Networking

Find an email address that already exists in Active Directory

by on Apr.14, 2008, under Networking, Windows Server

So you went to add a new address to a user account in Active Directory, and you got an error that this address already exists? Sucks huh? Especially when you don’t know where it could be? Here’s one way to track it down.

On your domain root in AD Users and Computers, right click, select Find. Select Custom Search, click the Advanced tab, and enter an LDAP query like so:

proxyaddresses=smtp:emailaddress@youwanttofind.com

(I am assuming you are not a complete NEWB and you know you should replace that email with the one you want.)

Then click the Find Now button. In the results below, you should see any object that may have this address on it.


New account does not appear in Global Address List but does in All Users

by on Mar.27, 2008, under Internet, Networking, Windows Server

I’ve run into this a few times, thought I’d record the solution for once so I remember it.

After adding a new user account, the user does not show up in Outlook’s Global Address List, but does show in All Users. (If you click “To” in a new message, for example, and in the Select Names window under the “Show names from the:” drop down, you select All Users.) Even if I go into Active Directory Sites and Services and manually force replication (under the NTDS Settings for each server), it does not work. Normally, I would even go into Recipient Update Services and manually update, but this does not work either.

I found out that if you have Outlook in Cached Exchange Mode, the Global Address List does not update for up to 24 hours. I don’t know the details on that, but I can force it to update. This is on a per-machine basis, so doing this across the whole network won’t work. (Although, there may be a way to do this, I just don’t know how.)

Go into Outlook, go to Tools, Send/Receive, then click Download Address Book. Make sure you have Global Address List under the Choose Address Book drop down, and click OK. Problem solved.

By the way, I am using Exchange 2003 and Outlook 2003.


Folder redirection user permissions block access to Administrators

by on Mar.19, 2008, under Networking, Security, Windows Server

When using Folder Redirection on a Windows 2003 server, the default policy is to grant ownership and permissions only to the user. No admin account has access to the folder. For example, you create a Group Policy to redirect users’ My Documents folders to a home directory on the server. Once a user logs on and this policy is applied, the folder is created with the user as sole owner and with file permissions granted to that user only.

This has presented a big problem for me, having come from Windows 2000, where this was not the case. As you might guess, when only the user has permissions specified, no administrator can get access to this folder for backup purposes. Our backups always failed.

Well then, on Windows 2003 Server, two default policies are in place making the user’s folders more secure. Nice, but I don’t care. I want backup rights by default. Go into the Group Policy where you would like to define the new policy. I made a new Organizational Unit and put all my computers in there, so I could define the policy at a lower level, instead of at the domain level. Once you are editing your policy, drill down to here:
Computer Configuration > Administrative Templates > System > User Profiles

In here look for these two policies and enable them:
“Do not check for user ownership of Roaming Profile Folders”
“Add the Administrators security group to roaming user profiles”

Now this will allow Windows 2003 to behave more like Windows 2000 on the redirected folders. Unfortunately, there is one issue. It does not change permissions on previously created folders, only on newly created folders. That’s a pain, but not that big a deal, because I can probably script some folder moves and recreate them.

Also, even though this says “Roaming” in the policy items, they apply to local and roaming accounts. So even if your users have normal, non-roaming profiles, you still need to set these policies. In my case, we did not have any roaming profiles and only used folder redirection OR simply had home folders mapped from the server. Doing either of those had the same permissions problem and the policies mentioned solved the issue. (Except for previously created folders: it only changes newly created folders after the policy change.)


Resetting NTFS permissions are not taking effect on child objects

by on Mar.19, 2008, under Networking, Security, Windows Server

Recently I went to reset a user’s home directory permissions on the server to allow them full control over each file/folder in their home directory. I set up all the normal accounts and of course the actual user account, with Full Control. I then went into Advanced and selected “Replace permission entries on all child objects” and hit apply.

This seemed to work fine, except the user complained that they could not access the documents in certain subfolders. When I checked those subfolders, the permissions were correct, except that her account had no permissions specified. Essentially this means, no perms, no access. So I tried again, same result.

The solution was simple, though I can’t figure out why this was configured this way. At the root folder where you wish to start inheritance, go into Advanced under Security on that folder. Go into Advanced again, and under Permissions, highlight the user in question, and click Edit. Under the detailed Permission Entry window, at the very bottom is a checkbox for:

“Apply these permissions to objects and/or containers within this container only.”

Uncheck that! And apply the permissions once more. All child objects should now have all the correct permissions! Yay!

I don’t understand why this is set this way. Is there a Group Policy in place I don’t know about? Did a previous IT guy change that? At least I have a solution. :)


IE7 fails to automatically authenticate with enable integrated windows authentication checked

by on Mar.15, 2008, under Internet, Networking, Web Design

In Internet Explorer 7, go to Tools, Internet Options, Advanced tab. The checkbox for “enable integrated windows authentication” is very confusing. You would think this means “just log me in with my windows credentials”, but no, there’s more to it than that. And what I found was, it simply enables “Negotiate”. It sets this registry key to 1:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate

After some research, this actually means that IE will negotiate between NTLM or Kerberos authentication. In some situations, Kerberos will fail. I don’t understand well enough to explain this one. But that’s ok, because the point of all this is… I want IE to authenticate automatically on my Intranet! Anyway, if you uncheck this setting in IE, it will set Negotiate to disabled. (0) If Negotiate is disabled, IE will use NTLM by default. BAM! I can login automatically.

Wouldn’t it be much more helpful if Microsoft had labeled that for what it was? Like: Negotiate Kerberos or NTLM Authentication.

Word of caution… some Intranet apps might depend on Kerberos, so this might cause more problems down the road if you disable this on all your client systems.

Another note… IE6, as I understand it, does not behave this way. It has a similar setting to enable windows authentication and I believe it uses NTLM by default. I HAVE NOT TESTED THIS, and I don’t know for sure if this is true, but according to my Googling, this is the case.

I found this site with info regarding EnableNegotiate:

http://ie7triage.spaces.live.com/blog/cns!3B6634EF5458F389!422.entry

 

Here’s another blog you might find useful:

http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/

Is a hardware firewall really a software firewall anyway?

by on Mar.05, 2008, under Internet, Linux, Networking, Security

I love how people always say that a software firewall like IPCop is a “lesser” product than a hardware system. I ran into one site speaking of Netsentron as a hardware solution. I’d also include Endian Firewall and Untangle when we talk about a “linux based hardware firewall”. Well here’s my thought. These systems offer a hardware solution, but aren’t these products really the same thing as the downloaded software version they provide? And if so, these products are really only a “hardware/software bundle”, right? (I think they actually advertise them this way anyway, but my gripe is with all those techs out there under the notion that these are real hardware based products.)

I can’t comment on any Cisco or Sonicwall hardware firewalls, because I have not used any of them. But are these also just software running on hardware? And the main thing I’ve heard from security people about the lesser quality software products is that they are not good at defending against DOS attacks. Is this really true? Even if so, in the last 10 years I’ve run some sort of Linux based firewall, whether home-brewed or special firewall distribution, I’ve not once had a break in. I’ve not once had a DOS attack. (THIS IS NOT AN INVITATION!)

Now, I have had a DOS attack directly on an Exchange or IIS server that was port forwarded directly to the Internet. Not pretty! Which is a big reason why I don’t run these systems directly anymore. But this is off topic. (maybe another blog coming!)

I’ll do some of my own research, but maybe if someone out there can shed some light on the deficiencies of a Linux firewall, in particular IPCop or Smoothwall. For my use, IPCop with a few addons, make for a fantastic filtering firewall, provided we pick good hardware to run it, and configure it properly. Is Sonicwall truly better at providing security?

Ah, just thinking out loud again. I am sure someone out there will give me hell for saying things like this. I am not a security expert, not even close. But, sometimes I just wonder about things.

EDIT 03/08/2010 ::

Since I wrote this article, I’ve since switched to PFSense as my firewall of choice.  It does way more and better than I could do with IpCop. (still like IPcop though!)  PFsense is a FreeBSD based solution.  It can handle multiple WAN connections, can add several interfaces all with IP aliases, and has all the “lock down” rules in place from the start.  Not to mention, there are plugins that make tracking down traffic issues much easier.  I LOVE IT!

The only gripe I might have is in the complexity of the traffic shaper, although, I could actually use it as opposed to trying to figure out the Linux way. (which I never did figure out.)

Having said all that, my original point of the post is still standing. Who cares if you have a Sonicwall or Pix? Are they truly more secure? Are they not also just software running on hardware, making them really just “embedded apps” of a sort? I think PFSense can run embedded, right? (Which really just translates to, “I can run this on a flash media drive and on a tiny little computer.”) So yes, I still need to research this on my own, but I really don’t get what is better about those expensive solutions. I’d rather have PFSense, or similar, on generic hardware that can be swapped and troubleshooted easier. Just my opinion.


OMA Service Unavailable

by on Dec.17, 2007, under Internet, Networking, Windows Server

I found a ton of help on Google for this “Service Unavailable” issue on the OMA virtual directory for Exchange 2003. Unfortunately, this was not something readily available. Several sites will explain the proper config for all the virtual folders in IIS, which you should obviously follow, but they don’t mention one little thing… OMA uses ASP.net 1.1. If you go into the OMA properties in IIS, change it from ASP.net 2 to ASP.net 1.1. After that, it all worked beautifully!

Oh, and by the way, I ran into this issue while setting up some Windows Mobile devices with ActiveSync and Direct Push at a couple clients, one was running IIS5 on Windows 2000, and the most recent was running IIS6 on the Windows 2003. The solution was the same on both of them.


IPCop 1.4.15 with PPTPd would not run because of libpcap link

by on Oct.03, 2007, under Linux, Networking, Security, Windows Vista

I fought with this one for a while, like several hours. I installed the pptp addon for IPCop, which, by the way, you must Google for. I installed version 0.2.9 (pptpd_0.2.9.tar.gz) and found that on a forum somewhere. If you go to the addons from IPCop, you will only find 0.2.6, and that won’t work with 1.4.13 or higher. (I might have that version a bit off, but I think that’s right.) So Google for that file and you should find the file and ftp server IP. I don’t want to provide that, because I don’t have permission to do so.

Anyway, back to the problem. The pptp addon installed just fine on IPCop, and the admin web gui showed the correct items. I could not, however, get Windows to connect. I always got a 619 error, like that is helpful! On the IPCop /var/log/messages, I found this:
pptpd[5740]: GRE: read(fd=5,buffer=804dc00,len=8196) from PTY failed: status = -1 error = Input/output error

You can see the details on the pptpclient help page:

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#read_eproto

 

I didn’t know how to do their troubleshooting, especially on IPCop. But then it occurred to me, find pppd, and ask it for help!

I ran this: /opt/pptp/sbin/pppd --help
Returned: /opt/pptp/sbin/pppd: error while loading shared libraries: libpcap.so.0.8.3: cannot open shared object file: No such file or directory

Ah-HA!!!

Run this on IPCop 1.4.15 while in the /usr/lib directory: ln -s libpcap.so.0.9.5 libpcap.so.0.8.3

BINGO! Windows can connect! From Vista no less!

Oh, and I know that PPTP is not the best as far as security goes, but it is the only thing I can use. I am running several Wifi Palm devices with a PPTP client on them for Hotsyncing on the Internet. I realize there is another product available that uses IPSec, but that is quite expensive per device. Plus that solution might run into a lot more hassle for the users while on the road trying to connect over hotspots, because IPSec may be blocked. PPTP is just more compatible. I’d really prefer to have an SSL based VPN on the Palm, but I don’t know of one available. So, for now, I’ll at least suffer with PPTP instead of opening my hotsync up to the world. Not perfect, but I can lock down the connection with IPcop too. (sounds like another blog… :) )


Active Directory recovery using a secondary offsite DC

by on Sep.01, 2007, under Networking, Windows Server

The basics of this require that we setup a second CPU to take offsite. This system would have AD loaded, GC set, DNS, and all that stuff needed to run AD separately from the network. Here’s the catch, though. We can’t run this and be current. In a disaster, it would work great to be up and running, but it wouldn’t stay current.

So what do we do? We use a cheap PC, do all that DC stuff on it, and make sure it’s syncing good and working on the network (with the GC, DNS, WINS and stuff). IT SHOULD NOT have any FSMO roles. It’s purely a secondary.

BEFORE running DCpromo on that system, Make an image. And make sure we can recover it quickly. Save that image of the server in “stand alone server” install mode (not a DC or even member server yet), because this is what we’ll use to run this process over and over quickly.

AFTER we run the DCpromo and setup all the DC stuff, make another image. We’ll use this to drop back onto the system for offsite recovery of AD.

Here’s the steps to setup. (in general)

  1. Setup a stand-alone server, not member of domain. (include all needed SP’s and patches)
  2. Make an image. (PRELOAD image, save this!)
  3. Dcpromo and setup all needed AD and make sure NTFrs and syncing work perfectly.
  4. Make an image. (OFFSITE-DC image, save this!)
  5. Demote the server to a member server again and then remove from domain. (this is to remove it from AD as a DC, make AD cleaner and no NTfrs errors)
  6. Add OFFSITE-DC image to system again, BUT DO NOT CONNECT TO NETWORK.

Here’s the steps to run regularly to keep up to date.

  1. Take that offsite pc, image over it with the PRELOAD.
  2. Join this to the domain and do the DC stuff.
  3. Make your OFFSITE-DC image again.
  4. Demote the server, remove from domain.
  5. Load OFFSITE-DC image on again, BUT DO NOT CONNECT TO NETWORK.
  6. Take it offsite, seize the FSMO roles. You now have a DC ready to run in an emergency.

This process might take a day with all the imaging, but if you keep the drive loaded with ONLY the DC, it should be pretty quick. And consider that you won’t sit and watch it, you really should only spend like 2 or 3 hours running the process. Also consider that if you run this every month, or even every couple weeks, you’d get real fast at it. And this is what we want in a disaster recovery situation, fast recovery!

Why do all this? Couldn’t we just do an NTBackup recovery? Well, first of all, last I saw on a Microsoft KB article, recovering to alternative hardware on a DC was not supported. So, there’s one obstacle. Though, they do provide a good “how to” KB article, they say it’s not supported. (now I need to find that article again.) Second of all, I tried doing all of the Microsoft suggestions, and I was never able to recover my DC, whether it was the PDC or a backup, to alternative hardware. Of course, I was using Windows 2000, and recovering to 5 years newer hardware, maybe that might have something to do with it. But you know what, I have a lot of clients that would be in that boat. I’ll have more to say on this later.


Shorten the download interval on the Exchange Server 2003 Pop3 Connector

by on Jul.09, 2007, under Networking, Registry, Windows Server

The shortest interval to download user email with the Exchange Pop3 connector is 15 minutes. Too long for most people. To shorten that to 5 minutes, you have to update/add a registry value in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\Network\POP3 Connector

Add Dword:

"ScheduleAccelerator"=dword:00000003

 

It works by dividing the default schedule interval by that value. For example, the server connector is set to 15 minutes, the lowest setting. Set the reg value to 3, so 15 divided by 3 equals 5. This makes it a 5 minute interval.


Open file security warning on mapped drive

by on Jul.06, 2007, under Networking, Security, Windows Server, Windows XP

When opening files on the network over mapped drive OR UNC, you receive a “publisher” or “security” warning before running the file. Very annoying.

In IE, you add the server or domain to your “local intranet” security zone. In my case, my server was: main.domain.local
It was mapped on O: drive.

 

So in the zone I added:
\\main
O:\
domain.local
\\domain.local

That took care of all kinds of connections.

For a domain-wide setting: in Active Directory, I added a group policy for the file types of moderate security.

Go to a domain policy (I used the Default Domain Policy on mine), then open User Configuration > Administrative Templates > Windows Components > Attachment Manager.

And edit the item: Inclusion List for Moderate Risk file types

Add: .doc;.xls;.exe;.pdf
(just the most common, you might want more)

Add the type you want to exclude from the security warning. Reboot the client computer, or run gpupdate on it to get the new policy. Problem went away for me!


Self-Signed IIS SSL Certificates using OpenSSL

by on Jun.18, 2007, under Linux, Networking, Security, Windows Server

Gregs Uberfast version:

Linux:

openssl genrsa -des3 -out CA.key 1024
openssl req -new -key CA.key -x509 -days 3650 -out CA.crt
chmod 400 CA.key
chmod 400 CA.crt

(the above made a new CA, you want to install the crt into IE’s trusted certs.)

Win:

Make the cert request in IIS and take it to the Linux box.

Linux:

(All one line)
openssl x509 -req -days 3650 -in certreq.txt -CA CA.crt -CAkey CA.key -CAcreateserial -out mail.server.crt

Win:

Take that mail.server.crt and install it in IIS. People browsing your site will get a “not valid CA” type error, especially in IE7, and they’ll need to accept that. Otherwise, you need to buy a real cert. If it’s only your users on the site, then just have them install the CA.crt into IE, as then they will trust the authority/key from the web server. Every user will need to do that.
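
The same CA, request and signing steps as a script that also checks the result, as an added example that is not from the original post. It assumes a 2048-bit key with SHA-256 rather than the 1024-bit key above, a constructed passphrase and host name, a locally generated request standing in for the IIS certreq.txt, and a subjectAltName entry, which current browsers require.

```shell
#!/bin/sh
# Added example: the post's CA -> request -> signed certificate flow, run in
# a scratch directory and then verified. Assumptions (not from the post):
# RSA-2048/SHA-256, a constructed passphrase and host name, a locally made
# request standing in for the certreq.txt that IIS produces, and a
# subjectAltName entry, which current browsers require.

CA_PASS='constructed-demo-passphrase'   # constructed value
SERVER_CN='mail.example.test'           # hypothetical host name

make_ca() {            # $1 = directory; writes CA.key (encrypted) and CA.crt
    ( cd "$1" || exit 1
      openssl genrsa -aes256 -passout "pass:$CA_PASS" -out CA.key 2048 2>/dev/null &&
      openssl req -new -x509 -sha256 -key CA.key -passin "pass:$CA_PASS" \
          -days 3650 -subj "/CN=Example Internal CA" -out CA.crt &&
      chmod 400 CA.key )
}

make_request() {       # stand-in for "Make cert request in IIS"
    ( cd "$1" || exit 1
      openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
          -subj "/CN=$SERVER_CN" -out certreq.txt 2>/dev/null )
}

sign_request() {       # the post's x509 -req step, plus SHA-256 and a SAN
    ( cd "$1" || exit 1
      printf 'subjectAltName=DNS:%s\n' "$SERVER_CN" > san.ext
      openssl x509 -req -sha256 -days 3650 -in certreq.txt \
          -CA CA.crt -CAkey CA.key -passin "pass:$CA_PASS" \
          -CAcreateserial -extfile san.ext -out mail.server.crt 2>/dev/null )
}

chains_to() {          # $1 = CA certificate, $2 = server certificate
    # Succeeds only if the server certificate verifies against that CA,
    # which is what a client does once CA.crt is in its trusted store.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

has_san() {            # $1 = certificate; true if it names SERVER_CN as a SAN
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$SERVER_CN"
}

# Run the whole flow only when asked to: sh <this script> demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) || exit 1
    make_ca "$dir" && make_request "$dir" && sign_request "$dir" || exit 1
    chains_to "$dir/CA.crt" "$dir/mail.server.crt" && echo "chain: OK"
    has_san "$dir/mail.server.crt" && echo "SAN: present"
    echo "files in $dir"
fi
```

Run the script with the argument `demo` to execute the whole flow in a temporary directory.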


Recovering/Restoring Exchange server to a new server

by on Jun.12, 2007, under Networking, Windows Server

Greg Fischer
6/15/07

I used Exchange 2000 on Windows 2000 for this, 2003 might be a little different. Obviously, you need to make sure you have the backups in the first place, this assumes you have done this, and we will only focus on recovery. Also, this is intended for Small businesses with only 1 Exchange server and some, just a little, tolerance for downtime. You maybe can apply some of this in a large organization, but probably not.

Using NTBackup (online data):

(work in progress)

OLD Server: Felix
NEW Server: Ruphus

  1. Setup a new server as Ruphus. This can be in the same domain and exist with the old server, BUT you will not be able to reconnect the user mailboxes on the new server. That’s a different story and I have not tested procedures for it. We are going to assume the old server is Gone, bye-bye, toast! Also, see notes on setting up a test domain controller and network for full recovery. But at this point, you should have a new Windows server up and running, a DC or not.
  2. Install Exchange, install SP’s on Ruphus.
  3. Open System Manager, delete the Felix from the Exchange site. (will give warnings, but ok)
  4. At this point, we do not have all the configuration from the old server, and for the purposes of this guide, we are not going to bother and assume you can setup your SMTP and other items from memory. In a very large Exchange environment, this might not be possible though, but this guide is intended for those of us with only 1 Exchange server on a small network.
  5. On Ruphus rename the old mailbox and public store databases, and/or create new databases that have the same “exact” logical names as were on Felix. (in System Manager, browse to Servers, and find your public and mailbox stores. Right click and select Rename.)
  6. Run NTBackup, go to Restore, and find your Felix Information Store database, check the mailbox stores listed. (and log files, which will probably be an option)
    1. Click Start Restore.
    2. Select Ruphus as the server
    3. Select a temp directory, in my case I used the large D: drive. (d:\temp)
    4. Check the boxes (I think, Last set, and Mount db’s?)
    5. Start recovery.
  7. Reboot, and make sure your stores mount.
  8. Now, if you have setup a new server on a test network OR your old server is toast and you are trying to recover a new server, then you will need to reconnect the mailboxes to the user accounts. For this you will use a tool called, “mbconn.exe”. On your exchange cd, under: SUPPORT\UTILS\I386
    Find the mbconn.exe and run it. (a gui)
  9. In here, you connect to Ruphus, and select the store you want to reconnect mailboxes. It should display all the orphaned mailboxes. Then you go to Action, Preview All, and select the AD container with your user accounts, and select OK. It should put green checkmarks next to the mailboxes that it matches to. Then you go to Action, and Apply.
    Re-apply this to any leftover mailboxes if they are in different OU’s. For example, you might have users in Accounting, or Marketing OU’s. Each will Preview and Apply separately until you have reconnected all of them.
    NOTE: You probably won’t be able to reconnect a few items, like System Attendant mailbox, as they are created new on Ruphus. Also, you will need to do this procedure for each mailbox store separately.
  10. Check Recipient Update Services in Exchange and set the properties accordingly, they will be set to the old server and domain controllers. Tell the objects in RUS to rebuild.
  11. Dare I say, “login as a user and see if Outlook works” … ?

Using Offline Database:

Coming later…

Notes on setting up a DC

In my case, I wanted to have a test network, and also a way to do fast recovery of the network on a new server that is offsite. Instead of recovering a DC and AD, I just installed a new server on my existing domain. I made sure it had BASIC drives, not DYNAMIC! And then I setup the server as a backup DC. Make sure you select it as a Global Catalog too! Also, make sure DNS is setup and configured on it!

So, at this point, I had a new DC, GC, DNS server, acting as a backup on my domain. I went in the AD sites and services, and performed a manual replication in the NTDS settings for each server. I also made a ghost image of this server, so I can make a step back, and/or do this again for backup procedures. Keep in mind, once you move ahead though, you’ll probably need to do all this again each time you want a current snapshot of AD for recovery. So what I would do is, setup a basic Win2k load NOT joined to the domain with all the service packs and IE updates, and even Office (I find useful), and all your utilities you need. (don’t forget the Adminpak!) Then, make a ghost of this server, before doing the join and DCpromo.

Now, we’ve got our replicated server. Lets shut it down, and set it up on the new testing network. (MAKE SURE!!! You cannot communicate with the old one, make them physically separate!) And once removed and setup on the new network, you will need to manually delete this newly dcpromo’d server from your existing network. (see below)

At this point, we need to seize all the roles, and make this server the master of the domain. So, look it up online, run the ntdsutil command program and seize all the 5 FSMO’s. Then, go into DNS and remove anything regarding the old servers. (don’t forget the server properties listing the old ones as Name servers too) And also, in _msdc SRV records, remove the old servers. After all that, you might need to go in to ADSIEdit (in the adminpak) and find the old servers and delete them in the CN=Configuration container. And if necessary, go in the AD Computers and in Domain Controllers, and delete the servers. And one more… Go into AD sites, and delete the NTDS replication entries and servers. Whew! I think that’s it! You should have a single DC on a test network. This all takes only minutes once you do it a couple times, so it’s not that bad. The hardest part is remembering the ntdsutil command, which you need to look up online. Just verify that the new server actually holds all the FSMO roles.

We should have a new server all ready to go on the testing/recovery network! All user accounts and settings intact! And now we can begin Exchange!


Set duplex on linux network card

by on Mar.05, 2007, under Linux, Networking

Statically/manually define/set duplex on linux network card
Use mii-tool or ethtool

//////////////////////////////

A Note About Duplex Settings

By default, Linux NICs negotiate their speed and duplex settings
with the switch. This is done by exchanging electronic signals
called Fast Link Pulses (FLP). When the speed and duplex are forced
to a particular setting the FLPs are not sent. When a NIC is in
auto-negotiation mode and detects a healthy, viable link but receives
no FLPs, it errs on the side of caution and sets its duplex to
half-duplex and sometimes it will also set its speed to the lowest
configurable value. It is therefore possible to force a switch port to
100 Mbps full duplex, but have the auto-negotiating server NIC set
itself to 100Mbps half-duplex which will result in errors. The same is
true for the switch if the switch port is set to auto-negotiate and
server NIC is set to 100 Mbps full duplex. It is best to either force
both the switch port and server NIC to either auto-negotiate or
the same forced speed and duplex values.

//////////////////////////////

//////////////////////////////// mii-tool

/////////////////////////////////////////////////////////////

[root@bigboy tmp]# mii-tool
SIOCGMIIPHY on 'eth0' failed: Operation not supported
eth1: 100 Mbit, half duplex, link ok
[root@bigboy tmp]#

[root@bigboy tmp]# mii-tool -v
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:10:18, model 33 rev 2
basic mode:   autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
[root@bigboy tmp]#

mii-tool -F 100baseTx-FD eth0

//////////////////////////////// Ethtool

/////////////////////////////////////////////////////////////

[root@bigboy tmp]# ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes:   10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes:  10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: g
Wake-on: g
Current message level: 0x00000007 (7)
Link detected: yes
[root@bigboy tmp]#

#
# File: /etc/sysconfig/network-scripts/ifcfg-eth0
#
DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
BOOTPROTO=static
ONBOOT=yes
ETHTOOL_OPTS="speed 100 duplex full autoneg off"

////////////////////// or
ethtool -s eth1 speed 100 duplex full autoneg off
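
One way to spot the mismatch described in the duplex note from ethtool output, as an added example that is not from the original post. The function name, the verdict labels and the second sample are constructed for illustration; the first sample is taken from the ethtool output shown above.

```shell
#!/bin/sh
# Added example: classify `ethtool <iface>` output (read on stdin) using the
# rule from the duplex note: an auto-negotiating NIC that ends up at half
# duplex is probably facing a port that was forced, so it received no FLPs.
# Verdict labels are this example's own, not ethtool's.

duplex_check() {
    # Only the four status lines matter. "Supports auto-negotiation" and
    # "Advertised auto-negotiation" describe capability, not state, and are
    # skipped because the patterns are anchored and case-sensitive.
    awk -F': *' '
        /^[ \t]*Speed:/            { speed   = $2 }
        /^[ \t]*Duplex:/           { duplex  = $2 }
        /^[ \t]*Auto-negotiation:/ { autoneg = $2 }
        /^[ \t]*Link detected:/    { link    = $2 }
        END {
            if (link != "yes")         verdict = "no-link"
            else if (autoneg == "off") verdict = "forced"
            else if (duplex == "Half") verdict = "suspect-mismatch"
            else                       verdict = "negotiated"
            print verdict, speed, duplex
        }'
}

sample_forced() {      # from the post: NIC forced to 100/full
cat <<'EOF'
Settings for eth0:
Supports auto-negotiation: Yes
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Full
Auto-negotiation: off
Link detected: yes
EOF
}

sample_fallback() {    # constructed: autoneg NIC that fell back to half
cat <<'EOF'
Settings for eth1:
Supports auto-negotiation: Yes
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Half
Auto-negotiation: on
Link detected: yes
EOF
}

# "forced" means the switch port must be forced to the same speed and duplex;
# "suspect-mismatch" means check whether the switch port was forced.
for s in sample_forced sample_fallback; do
    printf '%s: %s\n' "$s" "$($s | duplex_check)"
done
# On a live host: ethtool eth0 | duplex_check
```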


Master Browser checking with browstat

by on Feb.01, 2007, under Networking, Windows Server

All these years and I’ve never known how to determine what the “master browser” was on my networks. How many times do you see those event log errors about “such and such is not the master browser” or “unable to get a browse list”. Not that I know how to fix all that, but at least I can find out WHAT THE MASTER IS in the first place!

There’s a cool utility called: browstat

Run from command line. There is one stupid thing though, you need to determine your Netbios transport first. To do that, run: net config rdr

C:\>net config rdr

Computer name                        \\MYSERVER

Full Computer name                   myserver.yourdomain.com

User name                            administrator

Workstation active on

        NetbiosSmb (000000000000)

        NetBT_Tcpip_{0FCE584B-9B98-4D26-A241-1A070D06767A} (00188B3A1EE6)

        NetBT_Tcpip_{F55EF45C-33E5-4842-A4AC-8DFF82D07B76} (00188B3A1EE8)

Software version                     Windows 2000

Workstation domain                   YOURDOMAIN

Workstation Domain DNS Name          YOURDOMAIN.com

Logon domain                         YOURDOMAIN

COM Open Timeout (sec)               0

COM Send Count (byte)                16

COM Send Timeout (msec)              250

The command completed successfully.

So you can see… what a mess! You need this:

NetBT_Tcpip_{0FCE584B-9B98-4D26-A241-1A070D06767A}

And to get your master browser run this:

browstat getmaster NetBT_Tcpip_{0FCE584B-9B98-4D26-A241-1A070D06767A} YOURDOMAIN

It should return something like: Master Browser: MYSERVER

You can also run: browstat status YOURDOMAIN
This will list all kinds of useful info, including your transports.  It shows your backup servers, as well as your master browser.



1st Byte Solutions