Solved

Network traffic to domain controller and/or DHCP server every 15 minutes (incl. ethereal log)

Posted on 2006-11-07
Last Modified: 2007-11-27
Hi

I'm having the following problem: Exactly every 15 minutes, my Windows XP English SP2 (and some patches) performs some communication with a network server. Characteristics of my working environment:
- I log on to a domain
- I get TCP/IP settings by dhcp
- my PC has IP xx.yy.11.95 (referred to as MyPc)
- The dhcp server has ip xx.yy.1.1 (referred to as Server) - ipconfig /all tells me that this server is my: dhcp-,dns- and primary wins server
Below I'll present you the traffic that occurs every 15 minutes. My question to you is:
1. How can I disable this communication (or at least: make it happen less often) - while still having the full functionality (Changing policies on the domain controller IS possible)
2. (optionally): What exactly do these transfers do? What are they needed for?

Now I present you the traffic that happens every 15 minutes in a stripped form similar to what ethereal showed me:
1.  MyPc -> Server> ICMP: Echo (ping) request
2.  Server -> MyPc> ICMP: Echo (ping) reply
3.  MyPc -> Server> TCP:  2461 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
4.  MyPc -> Server> ICMP: Echo (ping) request
5.  Server -> MyPc> TCP:  microsoft-ds > 2461 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
6.  MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
7.  Server -> MyPc> ICMP: Echo (ping) reply
8.  MyPc -> Server> SMB:  Negotiate Protocol Request
9.  Server -> MyPc> SMB:  Negotiate Protocol Response
10. MyPc -> Server> SMB:  Session Setup AndX Request [Unreassembled Packet [incorrect TCP checksum]]
11. MyPc -> Server> NBSS: NBSS Continuation Message
12. Server -> MyPc> TCP:  microsoft-ds > 2461 [ACK] Seq=183 Ack=2812 Win=65535 Len=0
13. Server -> MyPc> SMB:  Session Setup AndX Response
14. MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$
15. Server -> MyPc> SMB:  Tree Connect AndX Response
16. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File:
17. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
18. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \myhostname.net
19. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
20. MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \MYHOSTNAME
21. Server -> MyPc> SMB:  Trans2 Response, GET_DFS_REFERRAL
22. MyPc -> Server> TCP:  2461 > microsoft-ds [ACK] Seq=3182 Win=65179 [TCP CHECKSUM INCORRECT] Len=0
23. MyPc -> Server> SMB:  Logoff AndX Request
24. Server -> MyPc> SMB:  Logoff AndX Response
25. MyPc -> Server> SMB:  Tree Disconnect Request
26. Server -> MyPc> SMB:  Tree Disconnect Response
...
...
...

Note: Transfer 16. has really no filename (I didn't strip it away)

Thanks!
Question by:zulliger
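
Added example (not part of the original post or of any tool named in it): a small Python parser for the stripped trace format used in the question. It groups packets into sessions opened by a SYN to microsoft-ds, lists the shares and DFS referral paths each session requests, and measures the interval between sessions. The leading timestamps and the second and third sessions are constructed; the post shows only one exchange without times.

```python
import re
from statistics import median

# Constructed sample in the post's stripped format, prefixed with an assumed
# capture time in seconds (the post itself gives no timestamps).
SAMPLE = r"""
0.00 MyPc -> Server> ICMP: Echo (ping) request
0.01 MyPc -> Server> TCP:  2461 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
0.05 MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$
0.07 MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File:
0.09 MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \myhostname.net
0.11 MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \MYHOSTNAME
0.13 MyPc -> Server> SMB:  Logoff AndX Request
900.02 MyPc -> Server> TCP:  2474 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
900.06 MyPc -> Server> SMB:  Tree Connect AndX Request, Path: \\A_Domain_Controller.myhostname.net\IPC$
900.08 MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \myhostname.net
1800.01 MyPc -> Server> TCP:  2490 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460
1800.04 MyPc -> Server> SMB:  Trans2 Request, GET_DFS_REFERRAL, File: \myhostname.net
"""

LINE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+) -> (\S+)>\s+(\w+):\s+(.*)$")

def parse(text):
    """Yield (time, src, dst, proto, info) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            t, src, dst, proto, info = m.groups()
            yield float(t), src, dst, proto, info

def summarize(text):
    """Group packets into sessions opened by a SYN to microsoft-ds (TCP 445)."""
    sessions = []
    for t, src, dst, proto, info in parse(text):
        if proto == "TCP" and "microsoft-ds [SYN]" in info:
            sessions.append({"start": t, "shares": [], "referrals": []})
        elif proto == "SMB" and sessions:
            cur = sessions[-1]
            if "Tree Connect AndX Request" in info:
                cur["shares"].append(info.split("Path:", 1)[1].strip())
            elif "GET_DFS_REFERRAL" in info and "Request" in info:
                cur["referrals"].append(info.split("File:", 1)[1].strip())
    starts = [s["start"] for s in sessions]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    # Median gap between session starts, or None with fewer than two sessions.
    return sessions, (median(gaps) if gaps else None)
```

Calling `summarize(SAMPLE)` returns the per-session share and referral lists plus the median gap in seconds; an empty referral path, as in transfer 16, is kept as an empty string.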
11 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 17891371
The [SYN, ACK] is just a network host talking to a Server or DC (and the response).
In the old NT days, 15 minutes was the default time for this built-in function.

Can you access your Event Viewer and review the logs for Errors or Warnings?
Check all 3 and list some Event IDs.

We can move forward from there.


Vic
 

Author Comment

by:zulliger
ID: 17896004
1. In the meantime, I've found out that if I stop the NetLogon service (net stop netlogon), then those transfers will stop occurring (and, remember, that's exactly what I want)! So I suggest to now find out how I can increase the 15 minutes to, let's say, 24 hours.

2. Or another way to the solution: How can I fully use the system with the netlogon service disabled? In fact, I now have (after the netlogon service has been stopped) W32Time and Kerberos errors (IDs: 36, 7, 18, 29) and some more W32Time warnings with IDs: 24, 25... Ok, I guess I have to think about disabling "time synching" with the server, but what about those Kerberos failures?

3. But to answer to your request: There are (almost) no errors/warnings. The only warnings were ID: 1517, 1524

==> Answer for 2. is most wanted.

Thanks!
 

Author Comment

by:zulliger
ID: 17897179
Oops... There's a mistake in my last comment

==> Answer for 2. is most wanted is wrong!

*** Answer for 1. is most wanted ****
 
LVL 38

Expert Comment

by:younghv
ID: 17897437
zulliger,
If this computer is a member of a Domain (Network), you need to authenticate with a Domain Controller.
That is part of the NetLogon service.

Vic

Author Comment

by:zulliger
ID: 17905403
Ok. But I guess that those 15minutes can be increased, can't they?
 
LVL 38

Expert Comment

by:younghv
ID: 17905644
Take a look at this TechNet article.
The short answer is 'yes' - it can be modified.
I've never done it and I never make changes to the default settings without really looking into the possible consequences.

Here you go: http://technet2.microsoft.com/WindowsServer/en/library/4d8388e6-6ba0-4f08-b1d9-525bf949fa761033.mspx?mfr=true


Vic
 

Author Comment

by:zulliger
ID: 18066253
First: Was on holiday the last 3 weeks - that's why I didn't respond. Sorry

Second: I've skimmed through the page above, but I'm not sure what you suggest to do now. The most useful (IMHO) is the "TTL Set in the DC Locator DNS SRV Records". Should I change this value? If yes, could you please give me a short explanation of how to do this with my Windows XP Prof. workstation (or can this value only be set on the server side?).
Another (probably) useful key could be DnsAvoidRegisterRecords - but this would disable specific features instead of increasing the update-interval, wouldn't it?

Third: I have currently no access to the test-PC with which I've reproduced the effect. I will test your solution - but it may take another 2 weeks (in worst case even more).
 
LVL 38

Accepted Solution

by:
younghv earned 500 total points
ID: 18068295
zulliger,
Let us know when you are actually on the computer and maybe we can make some good stuff happen.
 

Author Comment

by:zulliger
ID: 18383898
Unfortunately, I don't have access to the system anymore and the problem has been marked as "done", because "we can live" with this problem as it will "only" happen every 15 minutes...

So in short: I can't test the proposed solution anymore. I would have needed the solution earlier...

How should we go on? Is it ok (and is it technically possible) to reduce the points, say to 250? Would that be fair?