Solved

Network traffic to domain controller and/or DHCP server every 15 minutes (incl. ethereal log)

Posted on 2006-11-07
11
2,568 Views
Last Modified: 2007-11-27
Hi

I'm having the following problem: Exactly every 15 minutes, my Windows XP English SP2 (and some patches) performs some communication a network servers. Characteristics of my working environment:
- I logon to a domain
- I get TCP/IP settings by dhcp
- my PC has IP xx.yy.11.95 (referred to as MyPc)
- The dhcp server has ip xx.yy.1.1 (referred to as Server) - ipconfig /all tells me that this server is my: dhcp-,dns- and primary wins server
Below I'll present you the traffic that occures every 15 minutes. My question to you is:
1. How can I disable this communication (or at least: make it happen less often) - by still having the full functionality (Changing policies on the domain controller IS possible)
2. (optionally): What exactly does this transfer(s) do? What are they needed for?

Now I present you the traffic that happens every 15 minutes in a stripped form similar to what ethereal showed me:
1.  MyPc -> Server> ICMP: Echo (ping) request
2.  Server -> MyPc> ICMP: Echo (ping) reply
3.  MyPc -> Server> TCP:  2461 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
4.  MyPc -> Server> ICMP: Echo (ping) request
5.  Server -> MyPc> TCP:  micrsoft-ds > 2461 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
6.  MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECSUM INCORRECT] Len=0
7.  Server -> MyPc> ICMP: Echo (ping) reply
8.  MyPc -> Server> SMB:  Negotiate Protocol Request
9.  Server -> MyPc> SMB:  Negotiate Protocol Response
10. MyPc -> Server> SMB:  Session Setup AndX Request [Unreassembled Packet [incorrect TCP checksum]]
11. MyPc -> Server> NBSS: NBSS Continuation Message
12. Server -> MyPc> TCP:  microsoft-ds > 2461 [ACK] Seq=183 Ack=2812 Win=65535 Len=0
13. Server -> MyPc> SMB:  Session Setup AndX Response
14. MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$
15. Server -> MyPc> SMB:  Tree Connect AndX Response
16. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File:
17. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
18. MyPc -> Server> SMB:  Trans2 Reqeuwest, GET_DFS_REFERRAL, File: \myhostname.net
19. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
20. MyPc -> Server> SMB:  Trans2 Reqeuwest, GET_DFS_REFERRAL, File: \MYHOSTNAME
21. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
22. MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=3182 Win=65179 [TCP CHECKSUM INCORRECT] Len=0
23. MyPc -> Server> SMB:  Logoff AndX Request
24. Server -> MyPc> SMB:  Logoff AndX Response
25. MyPc -> Server> SMB:  Tree Disconnect Request
26. Server -> MyPc> SMB:  Tree Disconnect Response
...
...
...

Note: Transfer 16. has reall no filename (I dindn't strip it away)

Thanks!
0
Comment
Question by:zulliger
  • 5
  • 4
11 Comments
 
LVL 38

Expert Comment

by:younghv
Comment Utility
The [SYN, ACK] is just a network host talking to a Server or DC (and the response).
In the old NT days, 15 minutes was the default time for this built-in function.

Can you access your Event Viewer and review the logs for Errors or Warnings?
Check all 3 and list some Event ID's.

We can move forward from there.


Vic
0
 

Author Comment

by:zulliger
Comment Utility
1. In the meantime, I've found out that if I stop the NetLogon service (net stop netlogon), then those transfers will stop occuring (and, remember, thats exactly what I want)! So I suggest to now find out how I can increase the 15 minutes to, let's say, 24 hours.

2. Or an other way to the solution: How can I fully use the system by disabled netlogon service? In fact, I've now (after the netlogon service has been stopped) W32Time and Kerberos errors (IDs: 36, 7, 18, 29) And some more W32Time warnings with ID: 24, 25... Ok, I guess I have to think about disabling "time synching" with the server, but what about those Kerberos failures?

3. But to answer to your request: There are (almost) no errors/warnings. The only warnings were ID: 1517, 1524

==> Answer for 2. is most wanted.

Thanks!
0
 

Author Comment

by:zulliger
Comment Utility
Oups... There's a mistake in my last comment

==> Answer fro 2. is most wanted is wrong!

*** Answer for 1. is most wanted ****
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
zulliger,
If this computer is a member of a Domain (Network), you need to authenticate with a Domain Controller.
That is part of the NetLogon service.

Vic
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:zulliger
Comment Utility
Ok. But I guess that those 15minutes can be increased, can't they?
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
Take a look at this TechNet article.
The short answer is 'yes' - it can be modified.
I've never done it and I never make changes to the default settings without really looking into the possible consequences.

Here you go: http://technet2.microsoft.com/WindowsServer/en/library/4d8388e6-6ba0-4f08-b1d9-525bf949fa761033.mspx?mfr=true


Vic
0
 

Author Comment

by:zulliger
Comment Utility
First: Was on holiday the last 3 weeks - thats why I didn't resond. Sorry

Second: I've skimmed through the page above, but I'm not sure what you suggest to do now. The most useful (IMHO) is the "TTL Set in the DC Locator DNS SRV Records". Should I change this value? If yes, could you please give me a short explanation of how to do this with my Windows XP Prof. workstation (or can this value only be set on the server side?).
An other (probably) useful key could be the is the DnsAvoidRegisterRecords - but this would disable specific features instead of increasing the update-interval, wouldn't it?

Third: I have currently no access to the test-PC with which I've reproduced the effect. I will test your solution - but it may take an other 2 week (in worst case even more).
0
 
LVL 38

Accepted Solution

by:
younghv earned 500 total points
Comment Utility
zulliger,
Let us know when you are actually on the computer and maybe we can make some good stuff happen.
0
 

Author Comment

by:zulliger
Comment Utility
Unfortunately, I don't have access to the system anymore and the problem has been marked as "done", because "we can live" with this problem as it will "only" happen every 15 minutes...

So in short: I can't test the proposed solution anymore. I would have needed the solution earlier...

How should we go on? Is it ok (and is it technically possilbe) to reduce the points, say to 250? Would that be fair?
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

There are 2 things you must have in order to connect to the internet behind a router, The "Gateway IP" of the router, which is usually something like 192.168.xxx.1, I've seen routers with default values of: 192.168.0.1, 192.168.1.1, 192.168.11.1, …
cPanel is a Unix based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cPanel utilizes a 3 tier structure that provides functionality for administrators, rese…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now