
Network traffic to domain controller and/or DHCP server every 15 minutes (incl. ethereal log)

Posted on 2006-11-07
Last Modified: 2007-11-27
Hi

I'm having the following problem: Exactly every 15 minutes, my Windows XP English SP2 (and some patches) performs some communication with network servers. Characteristics of my working environment:
- I log on to a domain
- I get TCP/IP settings by DHCP
- my PC has IP xx.yy.11.95 (referred to as MyPc)
- The DHCP server has IP xx.yy.1.1 (referred to as Server) - ipconfig /all tells me that this server is my DHCP, DNS and primary WINS server
Below I'll present you the traffic that occurs every 15 minutes. My questions to you are:
1. How can I disable this communication (or at least make it happen less often) while still having the full functionality? (Changing policies on the domain controller IS possible)
2. (optionally): What exactly do these transfers do? What are they needed for?

Now I present you the traffic that happens every 15 minutes, in a stripped form similar to what Ethereal showed me:
1.  MyPc -> Server> ICMP: Echo (ping) request
2.  Server -> MyPc> ICMP: Echo (ping) reply
3.  MyPc -> Server> TCP:  2461 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
4.  MyPc -> Server> ICMP: Echo (ping) request
5.  Server -> MyPc> TCP:  microsoft-ds > 2461 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
6.  MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
7.  Server -> MyPc> ICMP: Echo (ping) reply
8.  MyPc -> Server> SMB:  Negotiate Protocol Request
9.  Server -> MyPc> SMB:  Negotiate Protocol Response
10. MyPc -> Server> SMB:  Session Setup AndX Request [Unreassembled Packet [incorrect TCP checksum]]
11. MyPc -> Server> NBSS: NBSS Continuation Message
12. Server -> MyPc> TCP:  microsoft-ds > 2461 [ACK] Seq=183 Ack=2812 Win=65535 Len=0
13. Server -> MyPc> SMB:  Session Setup AndX Response
14. MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$
15. Server -> MyPc> SMB:  Tree Connect AndX Response
16. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File:
17. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
18. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \myhostname.net
19. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
20. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \MYHOSTNAME
21. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
22. MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=3182 Win=65179 [TCP CHECKSUM INCORRECT] Len=0
23. MyPc -> Server> SMB:  Logoff AndX Request
24. Server -> MyPc> SMB:  Logoff AndX Response
25. MyPc -> Server> SMB:  Tree Disconnect Request
26. Server -> MyPc> SMB:  Tree Disconnect Response
...
...
...

Note: Transfer 16 really has no filename (I didn't strip it away)

Thanks!
Question by:zulliger
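Added example, not code from the original post or from either participant: a small Python parser that takes summary lines in the shape of the listing above (with a constructed relative timestamp in seconds prepended to each line, since the stripped listing carries none) and classifies each SMB session, so that the periodic exchange shown above (tree connect to IPC$ only, GET_DFS_REFERRAL for the empty name, the DNS domain name and the NetBIOS domain name, then logoff, and nothing file-related) can be told apart from an SMB session that actually reads or writes through an administrative share, and so that the interval between the recurring sessions can be measured. The timestamps, the ADMIN$ session used as a contrast, the file name in it and the label strings are all constructed; the other lines are modelled on the question's listing, not taken from a real capture.

```python
"""Classify Ethereal-style SMB session summaries and measure their cadence.

Added example, not from the original post. Each input line looks like the
question's stripped listing with a constructed relative timestamp (seconds)
in front: "900.01  MyPc -> Server> SMB:  Negotiate Protocol Request"
"""
import re
from dataclasses import dataclass, field

LINE = re.compile(
    r"^\s*(?P<t>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)>\s*"
    r"(?P<proto>[A-Z0-9]+):\s*(?P<info>.*)$"
)
BRACKETS = re.compile(r"\s*\[.*")    # drop "[Unreassembled Packet ...]" style suffixes
PATH = re.compile(r"Path:\s*(\S+)")
FILE = re.compile(r"File:\s*(\S*)")  # (\S*): transfer 16 in the question has no name
# Request verbs that move data over a share or named pipe; a pure locator
# session issues none of them.
DATA_OPS = ("NT Create AndX Request", "Read AndX Request",
            "Write AndX Request", "Trans Request")


@dataclass
class Session:
    start: float                 # timestamp of the client's SYN to microsoft-ds
    client: str
    server: str
    ops: list = field(default_factory=list)        # client SMB request verbs, in order
    shares: list = field(default_factory=list)     # Tree Connect paths
    referrals: list = field(default_factory=list)  # GET_DFS_REFERRAL targets


def parse_sessions(text: str) -> list:
    """One Session per client SYN to port 445; later SMB requests attach to it."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # blank or unrecognised line
        proto, info = m["proto"], m["info"]
        if proto == "TCP" and "microsoft-ds [SYN]" in info:
            cur = Session(float(m["t"]), m["src"], m["dst"])
            sessions.append(cur)
        elif proto == "SMB" and cur is not None and m["src"] == cur.client:
            op = BRACKETS.sub("", info).split(",")[0].strip()
            cur.ops.append(op)
            if op.startswith("Tree Connect") and PATH.search(info):
                cur.shares.append(PATH.search(info).group(1))
            elif "GET_DFS_REFERRAL" in info and FILE.search(info):
                cur.referrals.append(FILE.search(info).group(1))
    return sessions


def classify(s: Session) -> str:
    """The domain-referral refresh from the question has a narrow, recognisable shape."""
    ipc_only = bool(s.shares) and all(p.upper().endswith("\\IPC$") for p in s.shares)
    touches_data = any(op.startswith(DATA_OPS) for op in s.ops)
    if ipc_only and s.referrals and not touches_data and "Logoff AndX Request" in s.ops:
        return "dc-locator-referral"      # the benign 15-minute exchange from the question
    if touches_data or any(p.upper().endswith(("\\ADMIN$", "\\C$")) for p in s.shares):
        return "admin-or-data-access"     # correlate with an interactive logon before dismissing
    return "other"


def intervals(sessions, label="dc-locator-referral"):
    """Seconds between consecutive sessions carrying the given label."""
    starts = [s.start for s in sessions if classify(s) == label]
    return [round(b - a, 3) for a, b in zip(starts, starts[1:])]


def is_periodic(sessions, period=900.0, tolerance=5.0, label="dc-locator-referral"):
    gaps = intervals(sessions, label)
    return bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)


# Constructed sample, modelled on the listing in the question (host names kept).
LOCATOR = [
    "MyPc -> Server> ICMP: Echo (ping) request",
    "MyPc -> Server> TCP:  2461 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460",
    "Server -> MyPc> TCP:  microsoft-ds > 2461 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0",
    "MyPc -> Server> SMB:  Negotiate Protocol Request",
    "MyPc -> Server> SMB:  Session Setup AndX Request [Unreassembled Packet [incorrect TCP checksum]]",
    r"MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$",
    "MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File:",
    r"MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \myhostname.net",
    r"MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \MYHOSTNAME",
    "MyPc -> Server> SMB:  Logoff AndX Request",
    "MyPc -> Server> SMB:  Tree Disconnect Request",
]
ADMIN = [  # constructed contrast: a session that writes a file through ADMIN$
    "MyPc -> Server> TCP:  2470 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460",
    "MyPc -> Server> SMB:  Negotiate Protocol Request",
    "MyPc -> Server> SMB:  Session Setup AndX Request",
    r"MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\ADMIN$",
    r"MyPc -> Server> SMB:  NT Create AndX Request, Path: \Temp\report.txt",
    "MyPc -> Server> SMB:  Write AndX Request, FID: 0x4001",
    "MyPc -> Server> SMB:  Logoff AndX Request",
]


def render(t0: float, lines) -> str:
    """Prepend constructed timestamps (t0, t0+0.01, ...) to a session's lines."""
    return "\n".join(f"{t0 + i / 100:.2f}  {line}" for i, line in enumerate(lines))


SAMPLE = "\n".join([render(0, LOCATOR), render(900, LOCATOR),
                    render(1230, ADMIN), render(1800, LOCATOR)])


if __name__ == "__main__":
    found = parse_sessions(SAMPLE)
    for s in found:
        print(f"{s.start:8.2f}  {classify(s):22}  shares={s.shares}  referrals={s.referrals}")
    print("gaps:", intervals(found), "periodic at 900 s:", is_periodic(found))
```

Two notes of my own that the thread does not make. The "[TCP CHECKSUM INCORRECT]" flags appear only on packets sent by MyPc, which is what Ethereal reports when the capturing host's NIC fills in the checksum after the capture point (checksum offload); it is a capture artefact, not a network fault. And the 15-minute cadence matches the default of Netlogon's scavenger interval (the ScavengeInterval value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, REG_DWORD seconds, 900 by default, also exposed as the "Scavenge Interval" Net Logon group policy); I have not confirmed that this timer drives exactly the exchange shown here, so treat it as a lead to test, not as an established cause.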
11 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 17891371
The [SYN, ACK] is just a network host talking to a Server or DC (and the response).
In the old NT days, 15 minutes was the default time for this built-in function.

Can you access your Event Viewer and review the logs for Errors or Warnings?
Check all 3 and list some Event ID's.

We can move forward from there.


Vic
 

Author Comment

by:zulliger
ID: 17896004
1. In the meantime, I've found out that if I stop the NetLogon service (net stop netlogon), then those transfers stop occurring (and, remember, that's exactly what I want)! So I suggest we now find out how I can increase the 15 minutes to, let's say, 24 hours.

2. Or another way to the solution: How can I fully use the system with the netlogon service disabled? In fact, now (after the netlogon service has been stopped) I have W32Time and Kerberos errors (IDs: 36, 7, 18, 29) and some more W32Time warnings with IDs 24, 25... Ok, I guess I have to think about disabling "time synching" with the server, but what about those Kerberos failures?

3. But to answer your request: There are (almost) no errors/warnings. The only warnings were IDs 1517, 1524

==> Answer for 2. is most wanted.

Thanks!
 

Author Comment

by:zulliger
ID: 17897179
Oops... There's a mistake in my last comment

==> "Answer for 2. is most wanted" is wrong!

*** Answer for 1. is most wanted ****
LVL 38

Expert Comment

by:younghv
ID: 17897437
zulliger,
If this computer is a member of a Domain (Network), you need to authenticate with a Domain Controller.
That is part of the NetLogon service.

Vic
 

Author Comment

by:zulliger
ID: 17905403
Ok. But I guess that those 15minutes can be increased, can't they?
 
LVL 38

Expert Comment

by:younghv
ID: 17905644
Take a look at this TechNet article.
The short answer is 'yes' - it can be modified.
I've never done it and I never make changes to the default settings without really looking into the possible consequences.

Here you go: http://technet2.microsoft.com/WindowsServer/en/library/4d8388e6-6ba0-4f08-b1d9-525bf949fa761033.mspx?mfr=true


Vic
 

Author Comment

by:zulliger
ID: 18066253
First: I was on holiday the last 3 weeks - that's why I didn't respond. Sorry

Second: I've skimmed through the page above, but I'm not sure what you suggest I do now. The most useful (IMHO) is the "TTL Set in the DC Locator DNS SRV Records". Should I change this value? If yes, could you please give me a short explanation of how to do this with my Windows XP Prof. workstation (or can this value only be set on the server side?).
Another (probably) useful key could be DnsAvoidRegisterRecords - but this would disable specific features instead of increasing the update interval, wouldn't it?

Third: I currently have no access to the test PC with which I reproduced the effect. I will test your solution - but it may take another 2 weeks (in the worst case even more).
 
LVL 38

Accepted Solution

by:
younghv earned 500 total points
ID: 18068295
zulliger,
Let us know when you are actually on the computer and maybe we can make some good stuff happen.
 

Author Comment

by:zulliger
ID: 18383898
Unfortunately, I don't have access to the system anymore and the problem has been marked as "done", because "we can live" with this problem as it will "only" happen every 15 minutes...

So in short: I can't test the proposed solution anymore. I would have needed the solution earlier...

How should we go on? Is it ok (and is it technically possible) to reduce the points, say to 250? Would that be fair?