Heavy traffic on port 445 from DC

  • 173 Views
  • Last Post 29 July 2016
nidhin_ck posted this 28 July 2016

Hi Experts
Recently we did a network analysis of the smaller sites where they do not have local AD servers, and we found that the majority of the WAN traffic during office hours comes from the AD servers at other sites (> 50% of the traffic is WAN related). This has contributed to network congestion at the site. We saw that port 445 (CIFS), which is normally used for file sharing, is consuming high bandwidth, but the source is showing DC names. Why is this showing as coming from the AD servers?
We cross-checked the GPO for any misconfiguration or any file server usage, but no luck. What we found is that each user has a different logon script to map network drives. Also there is no domain-level DFS namespace.
Could you please provide some guidelines to troubleshoot this issue?

Regards,
Nidhin CK

g4ugm posted this 28 July 2016

Do you have site affinity set? Group Policy Refresh?

Dave

ken posted this 29 July 2016

When you say “from the DC”, do you mean the traffic is originating from the DC? If so, where is it going?

Or are you saying that the traffic is to the DC? If so, from where?

 

nidhin_ck posted this 29 July 2016

Group Policy Refresh is the default value. I didn't understand your first question :(
Regards,
Nidhin CK

nidhin_ck posted this 29 July 2016

It is between the clients and the DC.
For example, in the screenshot below, the source is the DC and the destinations are client machines. The client machines vary, but the source is a single DC.
Regards,
Nidhin CK

g4ugm posted this 29 July 2016

The first question was: how have you defined the site structure for the subnets in the locations with no DCs? Also, I guess I need to ask, "Have you installed any third-party software on the DCs?"

Dave

ken posted this 29 July 2016

It would be very unusual if the DCs were initiating these connections – what tool are you using to analyse these netflows? Is it possible the clients are initiating the connections, and the reporting is just wrong? If so, I would look at your AD Sites and Services configuration – ensure that clients are connecting to the most appropriately located DC.

If it’s really the DCs initiating the connections, I would try to see (in order):

a) What’s the listening process on the clients that’s accepting the data

b) What’s the process on the DC that’s sending the data

c) Get a packet capture of the data to see if there’s any clues as to what’s being transferred
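As an added example (not posted by anyone in this thread), the steps above can be checked from a client at one of the remote sites with a few built-in cmdlets: which site and logon DC the client resolved (the site-affinity question), which process owns each port 445 connection, and which SMB shares on the DC are actually open. It assumes a domain-joined Windows 8 / Server 2012 or later client and an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run elevated on an affected client.

# 1. Which AD site does this client think it is in, and which DC did it log on to?
#    A blank or wrong site means the subnet is not mapped in AD Sites and Services,
#    so the client may be using a DC at another site across the WAN.
$site  = & nltest /dsgetsite 2>$null | Select-Object -First 1
$logon = if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { '(none)' }
Write-Host "Client site: $site   Logon DC: $logon"

# 2. Established TCP connections to port 445 and the local process that owns them.
#    This answers "what is the process on the client" without a packet capture.
Get-NetTCPConnection -RemotePort 445 -State Established |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            OwningPid     = $_.OwningProcess
            Process       = $proc.ProcessName
        }
    } | Format-Table -AutoSize

# 3. SMB connections this client currently holds, per server and share.
#    Shares named SYSVOL or NETLOGON point at Group Policy refresh or logon
#    scripts; any other share on a DC points at a drive mapping that resolves
#    to the DC rather than a file server.
Get-SmbConnection |
    Select-Object ServerName, ShareName, UserName, NumOpens, Dialect |
    Sort-Object ServerName, ShareName | Format-Table -AutoSize

# 4. Drive mappings created by the per-user logon scripts mentioned in the
#    question, so a mapping that targets a DC is easy to spot.
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status | Format-Table -AutoSize
```

On the DC side, Get-SmbSession and Get-SmbOpenFile show the same picture from the server end, which is useful if the flow tool really is reporting the DC as the originator.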

 

Rajeev Chauhan posted this 29 July 2016

These are all CIFS. Is the sysvol UNC hardening

