Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_N1001. The backup browser is stopping.
|English: This information is only available to subscribers. An example of English, please!|
|Concepts to understand:|
What does NetBT mean?
What is the role of the Browser service?
What is a backup list?
I had this issue on a DC (running DNS) after installing routing and remote access for PPTP VPN connectivity. Microsoft’s ME292822 resolved the issue.
I had this problem on a Windows 2003 R2 Server x32 running in Microsoft Virtual Server 2005. The server was multihomed and running a teaming load balance between the two NICs. The server itself had no problems but the Virtual Server running on it did. I performed the following registry tweak to resolve the problem.
Change the following registry key value to False and reboot the computer: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList”.
I was seeing this event along with Event ID 8021 from the same source. I ran Netdiag and found that the Messenger service was disabled. Windows Domain Controllers need this service running. I started this service and both errors did not return.
ME188305 is a useful article with information on troubleshooting MASTER BROWSER issues in Windows servers.
If you are having a particular problem with a server that is part of the domain and it is constantly forcing elections to be the Master Browser, look at the subnet mask and make sure it is correct. I had this issue with one server.
The computer that shows this event is a backup browser. Backup browsers periodically retrieve the browse list from the master browser. The event notifies you that the computer could not retrieve the browse list from the master browser five times consecutively. See MSW2KDB for possible causes for this event.
As per Microsoft: "If the browser client is trying to locate a browser server on each endpoint, it waits until it either one receives valid information or times out on each endpoint before returning. This process can be slow if there is an endpoint that does not contain browser servers. When this is completed, the lists are merged into one master list that is presented to the user". See ME288801 for more details.
See ME191611 and ME888816 for additional information on this event.
This error occurred on one Domain Controller while we were trying to pull a domain together with a software VPN prior to going to a full time hardware VPN. The RAS server listed the VPN Server address above its own NIC address in the Name Server field in DNS. The quick solution was simply to raise the NIC address of the RAS server to the top of the DNS name server list in the network settings of the server that displayed the browser 8032 event error. As soon as this was done the server could enumerate all computers within the domain, rather than just the two servers on the client end of the RAS/VPN connection. Hope this makes sense.
This problem can occur if the File and Print Service component was not selected during the initial setup of the server or it has been uninstalled. When this occurs, the Server Service does not bind to the NetBIOS interface. A Windows-based computer that becomes a backup browser and does not have File and Print Sharing enabled is unable to share out the browse list to clients. Any computer that is to be included in the browse list must also have File and Print Sharing enabled.
See ME188001 for a description of the Microsoft Computer Browser service.
This problem appears on our Win2k servers, when we used VPN on the master browser computer which also provides DNS and is a Win2k3 PDC. VPN/RAS creates a new DNS entry when the first VPN client is logging on. After removing the DNS entry for VPN the event disappears.
I have 2 Win2K3 servers, one is the DC, the other an application server. Both have single network cards. The application server always got these messages and would not browse the network. I found that setting the "ISDomainMaster" to TRUE on the DC solves this problem. The "ISDomainMaster" key can be found under "HKLM\System\CurrentControlSet\Services\Browser\Parameters".
Don Christopher Kassay
After numerous attempts to resolve this problem by normal routine steps, I finally decided to reinstall DNS on this Domain Server. After the installation, I stopped the Browser Service and restarted it. After the next Browser cycle to retrieve the list of Servers, Workstations and printers, it retrieved them successfully and I have not had any problem since.
Local Security Policy\Local Policy\Security Options controls the RESTRICTANONYMOUS setting.
1 – “None. Rely on default permissions”.
2 – “Do not allow enumeration of SAM accounts and shares”.
3 – “No access without explicit anonymous permission”.
Setting #3 causes this error, but on several Win2K Pro/Server peer-to-peer networks where this error has appeared for many months there have been no ill consequences. We ignore it.
As per Microsoft, the backup browser will stop being a backup when it tries and fails to retrieve the list more than 5 times. It will start again after one hour. No action is needed unless you see this message on several different computers. This could indicate problems with the master browser.
This event may occur when File and Print Sharing is not installed or the master browser has multiple network interfaces.
Having NetBEUI installed can also cause this error. (so unless you need it, remove NetBEUI)
Check RESTRICTANONYMOUS registry setting. A value of 2 might cause this problem. See ME246261.
We have two NICs and one is not being used. I solved this error by removing the bindings for the NIC we weren't using.
Rick van Vliet
If you only have Windows 2000 Domain controllers you can change the domain to "native mode" using "Active Directory Domains and Trusts". Don't do this if you still have windows NT4 domain controllers or applications that require NT-like authentication (i.e. Exchange 5.5).
This event occured after running NWLINK and TCP/IP on the same nic on the PDC. ME135404 provides a workaround.
This event may occur on domain controller if it trying to use DNS that not providing dynamic update. In our case it appeared with warning 8021 and it was stopped after we delete DNS of our internet provider in TCP/IP configurations.
We had the same problem with a terminal server that gave this event. At the same time we had a problem with the internal DNS on our domain controller that had the role of master browser (W2K). After reconfiguring the internal DNS on the master browser server the event disappeared from the terminal server.
If the mcahine that is experiencing this problem is part of a Win2000 domain, then make sure that the Security Options (in Default Domain Policy, computer Configuration, Windows Settings, Local Policies, Security Options) "Additional Restrictions for Anonymous Connections is set to either "None" or "Do not allow enumeration...". This will make the same changes to the registry as per ME246261, but seeing as the computer is part of a domain that might have the setting of "No access", every time the Group Policy is applied, the registry modification made in ME246261 will be changed back to "2".
|Private comment: Subscribers only. See example of private comment|
|Links: EventID 8021 from source BROWSER|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (4) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated