This rule generates an alert when Windows® detects that the host name of the local computer is being used by another computer or computers on the network.
Until the duplicate host name issue is resolved, remote clients and applications may have difficulty accessing resources on any of the affected computers.
Sample Event:
This rule generates an alert whenever the following events occur and are recorded in the System Event Log:
Source: TCPIP; Event ID: 4319
A duplicate name has been detected on the TCP network. The IP address of the computer that sent the message is in the data. Type nbtstat -n at the command line to see which name is in the conflict state.
Source: TCPIP; Event ID: 4320
Another computer has sent a name-release message to this computer probably because a duplicate name has been detected on the TCP network. The IP address of the computer that sent the message is in the data. Type nbtstat -n at the command line to see which name is in the Conflict state.
Source: TCP; Event ID: 4321
The name "%2" could not be registered on the interface with IP address %3. The computer with IP address %4 did not allow the name to be claimed by this computer.
This issue can occur when:
The host name of the local computer is the same as that of another computer or computers on the network.
The local host computer is unable to register its name with a name resolution service.
Determine which event generated the alert and use the appropriate set of resolution steps listed below:
Events 4319 or 4320:
To determine which name is in conflict, type nbtstat -n at the command line, and then press ENTER.
Change the host name on each of the relevant computers. To change your computer's name:
• Click Start, right-click My Computer, and then click Properties.
• Click the Computer Name tab, and then click Change.
• Type a new computer name for your computer. Click OK, and click OK again.
Event 4321:
If your computer is connected to the network by cable, confirm that the cable is plugged in properly. If you have a wireless network connection, confirm that you have a signal and the proper credentials for the wireless network.
If the network connection is working properly, check the following possible causes and take corrective action:
The network is down.
The firewall on your computer is blocking network broadcast traffic.
Your computer's network adapter or driver is not functioning correctly.
Microsoft Knowledge Base Article 261125, “WINS Service Stops or Does Not Start and Event ID 4319 or 4165 Is Logged,” at http://go.microsoft.com/fwlink/?LinkId=28862.
Microsoft Knowledge Base Article 131740, “Possible Causes of the NetBT Event ID 4320,” at http://go.microsoft.com/fwlink/?LinkId=28863.
Microsoft Knowledge Base Article 830063, “Name resolution and connectivity issues occur on Windows 2000 domain controllers that have the Routing and Remote Access service and DNS installed,” at http://go.microsoft.com/fwlink/?LinkId=28999.
Microsoft Knowledge Base Article 269239, “MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the Network Conflicts,” at http://go.microsoft.com/fwlink/?LinkId=28865.
Target | Microsoft.Windows.Server.6.2.OperatingSystem |
Category | EventCollection |
Enabled | False |
Alert Generate | True |
Alert Severity | Warning |
Alert Priority | Normal |
Remotable | True |
Alert Message | |
Event Log | System |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Windows.Server.6.2.OperatingSystem.DuplicateNameonNetwork.Alert" Enabled="false" Target="WindowsServer!Microsoft.Windows.Server.6.2.OperatingSystem" ConfirmDelivery="true">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventSourceName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>netbt</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <Or>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>4319</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>4320</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </Or>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.6.2.OperatingSystem.DuplicateNameonNetwork.Alert.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
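
The following is an added example, not part of the management pack: a small Python evaluator for the And/Or/SimpleExpression criteria in the rule above, run over constructed events, to check which of the documented events the criteria as written would alert on. The event dictionaries, the helper names and the case-insensitive string comparison are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

def _simple(field, value):
    # One <SimpleExpression> leaf with the Equal operator, shaped like the rule's.
    return ("<Expression><SimpleExpression>"
            f"<ValueExpression><XPathQuery>{field}</XPathQuery></ValueExpression>"
            "<Operator>Equal</Operator>"
            f"<ValueExpression><Value>{value}</Value></ValueExpression>"
            "</SimpleExpression></Expression>")

# Same criteria tree as the rule's EventDS data source, in condensed form.
CRITERIA = ET.fromstring(
    "<Expression><And>"
    + _simple("EventSourceName", "netbt")
    + "<Expression><Or>"
    + _simple("EventDisplayNumber", "4319")
    + _simple("EventDisplayNumber", "4320")
    + "</Or></Expression></And></Expression>")

def evaluate(expr, event):
    """Evaluate one <Expression> element against an event dict."""
    node = expr[0]  # And, Or or SimpleExpression
    if node.tag == "And":
        return all(evaluate(e, event) for e in node)
    if node.tag == "Or":
        return any(evaluate(e, event) for e in node)
    if node.tag != "SimpleExpression" or node.findtext("Operator") != "Equal":
        raise ValueError(f"unsupported criteria node: {node.tag}")
    field = node.findtext("ValueExpression/XPathQuery")
    wanted = node.findtext("ValueExpression/Value")
    # Assumption: string comparison ignores case ("NetBT" matches "netbt").
    return str(event.get(field, "")).lower() == wanted.lower()

# Constructed sample events (not taken from a real System log).
SAMPLE_EVENTS = [
    {"EventSourceName": "NetBT", "EventDisplayNumber": 4319},
    {"EventSourceName": "NetBT", "EventDisplayNumber": 4320},
    {"EventSourceName": "NetBT", "EventDisplayNumber": 4321},
    {"EventSourceName": "Tcpip", "EventDisplayNumber": 4319},
]

def alerting(events):
    """Return (source, id) for every event the criteria would alert on."""
    return [(e["EventSourceName"], e["EventDisplayNumber"])
            for e in events if evaluate(CRITERIA, e)]

if __name__ == "__main__":
    for hit in alerting(SAMPLE_EVENTS):
        print("alert:", hit)
```

Under these assumptions only the netbt 4319 and 4320 events alert; event 4321 and any event logged under a different source name fall outside the criteria, so they need separate coverage if they matter for monitoring.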