Reserved

Microsoft.Windows.Server.2008.OperatingSystem.DuplicateNameonNetwork.Alert (Rule)

Knowledge Base article:

Summary

This rule generates an alert when Windows® detects that the host name of the local computer is being used by another computer or computers on the network.

Until the duplicate host name issue is resolved, remote clients and applications may have difficulty accessing resources on any of the effected computers.

Sample Event:

This rule generates an alert whenever the following events occur and are recorded in the System Event Log:

A duplicate name has been detected on the TCP network. The IP address of the computer that sent the message is in the data. Type nbtstat -n at the command line to see which name is in the conflict state.

Another computer has sent a name-release message to this computer probably because a duplicate name has been detected on the TCP network. The IP address of the computer that sent the message is in the data. Type nbtstat -n at the command line to see which name is in the Conflict state.

The name "%2" could not be registered on the interface with IP address %3. The computer with IP address %4 did not allow the name to be claimed by this computer.

Causes

This issue can occur when:

Resolutions

Determine which event generated the alert and use the appropriate set of resolution steps listed below:

Events 4319 or 4320:

• Click Start, right-click My Computer, and then click Properties.

• Click the Computer Name tab, and then click Change.

• Type a new computer name for your computer. Click OK, and click OK again.

Event 4321:

If your computer is connected to the network by cable, confirm that the cable is plugged in properly. If you have a wireless network connection, confirm that you have a signal and the proper credentials for the wireless network.

If the network connection is working properly, check the following possible causes and take corrective action:

External

Microsoft Knowledge Base Article 261125, “WINS Service Stops or Does Not Start and Event ID 4319 or 4165 Is Logged,” at http://go.microsoft.com/fwlink/?LinkId=28862.

Microsoft Knowledge Base Article 131740, “Possible Causes of the NetBT Event ID 4320,” at http://go.microsoft.com/fwlink/?LinkId=28863.

Microsoft Knowledge Base Article 830063, “Name resolution and connectivity issues occur on Windows 2000 domain controllers that have the Routing and Remote Access service and DNS installed,” at http://go.microsoft.com/fwlink/?LinkId=28999.

Microsoft Knowledge Base Article 269239, “MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the Network Conflicts,” at http://go.microsoft.com/fwlink/?LinkId=28865.

Element properties:

TargetMicrosoft.Windows.Server.2008.OperatingSystem
CategoryEventCollection
EnabledFalse
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
Duplicate name on network
{0}
Event LogSystem

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Windows.EventProvider Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Windows.Server.2008.OperatingSystem.DuplicateNameonNetwork.Alert" Enabled="false" Target="Server2008!Microsoft.Windows.Server.2008.OperatingSystem" ConfirmDelivery="true">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventSourceName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>netbt</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>4319</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>4320</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2008.OperatingSystem.DuplicateNameonNetwork.Alert.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>