\[Editor's Note: Do you have something to share with other Windows NT Magazine readers? We want to know about it. Write for Reader to Reader online, and you can tell others about your NT discoveries, comments, problems, solutions, and experiences. Email your contributions (700 words or less) to [email protected] along with your name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.\]
Have you ever had a situation where you wanted to let your users browse the LAN or subnet, but not the entire network or WAN? By default, Windows NT lets workstations browse any other workstation in a domain. The OS divides the browsing service by IP subnets, so that every subnet has a browse master. The browse master is responsible for providing every other workstation in that subnet with a list of available resources for the entire domain.
Each browse master is aware only of its subnet, but in an effort to learn about other resources in the domain, the browse master offers its list of resources to the domain controller that authenticated the browse master into the domain. In turn, that NT domain controller forwards the information to the domain master browser. The domain master browser is typically the PDC, but can also be a BDC. However, unlike a master browser, the domain master browser can't be a member server or workstation.
The process I just described explains why in a typical NT environment a workstation has the ability to see every other workstation in the Network Neighborhood. After some testing, researching, and a few calls to Microsoft, I discovered a way to hide the entire domain from an NT workstation, while still enabling the workstation to browse its local subnet. I achieved these results by halting the master browser synchronization that occurs on the domain master browser. By changing the following Registry setting from Yes to No on each domain controller, the PDC and BDCs are no longer eligible as domain master browser, so the role goes unclaimed:
After you change the above Registry setting, NT will display an event error on startup. You can prevent the error by disabling the Computer Browser service. Open the Services applet within the Control Panel, select the Computer Browser service, click the Startup button, and set the service startup to Disabled. Even though you've disabled the Computer Browser service, the domain controller will still show up in the browse list for its local subnet, and all other services will work properly.