Active Directory tries to connect to a client which is offline
I have an AD which was deployed with Windows Server 2008 R2 SP1, and my problem is that the AD tries to connect to a client which has been offline since about 6:25 PM. Then I found in the firewall's log a report at 6:36 PM that the source IP of the AD server tried to connect to a client on ports 139/TCP, 445/TCP and ICMP, but bytes received was '0', which means the client is no longer online on the network. After that I found the same traffic from the AD trying to connect to the client again every 4 hours (10:00 PM, 02:00 AM and 06:00 AM of the next day). At 09:00 AM the client was online again, so this abnormal traffic was gone, but at 06:00 PM it came again, and so on. My question is: "Do any services or something on the AD server try to connect like this situation? And how do I fix it?" Thank you,
July 23rd, 2012 2:59am
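One way to answer the question asked above ("which service on the DC is opening these connections?") is to let the DC itself record the originating process. This is an added example, not something posted in the thread: it uses Windows Filtering Platform connection auditing (Security event 5156, available on Windows Server 2008 R2), which logs the application path and process ID for every allowed outbound connection, including the SYN to ports 139/445 and the ICMP echo that the firewall saw with zero bytes returned. The client address 192.0.2.50 is a placeholder; the event field names and the direction resource-string values are taken from the 5156 event schema as the author of this example knows it.

```powershell
# Added example (not from the thread). Attribute the DC's outbound 139/445/ICMP
# attempts to a process via Security event 5156 (Windows Filtering Platform).
#
# One-time setup on the DC, from an elevated prompt, before one of the 4-hour windows:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
# Turn it off again afterwards (/success:disable); it is noisy on a DC.

$client = '192.0.2.50'                 # assumption: the offline client's IP address
$since  = (Get-Date).AddHours(-24)     # look back over one full day of 4-hour cycles

$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } |
    ForEach-Object {
        # Pull the EventData fields out of the event XML by name rather than by index.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Direction is stored as a resource-string id: %%14592 = Inbound, %%14593 = Outbound.
        if ($d['DestAddress'] -eq $client -and $d['Direction'] -eq '%%14593') {
            # New-Object instead of [pscustomobject] so this runs on the PowerShell 2.0
            # that ships with Server 2008 R2.
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                ProcessId   = $d['ProcessID']
                Application = $d['Application']   # NT device path, e.g. \device\harddiskvolume1\windows\system32\svchost.exe
                DestPort    = $d['DestPort']
                Protocol    = $d['Protocol']      # IANA number: 6 = TCP, 1 = ICMP
            }
        }
    }

"Outbound connections from this DC to $client since $since : $($hits.Count)"

# Which binary is opening them?
$hits | Group-Object Application | Select-Object Count, Name | Format-Table -AutoSize

# And on what cadence? Grouping by hour makes a fixed 4-hour schedule stand out.
$hits | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Select-Object Count, Name | Format-Table -AutoSize
```

The process ID in the output is the next hop: `tasklist /svc /fi "PID eq <id>"` tells you which service is hosted in that svchost.exe, and if the application path is not a service host at all, `schtasks /query /v /fo LIST` shows whether a scheduled task on the DC runs at the times the firewall logged. A TCP attempt that logs as allowed on the DC but shows zero bytes received at the firewall is simply a SYN with no answer, which is what you expect when the target host is powered off.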

Hello, Usually the client computer connects to your DC for authentication and group policy application. I have seen the same behavior with a virus which uses shares to get spread. So, it was using port 445/TCP to connect to shares and used domain administrative privileges to get propagated.
July 23rd, 2012 4:13am

Thanks for your answer. :) First, yes, I know that clients connect to the DC for authentication and group policy application. But I don't know why the DC keeps connecting to 'a client' which is already offline (because the worker at that client clocked out), as I said, every 4 hours (06:00 PM, 10:00 PM, 02:00 AM and 06:00 AM). In the case of malware trying to propagate to other computers, I think it shouldn't try to propagate to just only one client. I'd seen in the firewall's log how a worm tries to propagate itself: not to just one client, but it tries to connect to every client that it can connect to. If I understand this in the wrong way, please give me some knowledge to make me get your point. Thanks again :)
July 23rd, 2012 7:13am

Please check the firewall at the client side; maybe it's blocking. Kalpesh Patel
July 23rd, 2012 9:07am

> Please check the firewall at the client side; maybe it's blocking. Kalpesh Patel

Ahhh. I don't think so. As I already said, that 'client' is offline. And in working time (8:00 AM - 5:00 PM) everything is OK: the client can connect to the DC and the DC also connects to the client well (the traffic also uses ICMP, 139/TCP, 445/TCP and others). But what I'm curious about is "why does the DC keep connecting to 'a client' which is already offline? (Since 06:00 PM to 06:00 AM of the next day.)"
July 23rd, 2012 11:34pm
