Microsoft Corporation
July 1996
The browser is a network resource enumeration tool first created for Microsoft® Windows® for Workgroups, and then adopted and enhanced for domain browsing on Microsoft Windows NT® networks. The Microsoft networking browser maintains a list, called the browse list, of all the available servers, workgroups, and domains (for Windows NT and LAN Manager networks). For example, when a user attempts to connect to any network resource using Network Neighborhood, the list of servers that appears is the browse list, and it is provided by a browser in the local computer's workgroup or domain.
The Microsoft networking browser system consists of a master browser, backup browsers, and client computers. The master browser maintains the browse list and periodically sends copies to the backup browsers. When a browser client needs information, it obtains the current browse list by sending a NetServerEnum2 application programming interface (API) function call to either the master browser or a backup browser.
The NetServerEnum2 API call returns information about SV_TYPE_SERVER entries in a domain or workgroup. It allows client computers to view the set of servers in the workgroup or domain. The API function provides a ServerType mask that allows users to query for various types of servers such as workstations, servers, time servers, domain controllers, and so on. (A NetServerEnum API call is also supported for compatibility with Microsoft LAN Manager networks.)
Because a computer announces itself on the network based on the type of server services that it is running, a Windows 95 computer appears in a browse list only if it is running File and Printer Sharing services and if the service is configured to announce itself on the network.
The centralized browser architecture for Windows networking reduces the number of broadcast datagrams on the network. A datagram is a network packet that is sent to a mail slot on a specified computer (a directed datagram) or to a mail slot on any number of computers (a broadcast datagram). The centralized browser architecture also reduces the demands on the client computer's CPU and memory.
Note For Microsoft networking using the Microsoft TCP/IP protocol, broadcast name resolution is a direct implementation of Request for Comments (RFCs) 1001 and 1002 (NetBIOS Service Protocols). This implementation of NetBIOS over TCP/IP is wholly compliant with the RFCs it and does not involve any method of what has been referred to as "NetBEUI encapsulation."
For more information about NetBIOS over TCP/IP, see the discussion of name resolution for Windows-based networking in the Windows NT Networking Guide (volume 2 in the Microsoft Windows NT 3.5 Resource Kit).
The Microsoft networking browser system consists of two components:
All browser datagrams destined for computers running LAN Manager, Windows for Workgroups, Windows 95, Windows NT Workstation, or Windows NT Server are sent to the mail slot name \MAILSLOT\LANMAN. Browser datagrams destined only for computers running Windows NT Workstation or Windows NT Server are sent to the mail slot name \MAILSLOT\MSBROWSE.
In a LAN environment using any protocol or combination of protocols, all Microsoft networking browsing activities are maintained using broadcasts and special NetBIOS names that identify the type of resource. All browsing services are provided on a per-protocol basis to prevent, for example, a NetBEUI-only client from enumerating a TCP/IP-only server in the process of querying the browser.
The NetBIOS name space is not hierarchical, so all names must be unique on the network. Resources are identified by the NetBIOS names, which are registered dynamically when the computer starts, a service starts, or a user logs on.
The special NetBIOS names used in Microsoft networking are indicated by adding a hexadecimal value as a sixteenth byte at the end of the 15-character computer name or domain name. If the computer or domain name is less than 15 characters, spaces are used to pad the name to the sixteenth byte.
The browsing discussion in this paper uses the special NetBIOS names to explain how names are registered and resolved for browsing on Microsoft networks. The following table shows some of these special names.
Table 1. Samples of NetBIOS Special Names
| Special name | Description |
| Registered unique computer names: | |
| computer\0x00 | Used by Microsoft networking workstations to receive second class mail slot requests. All workstations must add this name in order to receive mail slot requests. This is the computer name registered for workstation services by a WINS client. |
| computer\0x03 | Used as the computer name that is registered for the messenger service on a computer that is a WINS client. |
| computer\0x20 | Used as the name that is registered for the peer server service on a Windows 95 computer (or the server service on a Windows NT computer) that is a WINS client. |
| computer\0xBe | Used as the unique name that is registered when the Network Monitor agent is started on the computer. |
| computer\0x1f | Used as the unique name that is registered for network dynamic data exchange (DDE) when the NetDDE service is started on the computer. |
| Registered group names: | |
| .._MSBROWSE_. | Used by master browser servers to periodically announce their domain on a local subnet. This announcement contains the domain name and the name of the master browser server for the domain. In addition, master browser servers receive these domain announcements to this name and maintain them in their internal browse list along with the announcer's computer name. |
| domain\0x00 | Used by workstations and servers to process server announcements to support Microsoft LAN Manager. Servers running Windows 95, Windows NT, Windows NT Server, and Windows for Workgroups do not broadcast this name unless the LMAnnounce option is enabled in the server's properties. |
| domain\0x1b | Used to identify the domain master browser name, which is a unique name that only the primary domain controller (PDC) can add. The PDC processes GetBrowserServerList requests on this name. WINS assumes that the computer that registers a domain name with the \0x1b character is the PDC. |
| domain\0x1c | Used for the Internet group name, which the domain controllers register. The Internet group name is a dynamic list of up to 25 computers that have registered the name. This is the name used to find a Windows NT computer for pass-through authentication. |
| domain\0x1d | Used to identify a master browser (not a domain master browser). The master browser adds this name as a unique NetBIOS name when it starts. Workstations announce their presence to this name so that master browsers can build their browse list. For peer servers, this name has the form workgroup\0x1d. |
| domain\0x1e | Used for all workgroup or domain-wide announcements by browser servers in a Windows network workgroup or Windows NT Server domain. (Notice, however, that workstations use the domain\0x1d form, not \0x1e.) This name is added by all browser servers and potential servers in the workgroup or domain. All browser election packets are sent to this name. |
| computer\0xBf | Used as the group name that is registered when the Network Monitor agent is started on the computer. If this name is not 15 characters in length, it is padded with plus (+) symbols. |
| username\0x03 | Used to register the name of the currently logged-on user in the WINS database so that users can receive net send commands sent to their user names. |
The following example shows a sample NetBIOS name table for a computer running Windows 95 plus File and Printer Sharing for Microsoft Networks, based on the list that appears if you type nbtstat -n at the command prompt. This example shows the sixteenth byte for special names, plus the type of NetBIOS name (unique or group).
Node IpAddress: [157.56.60.111] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
ANNIEP_PC <00> UNIQUE Registered
WIN95GRP <00> GROUP Registered
ANNIEP_PC <03> UNIQUE Registered
ANNIEP_PC <20> UNIQUE Registered
WIN95GRP <1E> GROUP Registered
ANNIEP <03> UNIQUE Registered
In this example, several special names are identified for the Windows 95 computer (ANNIEP_PC in the example above), the workgroup (WIN95GRP), and the current user (ANNIEP), including the following:
Tip for NetBIOS Scope ID Microsoft networking allows administrators to specify NetBIOS scope IDs to define special groups within the network that can communicate only with each other. The NetBIOS scope ID can be used for interoperation with other NetBIOS implementations that use the NetBIOS scope ID. Before any packets that contain a NetBIOS name are transmitted, the NetBIOS scope ID is appended to the name. This includes packets such as name queries, name registrations, and session requests. On the receiving end, the NetBIOS scope in a packet must match the locally configured NetBIOS scope; otherwise, the packet is ignored. Therefore, only computers that have the same scope can communicate with each other. However, for most cases on most networks, the NetBIOS scope ID is null.
In a Windows NT domain, every Windows NT Server computer is a browser. The primary domain controller (if there is one) is the master browser and the other computers running Windows NT Server, Windows NT Workstation, or Windows 95 are backup browsers. If there is more than one Windows NT Server computer in the domain, no computer running Windows NT Workstation or Windows 95 will ever be a master browser in the domain.
In a workgroup containing computers running Windows 95 and Windows NT Workstation, there is always one master browser. If there are at least two Windows 95 or Windows NT Workstation computers in the workgroup, there is also one backup browser. For every 32 computers running Windows 95 and Windows NT Workstation in the workgroup, there is another backup browser.
Each computer running Windows 95, Windows for Workgroups, Windows NT Workstation, or Windows NT Server has configuration settings that determine whether that computer can become a browser. For servers running Windows 95, this is determined by the Browse Master value for File and Printer Sharing for Microsoft Networks. For servers running Windows NT, the value for MaintainServerList for the browser service determines its possible role as a browser. By default, servers are configured to have the potential to become browsers.
Unless the server is specifically configured never to be a browser, the Microsoft networking browser service starts automatically when the computer starts, and the server announces itself on the networking using the special NetBIOS name workgroup\0x1e.
Windows 95 Server domain controllers can also be configured to be the domain master browser, which is always the preferred master browser on the domain when there are master browser elections.
A master browser election always occurs in the following circumstances:
When any server needs to force a master browser election, it notifies the other browsers on the system by broadcasting an election datagram that contains the sending browser's election version and election criteria. The election datagram and subsequent traffic takes place over the NetBIOS name of workgroup\0x1e.
The election version is a constant value that identifies the version of the browser election protocol. If the election versions are identical for both computers, the election criteria are compared. The election criteria consists of a 4-byte hexadecimal value. Specific groups of bytes are masked and their values set according to the following list.
| Election criterion | Value |
| Operating system type | 0xFF000000 |
| Windows NT Server | 0x20000000 |
| Windows NT Workstation | 0x10000000 |
| Windows 95 | 0x01000000 |
| Windows for Workgroups | 0x01000000 |
| Election version | 0x00FFFF00 |
| Per version criterion | 0x000000FF |
| Primary domain controller | 0x00000080 |
| WINS client | 0x00000020 |
| Preferred master browser | 0x00000008 |
| Running master browser | 0x00000004 |
| MaintainServerList or BrowseMaster=yes | 0x00000002 |
| Running backup browser | 0x00000001 |
When a browser receives an election datagram, the receiving browser compares the election version in the datagram with its own. If the receiving browser has a higher election version than any other browser, it wins the election regardless of any other election criteria. For example, a computer running any version of Windows NT will always win the election over a computer running Windows 95.
If the election versions are identical, the receiving browser compares the election criteria as follows:
When a browser receives an election datagram indicating that it wins the election, the browser enters the running election state. In the running election state, the browser sends an election request after a delay based on the browser's current browser role:
The browser broadcasts up to four election datagrams. If, after four election datagrams, no other browser has responded with an election criteria that would win the election, the browser becomes the master browser. If the browser receives an election datagram indicating that another system would win the election, the browser demotes itself to backup browser. To avoid unnecessary network traffic, a browser that has lost an election does not broadcast any unsent election datagrams.
Role of master browsers
The master browser maintains the browse list, which is the list of all servers in the master browser's domain or workgroup, plus the list of all domains on the network. For a domain that spans more than one subnetwork, the master browser maintains the browse list for the portion of the domain on its subnetwork. The rest of the domain is known based on domain announcements made by the master domain browser, as described later in this article.
Individual servers running Windows NT Server, Windows NT Workstation, Windows 95, Windows for Workgroups, or LAN Manager announce their presence by sending a directed datagram called a server announcement to the domain or workgroup's master browser. This announcement includes the server's NetBIOS name of \0x01\0x02_MSBROWSE_\0x02\0x01, domain\0x1d, or domain\0x1e as appropriate for the type of server. When the master browser receives a server announcement from a computer, it adds that computer to the browse list.
The master browser also returns lists of backup browsers to computers running Windows NT Server, Windows NT Workstation, Windows 95, and Windows for Workgroups. When a computer starts that is configured to automatically become a browser if required, the current master browser must tell that computer whether to become a backup browser.
If its browse list is empty when a computer first becomes a master browser, it can force all servers to register with it by broadcasting a RequestAnnouncement datagram. All computers receiving this datagram must respond by sending a server announcement at a random time within the next 30 seconds. The randomized delay ensures that the network and the master browser itself are not overwhelmed with responses.
When a master browser receives a server announcement from another computer that claims to be the master browser, the receiving master browser demotes itself and forces an election as described in the previous section. This ensures that there is always only one master browser in each domain or workgroup.
The list of servers that the master browser maintains is limited to 64K of data. So the number of computers that can be in the browse list for a single workgroup or domain is limited to 2,000 – 3,000 computers.
Role of backup browsers
Backup browsers call the master browser every 15 minutes to get the latest copy of the browse list, as well as a list of domains. Each backup browser caches these lists and returns the list of servers to any clients that send a remote NetServerEnum API call to the backup browser. If the backup browser cannot find the master browser, it forces an election.
By default, File and Printer Sharing for Microsoft Networks is configured to become a master browser if required.
Figure 1. To configure master browser capabilities using the Network option in the Windows 95 Control Panel, select the related option in the File and Printer properties.
Role of domain master browsers
The browser service running on a domain's primary domain controller (PDC) has the special additional role of being the domain master browser. The PDC of a domain has a bias in browser elections to ensure that it becomes the master browser.
On Microsoft networks using the IPX/SPX-compatible network protocol (NWLink), there is always only one master browser for each domain, because name queries are sent across routers automatically.
On networks using TCP/IP, where a domain spans more than one subnetwork, each subnetwork functions as an independent browsing entity, with its own master browser and backup browsers. Name-query datagrams do not cross routers. To browse across the wide-area network (WAN) to other subnetworks, at least one browser running Windows NT Server is required on the domain for each subnetwork. On the subnetwork where the PDC is placed, this Windows NT Server computer is usually the PDC, which functions as the domain master browser.
When a domain spans multiple subnetworks, the master browser for each subnetwork announces itself as the master browser to the domain master browser by sending a directed MasterBrowserAnnouncement datagram using the computer's NetBIOS domain\0x1d. The domain master browser then sends a remote NetServerEnum API call to each master browser to collect each subnetwork's list of servers. The domain master browser merges the server list from each subnetwork master browser with its own server list to form the browse list for the domain. This process is repeated every 15 minutes to ensure that the domain master browser has a complete browse list of all the servers in the domain.
The master browser on each subnetwork also sends a remote NetServerEnum API call to the domain master browser to obtain the complete browse list for the domain. This complete browse list is thus available to browser clients on the subnetwork.
Note Microsoft networking workgroups cannot span multiple subnetworks. Any workgroup that spans subnetworks actually functions as two separate workgroups with identical names.
A failed server stops announcing itself. When the master browser does not receive a server announcement for three of the server's current announcement periods, the master browser removes that server from the browse list. It might take up to an additional 15 minutes for the backup browsers to retrieve the updated browse list from the master browser, so it could take as long as 51 minutes from the time a server fails to when it is removed from all browse lists.
Because a backup browser announces itself in the same way as a server, the procedure when a backup browser fails is the same as that for a server. If the name of this backup browser has been given to any clients, attempts made by those clients to contact this backup browser fail. The client then retries the NetServerEnum API call on another backup browser on the client's list of browsers. If all the backup browsers that a client knows have failed, the client attempts to get a new list of backup browsers from the master browser. If the client is unable to contact the master browser, it forces a browser election. The client then returns an error to the application, indicating that the master browser could not be found.
When a master browser fails, the backup browsers detect the failure within 15 minutes. The first backup browser to detect the failure forces an election to select a new master browser. Between the time the master browser fails and a new master browser is elected, the domain could disappear from the list of domains in the browse list. If a client performs its first NetServerEnum API call after the old master browser has failed but before a backup browser detects the failure, the client forces an election. If a master browser fails and there are no backup browsers, browsing in the workgroup or domain will not work correctly.
When a domain master browser fails, other master browsers see only servers on their shared local subnetwork. Eventually, all servers that are not on the local subnetwork are removed from the browse list.
When a server is started (including any computer running File and Printer Sharing for Microsoft Networks), it announces itself by sending a server announcement to the master browser every minute. This announcement uses the special NetBIOS name of workgroup\0x1d. As the computer continues running, the time between server announcements is increased until it eventually becomes once every 12 minutes.
If the master browser has not received a server announcement from a computer for three announcement periods, the computer is removed from the browse list. Therefore, there might be up to a 36-minute delay between the time a server goes down and the time it is removed from the browse list.
Client computers sometimes need to retrieve lists of domains, as well as lists of servers in those domains. To support this, when a browser becomes a master browser, it broadcasts a DomainAnnouncement datagram every minute for the first five minutes, and then broadcasts once every 15 minutes after that. Master browsers in domains and workgroups announce their presence to the special NetBIOS name of \0x01\0x02_MSBROWSE_\0x02\0x01 and register their names with this group. Master browsers on other domains receive these DomainAnnouncement datagrams and add the specified domain to the browse list.
DomainAnnouncement datagrams contain the name of the domain, the name of the domain master browser, and whether the master browser is running Windows NT Server, Windows NT Workstation, or Windows 95. If the master browser is running Windows NT Server, the datagram also specifies whether that browser is the domain's PDC.
If a domain has not announced itself for three consecutive announcement periods, the domain is removed from the browse list. Therefore, a domain might be down for as long as 45 minutes before it is removed from the browse list.
When a master browser is shut down correctly, it sends a ForceElection broadcast so that a new master browser can be elected. When a backup browser is shut down correctly, it sends an announcement to the master browser that it is shutting down. To do this, it sends a server announcement that does not include the browser service in the list of running services.
When an application running on a client computer makes a NetServerEnum API call, the client sends the call to a browser. If this is the first time this call has been made by an application on this client, the client must first determine which computers are the browsers in its workgroup or domain by sending a QueryBrowserServers directed datagram. This datagram is in the form of a GetBackupListRequest mail slot request sent to the special NetBIOS domain\0x1d name that the master browser has registered.
This request is processed by the master browser for the client's domain and subnetwork. The master browser then returns a list of browsers active in the workgroup or domain being queried. The client selects the names of three browsers from the list, and then it stores these names for future use.
The client computer randomly chooses a browser from one of the three browser names. Then the client sends the NetServerEnum API call, requesting a list of servers or domains. The browser server returns the list to the client, which then can be displayed in Network Neighborhood.
If the user selects a domain name in the browse list, a new set of browser servers must be found for the new domain. In this case, a GetBackupListRequest frame is sent to the new domain name.
After a user selects a server from the browse, the browser is no longer involved in the process of contacting the server for a list of available resources. The transport protocols on the client computer use whatever name resolution methods are available to find and connect to the server.
When the client workstation attempts to connect to a server, a NetBIOS session is established between the two computer names. For example, when a Windows 95 client workstation on an IP network connects to a computer running File and Printer Sharing for Microsoft Networks, the following occurs:
Only one NetBIOS session is established between two names at a time. Additional connections for file or printer sharing are multiplexed over the same NetBIOS session.