Excessive Traffic on Port 445 between 2 Domain Controllers
Hi, my company has over 45 DC's across about 25 sites worldwide. We are noticing a lot of traffic using wireshark and Network Monitor on Microsoft-DS port 445. I have been searching if this is normal and what I see is that it is used for SMB File and
print sharing. Well, I don't have any file shares on these DC's other than the normal admin shares and sysvol share. I don't believe this is replication traffic since these 2 servers are not replication partners. I have checked sites and services to make sure
the intersite and intrasite connections look good. This traffic is constant over weeks and it is about 1 GB an hour between the 2 servers. This would not be a big deal if this was just on the local LAN but it is over the WAN and
that saturates the line. Should 2 DC's be talking that much that are not even replication partners? What type of traffic could it be. I am at a loss for troubleshooting this. I have done packet captures but that really does
not tell me much ( that I can read anyway). Oh, I have run AV scans alos and finding nothing.
Any help would be greatly appreciated.
Steve
Steve
Actually, DFS/FRS/DFSR replication is not related to NTDS replication. It uses a directory change notification event to trigger replication to a replica, and that is to all DCs in the domain. That's why you can have SYSVOL replication problems but AD replication
of the partitions do not have problems, such as when you create a user on one and it replicates to it's NTDS partner.
Below is a summary. You can read about how the whole process with NTFRS/DFSR works in the links below, if you like:
Introduction to Administering DFS-Replicated SYSVOL
"DFS Replication technology significantly improves replication of SYSVOL. ... When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated."
"To replicate only updates to files, DFS Replication uses an algorithm called remote differential compression (RDC). RDC detects changes ... without having to replicate the entire file. RDC detects insertions, removals, and rearrangements of data
in files. The DFS Replication service monitors SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication automatically replicates the file updates to the SYSVOL folders on the other domain controllers in the domain. "
http://technet.microsoft.com/en-us/library/cc794837(v=WS.10).aspx
How FRS Works - Windows 2003
http://technet.microsoft.com/en-us/library/cc758169(v=WS.10).aspx
DFS Replication: Frequently Asked Questions (FAQ)
http://technet.microsoft.com/en-us/library/cc773238(v=WS.10).aspx
I think 316 MB in SYSVOL is a good amount of data. What is in there taking up that much space? Is something using SYSVOL to store it's data, such as an app that's constantly changing data?
The reason I'm asking is that this could be the cause of the issue, since if it changes on one DC, then it replicates, then another change occurs, etc., and it keeps going and it appears that a ton of data is being moved back and forth.
Quick story - I remember a customer was using SYSVOL to store data so they can access it across the WAN link. He said he did it because of its "cool" replication features. I said, yea, but it's meant for domain data (GPO policies, templates, etc.)
and not for custom data. Create a DFS share for that so it works independently of SYSVOL.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Similar Messages
-
Replication and AD Domain sevices errors between 2 Domain Controllers
Hi,
I've a 2 Domain Controllers (NJ-DC1-2K8 and NJ-DC2-2K8) setup in VMware Workstation 10. Recently, I've run into different errors in regards to Replication, DNS and AD Domain services. Both of my DC are setup with static IP pointing to each other for fault
tolerance. Initially, One of my DC had a lingering object error which I was able to fix after spending some time. The next day, when I tried to replicate 2 DC, the number of errors grew. Ran dcdiag, it produced a list of crazy errors that I never saw before.
I'm a newbie to the server environment, trying to gain knowledge so I can't get those errors sort out even I tried a lot. I read a lot of online articles on different forums like here Microsoft TechNet trying to overcome this problem but didn't work. I even
removed DNS role and re-added it but same problem. I guess removing the DNS role doesn't remove everything related to DNS. I'm going to upload pictures here of the different errors through the commands I got. I would appreciate if someone can help me to get
it fixed.
Other than that, I also would like to know what is the best way to remove DNS, AD Domain Services and then reinstall them without demoting the server. What are some of the things I would have to keep in mind before doing that. How can I make sure that doing
this wouldn't impact in AD data loss like user account, GP Policies, Computer account and etc....?
Errors are as follows:
1) C:\Users\Administrator>repadmin /syncall
CALLBACK MESSAGE: The following replication is in progress:
From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
To : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
CALLBACK MESSAGE: Error issuing replication: 8451 (0x2103):
The replication operation encountered a database error.
From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
To : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
CALLBACK MESSAGE: SyncAll Finished.
SyncAll reported the following errors:
Error issuing replication: 8451 (0x2103):
The replication operation encountered a database error.
From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
To : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
2) C:\Users\Administrator>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
NewJersey\NJ-DC1-2K8
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
==== INBOUND NEIGHBORS ======================================
DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
30 consecutive failure(s).
Last success @ 2014-07-06 16:16:49.
CN=Configuration,DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
29 consecutive failure(s).
Last success @ 2014-07-06 16:06:25.
CN=Schema,CN=Configuration,DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
10 consecutive failure(s).
Last success @ 2014-07-06 15:49:54.
DC=DomainDnsZones,DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
30 consecutive failure(s).
Last success @ 2014-07-06 15:49:54.
DC=ForestDnsZones,DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
19 consecutive failure(s).
Last success @ 2014-07-06 16:10:47.
Source: NewJersey\NJ-DC2-2K8
******* 30 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
Last error: 8456 (0x2108):
The source server is currently rejecting replication requests.
3) C:\Users\Administrator>dcdiag /replsum
Invalid Syntax: Invalid option /replsum. Use dcdiag.exe /h for help.
C:\Users\Administrator>repadmin /replsum
Replication Summary Start Time: 2014-07-06 21:03:28
Beginning data collection for replication summary, this may take awhile:
Source DSA largest delta fails/total %% error
NJ-DC1-2K8 09d.22h:06m:34s 5 / 5 100 (8457) The destination server is currently rejecting replication requests.
NJ-DC2-2K8 05h:13m:34s 5 / 5 100 (8456) The source server is currently rejecting replication requests.
Destination DSA largest delta fails/total %% error
NJ-DC1-2K8 05h:13m:34s 5 / 5 100 (8456) The source server is currently rejecting replication requests.
NJ-DC2-2K8 09d.22h:06m:34s 5 / 5 100 (8457) The destination server is currently rejecting replication requests.
4) C:\Users\Administrator>dcdiag /test:DNS
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = NJ-DC1-2K8
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: NewJersey\NJ-DC1-2K8
Starting test: Connectivity
......................... NJ-DC1-2K8 passed test Connectivity
Doing primary tests
Testing server: NewJersey\NJ-DC1-2K8
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... NJ-DC1-2K8 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : Fleet
Running enterprise tests on : Fleet.local
Starting test: DNS
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
......................... Fleet.local passed test DNS
5) C:\Users\Administrator>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = NJ-DC1-2K8
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: NewJersey\NJ-DC1-2K8
Starting test: Connectivity
......................... NJ-DC1-2K8 passed test Connectivity
Doing primary tests
Testing server: NewJersey\NJ-DC1-2K8
Starting test: Advertising
......................... NJ-DC1-2K8 passed test Advertising
Starting test: FrsEvent
......................... NJ-DC1-2K8 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... NJ-DC1-2K8 failed test DFSREvent
Starting test: SysVolCheck
......................... NJ-DC1-2K8 passed test SysVolCheck
Starting test: KccEvent
......................... NJ-DC1-2K8 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... NJ-DC1-2K8 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... NJ-DC1-2K8 passed test MachineAccount
Starting test: NCSecDesc
......................... NJ-DC1-2K8 passed test NCSecDesc
Starting test: NetLogons
......................... NJ-DC1-2K8 passed test NetLogons
Starting test: ObjectsReplicated
......................... NJ-DC1-2K8 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
From NJ-DC2-2K8 to NJ-DC1-2K8
Naming Context: DC=ForestDnsZones,DC=Fleet,DC=local
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2014-07-06 20:49:06.
The last success occurred at 2014-07-06 16:10:47.
19 failures have occurred since the last success.
Replication has been explicitly disabled through the server options.
[Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
From NJ-DC2-2K8 to NJ-DC1-2K8
Naming Context: DC=DomainDnsZones,DC=Fleet,DC=local
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2014-07-06 21:04:16.
The last success occurred at 2014-07-06 15:49:54.
31 failures have occurred since the last success.
Replication has been explicitly disabled through the server options.
[Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
From NJ-DC2-2K8 to NJ-DC1-2K8
Naming Context: CN=Schema,CN=Configuration,DC=Fleet,DC=local
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2014-07-06 20:49:06.
The last success occurred at 2014-07-06 15:49:54.
10 failures have occurred since the last success.
Replication has been explicitly disabled through the server options.
[Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
From NJ-DC2-2K8 to NJ-DC1-2K8
Naming Context: CN=Configuration,DC=Fleet,DC=local
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2014-07-06 20:49:06.
The last success occurred at 2014-07-06 16:06:25.
29 failures have occurred since the last success.
Replication has been explicitly disabled through the server options.
[Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
From NJ-DC2-2K8 to NJ-DC1-2K8
Naming Context: DC=Fleet,DC=local
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2014-07-06 20:49:06.
The last success occurred at 2014-07-06 16:16:49.
30 failures have occurred since the last success.
Replication has been explicitly disabled through the server options.
......................... NJ-DC1-2K8 failed test Replications
Starting test: RidManager
......................... NJ-DC1-2K8 passed test RidManager
Starting test: Services
......................... NJ-DC1-2K8 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 07/06/2014 20:17:29
Event String: Name resolution for the name 2.5.16.172.in-addr.arpa timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x0000168E
Time Generated: 07/06/2014 20:18:05
Event String:
The dynamic registration of the DNS record '9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local. 600 IN CNAME NJ-DC1-2K8.Fleet.local.'
failed on the following DNS server:
A warning event occurred. EventID: 0x000003F6
Time Generated: 07/06/2014 21:04:01
Event String: Name resolution for the name 1.0.0.127.in-addr.arpa timed out after none of the configured DNS servers responded.
......................... NJ-DC1-2K8 failed test SystemLog
Starting test: VerifyReferences
......................... NJ-DC1-2K8 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : Fleet
Starting test: CheckSDRefDom
......................... Fleet passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Fleet passed test CrossRefValidation
Running enterprise tests on : Fleet.local
Starting test: LocatorCheck
......................... Fleet.local passed test LocatorCheck
Starting test: Intersite
......................... Fleet.local passed test Intersite
6) C:\Users\Administrator>repadmin /showrepl NJ-DC1-2K8
NewJersey\NJ-DC1-2K8
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
==== INBOUND NEIGHBORS ======================================
DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
30 consecutive failure(s).
Last success @ 2014-07-06 16:16:49.
CN=Configuration,DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
29 consecutive failure(s).
Last success @ 2014-07-06 16:06:25.
CN=Schema,CN=Configuration,DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
10 consecutive failure(s).
Last success @ 2014-07-06 15:49:54.
DC=DomainDnsZones,DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 21:04:16 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
31 consecutive failure(s).
Last success @ 2014-07-06 15:49:54.
DC=ForestDnsZones,DC=Fleet,DC=local
NewJersey\NJ-DC2-2K8 via RPC
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
The source server is currently rejecting replication requests.
19 consecutive failure(s).
Last success @ 2014-07-06 16:10:47.
Source: NewJersey\NJ-DC2-2K8
******* 31 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
Last error: 8456 (0x2108):
The source server is currently rejecting replication requests.
7) C:\Users\Administrator>repadmin /showrepl NJ-DC2-2K8
NewJersey\NJ-DC2-2K8
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
DSA invocationID: 3e8ee380-a165-4cef-b311-dadcf30f8406
==== INBOUND NEIGHBORS ======================================
DC=Fleet,DC=local
NewJersey\NJ-DC1-2K8 via RPC
DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
Last attempt @ 2014-07-06 21:04:22 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
53 consecutive failure(s).
Last success @ 2014-06-26 23:01:29.
CN=Configuration,DC=Fleet,DC=local
NewJersey\NJ-DC1-2K8 via RPC
DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
10 consecutive failure(s).
Last success @ 2014-06-26 22:56:54.
CN=Schema,CN=Configuration,DC=Fleet,DC=local
NewJersey\NJ-DC1-2K8 via RPC
DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
7 consecutive failure(s).
Last success @ 2014-06-26 22:56:56.
DC=DomainDnsZones,DC=Fleet,DC=local
NewJersey\NJ-DC1-2K8 via RPC
DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
7 consecutive failure(s).
Last success @ 2014-06-26 22:57:01.
DC=ForestDnsZones,DC=Fleet,DC=local
NewJersey\NJ-DC1-2K8 via RPC
DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
The destination server is currently rejecting replication requests.
23 consecutive failure(s).
Last success @ 2014-06-26 22:57:03.
Source: NewJersey\NJ-DC1-2K8
******* 53 CONSECUTIVE FAILURES since 2014-06-26 23:01:29
Last error: 8457 (0x2109):
The destination server is currently rejecting replication requests.
Please someone go through these different errors and walk me through exactly what I got to do to fix them.
ThanksHi,
Actually, I made copies of those VMs to my external usb 3.0 hdd, so I can load up some of the VMs from it than from my internal hdd since it would freeze on my internal one sometimes. Copied ones worked fine for few days until recently when I started having
these different issues. I did look at USN rollback and applied the fix, didn't work. For the past few days, I been spending endless hours on fixing them but it doesn't look like they are going to be fixed. It's driving me crazy and the bad news is that I've
no backup of my data. I got 2 DC and both have these issues.
Building new domain controllers in VMs won't be a problem for me but I'm worried about losing my AD database in both DCs which includes user and computer accounts and a bunch GPOs.
I'm a newbie to the server environment. Can you please walk me through on exactly how can I save AD database if possible before I start doing the cleanup process on both of my DCs. I read some articles online which provide instructions on how can I cleanup
the AD with Metadata and take both DCs offline but it's all confusing to me. They don't explain anything about saving AD database rather demoting bad DCs. If you know a fix for my DCs that I can apply, so I won't have do it all over and save time. Please let
me know step by step process or whatever you could help me to bring those 2 DCs backup.
Thanks -
Difference between domain controllers and group policy objects in GPMC
Hello,
Am in confusion, someone can tel me the difference between
1.Domain controllers>default domain controller policy and
2.Group policy object>default domain controller policy
In Group policy management console and also i would like know where to define these categories. I normally use second option.
I have attached screenshot for your information.
regards,
Dharanesh,This first/upper item is a link to the GPO, the second/lower item is the actual GPO.
(notice the link, has a shortcut arrow showing)
by default, when you double-click on a link, a message will display which says "you have clicked on a link....." and the messagbox offers a checkbox for "do not display this message again..."
Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Setting a loopback policy setting for Domain Controllers/Preventing IE from accessing externally
Hello, we need to set a lookback policy for our domain controllers to ensure IE doesn't access externally. Is the loopback the best method, or do you all have recommendations?
As far as I'm aware, there's not a good Group Policy setting to do this.
If I understand your question correctly, you wish to prevent external Internet browsing from your Domain Controllers, but everyone else (other servers and workstations) should have full access.
If that's the case, I would recommend blocking port 80 for the Domain Controllers in your Firewall, as they (I hope) have static local IP addresses.
If you know of a good Group Policy setting however, it would be best to set it in the Default Domain Controller Policy, as that will only affect the Domain Controllers.
The "loopback" policy you're referring to is the "Configure user Group Policy loopback processing mode", which can be used to apply the computer configuration "instead of" or "merged with" the user configuration when
a user logs on to computers where this policy applies. Since the computer configuration is normally applied before the user configuration, that can be used to force rules on computers regardless of who's logging in.
Please mark as answer or vote
as helpful when
it applies. Thanks! -
Too many established connections on port 445 microsoft-ds
We have a 2008 r2 server as a application server on VM, there has been huge number of connections established to the port 445 with a system PID 4 all connections are from our domain, there are no roles for this server to be a file server or web server. sniffer
logs detect SMB traffic with similar pattern request from this server to other of our application servers & DC
0.000000 10.10.0.10
10.10.40.22 SMB2
316 Session Setup Response
0.000000 10.10.40.22
10.10.0.10 SMB2
170 Tree Connect Request Tree: \\appserv009\IPC$
0.000000 10.10.0.10
10.10.40.22 SMB2
138 Tree Connect Response
0.000000 10.10.40.22
10.10.0.10 SMB2
216 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \appserv009\c$
0.000000 10.10.0.10
10.10.40.22 SMB2
131 Ioctl Response, Error: STATUS_FS_DRIVER_REQUIRED
0.000000 10.10.40.22
10.10.0.10 SMB2
166 Tree Connect Request Tree: \\appserv009\c$
0.000000 10.10.0.10
10.10.40.22 SMB2
131 Tree Connect Response, Error: STATUS_ACCESS_DENIED
0.000000 10.10.40.22
10.10.0.10 SMB2
166 Tree Connect Request Tree: \\appserv009\c$
0.000000 10.10.0.10
10.10.40.22 SMB2
131 Tree Connect Response, Error: STATUS_ACCESS_DENIED
0.000000 10.10.40.22
10.10.0.10 TCP
60 58203 > microsoft-ds [ACK] Seq=2650 Ack=1082 Win=64512 Len=0
12.000000 10.10.40.22
10.10.0.10 SMB2
126 Tree Disconnect Request
12.000000 10.10.0.10
10.10.40.22 SMB2
126 Tree Disconnect Response
12.000000 10.10.40.22
10.10.0.10 SMB2
126 Session Logoff Request
12.000000 10.10.0.10
10.10.40.22 SMB2
126 Session Logoff Response
There is no big traffic for these connections other than some bytes, but the number of the requests are going up in hundreds on the 445 port. On blocking the port 445 on the firewall rule same connections were seen to go on 139.
How to detect why this connections are being generated.Hi,
As far as I know, Ports 445 and 139 are used for TCP session establishment and file/printer sharing traffic. Besides, Port 445 is also used for AD access and authentication by Microsoft-DS.
In addition, if the client has NetBIOS over TCP/IP enabled, it will always try to connect to the server at both port 139 and 445 simultaneously. If there is a response from port 445, it sends a RST to port 139, and continues its SMB session to port 445 only.
If there is no response from port 445, it will continue its SMB session to port 139 only if it gets a response from there. If the client has NetBIOS over TCP/IP disabled, it will always try to connect to the server at port 445 only.
The link below may be helpful to you:
Service overview and network port requirements for Windows
Best regards,
Susie -
Port 445 taking up massive bandwidth, looking for explantion
Good morning fellow IT workers!
I was looking at my netflow data today and noticed that users on remote sites were bypassing their Domain Controllers and going right to the main office's. All of this traffic was on port 445 (MicrosoftAD) from user workstations and was just curious
as to why this may be happening. Within the past two weeks its taken up 13.9GB on the circuit. While I have some general knowledge of AD, I'm hoping you fine people could point me in a better direction as to why port 445 on user workstations is bypassing the
remote site DC and going straight to the main site DC.
Thank you in advance!Hi,
How many users are there in the remote sites?
Is there file sharing service on the domain controller? The file sharing service also use TCP/UDP port 445.
The TCP/UDP port 445 is not used by Active Directory directly. It is used by SMB. The AD uses SMB to transmit data.
Please run the command below on the client. It will tell us that which process sends the traffic.
netstat -abon
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
CCM cluster consist of publisher server (CCM 4.1(2)sr1 ) and three subscriber servers. Problem is that subscribers generate large traffic (microsoft-ds, port 445, 200-300 kbps) to publisher server, constantly.
What could be a problem and is this port needed for normal communication between CCM servers?
Where to look for more information?
thanks for any help...https, aka 445, is used for ccm communication in 4.1x.; this should be OK as the subscribers are constantly communicating with the publisher, especially under specific configurations/circumstances.
i wouldn't say 200-300kpbs is 'a really large amount of traffic' even for a 10mb link; but you could be on to something.
this traffic is most likely the SQL replication between the call managers as well as other ccm management/call processing traffic that flows between servers in the cluster.
why the traffic moves and how much between the servers is fully dependent on the configuration of your ccm environment.
one excellent way to verify if there is any traffic you should not have between the servers is to use a sniffer. http://ethereal.com has an excellent free sniffer tool.
capture the traffic to/from the publisher and you can see exactly what traffic there is. -
Q: How DNS traffic behaves when we have Enterprise Domains configured in RAP-NG(IAP VPN) deployment?
The four modes available in the RAP-NG architecture are
1.Local mode
2.Centralized L2 mode
3.Distributed L2 mode
4.Distributed L3 mode
In all the above mode the common behavior is, Internet traffic is source NATed with Master IAPs local IP. The DHCP and corporate traffic behavior changes depending up on mode used in the RAP-NG architecture.
A: Below is the behavior of the DNS traffic
By Default all the DNS requests from a client are forwarded to the clients DNS server.
In a typical IAP deployment without VPN configuration, client DNS requests are resolved by the clients' DNS server.
The DNS behavior of an IAP network (SSID/wired port) configured for RAPNG is determined by the enterprise domain settings.
The enterprise domain setting on the IAP defines the domains for which the DNS resolution must be forwarded to the clients' default DNS server.
Example:
internal-domains
domain-name arubanetworks.com
In the above example if the enterprise domain is configured for arubanetworks.com, then DNS resolution for hostnames in arubanetworks.com will be forwarded to the clients' default DNS server.
The DNS resolution for rest of all the hostnames domains ex. google.com, yahoo.com etc. will be Scr-NATed to the local DNS server of the IAP.
If you need to allow all the hostnames domains to be forwarded to the clients' default DNS server we need to use "*" in the enterprise domain configuration
internal-domains
domain-name *
From Web UI:
To create/ View
1. Hit settings
2. Click on Show advanced options
3.Select Enterprise Domains
To View Enterprise domain setting from CLI;
#show running-config | begin internal-domains
To Create Enterprise domain from CLI:
(config)#internal-domains
domain-name <domain-name> -
LACP port channel between 6509 and Nexus 7K
We are in the process of migrating from dual 6509's to dual 7010's. We have moved our 5k/2K's behind the 7K and have layer 2 up between the 6509 and 7K. This link is configured as a port channel with 2 1gig links using LACP. The port channel is up and working and traffic is passing but it doesn't appear the load it equally distributed between the links. Both the 7K and 6K are setup for src-dst-ip for the load balancing. The links have been in place for over 12 hours and I would have expected them to "equal" out. Has anyone had this issue in or is this to be expected? For clarification there is not VPC inolved in this configuration it is simply a port-channel between one 6509 and a 7010.
Thanks,
JoeWe are in the process of migrating from dual 6509's to dual 7010's. We have moved our 5k/2K's behind the 7K and have layer 2 up between the 6509 and 7K. This link is configured as a port channel with 2 1gig links using LACP. The port channel is up and working and traffic is passing but it doesn't appear the load it equally distributed between the links. Both the 7K and 6K are setup for src-dst-ip for the load balancing. The links have been in place for over 12 hours and I would have expected them to "equal" out. Has anyone had this issue in or is this to be expected? For clarification there is not VPC inolved in this configuration it is simply a port-channel between one 6509 and a 7010.
Thanks,
Joe -
Database mirror between two domain
I setting up database mirror between two domain that will help me migrate from SQL 2008R2 to SQL 2012 :
It is set up as follows:
Domain A(Old domain) - Server A
Domain B (New Domain for HA/DR setup) - Server B and Server C (Already configured as FCI and AG)
I want to migrate data from Server A to Server B using database mirror.
I set up the
Created Master key, endpoint and certificate on the Server A
Created Master key, endpoint and certificate on the Server B
Backup certificate on both sides and copy to each server
Create inbound connections on both principal and mirror partner. Here I created two SQL logins
SQLSrvA_login
SQLSrvB_logi
Grant connect on endpoint to both logins on both principal and mirror partner.
Everything seems ok as can be seen below
Principal partner:
grantee endpoint permission state_desc
SQLSrvA_login Hadr_endpointCONNECT GRANT
SQLSrvB_loginHadr_endpointCONNECT GRANT
Mirror partner:
grantee endpoint permission state_desc
SQLSrvA_login Hadr_endpoint CONNECT GRANT
SQLSrvB_login Hadr_endpoint CONNECT GRANT
Perform a full db backup and log backup on ServerA and restore to ServerB with norecovery
When trying to establish the partnership, it succeeded on the mirror partner ServerB but failed on the principal partner ServerA with the following error
Msg 1418, Level 16, State 1, Line 2
The server network address "TCP://ServerB:5022" can not be reached or does not exist. Check the network address name and that the ports for the local and remote endpoints are operational.
The following error is in the SQL errorlog:
Database Mirroring login attempt failed with error: 'Connection handshake failed. There is no compatible authentication protocol. State 21
Any ideal why this is occurring?
Thanks
Datawarehouse lead ArchitectHi,
Please see this link for possible solution.
http://blogs.msdn.com/b/grahamk/archive/2008/11/21/how-to-configure-database-mirroring-between-2-instances-on-a-standalone-server.aspx
Hope this helps
Bhanu -
Any known 'porting' issues between 8.2.2 and 9.0 ??
Hi all,
we are in the process of evaluating LS ES2 (9.0) and would like to know if there are any 'porting' issues between the two versions. Asked another way, are there any issues in deploying a 8.2.2. LCA onto 9.0 ?
Dan8.2 LCA's will run fine in 9.0 if they are just deployed into it. But in 9.0 a new application model has been introduced, so in order to make changes to anything after you've migrated it you'll need to create an application and migrate your processes and resources into it. You may want to take a look at the Leveraging Legacy Solution document available online. Here's the link: http://help.adobe.com/en_US/livecycle/9.0/workbenchHelp/help.htm?content=leveragingLegacy. html .
Chris -
Communication issues between domain controllers
Hi everyone,
I am experiencing some problems in communication between domain controllers in our organization
We have three domain controllers, one of them is a Windows 2003 server service pack 2 which is physical (controller A), another which is Windows 2008 Service Pack 2 (controller B), also physical, and a third one (controller C) which is a Windows 2008
service pack 1 and is virtual.
I have problems with this last DC, it won't respond to pings, or DNS query. I can't Access it by remote desktop client even when it is enabled. I cannot update it, it prompts error messages if I try to do so.
This problems are solved if I reboot it, it will work fine some hours or days, but not much longer. I have checked event viewer and I didn't found any message about this.
I read some time ago it would be great to have a DC in a virtual machine, so I did it, but is it right?
Do you know what might be going on with it? would depromoting it and seting it up again the best solución?
Thank you very much.
Best regards.
David.This sounds like a NIC issue, which is odd since it is a virtual machine. Have you checked the host for any logs about the client?
I think the first thing I would do is destroy the current virtual NIC card and add a new one. Since this has nothing to do with Active Directory I would also suggest you post this in a forum of for the Host (VMWare or Hyper-V).
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights. -
One way trust relationship between different domain windows server 2012 in different forest
I'd like to build trust correctly between the domains A.local and B.int. A.local is on a Windows 2012 . B.int is on a Windows 2012 . Both machines are
connected to the same LAN. The forest level in A.local
machine is Windows Server 2008 and The forest level in B.int
is Windows server 2012.
I want a one-way trust relationship, i.e. users from A.local gain access to B.local.
my problem it i create the trust put when i go to validate the trust between A.Local and B.int give me this error :
The secure channel (SC) reset on Active Directory Domain Controller \\dc2.B.int of domain B.int to domain A.Local failed with error: There are currently no logon servers available to service the logon request.
NOTE : Recently I
UPGRADE THE Active Directory FROM 2008 R2 TO 2012 and i ping on A.local to B.int
it is ping by name and IP but from b.int ping by IP JUST >>>
ihabHi,
yes i already do it the setup conditional forwarding between the 2 domains and
the firewall it is off
ihab -
We recently purchased an EA6900 after our old WRT320N lost part of it's bandwidth. With the old router, people on the local wireless network (192.168.x.x) had no problem connecting via SMB to our Yosemite server (172.16.x.x) but we can no longer make that connection via SMB (AFP still functions correctly via wireless.)
Doing a port scan using the old router and comparing it to the new router, I can see port 445 is not open on the new router and given that it is a MS port, I would say that is the culprit. Is there anyway to get that port opened back up for the wireless users?
Thanks
ChrisCascading a router into a network basically turns it into an AP with most of the router features still available. When cascaded nothing ever gets plugged into the router's WAN\Internet Port and it's DHCP is disabled.
In bridge mode many router features are disabled but setup is super easy because you just connect the router to the network via it's WAN\Internet Port and everything connect to the router normally. The main thing to keep in mind in bridge mode is that the network DHCP or IP is transmitted through the router. Making one big network.
Connectivity => Internet Settings => Edit and choose Bridge Mode
If you keep the router with Internet Settings DHCP or Static IP and connect the network to it's WAN\Internet Port this creates two separate network subnets. The network behind the router can see the network on the WAN but not the reverse because of the router's firewall and NAT.
Please remember to Kudo those that help you.
Linksys
Communities Technical Support -
Here is one that will make you pull your hair out.
T61p installed and worked perfectly for 2 months. Then one day, could not see the T61p from my desktop XP PC. After weeks of troubleshooting with serveral different "experts", it came down to this:
In Network Sharing Centre - Sharing & Discovery, all but the last 2 items are turned on.
When you select View Status of the Local Area Connection, click the Properties button , File & Print sharing for Microsoft Networks is NOT checked. Thus port 445 is NOT open. Thus other computers on local network CANNOT see the Vista PC. If you check the item, port 445 opens and all is well again in Netowrk land.
The problem is:
Everytime I boot the PC, why is File & Print Sharing for Microsoft Networks NOT checked?
Some very bright minds have not been able to solve this yet. But please, give it a go if you think you understand the intricacies of Vista networking. The only answer I have found so far ... the usual last resort with Microsoft OS's ... clean install ... AGAIN!
Thanks.
Moderator Note; added pic warning to title
Message Edited by andyP on 04-11-2008 11:24 PMSounds like the "Local Area Connection" you are using has lost it's BIND to file and print sharing.
Vista >
When you open network connections in your Control Panel (I'm using classic view btw) > open the icon "Network and Sharing Center" > then click in the left menu of that window "Manage Network Connections"
It will bring up the window with the old style box with all your network connections on your computer.
then follow this image attached to set the BINDING for file and print sharing on the matching local area connection that you use in your network. Just check the boxes for "File and Print Sharing for Microsoft Networks"
Also, sometimes Vista gets confused if you move your laptop around like I do from Home to Work and both have DHCP assigned addresses, sometimes it sets the connection to "Private Network" for the new DHCP address it aquires and then your can't see it. It should be set to PUBLIC for other machines to see it also.
Change that in your "Network and Sharing Center"
Message Edited by ThinkP on 04-11-2008 04:39 PM
Message Edited by ThinkP on 04-11-2008 05:42 PM
Message Edited by andyP on 04-11-2008 11:50 PM
T61P - 6459-CTO - T7500 2.2Ghz - 4G DDR2 RAM - NV Quadro FX 570M 256mb - 160G 7200 rpm - WSXGA+ 15.4" - Vista Ultimate 32bit
Maybe you are looking for
-
Hello everybody! Being Italian I apologise in advance for my english, if something isn't clear feel free to ask! Now, to the problem: since two days I'm unable to use iTunes Match at all. In the past days I was organising my library in playlists, whe
-
Ipod stops on some songs then restarts after 3 seconds?
Hi, im having a problem with my ipod, during a song the ipod sound fails, like its on pause, then it re starts again after a few seconds, does anyone know what the problem is?, ive already re set it a couple of time. cheers tim
-
Security check failed in Report services
Hi We are facing Errors in the Secured report services.We are able to login into the report server with url and its server name.but when the users access the reports then they are facing the below mentioned error.Pls help on this. Error : REP-56071:S
-
Revision: 4840 Author: [email protected] Date: 2009-02-04 13:20:07 -0800 (Wed, 04 Feb 2009) Log Message: Fix bug SDK-18904 Redudant APIs on UICompoennt and GraphicElement, SDK-17508 Applying a translation to a Rect causes shape to be scaled Fix: remo
-
I installed iLife '06 yesterday and I'm noticing the RAW images that I corrected in Photoshop CS then saved back to iPhoto are being reverted back to the original state before the RAW fix in Photoshop. I double click on a RAW edited photo to open up