-subnet browsing and to support legacy apps is to use WINS.

WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

Legacy Apps Require NetBIOS

So the biggest caveat is with legacy apps that rely on NetBIOS. For example, SEP and McAfee ePO uses the browser service, not DirectSMB, and they will fail with central control, updates, etc.

If you disable NetBIOS over TCP/IP, it causes functionality issues with ePO 4.x
https://kc.mcafee.com/corporate/index?page=content&id=KB76756&cat=CORP_EPOLICY_ORCHESTRATOR&actp=LIST

Environmental requirements for agent deployment from the ePO 4.x server
https://kc.mcafee.com/corporate/index?page=content&id=KB56386

Same with Backup Exec and backup agents. There are many other apps that require NetBIOS functionality.

What I can say is that some legacy applications and services still require WINS that AD DirectSMB doesn’t support, some of these apps include, but not limited to are:

  • Exchange 2003 with certain Outlook features
  • McAfee Enterprise ePolicy Orchestrator
  • Symantec Endpoint Protection
  • Symantec Backup Exec
  • Computer Associates AV
  • SQL
  • Mapped Drives
  • Printer sharing (not published in AD)
  • and many more….

Exchange 2000/2003 Need NetBIOS

Yea, I know this is the day and age of Windows 2012 and Exchange 2013, but believe it or not, there are still installations out there that are running legacy operating systems and Exchange, so I had to throw this in there.

Exchange 2000/2003require NetBIOS is Exchange 2003 for Outlook-Exchange Free/Busy communications.

WINS is still required with both Exchange 2000 and 2003
Aug 8, 2005 … See why Exchange needs WINS and how you can get a WINS server up and running and configure Exchange to use it. …
http://articles.techrepublic.com.com/5100-10878_11-5820760.html

WINS and Exchange 2003 Server Dependencies:
I had been laboring under the delusion that Windows and Exchange 2003 servers no longer need WINS, it seems that I was wrong. However, what I now believe …
http://www.computerperformance.co.uk/w2k3/services/WINS_exchange.htm

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name …
You may have to use NetBIOS name resolution across different subnets for the … The following Exchange functionality still depends on WINS name resolution: …
http://support.microsoft.com/kb/837391

So you have to ask yourself, what else are you running?

Search Suffixes

Search Suffixes are used to facilitate single name resolution. As long as the search suffix is properly configured for your infrastructure, you should be ok.

Configuring DNS Search Suffixes
http://msmvps.com/blogs/acefekay/archive/2011/02/12/configuring-dns-search-suffixes.aspx

Suggestions, Corrections, & Comments are welcomed.

Ace Fekay

Troubleshooting the Browser Service

By Ace Fekay, MCT, MVP
10/1/2012

Preamble:

Keep in mind, each subnet has it’s own master browser, and if you are using WINS, the master browser works together with the WINS service to enumerate an infrastructure wide browse list.

If not using WINS, it uses broadcasts, however, you’ll only see what’s on your own subnet, because NetBIOS broadcasts are more than likely blocked by routers, which is default, and many routers don’t allow NetBIOS broadcast across subnets to be enabled.

And if you are in a multi-subnetted environment, and you want full browsing capabilities, to get around routers blocking NetBIOS broadcasts, it’s suggested to use WINS.

And the default WINS settings out-of-the-box, work fine, as long as you set up DHCP WINS options correctly. There is no need to adjust WINS’ registry parameters, otherwise you’ll find yourself trying to change registry entries on multiple servers and mis-keying something. Here’s more info on configuring WINS:

WINS – What Is It, How To Install It, WINS Replication Partner Design Guidelines, How to Configure DHCP Scopes For WINS Client Distribution, and more:
http://msmvps.com/blogs/acefekay/archive/2010/10/27/wins-what-is-it-how-to-install-it-and-how-to-configure-dhcp-scopes-for-wins-client-distribution.aspx

 

Preferably install at least one server OS on each subnet:

If there is a server OS, and it’s not multihomed, especially if a DC on the subnet and it’s not multihomed (multihoming a DC is a really bad idea), then it should win, unless there’s a problem with the machine itself, such as some sort of security setting in your antivirus blocking traffic, or firewall blocking traffic on it.

If you find workstations are becoming masters, that means there are no server operating systems on those subnets, in such cases, the workstation will win Master Browser election.

And I realize in many large infrastructures, it would be nearly impossible to put a server operating system on each subnet. However, as long as there is a desktop using the latest client operating system that is always up and running 24/7, that will do the trick.

If a newer client OS were to be introduced, then it would start a master browser election, and win the election (OS version and server role is a factor in the election process). And any machine that someone clicks on Network Neighborhood or clicks a Browse button somewhere, would invoke an election, but if a desktop is running on the subnet 24/7, it will win the election, since it’s already up and running.

If you don’t want any other client machine to win the election and were to opt for only that one machine, you can set a registry entry using a GPO to disable participating in the browse list for all the machines in the subnet other than the client machine you chose to keep up and running 24/7:

Set the client machine of your choosing to:
Emulator MaintainServerList=Yes, IsDomainMaster=True

All other clients on the subnet, set it to:
MaintainServerList=Auto,IsDomainMaster=False

I’m not saying this is a perfect solution, but it’s something to consider. Otherwise, if no specific machine is up and running 24/7 on any given subnet, the browse list will be rebuilt each time everyone shuts down, then brings their machines up in the morning, and the cycle starts from scratch to rebuild the list of machines on that subnet.

 

Third Party Devices Participating in the Browser Service

I would like to point out that if you have any 3rd party devices, such as a Seagate BlackArmor NAS, it will jump in on the election process and may win, which in case will snafu your browse list. I had one of those devices at a customer site last year causing numerous problems with the browse list, which in turned snowballed to cause problems with Symantec BackupExec, and other services that rely on browsing.

After some troubleshooting, I found that the BlackArmor NAS was consistently winning the election causing the problems. I couldn’t find anything specific on how to disable browser service participation on the device. It has the latest firmware. I contacted Seagate, and they said they couldn’t help me to disable the device’s ability to participate in the Browser Service.

I finally moved it on to its own VLAN so it can be king of itself on that subnet, so to speak. I gave it it’s own island. Smile

 

Browse List Propagation:

We have to keep in mind with troubleshooting the browser service, there is a time period you have to wait for the list to fully enumerate and become available on the master. A good example is when a server is shut off on a segment, and the workstations kick in, or the server is rebooted, wins the election, and begins a new cycle to enumerate the browse list from WINS and/or broadcasts. This can take a minimal of 12 minutes, upwards to the 48-minute full propagation cycle in a multiple-segment domain environment.

 

When to Troubleshoot

Below are the generic troubleshooting steps I used to troubleshoot the browser service that helped me find out the BlackArmor device was the culprit.

If you are seeing problems with the browser service, such as computers disappearing from the browse list, whether the cause is a third party device, Unix/Linux machine running Samba, or simply based on the infrastructure’s design, it might be a good idea to start troubleshooting to find the culprit.

 

Prepare to Troubleshoot:

  • Make sure the Computer Browser service is Started. Make sure NetBIOS is enabled on al machines.
  • On Windows 2003 and 2000, install the Support Tools (from the Windows CDROM) in order to have the "browstat" utility available.
  • With Windows 2008 and newer, the utility is already installed as part of the operating system files.
  • If there are any antivirus software, third party firewalls, or firewall rules between locations blocking WINS traffic (TCP 42), it could block browser traffic, too. This of course, assumes the Computer browser service is running.

 

Firewall blocks – Test it with PortQry

You can use the Portqry.exe utility to test if the Browser, SMB, WINS and the ephemeral (service response) ports are permitted.

  • Browser: UDP 137/138, TCP 139
  • SMB: TCP 445
  • WINS: TCP 42
  • Ephemeral (Service Response Ports): Varies depending on OS:
  • Windows 2000/2003/XP: TCP/UDP 1024-5000
  • Windows 2008/Vista and newer: TCP/UDP 49152-65535

Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099

Active Directory Firewall Ports – Let’s Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx 

 

Multihomed DCs:

And if you have any multihomed DCs, among numerous other problems, that is a major cause of browser problems. Multhoming DCs is not recommended for multiple reasons, including a "Multihomed Browser" scenario. I suggest to disable one of the interfaces.

More info regarding multihoming DCs and why not to do it:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters – A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

 

Troubleshooting Steps:

Run a browstat status to see who the browse master is for the segment. If it’s not the PDC Emulator, and some other device won the election, that can cause a problem.

To check current status of the browse service on the domain, run:
browstat status

You should get a response similar to:
Browsing is active on domain.
Master browser name is: <serverName>

Note, the machine that is the current master browser will either be, depending if the machine type exists on the segment: the PDC Emulator, a replica DC on the segment, a member server, joined workstation, or workgroup member, Unix or Linux with SAMBA, etc.

If you find a device is winning the election, then we need to disable that ability in the device. If there are no features for that, contact their support department, or put the device behind it’s own subnet or VLAN to prevent it from winning the election on the production network.

To find the current browse master on a segment, you’ll have to find the TransportID:
First run:

browstat getmaster \device\netbt_el59x1 <domainname>

It will error out because the "netbt_el59x1" probably doesn’t exist, and will respond with the transports currently bound to the browser. Copy and paste the transport that does show up into your next command:

browstat getmaster \Device\NetBT_Tcpip_{C2055954-4F86-446F-ACBA-E00BE731C3FB} <domainname>

Force an election by running:
browstat elect \device\netbt_ieepro1 <domainname>

Then check the event logs to see which machine won the election. If it’s a device, such as I’ve found that Linux/Unix with SAMBA, or devices such as a Seagate NAS, may win the election and cause browsing havoc within an environment and get that familiar, but unwanting "Access Denied" when trying to browse.

 

Reference:

Troubleshooting the Microsoft Browser Services:
http://support.microsoft.com/kb/188305

 

Comments, corrections and suggestions are welcomed.
Ace Fekay