[MS-WINSRA]:

Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol

Intellectual Property Rights Notice for Open Specifications Documentation

Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions.

Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

License Programs. To see all of the protocols in scope under a specific license program and the associated patents, visit the Patent Map.

Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit

Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Support. For questions and support, please contact .

Revision Summary

Date / Revision History / Revision Class / Comments
8/10/2007 / 1.0 / Major / Version 1.0 release
9/28/2007 / 1.0.1 / Editorial / Changed language and formatting in the technical content.
10/23/2007 / 2.0 / Major / Revised Windows Behavior sections.
1/25/2008 / 2.0.1 / Editorial / Changed language and formatting in the technical content.
3/14/2008 / 2.0.2 / Editorial / Changed language and formatting in the technical content.
6/20/2008 / 2.0.3 / Editorial / Changed language and formatting in the technical content.
7/25/2008 / 2.0.4 / Editorial / Changed language and formatting in the technical content.
8/29/2008 / 3.0 / Major / Updated and revised the technical content.
10/24/2008 / 3.0.1 / Editorial / Changed language and formatting in the technical content.
12/5/2008 / 4.0 / Major / Updated and revised the technical content.
1/16/2009 / 5.0 / Major / Updated and revised the technical content.
2/27/2009 / 5.1 / Minor / Clarified the meaning of the technical content.
4/10/2009 / 5.2 / Minor / Clarified the meaning of the technical content.
5/22/2009 / 6.0 / Major / Updated and revised the technical content.
7/2/2009 / 6.0.1 / Editorial / Changed language and formatting in the technical content.
8/14/2009 / 6.0.2 / Editorial / Changed language and formatting in the technical content.
9/25/2009 / 6.1 / Minor / Clarified the meaning of the technical content.
11/6/2009 / 6.1.1 / Editorial / Changed language and formatting in the technical content.
12/18/2009 / 7.0 / Major / Updated and revised the technical content.
1/29/2010 / 7.0.1 / Editorial / Changed language and formatting in the technical content.
3/12/2010 / 8.0 / Major / Updated and revised the technical content.
4/23/2010 / 8.0.1 / Editorial / Changed language and formatting in the technical content.
6/4/2010 / 8.0.2 / Editorial / Changed language and formatting in the technical content.
7/16/2010 / 8.0.2 / None / No changes to the meaning, language, or formatting of the technical content.
8/27/2010 / 9.0 / Major / Updated and revised the technical content.
10/8/2010 / 9.1 / Minor / Clarified the meaning of the technical content.
11/19/2010 / 9.1 / None / No changes to the meaning, language, or formatting of the technical content.
1/7/2011 / 9.1 / None / No changes to the meaning, language, or formatting of the technical content.
2/11/2011 / 9.1 / None / No changes to the meaning, language, or formatting of the technical content.
3/25/2011 / 9.1 / None / No changes to the meaning, language, or formatting of the technical content.
5/6/2011 / 9.1 / None / No changes to the meaning, language, or formatting of the technical content.
6/17/2011 / 9.2 / Minor / Clarified the meaning of the technical content.
9/23/2011 / 9.2 / None / No changes to the meaning, language, or formatting of the technical content.
12/16/2011 / 9.2 / None / No changes to the meaning, language, or formatting of the technical content.
3/30/2012 / 9.2 / None / No changes to the meaning, language, or formatting of the technical content.
7/12/2012 / 9.2 / None / No changes to the meaning, language, or formatting of the technical content.
10/25/2012 / 9.2 / None / No changes to the meaning, language, or formatting of the technical content.
1/31/2013 / 9.2 / None / No changes to the meaning, language, or formatting of the technical content.
8/8/2013 / 10.0 / Major / Updated and revised the technical content.
11/14/2013 / 10.0 / None / No changes to the meaning, language, or formatting of the technical content.
2/13/2014 / 10.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/15/2014 / 10.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/30/2015 / 11.0 / Major / Significantly changed the technical content.
7/14/2016 / 11.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/1/2017 / 11.0 / None / No changes to the meaning, language, or formatting of the technical content.
9/15/2017 / 12.0 / Major / Significantly changed the technical content.

Table of Contents

1Introduction

1.1Glossary

1.2References

1.2.1Normative References

1.2.2Informative References

1.3Overview

1.4Relationship to Other Protocols

1.5Prerequisites/Preconditions

1.6Applicability Statement

1.7Versioning and Capability Negotiation

1.8Vendor-Extensible Fields

1.9Standards Assignments

2Messages

2.1Transport

2.2Message Syntax

2.2.1Replication Partner AutoDiscovery Message

2.2.2Common Replication Message Header

2.2.3Association Start Request Message

2.2.4Association Start Response Message

2.2.5Association Stop Request Message

2.2.6Owner-Version Map Request Message

2.2.7Owner-Version Map Response Message

2.2.7.1Owner Record

2.2.8Update Notification Message

2.2.9Name Records Request Message

2.2.10Name Records Response Message

2.2.10.1Name Record

2.2.10.1.1Address Record for a Special Group or Multihomed Machine

2.2.10.1.1.1Owner and Member IPv4 Address

3Protocol Details

3.1Common Details

3.1.1Abstract Data Model

3.1.1.1Name Record

3.1.1.2Version

3.1.2Timers

3.1.3Initialization

3.1.4Higher-Layer Triggered Events

3.1.5Processing Events and Sequencing Rules

3.1.5.1Association Setup and Shutdown between Replication Partners

3.1.6Timer Events

3.1.7Other Local Events

3.2Pull Partner Details

3.2.1Abstract Data Model

3.2.2Timers

3.2.3Initialization

3.2.4Higher-Layer Triggered Events

3.2.5Processing Events and Sequencing Rules

3.2.5.1Standard Pull Replication

3.2.5.2Push Notification Triggered Pull Replication

3.2.5.3Data Verification Pull Replication

3.2.5.4Updating Time Stamps During Pull Replication

3.2.5.5Name Conflict Resolution During Pull Replication

3.2.6Timer Events

3.2.7Other Local Events

3.3Push Partner Details

3.3.1Abstract Data Model

3.3.2Timers

3.3.3Initialization

3.3.4Higher-Layer Triggered Events

3.3.5Processing Events and Sequencing Rules

3.3.5.1Sending Push Notifications

3.3.5.2Processing Pull Replication Requests

3.3.6Timer Events

3.3.7Other Local Events

3.4Replication Partner Autodiscovery Details

3.4.1Abstract Data Model

3.4.2Timers

3.4.3Initialization

3.4.4Higher-Layer Triggered Events

3.4.5Processing Events and Sequencing Rules

3.4.6Timer Events

3.4.7Other Local Events

4Protocol Examples

4.1Merging Owner-Version Maps from Different Partners

4.2Pull Replication without Persistent Association

4.3Propagation of Push Notification with Persistent Association

5Security

5.1Security Considerations for Implementers

5.2Index of Security Parameters

6Appendix A: Product Behavior

7Change Tracking

8Index

1Introduction

Windows Internet Name Service (WINS) is the Microsoft implementation of NetBIOS Name Server (NBNS), a name server for NetBIOS names.

NBNS supports resolution of NetBIOS names to IPv4 addresses. The NBNS database is distributed. Networks normally have more than one NBNS server to help improve availability and scalability of NetBIOS name service. The mappings registered by the clients on one server are replicated across all NBNS servers for consistent NetBIOS name resolution. This document specifies the replication protocol while the [RFC1001] and [RFC1002] specify the NetBT protocol.

Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.

1.1Glossary

This document uses the following terms:

active: The state of a name record, in which it has been registered but not released.

active record: A name record that has been registered but not released.

b-node: A NetBT node configured to use broadcast NetBIOS name queries for name registration and resolution.

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

dynamic record: A name record that is created through NetBT name registration by a client.

extinction interval: The interval at which released names are changed to the tombstone state.

extinction timeout: This is also known as Tombstone timeout. Extinct (or tombstone) records that are older than extinction timeout are removed from the database.

host name: The name of a host on a network that is used for identification and access purposes by humans and other computers on the network.

Internet Protocol security (IPsec): A framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.

little-endian: Multiple-byte values that are byte-ordered with the least significant byte stored in the memory location with the lowest address.

local record: Local record is a name record that is owned by the local NBNS server.

migration on: Migration on is a setting to ease the process of making a b-node an h-node, p-node, or m-node (NetBT client). If set, the static nature of unique names changes in that these records are now treated as pseudo-static.

m-node: A NetBT node type that uses a mix of b-node and p-node communications to register and resolve NetBIOS names. M-node first uses broadcast resolution; then, if necessary, it uses a server query.

multicast interval: The interval for sending NBNS replication partner AutoDiscovery message.

name record: The NetBIOS name-to-IPv4 address mapping.

name server: The server that resolves names for hosts by providing NetBIOS name-to-IPv4 address mappings.

NBNS AutoDiscovery: A mechanism with which an NBNS server dynamically detects other NBNS servers in an administrative domain.

NBNS pull partner: A NetBIOS name server that requests new NBNSname records (replicas) from its partner.

NBNS push partner: A push partner is an NBNS server that pushes or notifies other NBNS servers (those configured as a pull partner) of the need to replicate their name records.

NBNS replication partner: An NBNS server that is configured or discovered as a partner to exchange the NBNS database.

NetBIOS: A particular network transport that is part of the LAN Manager protocol suite. NetBIOS uses a broadcast communication style that was applicable to early segmented local area networks. A protocol family including name resolution, datagram, and connection services. For more information, see [RFC1001] and [RFC1002].

NetBIOS name: A 16-byte address that is used to identify a NetBIOS resource on the network. For more information, see [RFC1001] and [RFC1002].

NetBIOS name resolution: The process of resolving a NetBIOS name to an IPv4 address.

NetBIOS Name Server (NBNS): A server that stores NetBIOS name-to-IPv4 address mappings and that resolves NetBIOS names for NBT-enabled hosts. A server running the Windows Internet Name Service (WINS) is the Microsoft implementation of an NBNS.

NetBIOS node type: The transport mechanism used to resolve NetBIOS names (broadcast, multicast, or unicast).

NetBIOS over TCP/IP (NBT): A feature that allows NetBIOS to be used over the TCP/IP protocol, as defined in [RFC1001] and [RFC1002].

normal group: A group of hosts that does not have an associated address. It is assumed to be valid on any subnet.

owner NBNS server: An NBNS server that handles the name registration of a client and so owns the mapping for that client. An owner NBNS server is also referred to by the term owner WINS server.

p-node: When using p-node NetBIOS name resolution, broadcasts are not used for name registration or NetBIOS name resolution. Instead, all systems register themselves with a NetBIOS Name Server (NBNS) upon startup. The NBNS is responsible for mapping computer names to IPv4 addresses and making sure that no duplicate names are registered on the network.

released record: A name record that has been explicitly released through a name release request; or a name record that a client has failed to refresh by name within the renewal interval.

replica: NBNS database name records (name-to-IPv4 address mapping) replicated from other NBNS servers.

special group: A group of hosts that have a single name. When a name registration is received for a special group, the actual address rather than the limited broadcast address is stored in the group. When a name query is received for such a group, the IPv4 addresses that have not timed out are returned.

static mapping or record: A manually created entry in the database of a NBNS server.

static record: A manually created entry in the database of a NBNS server.

tombstone: A marker that is used to represent an item that has been deleted. A tombstone is used to track deleted items and prevent their reintroduction into the synchronization community.

tombstoned record: Tombstoned record or tombstoned name record is a released name record that is not re-registered or refreshed by the client within the extinction interval waiting to be deleted.

Windows Internet Name Service (WINS): A name service for the NetBIOS protocol, particularly designed to ease transition to a TCP/IP based network. An implementation of an NBNS server.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in[RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

1.2References

Links to a document in the Microsoft Open Specifications library point to the correct section in the most recently published version of the referenced document. However, because individual documents in the library are not updated at the same time, the section numbers in the documents may not match. You can confirm the correct section numbering by checking the Errata.

1.2.1Normative References

We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact . We will assist you in finding the relevant information.

[IANAPORT] IANA, "Service Name and Transport Protocol Port Number Registry",

[MS-DTYP] Microsoft Corporation, "Windows Data Types".

[RFC1001] Network Working Group, "Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods", RFC 1001, March 1987,

[RFC1002] Network Working Group, "Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications", STD 19, RFC 1002, March 1987,

[RFC1700] Reynolds, J. and Postel, J., "Assigned Numbers", STD 2, RFC 1700, October 1994,

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997,

1.2.2Informative References

[MS04-045] Microsoft Corporation, Security Bulletin MS04-045, "Vulnerability in WINS Could Allow Remote Code Execution (870763)", December 2004,

1.3Overview

The Windows Internet Naming Service is the Microsoft implementation of a NetBIOS Name Server. An NBNS server resolves NetBIOS names to the IPv4 addresses that have been registered for that name via the mechanisms specified in [RFC1002].

To facilitate service scalability and availability, the database that NBNS uses needs to be synchronized between NBNS servers.

In the example below, the flow is as follows:

Figure 1: NBNS protocol and message flow

NetBIOS applications can register one or more names. In order to request a name, the client node sends a Name Registration Request to the NBNS server. The NBNS server accepts or rejects the name registration by issuing a Positive or Negative Name Registration Response to the requesting node. In the example shown above, Client1 and Client2 dynamically register their host names by sending a "Name Registration Request" to NBNS Server1 and NBNS server2 respectively using the NetBT protocol [RFC1002].

NBNS server1 and NBNS server2 synchronize their databases as described in this document.

As per [RFC1002], Client1 queries the NBNS Server1 for the IPv4 address of Client2.

As per [RFC1002], NBNS Server1 responds with the IPv4 address of Client2.

To facilitate the distribution of the mappings registered with each NBNS server, servers replicate their local mappings to other NBNS servers within the same administrative domain by using the NBNS Replication. To simplify the configuration of this replication process, the NBNS server can implement the replication AutoDiscovery Protocol, which enables dynamic discovery of servers.

A name record maps a name to an IPv4 address(es). However, additional information about each mapping is maintained to aid in record expiration and conflict resolution. For example, each record consists of the following information (see section 2.2.10.1 for more information):