Excessive Traffic on Port 445 between 2 Domain Controllers

Hi, my company has over 45 DCs across about 25 sites worldwide. We are noticing a lot of traffic, using Wireshark and Network Monitor, on Microsoft-DS port 445. I have been searching whether this is normal, and what I see is that it is used for SMB file and print sharing. Well, I don't have any file shares on these DCs other than the normal admin shares and the SYSVOL share. I don't believe this is replication traffic, since these 2 servers are not replication partners. I have checked Sites and Services to make sure the intersite and intrasite connections look good. This traffic is constant over weeks, and it is about 1 GB an hour between the 2 servers. This would not be a big deal if it was just on the local LAN, but it is over the WAN and that saturates the line. Should 2 DCs that are not even replication partners be talking that much? What type of traffic could it be? I am at a loss for troubleshooting this. I have done packet captures, but they really do not tell me much (that I can read, anyway). Oh, I have run AV scans also and found nothing.
Any help would be greatly appreciated.
Steve

Actually, DFS/FRS/DFSR replication is not related to NTDS replication. It uses a directory change notification event to trigger replication to a replica, and that goes to all DCs in the domain. That's why you can have SYSVOL replication problems while AD replication of the partitions does not have problems, such as when you create a user on one DC and it replicates to its NTDS partner.
Below is a summary. You can read about how the whole process with NTFRS/DFSR works in the links below, if you like:
Introduction to Administering DFS-Replicated SYSVOL
"DFS Replication technology significantly improves replication of SYSVOL. ... When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated."
"To replicate only updates to files, DFS Replication uses an algorithm called remote differential compression (RDC). RDC detects changes ... without having to replicate the entire file. RDC detects insertions, removals, and rearrangements of data in files. The DFS Replication service monitors SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication automatically replicates the file updates to the SYSVOL folders on the other domain controllers in the domain."
http://technet.microsoft.com/en-us/library/cc794837(v=WS.10).aspx
How FRS Works - Windows 2003
http://technet.microsoft.com/en-us/library/cc758169(v=WS.10).aspx
DFS Replication: Frequently Asked Questions (FAQ)
http://technet.microsoft.com/en-us/library/cc773238(v=WS.10).aspx
I think 316 MB in SYSVOL is a good amount of data. What is in there taking up that much space? Is something using SYSVOL to store its data, such as an app that's constantly changing data?
The reason I'm asking is that this could be the cause of the issue, since if it changes on one DC, then it replicates, then another change occurs, etc., and it keeps going, and it appears that a ton of data is being moved back and forth.
Quick story - I remember a customer was using SYSVOL to store data so they could access it across the WAN link. He said he did it because of its "cool" replication features. I said, yea, but it's meant for domain data (GPO policies, templates, etc.) and not for custom data. Create a DFS share for that so it works independently of SYSVOL.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
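A practical way to act on the question above (what in SYSVOL is changing so often that DFSR/FRS keeps shipping it across the WAN) is to list what changed recently and where the bytes are. The Python script below is an added example, not code from this thread or from Microsoft. It assumes a SYSVOL-style tree on local disk (the default path `C:\Windows\SYSVOL\domain` is the usual location on a DC and is an assumption) and uses file modification times as a proxy for replication churn; the sample tree it builds for a dry run is constructed, not real SYSVOL content.

```python
"""Find what is changing under SYSVOL (DFSR/FRS churn finder).

Added example for this thread; not Microsoft code. The default path is an
assumption about where SYSVOL lives on a typical DC.
"""
import os
import tempfile
import time
from collections import defaultdict

DEFAULT_SYSVOL = r"C:\Windows\SYSVOL\domain"  # assumed location; pass your own path


def recently_modified(root, window_seconds, now=None):
    """Return [(relative_path, size_bytes, mtime)] for every file under `root`
    whose modification time falls within the last `window_seconds`."""
    now = time.time() if now is None else now
    cutoff = now - window_seconds
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # file vanished mid-walk, which is common with churning data
            if st.st_mtime >= cutoff:
                hits.append((os.path.relpath(full, root), st.st_size, st.st_mtime))
    return hits


def churn_by_top_level(hits):
    """Aggregate hits by first path component (e.g. 'Policies' or 'scripts'),
    giving (folder, file_count, total_bytes), largest byte churn first."""
    summary = defaultdict(lambda: [0, 0])
    for rel, size, _mtime in hits:
        top = rel.replace("\\", "/").split("/")[0]
        summary[top][0] += 1
        summary[top][1] += size
    return sorted(((k, v[0], v[1]) for k, v in summary.items()),
                  key=lambda t: t[2], reverse=True)


def estimate_hourly_bytes(hits, window_seconds):
    """Worst-case replicated bytes per hour if every modified file were shipped
    whole (FRS behaviour, and DFSR for files under 64 KB where RDC is not used)."""
    total = sum(size for _rel, size, _m in hits)
    return total * 3600.0 / window_seconds


def demo_run():
    """Dry run on a constructed tree: one stale GPO file and one data file
    touched a minute ago. Returns normalised results so the behaviour is
    checkable without a real DC. Fake data, for demonstration only."""
    with tempfile.TemporaryDirectory() as base:
        now = time.time()
        gpo_dir = os.path.join(base, "Policies", "{EXAMPLE-GPO-GUID}")  # placeholder GUID
        os.makedirs(gpo_dir)
        os.makedirs(os.path.join(base, "scripts"))
        stale = os.path.join(gpo_dir, "gpt.ini")
        fresh = os.path.join(base, "scripts", "data.bin")
        with open(stale, "wb") as f:
            f.write(b"x" * 100)
        with open(fresh, "wb") as f:
            f.write(b"y" * 5000)
        os.utime(stale, (now - 7200, now - 7200))  # changed two hours ago: ignored
        os.utime(fresh, (now - 60, now - 60))      # changed a minute ago: reported
        hits = recently_modified(base, 3600, now=now)
        return {
            "changed": sorted(h[0].replace("\\", "/") for h in hits),
            "summary": churn_by_top_level(hits),
            "per_hour": estimate_hourly_bytes(hits, 3600),
        }


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SYSVOL
    window = 3600
    hits = recently_modified(root, window)
    for top, count, total in churn_by_top_level(hits):
        print(f"{top:45s} {count:6d} files {total / 1e6:10.2f} MB")
    print(f"worst-case replication: {estimate_hourly_bytes(hits, window) / 1e6:.1f} MB/hour")
```

Run it on the DC whose outbound port 445 volume is high. A folder under Policies with thousands of hits an hour, or a data file under scripts that changes every minute, is exactly the kind of thing the reply above describes. The byte figure is the FRS worst case (whole files); with DFSR and RDC the actual volume for large files is smaller, but constant churn still keeps the link busy.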

Similar Messages

  • Replication and AD Domain services errors between 2 Domain Controllers

    Hi,
    I've 2 Domain Controllers (NJ-DC1-2K8 and NJ-DC2-2K8) set up in VMware Workstation 10. Recently, I've run into different errors in regards to replication, DNS and AD Domain Services. Both of my DCs are set up with static IPs pointing to each other for fault tolerance. Initially, one of my DCs had a lingering object error which I was able to fix after spending some time. The next day, when I tried to replicate the 2 DCs, the number of errors grew. I ran dcdiag, and it produced a list of crazy errors that I had never seen before. I'm a newbie to the server environment, trying to gain knowledge, so I couldn't get those errors sorted out even though I tried a lot. I read a lot of online articles on different forums like Microsoft TechNet here trying to overcome this problem, but it didn't work. I even removed the DNS role and re-added it, but same problem. I guess removing the DNS role doesn't remove everything related to DNS. I'm going to upload pictures here of the different errors I got through the commands. I would appreciate it if someone can help me get it fixed.
    Other than that, I also would like to know what the best way is to remove DNS and AD Domain Services and then reinstall them without demoting the server. What are some of the things I would have to keep in mind before doing that? How can I make sure that doing this wouldn't cause AD data loss like user accounts, GP policies, computer accounts, etc.?
    Errors are as follows:
    1) C:\Users\Administrator>repadmin /syncall
        CALLBACK MESSAGE: The following replication is in progress:
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
        CALLBACK MESSAGE: Error issuing replication: 8451 (0x2103):
        The replication operation encountered a database error.
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
        CALLBACK MESSAGE: SyncAll Finished.
        SyncAll reported the following errors:
        Error issuing replication: 8451 (0x2103):
        The replication operation encountered a database error.
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
    2) C:\Users\Administrator>repadmin /showrepl
    Repadmin: running command /showrepl against full DC localhost
    NewJersey\NJ-DC1-2K8
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 16:16:49.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            29 consecutive failure(s).
            Last success @ 2014-07-06 16:06:25.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            19 consecutive failure(s).
            Last success @ 2014-07-06 16:10:47.
    Source: NewJersey\NJ-DC2-2K8
    ******* 30 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
    Last error: 8456 (0x2108):
                The source server is currently rejecting replication requests.
    3) C:\Users\Administrator>dcdiag /replsum
    Invalid Syntax: Invalid option /replsum. Use dcdiag.exe /h for help.
    C:\Users\Administrator>repadmin /replsum
    Replication Summary Start Time: 2014-07-06 21:03:28
    Beginning data collection for replication summary, this may take awhile:
    Source DSA          largest delta    fails/total %%   error
     NJ-DC1-2K8        09d.22h:06m:34s    5 /   5  100  (8457) The destination server is currently rejecting replication requests.
     NJ-DC2-2K8            05h:13m:34s    5 /   5  100  (8456) The source server is currently rejecting replication requests.
    Destination DSA     largest delta    fails/total %%   error
     NJ-DC1-2K8            05h:13m:34s    5 /   5  100  (8456) The source server is currently rejecting replication requests.
     NJ-DC2-2K8        09d.22h:06m:34s    5 /   5  100  (8457) The destination server is currently rejecting replication requests.
    4) C:\Users\Administrator>dcdiag /test:DNS
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = NJ-DC1-2K8
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Connectivity
             ......................... NJ-DC1-2K8 passed test Connectivity
    Doing primary tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... NJ-DC1-2K8 passed test DNS
       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : Fleet
       Running enterprise tests on : Fleet.local
          Starting test: DNS
             Summary of test results for DNS servers used by the above domain controllers:
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
             ......................... Fleet.local passed test DNS
    5) C:\Users\Administrator>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = NJ-DC1-2K8
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Connectivity
             ......................... NJ-DC1-2K8 passed test Connectivity
    Doing primary tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Advertising
             ......................... NJ-DC1-2K8 passed test Advertising
          Starting test: FrsEvent
             ......................... NJ-DC1-2K8 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... NJ-DC1-2K8 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... NJ-DC1-2K8 passed test SysVolCheck
          Starting test: KccEvent
             ......................... NJ-DC1-2K8 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... NJ-DC1-2K8 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... NJ-DC1-2K8 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... NJ-DC1-2K8 passed test NCSecDesc
          Starting test: NetLogons
             ......................... NJ-DC1-2K8 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... NJ-DC1-2K8 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=ForestDnsZones,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:10:47.
                19 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=DomainDnsZones,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 21:04:16.
                The last success occurred at 2014-07-06 15:49:54.
                31 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: CN=Schema,CN=Configuration,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 15:49:54.
                10 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: CN=Configuration,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:06:25.
                29 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:16:49.
                30 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             ......................... NJ-DC1-2K8 failed test Replications
          Starting test: RidManager
             ......................... NJ-DC1-2K8 passed test RidManager
          Starting test: Services
             ......................... NJ-DC1-2K8 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 07/06/2014   20:17:29
                Event String: Name resolution for the name 2.5.16.172.in-addr.arpa timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 07/06/2014   20:18:05
                Event String:
                The dynamic registration of the DNS record '9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local. 600 IN CNAME NJ-DC1-2K8.Fleet.local.'
     failed on the following DNS server:
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 07/06/2014   21:04:01
                Event String: Name resolution for the name 1.0.0.127.in-addr.arpa timed out after none of the configured DNS servers responded.
             ......................... NJ-DC1-2K8 failed test SystemLog
          Starting test: VerifyReferences
             ......................... NJ-DC1-2K8 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : Fleet
          Starting test: CheckSDRefDom
             ......................... Fleet passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Fleet passed test CrossRefValidation
       Running enterprise tests on : Fleet.local
          Starting test: LocatorCheck
             ......................... Fleet.local passed test LocatorCheck
          Starting test: Intersite
             ......................... Fleet.local passed test Intersite
    6) C:\Users\Administrator>repadmin /showrepl NJ-DC1-2K8
    NewJersey\NJ-DC1-2K8
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 16:16:49.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            29 consecutive failure(s).
            Last success @ 2014-07-06 16:06:25.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 21:04:16 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            31 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            19 consecutive failure(s).
            Last success @ 2014-07-06 16:10:47.
    Source: NewJersey\NJ-DC2-2K8
    ******* 31 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
    Last error: 8456 (0x2108):
                The source server is currently rejecting replication requests.
    7) C:\Users\Administrator>repadmin /showrepl NJ-DC2-2K8
    NewJersey\NJ-DC2-2K8
    DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
    Site Options: (none)
    DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
    DSA invocationID: 3e8ee380-a165-4cef-b311-dadcf30f8406
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 21:04:22 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            53 consecutive failure(s).
            Last success @ 2014-06-26 23:01:29.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-06-26 22:56:54.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            7 consecutive failure(s).
            Last success @ 2014-06-26 22:56:56.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            7 consecutive failure(s).
            Last success @ 2014-06-26 22:57:01.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            23 consecutive failure(s).
            Last success @ 2014-06-26 22:57:03.
    Source: NewJersey\NJ-DC1-2K8
    ******* 53 CONSECUTIVE FAILURES since 2014-06-26 23:01:29
    Last error: 8457 (0x2109):
                The destination server is currently rejecting replication requests.
    Please someone go through these different errors and walk me through exactly what I got to do to fix them.
    Thanks

    Hi,
    Actually, I made copies of those VMs to my external USB 3.0 HDD, so I can load up some of the VMs from it rather than from my internal HDD, since it would freeze on my internal one sometimes. The copied ones worked fine for a few days until recently, when I started having these different issues. I did look at USN rollback and applied the fix; it didn't work. For the past few days, I've been spending endless hours on fixing them, but it doesn't look like they are going to be fixed. It's driving me crazy, and the bad news is that I've no backup of my data. I've got 2 DCs and both have these issues.
    Building new domain controllers in VMs won't be a problem for me, but I'm worried about losing my AD database on both DCs, which includes user and computer accounts and a bunch of GPOs.
    I'm a newbie to the server environment. Can you please walk me through exactly how I can save the AD database, if possible, before I start doing the cleanup process on both of my DCs? I read some articles online which provide instructions on how to clean up the AD metadata and take both DCs offline, but it's all confusing to me. They don't explain anything about saving the AD database, rather just demoting bad DCs. If you know a fix for my DCs that I can apply, so I won't have to do it all over, that would save time. Please let me know the step-by-step process or whatever you could help me with to bring those 2 DCs back up.
    Thanks

  • Difference between domain controllers and group policy objects in GPMC

    Hello,
    I am confused; can someone tell me the difference between
    1. Domain Controllers > Default Domain Controller Policy and
    2. Group Policy Objects > Default Domain Controller Policy
    in the Group Policy Management Console? I would also like to know where to define these categories. I normally use the second option.
    I have attached a screenshot for your information.
    regards,
    Dharanesh

    The first/upper item is a link to the GPO; the second/lower item is the actual GPO.
    (Notice the link has a shortcut arrow showing.)
    By default, when you double-click on a link, a message will display which says "you have clicked on a link....." and the message box offers a checkbox for "do not display this message again..."
    Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Setting a loopback policy setting for Domain Controllers/Preventing IE from accessing externally

    Hello, we need to set a loopback policy for our domain controllers to ensure IE doesn't access externally. Is loopback the best method, or do you all have recommendations?

    As far as I'm aware, there's not a good Group Policy setting to do this.
    If I understand your question correctly, you wish to prevent external Internet browsing from your Domain Controllers, but everyone else (other servers and workstations) should have full access.
    If that's the case, I would recommend blocking port 80 for the Domain Controllers in your firewall, as they (I hope) have static local IP addresses.
    If you know of a good Group Policy setting, however, it would be best to set it in the Default Domain Controller Policy, as that will only affect the Domain Controllers.
    The "loopback" policy you're referring to is "Configure user Group Policy loopback processing mode", which can be used to apply the computer configuration "instead of" or "merged with" the user configuration when a user logs on to computers where this policy applies. Since the computer configuration is normally applied before the user configuration, that can be used to force rules on computers regardless of who's logging in.
    Please mark as answer or vote as helpful when it applies. Thanks!

  • Too many established connections on port 445 microsoft-ds

    We have a 2008 R2 server as an application server on a VM; there have been a huge number of connections established to port 445 with the system PID 4. All connections are from our domain, and there are no roles for this server to be a file server or web server. Sniffer logs detect SMB traffic with a similar pattern of requests from this server to our other application servers and DCs:
    0.000000 10.10.0.10 10.10.40.22 SMB2 316 Session Setup Response
    0.000000 10.10.40.22 10.10.0.10 SMB2 170 Tree Connect Request Tree: \\appserv009\IPC$
    0.000000 10.10.0.10 10.10.40.22 SMB2 138 Tree Connect Response
    0.000000 10.10.40.22 10.10.0.10 SMB2 216 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \appserv009\c$
    0.000000 10.10.0.10 10.10.40.22 SMB2 131 Ioctl Response, Error: STATUS_FS_DRIVER_REQUIRED
    0.000000 10.10.40.22 10.10.0.10 SMB2 166 Tree Connect Request Tree: \\appserv009\c$
    0.000000 10.10.0.10 10.10.40.22 SMB2 131 Tree Connect Response, Error: STATUS_ACCESS_DENIED
    0.000000 10.10.40.22 10.10.0.10 SMB2 166 Tree Connect Request Tree: \\appserv009\c$
    0.000000 10.10.0.10 10.10.40.22 SMB2 131 Tree Connect Response, Error: STATUS_ACCESS_DENIED
    0.000000 10.10.40.22 10.10.0.10 TCP 60 58203 > microsoft-ds [ACK] Seq=2650 Ack=1082 Win=64512 Len=0
    12.000000 10.10.40.22 10.10.0.10 SMB2 126 Tree Disconnect Request
    12.000000 10.10.0.10 10.10.40.22 SMB2 126 Tree Disconnect Response
    12.000000 10.10.40.22 10.10.0.10 SMB2 126 Session Logoff Request
    12.000000 10.10.0.10 10.10.40.22 SMB2 126 Session Logoff Response
    There is no big traffic for these connections other than some bytes, but the number of requests is going up into the hundreds on port 445. On blocking port 445 in the firewall rule, the same connections were seen to go to 139.
    How can I detect why these connections are being generated?
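One way to make a capture like the one quoted above say something is to pair each SMB2 Tree Connect request with its response and tally, per client, which shares were asked for and how the server answered. The Python below is an added example, not code from the post or from Wireshark. The sample lines are constructed to mirror the post's summary columns (time, source, destination, protocol, length, info) and are not a real capture; the threshold in `suspicious_clients` is an assumed tuning value.

```python
"""Triage an SMB2 summary capture: who asked for which share, and was it refused?

Added example; the capture text below is constructed in the layout of the post's
Wireshark summary and is not real traffic.
"""
import re
from collections import Counter, defaultdict

CAPTURE = r"""
0.000000 10.10.0.10 10.10.40.22 SMB2 316 Session Setup Response
0.000000 10.10.40.22 10.10.0.10 SMB2 170 Tree Connect Request Tree: \\appserv009\IPC$
0.000000 10.10.0.10 10.10.40.22 SMB2 138 Tree Connect Response
0.000000 10.10.40.22 10.10.0.10 SMB2 216 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \appserv009\c$
0.000000 10.10.0.10 10.10.40.22 SMB2 131 Ioctl Response, Error: STATUS_FS_DRIVER_REQUIRED
0.000000 10.10.40.22 10.10.0.10 SMB2 166 Tree Connect Request Tree: \\appserv009\c$
0.000000 10.10.0.10 10.10.40.22 SMB2 131 Tree Connect Response, Error: STATUS_ACCESS_DENIED
0.000000 10.10.40.22 10.10.0.10 SMB2 166 Tree Connect Request Tree: \\appserv009\c$
0.000000 10.10.0.10 10.10.40.22 SMB2 131 Tree Connect Response, Error: STATUS_ACCESS_DENIED
0.000000 10.10.40.22 10.10.0.10 TCP 60 58203 > microsoft-ds [ACK] Seq=2650 Ack=1082 Win=64512 Len=0
12.000000 10.10.40.22 10.10.0.10 SMB2 126 Tree Disconnect Request
12.000000 10.10.0.10 10.10.40.22 SMB2 126 Tree Disconnect Response
12.000000 10.10.40.22 10.10.0.10 SMB2 126 Session Logoff Request
12.000000 10.10.0.10 10.10.40.22 SMB2 126 Session Logoff Response
"""

# time  src  dst  proto  length  info...
LINE_RE = re.compile(
    r"^(?P<t>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$")
# Tree Connect Request Tree: \\host\share
TREE_REQ_RE = re.compile(r"Tree Connect Request Tree: \\\\(?P<host>[^\\]+)\\(?P<share>\S+)")
ERROR_RE = re.compile(r"Error: (?P<status>STATUS_\w+)")


def parse(text):
    """Yield one dict per summary line; lines that do not fit the layout are skipped."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(text):
    """Pair each SMB2 Tree Connect request with the next response flowing back to
    the same client, and tally (share, status) per client plus session logoffs."""
    pending = {}  # (client, server) -> share name awaiting a response
    per_client = defaultdict(lambda: {"tree_connects": Counter(), "logoffs": 0})
    for pkt in parse(text):
        if pkt["proto"] != "SMB2":
            continue
        info = pkt["info"]
        req = TREE_REQ_RE.search(info)
        if req:
            pending[(pkt["src"], pkt["dst"])] = req.group("share")
        elif info.startswith("Tree Connect Response"):
            client, server = pkt["dst"], pkt["src"]
            share = pending.pop((client, server), "?")
            err = ERROR_RE.search(info)
            status = err.group("status") if err else "OK"
            per_client[client]["tree_connects"][(share, status)] += 1
        elif info.startswith("Session Logoff Request"):
            per_client[pkt["src"]]["logoffs"] += 1
    return dict(per_client)


def suspicious_clients(summary, denied_threshold=2):
    """Flag clients refused an administrative share (name ending in '$', other
    than IPC$) at least `denied_threshold` times: the connect / denied / retry /
    log off loop seen in the post. Threshold is an assumed tuning value."""
    flagged = {}
    for client, stats in summary.items():
        denied = sum(n for (share, status), n in stats["tree_connects"].items()
                     if share.endswith("$") and share.upper() != "IPC$" and status != "OK")
        if denied >= denied_threshold:
            flagged[client] = denied
    return flagged


if __name__ == "__main__":
    result = analyze(CAPTURE)
    for client, stats in result.items():
        print(client, dict(stats["tree_connects"]), "logoffs:", stats["logoffs"])
    print("suspicious:", suspicious_clients(result))
```

Feed it a Wireshark or tshark summary export in the same column order. A client that repeatedly gets STATUS_ACCESS_DENIED on c$ and then logs off and comes back, as 10.10.40.22 does here, is typically a service or agent whose account lacks administrative rights on the target; the PID 4 mentioned in the post is the kernel-mode SMB redirector doing that work on behalf of a user-mode process, so the next step is to find which process opened the session on the client.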

    Hi,
    As far as I know, Ports 445 and 139 are used for TCP session establishment and file/printer sharing traffic. Besides, Port 445 is also used for AD access and authentication by Microsoft-DS.
    In addition, if the client has NetBIOS over TCP/IP enabled, it will always try to connect to the server at both port 139 and 445 simultaneously. If there is a response from port 445, it sends a RST to port 139, and continues its SMB session to port 445 only.
    If there is no response from port 445, it will continue its SMB session to port 139 only if it gets a response from there. If the client has NetBIOS over TCP/IP disabled, it will always try to connect to the server at port 445 only.
    The link below may be helpful to you:
    Service overview and network port requirements for Windows
    Best regards,
    Susie

  • Port 445 taking up massive bandwidth, looking for explanation

    Good morning fellow IT workers!
    I was looking at my NetFlow data today and noticed that users on remote sites were bypassing their Domain Controllers and going right to the main office's. All of this traffic was on port 445 (MicrosoftAD) from user workstations, and I was just curious as to why this may be happening. Within the past two weeks it's taken up 13.9 GB on the circuit. While I have some general knowledge of AD, I'm hoping you fine people could point me in a better direction as to why port 445 on user workstations is bypassing the remote site DC and going straight to the main site DC.
    Thank you in advance!

    Hi,
    How many users are there in the remote sites?
    Is there a file sharing service on the domain controller? The file sharing service also uses TCP/UDP port 445.
    TCP/UDP port 445 is not used by Active Directory directly. It is used by SMB. AD uses SMB to transmit data.
    Please run the command below on the client. It will tell us which process sends the traffic.
    netstat -abon
    Best Regards.
    Steven Lee
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
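    The `netstat -abon` output that the answer above asks for is easy to collect but tedious to read by hand on a busy workstation. The following is an added example (not from the thread or from Microsoft) that parses a Windows-style `netstat -abon` listing and groups the established port 445 sessions by the owning process, so you can see at a glance which image on the client is opening SMB sessions to which server. The sample listing is constructed; the mapping of PID 4 to the System process (where the kernel SMB client and server live) is a known Windows fact.

```python
"""Summarise TCP port 445 (SMB) sessions from `netstat -abon` output.

Added example, not code from the original thread: parses the Windows-style
`netstat -abon` listing and groups established connections whose remote port
is 445 by the owning process image.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -abon` output. With -b, netstat prints the
# owning image name in [brackets] on the line after each connection, or a
# note when it cannot determine the owner (PID 4 is the System process, which
# is where the kernel SMB client/server lives).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.10.1.25:49711       10.20.0.5:445          ESTABLISHED     4
 Can not obtain ownership information
  TCP    10.10.1.25:49720       10.20.0.5:445          ESTABLISHED     1844
 [explorer.exe]
  TCP    10.10.1.25:49733       10.20.0.5:445          ESTABLISHED     1844
 [explorer.exe]
  TCP    10.10.1.25:49801       10.10.1.7:445          ESTABLISHED     3120
 [BackupAgent.exe]
  TCP    10.10.1.25:49900       93.184.216.34:443      ESTABLISHED     2100
 [msedge.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
"""

# One connection line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s*$"
)
# The "[image.exe]" line that -b prints under the connection it owns.
OWNER_RE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")


def split_host_port(addr):
    """Split 'host:port' (IPv4, or [IPv6]:port, or *:*) into (host, int port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)


def parse_netstat(text):
    """Return a list of connection dicts parsed from netstat -abon output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            lhost, lport = split_host_port(m.group("local"))
            rhost, rport = split_host_port(m.group("remote"))
            conns.append({
                "proto": m.group("proto"),
                "local": (lhost, lport),
                "remote": (rhost, rport),
                "state": m.group("state") or "",
                "pid": int(m.group("pid")),
                # PID 4 is always System on Windows; -b cannot name it
                "image": "System" if m.group("pid") == "4" else "unknown",
            })
            continue
        m = OWNER_RE.match(line)
        if m and conns:
            # the [image] line belongs to the connection parsed just before it
            conns[-1]["image"] = m.group("image")
    return conns


def smb_sessions_by_process(text, port=445):
    """Group ESTABLISHED TCP connections with remote port `port` by image.

    Returns {image: {remote_host: session_count}}.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for c in parse_netstat(text):
        if c["proto"] == "TCP" and c["state"] == "ESTABLISHED" and c["remote"][1] == port:
            summary[c["image"]][c["remote"][0]] += 1
    return {img: dict(hosts) for img, hosts in summary.items()}


if __name__ == "__main__":
    for image, hosts in smb_sessions_by_process(SAMPLE_NETSTAT).items():
        for host, n in hosts.items():
            print(f"{image:20s} -> {host}:445  ({n} session(s))")
```

    Run it against a saved capture with `netstat -abon > netstat.txt` (from an elevated prompt, which `-b` requires) and feed the file's contents to `smb_sessions_by_process`. Sessions owned by PID 4 are the kernel SMB redirector (mapped drives, Group Policy and SYSVOL reads), so a large count there points at policy or logon-script traffic rather than a user application.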

  • Microsoft-ds port 445

    The CCM cluster consists of a publisher server (CCM 4.1(2)sr1) and three subscriber servers. The problem is that the subscribers constantly generate large traffic (microsoft-ds, port 445, 200-300 kbps) to the publisher server.
    What could be the problem, and is this port needed for normal communication between CCM servers?
    Where should I look for more information?
    Thanks for any help...

    https, aka 445, is used for CCM communication in 4.1x; this should be OK as the subscribers are constantly communicating with the publisher, especially under specific configurations/circumstances.
    I wouldn't say 200-300 kbps is 'a really large amount of traffic' even for a 10 Mb link; but you could be on to something.
    This traffic is most likely the SQL replication between the call managers as well as other CCM management/call processing traffic that flows between servers in the cluster.
    Why the traffic moves and how much moves between the servers is fully dependent on the configuration of your CCM environment.
    One excellent way to verify whether there is any traffic you should not have between the servers is to use a sniffer. http://ethereal.com has an excellent free sniffer tool.
    Capture the traffic to/from the publisher and you can see exactly what traffic there is.

  • How does DNS traffic behave when Enterprise Domains are configured in a RAP-NG (IAP VPN) deployment?

    Q: How does DNS traffic behave when Enterprise Domains are configured in a RAP-NG (IAP VPN) deployment?
    The four modes available in the RAP-NG architecture are:
    1. Local mode
    2. Centralized L2 mode
    3. Distributed L2 mode
    4. Distributed L3 mode
    In all of the above modes the common behavior is that Internet traffic is source-NATed with the Master IAP's local IP. The DHCP and corporate traffic behavior changes depending on the mode used in the RAP-NG architecture.
    A: Below is the behavior of the DNS traffic.
    By default, all DNS requests from a client are forwarded to the client's DNS server.
    In a typical IAP deployment without VPN configuration, client DNS requests are resolved by the client's DNS server.
    The DNS behavior of an IAP network (SSID/wired port) configured for RAP-NG is determined by the enterprise domain settings.
    The enterprise domain setting on the IAP defines the domains for which DNS resolution must be forwarded to the client's default DNS server.
    Example:
    internal-domains
     domain-name arubanetworks.com
    In the above example, with the enterprise domain configured as arubanetworks.com, DNS resolution for hostnames in arubanetworks.com is forwarded to the client's default DNS server.
    DNS resolution for all other hostnames and domains (e.g. google.com, yahoo.com) is Src-NATed to the local DNS server of the IAP.
    If you need all hostnames and domains to be forwarded to the client's default DNS server, use "*" in the enterprise domain configuration:
    internal-domains
     domain-name *
    From the Web UI, to create or view the setting:
    1. Hit Settings
    2. Click on Show advanced options
    3. Select Enterprise Domains
    To view the Enterprise Domain setting from the CLI:
    #show running-config | begin internal-domains
    To create an Enterprise Domain from the CLI:
    (config)#internal-domains
     domain-name <domain-name>
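    The split-DNS decision described above is simple to state but easy to get subtly wrong when checking whether a query name "belongs" to a configured domain. The following is an added example, not Aruba's code, that parses the `internal-domains` block shown above and models the routing decision: names inside a configured enterprise domain go to the client's default DNS server, everything else is Src-NATed to the IAP's local DNS server, and `*` forwards everything. Matching on label boundaries (so `arubanetworks.com` covers `mail.arubanetworks.com` but not `notarubanetworks.com`), case-insensitivity, and tolerance of a trailing dot are my assumptions about the matching, not behaviour the article states.

```python
"""Model the RAP-NG enterprise-domain DNS forwarding decision.

Added example, not Aruba's implementation. Label-boundary suffix matching,
case folding and trailing-dot handling are assumptions made here.
"""

FORWARD_TO_CLIENT_DNS = "client-dns"   # forwarded to the client's default DNS server
SRC_NAT_TO_LOCAL_DNS = "local-dns"     # Src-NATed to the IAP's local DNS server


def _normalise(name):
    """Lower-case a DNS name and drop any trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def parse_internal_domains(config_text):
    """Extract domain-name entries from an `internal-domains` block.

    Accepts the running-config fragment format shown in the article:
        internal-domains
         domain-name arubanetworks.com
    The block ends at the next non-indented line.
    """
    domains = []
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "internal-domains":
            in_block = True
            continue
        if in_block and line.startswith("domain-name "):
            domains.append(_normalise(line.split(None, 1)[1]))
        elif in_block and not raw[:1].isspace():
            in_block = False      # a non-indented line closes the block
    return domains


def _in_domain(qname, domain):
    """True if qname equals domain or is a subdomain of it (label boundary)."""
    return qname == domain or qname.endswith("." + domain)


def dns_destination(qname, internal_domains):
    """Return where the IAP sends the DNS query for `qname`."""
    q = _normalise(qname)
    for d in internal_domains:
        if d == "*" or _in_domain(q, d):
            return FORWARD_TO_CLIENT_DNS
    return SRC_NAT_TO_LOCAL_DNS


# Constructed config fragments mirroring the article's two examples.
SINGLE_DOMAIN_CFG = """\
internal-domains
 domain-name arubanetworks.com
"""
WILDCARD_CFG = """\
internal-domains
 domain-name *
"""

if __name__ == "__main__":
    doms = parse_internal_domains(SINGLE_DOMAIN_CFG)
    for name in ("mail.arubanetworks.com", "notarubanetworks.com", "www.google.com"):
        print(f"{name:28s} -> {dns_destination(name, doms)}")
```

    The `notarubanetworks.com` case is the one to keep in mind when reviewing such a list: a plain string-suffix comparison would treat it as internal, which is why the example compares on a label boundary.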

  • LACP port channel between 6509 and Nexus 7K

    We are in the process of migrating from dual 6509's to dual 7010's.  We have moved our 5k/2K's behind the 7K and have layer 2 up between the 6509 and 7K.  This link is configured as a port channel with 2 1gig links using LACP.  The port channel is up and working and traffic is passing, but it doesn't appear the load is equally distributed between the links.  Both the 7K and 6K are set up for src-dst-ip load balancing.  The links have been in place for over 12 hours and I would have expected them to "equal" out.  Has anyone had this issue, or is this to be expected?  For clarification, there is no vPC involved in this configuration; it is simply a port-channel between one 6509 and a 7010.
    Thanks,
    Joe

  • Database mirror between two domain

    I am setting up database mirroring between two domains, which will help me migrate from SQL 2008 R2 to SQL 2012.
    It is set up as follows:
    Domain A (old domain) - Server A
    Domain B (new domain for HA/DR setup) - Server B and Server C (already configured as FCI and AG)
    I want to migrate data from Server A to Server B using database mirroring.
    I set up the
    Created master key, endpoint and certificate on Server A
    Created master key, endpoint and certificate on Server B
    Backed up the certificate on both sides and copied it to each server
    Created inbound connections on both principal and mirror partner. Here I created two SQL logins:
    SQLSrvA_login
    SQLSrvB_login
    Granted CONNECT on the endpoint to both logins on both principal and mirror partner.
    Everything seems OK, as can be seen below.
    Principal partner:
    grantee          endpoint        permission   state_desc
    SQLSrvA_login    Hadr_endpoint   CONNECT      GRANT
    SQLSrvB_login    Hadr_endpoint   CONNECT      GRANT
    Mirror partner:
    grantee          endpoint        permission   state_desc
    SQLSrvA_login    Hadr_endpoint   CONNECT      GRANT
    SQLSrvB_login    Hadr_endpoint   CONNECT      GRANT
    Performed a full DB backup and log backup on ServerA and restored them to ServerB with NORECOVERY.
    When trying to establish the partnership, it succeeded on the mirror partner ServerB but failed on the principal partner ServerA with the following error:
    Msg 1418, Level 16, State 1, Line 2
    The server network address "TCP://ServerB:5022" can not be reached or does not exist. Check the network address name and that the ports for the local and remote endpoints are operational.
    The following error is in the SQL errorlog:
    Database Mirroring login attempt failed with error: 'Connection handshake failed. There is no compatible authentication protocol. State 21
    Any idea why this is occurring?
    Thanks
    Datawarehouse lead Architect

    Hi,
    Please see this link for possible solution.
    http://blogs.msdn.com/b/grahamk/archive/2008/11/21/how-to-configure-database-mirroring-between-2-instances-on-a-standalone-server.aspx
    Hope this helps
    Bhanu

  • Any known 'porting' issues between 8.2.2 and 9.0 ??

    Hi all,
    we are in the process of evaluating LS ES2 (9.0) and would like to know if there are any 'porting' issues between the two versions.   Asked another way, are there any issues in deploying a 8.2.2. LCA onto 9.0 ?
    Dan

    8.2 LCA's will run fine in 9.0 if they are just deployed into it.  But in 9.0 a new application model has been introduced, so in order to make changes to anything after you've migrated it you'll need to create an application and migrate your processes and resources into it.  You may want to take a look at the Leveraging Legacy Solution document available online.  Here's the link:  http://help.adobe.com/en_US/livecycle/9.0/workbenchHelp/help.htm?content=leveragingLegacy.html
    Chris

  • Communication issues between domain controllers

    Hi everyone,
    I am experiencing some problems in communication between domain controllers in our organization.
    We have three domain controllers: one of them is a physical Windows 2003 Server Service Pack 2 (controller A), another is a physical Windows 2008 Service Pack 2 (controller B), and a third one (controller C) is a virtual Windows 2008
    Service Pack 1.
    I have problems with this last DC: it won't respond to pings or DNS queries. I can't access it by Remote Desktop client even when it is enabled. I cannot update it; it prompts error messages if I try to do so.
    These problems are solved if I reboot it; it will work fine for some hours or days, but not much longer. I have checked Event Viewer and I didn't find any message about this.
    I read some time ago that it would be great to have a DC in a virtual machine, so I did it, but is it right?
    Do you know what might be going on with it? Would demoting it and setting it up again be the best solution?
    Thank you very much.
    Best regards.
    David.

    This sounds like a NIC issue, which is odd since it is a virtual machine.  Have you checked the host for any logs about the client? 
    I think the first thing I would do is destroy the current virtual NIC card and add a new one.  Since this has nothing to do with Active Directory I would also suggest you post this in a forum for the host (VMware or Hyper-V).
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • One way trust relationship between different domain windows server 2012 in different forest

    I'd like to build trust correctly between the domains A.local and B.int. A.local is on Windows 2012. B.int is on Windows 2012. Both machines are
    connected to the same LAN. The forest level in A.local
    is Windows Server 2008 and the forest level in B.int
    is Windows Server 2012.
    I want a one-way trust relationship, i.e. users from A.local gain access to B.local.
    My problem is that I create the trust, but when I go to validate the trust between A.local and B.int it gives me this error:
    The secure channel (SC) reset on Active Directory Domain Controller \\dc2.B.int of domain B.int to domain A.Local failed with error: There are currently no logon servers available to service the logon request.
    NOTE: Recently I
    upgraded Active Directory from 2008 R2 to 2012. From A.local I can ping B.int
    by name and by IP, but from B.int I can ping only by IP.
    ihab

    Hi,
    Yes, I already did that: I set up conditional forwarding between the 2 domains, and
    the firewall is off.
    ihab

  • EA6900 and Port 445

    We recently purchased an EA6900 after our old WRT320N lost part of its bandwidth.  With the old router, people on the local wireless network (192.168.x.x) had no problem connecting via SMB to our Yosemite server (172.16.x.x), but we can no longer make that connection via SMB (AFP still functions correctly via wireless).
    Doing a port scan using the old router and comparing it to the new router, I can see port 445 is not open on the new router, and given that it is a MS port, I would say that is the culprit.  Is there any way to get that port opened back up for the wireless users?
    Thanks
    Chris

    Cascading a router into a network basically turns it into an AP with most of the router features still available. When cascaded, nothing ever gets plugged into the router's WAN\Internet port and its DHCP is disabled.
    In bridge mode many router features are disabled, but setup is super easy because you just connect the router to the network via its WAN\Internet port and everything connects to the router normally. The main thing to keep in mind in bridge mode is that the network DHCP or IP is transmitted through the router, making one big network.
    Connectivity => Internet Settings => Edit and choose Bridge Mode
    If you keep the router with Internet Settings DHCP or Static IP and connect the network to its WAN\Internet port, this creates two separate network subnets. The network behind the router can see the network on the WAN but not the reverse, because of the router's firewall and NAT.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Port 445 NOT Open BIG PIC

    Here is one that will make you pull your hair out.
    T61p installed and worked perfectly for 2 months. Then one day, could not see the T61p from my desktop XP PC. After weeks of troubleshooting with several different "experts", it came down to this:
    In Network Sharing Centre - Sharing & Discovery, all but the last 2 items are turned on.
    When you select View Status of the Local Area Connection, click the Properties button, File & Print Sharing for Microsoft Networks is NOT checked. Thus port 445 is NOT open. Thus other computers on the local network CANNOT see the Vista PC. If you check the item, port 445 opens and all is well again in Network land.
    The problem is:
    Every time I boot the PC, why is File & Print Sharing for Microsoft Networks NOT checked?
    Some very bright minds have not been able to solve this yet. But please, give it a go if you think you understand the intricacies of Vista networking. The only answer I have found so far ... the usual last resort with Microsoft OS's ... clean install ... AGAIN!
    Thanks.
    Moderator Note; added pic warning to title
    Message Edited by andyP on 04-11-2008 11:24 PM

    Sounds like the "Local Area Connection" you are using has lost its BIND to file and print sharing.
    Vista >
    When you open Network Connections in your Control Panel (I'm using classic view btw) > open the icon "Network and Sharing Center" > then click in the left menu of that window "Manage Network Connections".
    It will bring up the window with the old style box with all your network connections on your computer.
    Then follow the image attached to set the BINDING for file and print sharing on the matching local area connection that you use in your network.    Just check the boxes for "File and Print Sharing for Microsoft Networks".
    Also, sometimes Vista gets confused if you move your laptop around like I do from Home to Work and both have DHCP assigned addresses; sometimes it sets the connection to "Private Network" for the new DHCP address it acquires and then you can't see it.   It should be set to PUBLIC for other machines to see it also.
    Change that in your "Network and Sharing Center"
    Message Edited by ThinkP on 04-11-2008 04:39 PM
    Message Edited by ThinkP on 04-11-2008 05:42 PM
    Message Edited by andyP on 04-11-2008 11:50 PM
    T61P - 6459-CTO - T7500 2.2Ghz - 4G DDR2 RAM - NV Quadro FX 570M 256mb - 160G 7200 rpm - WSXGA+ 15.4" - Vista Ultimate 32bit
