Status: Solved

Burst of NetBIOS traffic going to retired DC

Recently we noticed bursts of NetBIOS traffic originating from our Domain Controllers and going to an old domain controller that has been retired. The old DC was on a network that has been removed from our network and is no longer accessible, so essentially these packets are going nowhere.

When the domain controller was removed, we removed AD with dcpromo. We then did a metadata cleanup. Then finally we manually purged DNS of any reference to the old DC. When we noticed this occurring, I went back into the remaining DCs, ran the metadata cleanup again, and the old DC still does not exist.

I sniffed traffic off our LAN and inspected the NetBIOS packets, and I see bursts of a lot of NetBIOS traffic going from our current DCs to the old DC. We are talking like 1500 packets in the course of 5 seconds. There are three basic packets I see; these were taken with tcpdump -vvv:


18:06:20.655165 IP (tos 0x0, ttl   1, id 28553, offset 0, flags [none], proto: UDP (17), length: 78) A.A.A.A.61452 > X.X.X.X.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0xFA21
OpCode=0
NmFlags=0x10
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=AUTODISCOVER    NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1
18:14:19.463478 IP (tos 0x0, ttl   1, id 29257, offset 0, flags [none], proto: UDP (17), length: 78) A.A.A.A.53064 > X.X.X.X.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0x8110
OpCode=0
NmFlags=0x10
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WPAD            NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1
18:16:52.553095 IP (tos 0x0, ttl 109, id 2072, offset 0, flags [none], proto: UDP (17), length: 78) A.A.A.A.61452 > X.X.X.X.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0xFA51
OpCode=0
NmFlags=0x10
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=ISATAP          NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1
I have searched the interwebs for a solution but to no avail. Can anyone tell me how I can stop this from occurring?

Asked by logicb0mb

1 Solution
Bruno PACI (IT Consultant) commented:
Hi,

These look like WINS queries... Your current DCs search for the NetBIOS names "AUTODISCOVER", "WPAD" and "ISATAP"... As these queries are sent to a specific IP address, not a broadcast address, this means your old server is still appearing as a WINS server in the IP configuration of a network card on your new DC.

What is also possible is that the DNS server service on your new DC is configured to query a WINS server in case of an unknown DNS name...

Go to the DNS management console on your new DC. Select the DNS zone and open Properties. Click on the "WINS" tab to check if WINS lookup is enabled.

Have a good day
 
logicb0mb (Author) commented:
I found one of our zones with a WINS forwarder to the old server. I have removed it, and the traffic seems to have stopped. I am monitoring the traffic to confirm that I no longer see the NetBIOS traffic.

 
logicb0mb (Author) commented:
I have been monitoring the traffic and it appears to have disappeared.

There was 1 record out of 50 that had the setting described. That was enough to cause this problem.

Thanks for the help.

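The capture matches the DNS server's WINS lookup feature that the answer points at: when a client asks the DC's DNS server for a name the zone does not hold (AUTODISCOVER, WPAD and ISATAP are names that Outlook, proxy auto-discovery and the ISATAP tunnel adapter look up constantly), a zone with "Use WINS forward lookup" enabled makes the server send a NetBIOS name query (UDP/137, QuestionType 0x20 = NB, recursion-desired flag 0x10) to each WINS server listed on the zone's WINS tab. That setting is stored as a WINS resource record at the zone apex, so rather than opening 50 zone property dialogs to find the one offending record, it can be searched and corrected from PowerShell. The script below is an added example written for this page; it is not code from the original thread or from Microsoft. It assumes the DnsServer module (Windows Server 2012 or later, or RSAT), and $RetiredWins is a placeholder for the old DC's address, the X.X.X.X in the capture.

```powershell
<#
  Added example (not from the original thread): list every forward zone on a
  Windows DNS server whose WINS tab still points at a retired WINS server, and
  optionally fix it. Run without -Fix to report only; add -Fix -WhatIf to see
  what would change before committing.

  Assumptions: DnsServer module available; $RetiredWins is the old DC's address
  (hypothetical placeholder for the X.X.X.X in the capture).
#>
#Requires -Modules DnsServer
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [ipaddress] $RetiredWins,
    [string] $ComputerName = $env:COMPUTERNAME,
    [switch] $Fix
)

$retiredText = $RetiredWins.IPAddressToString
$findings    = @()

# Auto-created zones (".", RootHints, loopback) and conditional forwarders carry no
# WINS tab; the WINS-R setting on reverse zones queries the target host, not a WINS
# server, so only forward zones can generate the unicast NBNS queries seen above.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone -and $_.ZoneType -ne 'Forwarder' }

foreach ($zone in $zones) {
    # "Use WINS forward lookup" lives in a single WINS record at the zone apex ('@').
    $wins = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $zone.ZoneName `
                -RRType Wins -ErrorAction SilentlyContinue
    if (-not $wins) { continue }

    # Compare as strings so the match does not depend on IPAddress object equality.
    $servers = @($wins.RecordData.WinsServers | ForEach-Object { $_.IPAddressToString })
    if ($servers -notcontains $retiredText) { continue }   # WINS lookup on, but not to the old DC

    $remaining = @($servers | Where-Object { $_ -ne $retiredText })
    $findings += [pscustomobject]@{
        Zone        = $zone.ZoneName
        WinsServers = ($servers -join ', ')
        Action      = if ($remaining) { 'rewrite' } else { 'remove' }
    }

    if (-not $Fix) { continue }

    if ($remaining) {
        # Other WINS servers are still listed: keep WINS lookup, drop only the retired address.
        if ($PSCmdlet.ShouldProcess($zone.ZoneName, "drop $retiredText from WINS lookup")) {
            $new = $wins.Clone()
            $new.RecordData.WinsServers = [ipaddress[]]($remaining | ForEach-Object { [ipaddress]$_ })
            Set-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $zone.ZoneName `
                -OldInputObject $wins -NewInputObject $new
        }
    } else {
        # The retired DC was the only WINS server: turn WINS lookup off for this zone.
        if ($PSCmdlet.ShouldProcess($zone.ZoneName, 'remove WINS lookup')) {
            Remove-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $zone.ZoneName `
                -InputObject $wins -Force
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it against each DNS server separately; the WINS record is part of the zone data, so on AD-integrated zones one fix replicates everywhere, but standalone primary zones on other servers need their own pass. Confirm the result the way the original poster did, with a capture on the DC's segment filtered to UDP destination port 137 and the retired address; the bursts should stop within the zone's WINS cache timeout. Apart from the wasted packets, a WINS lookup for names like WPAD is worth removing on its own merits: whatever host answers on that address gets to tell the DNS server, and through it every client, where the proxy is, and a retired DC's address on a decommissioned network is not something you want to find reused.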