Solved

Network traffic to domain controller and/or DHCP server every 15 minutes (incl. ethereal log)

Posted on 2006-11-07
Last Modified: 2007-11-27
Hi

I'm having the following problem: Exactly every 15 minutes, my Windows XP English SP2 (and some patches) performs some communication with a network server. Characteristics of my working environment:
- I logon to a domain
- I get TCP/IP settings by dhcp
- my PC has IP xx.yy.11.95 (referred to as MyPc)
- The DHCP server has IP xx.yy.1.1 (referred to as Server) - ipconfig /all tells me that this server is my DHCP, DNS and primary WINS server
Below I'll present you the traffic that occurs every 15 minutes. My question to you is:
1. How can I disable this communication (or at least: make it happen less often) - by still having the full functionality (Changing policies on the domain controller IS possible)
2. (optionally): What exactly does this transfer(s) do? What are they needed for?

Now I present you the traffic that happens every 15 minutes in a stripped form similar to what ethereal showed me:
1.  MyPc -> Server> ICMP: Echo (ping) request
2.  Server -> MyPc> ICMP: Echo (ping) reply
3.  MyPc -> Server> TCP:  2461 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
4.  MyPc -> Server> ICMP: Echo (ping) request
5.  Server -> MyPc> TCP:  microsoft-ds > 2461 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
6.  MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
7.  Server -> MyPc> ICMP: Echo (ping) reply
8.  MyPc -> Server> SMB:  Negotiate Protocol Request
9.  Server -> MyPc> SMB:  Negotiate Protocol Response
10. MyPc -> Server> SMB:  Session Setup AndX Request [Unreassembled Packet [incorrect TCP checksum]]
11. MyPc -> Server> NBSS: NBSS Continuation Message
12. Server -> MyPc> TCP:  microsoft-ds > 2461 [ACK] Seq=183 Ack=2812 Win=65535 Len=0
13. Server -> MyPc> SMB:  Session Setup AndX Response
14. MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$
15. Server -> MyPc> SMB:  Tree Connect AndX Response
16. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File:
17. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
18. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \myhostname.net
19. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
20. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \MYHOSTNAME
21. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
22. MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=3182 Win=65179 [TCP CHECKSUM INCORRECT] Len=0
23. MyPc -> Server> SMB:  Logoff AndX Request
24. Server -> MyPc> SMB:  Logoff AndX Response
25. MyPc -> Server> SMB:  Tree Disconnect Request
26. Server -> MyPc> SMB:  Tree Disconnect Response
...
...
...

Note: Transfer 16. really has no filename (I didn't strip it away)

Thanks!
Question by:zulliger
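
An added example, not part of the original post: a small Python parser for the stripped trace format used in the question, reducing one session to its initiator, the share it connects to, and the names sent in the GET_DFS_REFERRAL requests. The sample lines are abridged from the question's trace, and the function and field names are assumptions made for this illustration.

```python
import re

# Constructed sample: client-side lines abridged from the question's trace.
TRACE = r"""
3.  MyPc -> Server> TCP:  2461 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
8.  MyPc -> Server> SMB:  Negotiate Protocol Request
10. MyPc -> Server> SMB:  Session Setup AndX Request
14. MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$
16. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File:
18. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \myhostname.net
20. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \MYHOSTNAME
23. MyPc -> Server> SMB:  Logoff AndX Request
25. MyPc -> Server> SMB:  Tree Disconnect Request
"""

# "<no>. <src> -> <dst>> <PROTO>: <info>" as written in the question.
LINE = re.compile(r"^\s*(\d+)\.\s+(\S+) -> (\S+)>\s+(\w+):\s+(.*)$")

def parse(trace):
    """Yield (frame_no, src, dst, proto, info) for each trace line."""
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if m:
            no, src, dst, proto, info = m.groups()
            yield int(no), src, dst, proto, info.strip()

def summarize(trace):
    """Reduce one SMB session to initiator, share and DFS referral names."""
    summary = {"initiator": None, "share": None,
               "dfs_referrals": [], "smb_requests": []}
    for no, src, dst, proto, info in parse(trace):
        # "[SYN]" matches the opening SYN only, not "[SYN, ACK]".
        if proto == "TCP" and "[SYN]" in info and summary["initiator"] is None:
            summary["initiator"] = src
        elif proto == "SMB" and "Request" in info:
            command, _, detail = info.partition(",")
            summary["smb_requests"].append(command.strip())
            if "Path:" in detail:
                summary["share"] = detail.split("Path:", 1)[1].strip()
            elif "GET_DFS_REFERRAL" in detail:
                # An empty File: field is kept as "" (transfer 16).
                name = detail.split("File:", 1)[1].strip()
                summary["dfs_referrals"].append(name)
    return summary

if __name__ == "__main__":
    for key, value in summarize(TRACE).items():
        print(f"{key}: {value}")
```
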
11 Comments
 

Expert Comment

by:younghv
ID: 17891371
The [SYN, ACK] is just a network host talking to a Server or DC (and the response).
In the old NT days, 15 minutes was the default time for this built-in function.

Can you access your Event Viewer and review the logs for Errors or Warnings?
Check all 3 and list some Event ID's.

We can move forward from there.


Vic
 

Author Comment

by:zulliger
ID: 17896004
1. In the meantime, I've found out that if I stop the NetLogon service (net stop netlogon), then those transfers will stop occurring (and, remember, that's exactly what I want)! So I suggest to now find out how I can increase the 15 minutes to, let's say, 24 hours.

2. Or another way to the solution: How can I fully use the system with the netlogon service disabled? In fact, I now have (after the netlogon service has been stopped) W32Time and Kerberos errors (IDs: 36, 7, 18, 29) and some more W32Time warnings with IDs: 24, 25... OK, I guess I have to think about disabling "time synching" with the server, but what about those Kerberos failures?

3. But to answer to your request: There are (almost) no errors/warnings. The only warnings were ID: 1517, 1524

==> Answer for 2. is most wanted.

Thanks!
 

Author Comment

by:zulliger
ID: 17897179
Oops... There's a mistake in my last comment

==> "Answer for 2. is most wanted" is wrong!

*** Answer for 1. is most wanted ****

Expert Comment

by:younghv
ID: 17897437
zulliger,
If this computer is a member of a Domain (Network), you need to authenticate with a Domain Controller.
That is part of the NetLogon service.

Vic
 

Author Comment

by:zulliger
ID: 17905403
OK. But I guess that those 15 minutes can be increased, can't they?

Expert Comment

by:younghv
ID: 17905644
Take a look at this TechNet article.
The short answer is 'yes' - it can be modified.
I've never done it and I never make changes to the default settings without really looking into the possible consequences.

Here you go: http://technet2.microsoft.com/WindowsServer/en/library/4d8388e6-6ba0-4f08-b1d9-525bf949fa761033.mspx?mfr=true


Vic
 

Author Comment

by:zulliger
ID: 18066253
First: Was on holiday the last 3 weeks - that's why I didn't respond. Sorry

Second: I've skimmed through the page above, but I'm not sure what you suggest to do now. The most useful (IMHO) is the "TTL Set in the DC Locator DNS SRV Records". Should I change this value? If yes, could you please give me a short explanation of how to do this with my Windows XP Prof. workstation (or can this value only be set on the server side?).
Another (probably) useful key could be DnsAvoidRegisterRecords - but this would disable specific features instead of increasing the update interval, wouldn't it?

Third: I currently have no access to the test PC with which I've reproduced the effect. I will test your solution - but it may take another 2 weeks (in the worst case even more).

Accepted Solution

by:younghv earned 500 total points
ID: 18068295
zulliger,
Let us know when you are actually on the computer and maybe we can make some good stuff happen.
 

Author Comment

by:zulliger
ID: 18383898
Unfortunately, I don't have access to the system anymore and the problem has been marked as "done", because "we can live" with this problem as it will "only" happen every 15 minutes...

So in short: I can't test the proposed solution anymore. I would have needed the solution earlier...

How should we go on? Is it OK (and is it technically possible) to reduce the points, say to 250? Would that be fair?
Question has a verified solution.
