• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2616
  • Last Modified:

Network traffic to domain controller and/or DHCP server every 15 minutes (incl. ethereal log)

Hi

I'm having the following problem: Exactly every 15 minutes, my Windows XP English SP2 (and some patches) performs some communication a network servers. Characteristics of my working environment:
- I logon to a domain
- I get TCP/IP settings by dhcp
- my PC has IP xx.yy.11.95 (referred to as MyPc)
- The dhcp server has ip xx.yy.1.1 (referred to as Server) - ipconfig /all tells me that this server is my: dhcp-,dns- and primary wins server
Below I'll present you the traffic that occures every 15 minutes. My question to you is:
1. How can I disable this communication (or at least: make it happen less often) - by still having the full functionality (Changing policies on the domain controller IS possible)
2. (optionally): What exactly does this transfer(s) do? What are they needed for?

Now I present you the traffic that happens every 15 minutes in a stripped form similar to what ethereal showed me:
1.  MyPc -> Server> ICMP: Echo (ping) request
2.  Server -> MyPc> ICMP: Echo (ping) reply
3.  MyPc -> Server> TCP:  2461 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
4.  MyPc -> Server> ICMP: Echo (ping) request
5.  Server -> MyPc> TCP:  micrsoft-ds > 2461 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
6.  MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECSUM INCORRECT] Len=0
7.  Server -> MyPc> ICMP: Echo (ping) reply
8.  MyPc -> Server> SMB:  Negotiate Protocol Request
9.  Server -> MyPc> SMB:  Negotiate Protocol Response
10. MyPc -> Server> SMB:  Session Setup AndX Request [Unreassembled Packet [incorrect TCP checksum]]
11. MyPc -> Server> NBSS: NBSS Continuation Message
12. Server -> MyPc> TCP:  microsoft-ds > 2461 [ACK] Seq=183 Ack=2812 Win=65535 Len=0
13. Server -> MyPc> SMB:  Session Setup AndX Response
14. MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$
15. Server -> MyPc> SMB:  Tree Connect AndX Response
16. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File:
17. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
18. MyPc -> Server> SMB:  Trans2 Reqeuwest, GET_DFS_REFERRAL, File: \myhostname.net
19. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
20. MyPc -> Server> SMB:  Trans2 Reqeuwest, GET_DFS_REFERRAL, File: \MYHOSTNAME
21. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
22. MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=3182 Win=65179 [TCP CHECKSUM INCORRECT] Len=0
23. MyPc -> Server> SMB:  Logoff AndX Request
24. Server -> MyPc> SMB:  Logoff AndX Response
25. MyPc -> Server> SMB:  Tree Disconnect Request
26. Server -> MyPc> SMB:  Tree Disconnect Response
...
...
...

Note: Transfer 16. has reall no filename (I dindn't strip it away)

Thanks!
0
zulliger
Asked:
zulliger
  • 5
  • 4
1 Solution
 
younghvCommented:
The [SYN, ACK] is just a network host talking to a Server or DC (and the response).
In the old NT days, 15 minutes was the default time for this built-in function.

Can you access your Event Viewer and review the logs for Errors or Warnings?
Check all 3 and list some Event ID's.

We can move forward from there.


Vic
0
 
zulligerAuthor Commented:
1. In the meantime, I've found out that if I stop the NetLogon service (net stop netlogon), then those transfers will stop occuring (and, remember, thats exactly what I want)! So I suggest to now find out how I can increase the 15 minutes to, let's say, 24 hours.

2. Or an other way to the solution: How can I fully use the system by disabled netlogon service? In fact, I've now (after the netlogon service has been stopped) W32Time and Kerberos errors (IDs: 36, 7, 18, 29) And some more W32Time warnings with ID: 24, 25... Ok, I guess I have to think about disabling "time synching" with the server, but what about those Kerberos failures?

3. But to answer to your request: There are (almost) no errors/warnings. The only warnings were ID: 1517, 1524

==> Answer for 2. is most wanted.

Thanks!
0
 
zulligerAuthor Commented:
Oups... There's a mistake in my last comment

==> Answer fro 2. is most wanted is wrong!

*** Answer for 1. is most wanted ****
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
younghvCommented:
zulliger,
If this computer is a member of a Domain (Network), you need to authenticate with a Domain Controller.
That is part of the NetLogon service.

Vic
0
 
zulligerAuthor Commented:
Ok. But I guess that those 15minutes can be increased, can't they?
0
 
younghvCommented:
Take a look at this TechNet article.
The short answer is 'yes' - it can be modified.
I've never done it and I never make changes to the default settings without really looking into the possible consequences.

Here you go: http://technet2.microsoft.com/WindowsServer/en/library/4d8388e6-6ba0-4f08-b1d9-525bf949fa761033.mspx?mfr=true


Vic
0
 
zulligerAuthor Commented:
First: Was on holiday the last 3 weeks - thats why I didn't resond. Sorry

Second: I've skimmed through the page above, but I'm not sure what you suggest to do now. The most useful (IMHO) is the "TTL Set in the DC Locator DNS SRV Records". Should I change this value? If yes, could you please give me a short explanation of how to do this with my Windows XP Prof. workstation (or can this value only be set on the server side?).
An other (probably) useful key could be the is the DnsAvoidRegisterRecords - but this would disable specific features instead of increasing the update-interval, wouldn't it?

Third: I have currently no access to the test-PC with which I've reproduced the effect. I will test your solution - but it may take an other 2 week (in worst case even more).
0
 
younghvCommented:
zulliger,
Let us know when you are actually on the computer and maybe we can make some good stuff happen.
0
 
zulligerAuthor Commented:
Unfortunately, I don't have access to the system anymore and the problem has been marked as "done", because "we can live" with this problem as it will "only" happen every 15 minutes...

So in short: I can't test the proposed solution anymore. I would have needed the solution earlier...

How should we go on? Is it ok (and is it technically possilbe) to reduce the points, say to 250? Would that be fair?
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now