Active Directory tries to connect to a client which is offline
I have an AD deployed on Windows Server 2008 R2 SP1, and my problem is that the AD tries to connect to a client which has been offline since about 6:25 PM. I then found in the firewall's log a report at 6:36 PM that the source IP of the AD server tried to connect to a client
on ports 139/TCP, 445/TCP and ICMP, but the bytes received were '0', which means the client is no longer online on the network. After that I found the same traffic from the AD trying to connect to the client again every 4 hours (10:00 PM, 02:00 AM and 06:00 AM of the next day).
At 09:00 AM the client was online again, so this abnormal traffic was gone, but at 06:00 PM it came back, and so on.
My question is: "Do any services or anything else on the AD server try to connect like this? And how do I fix it?"
Thank you,
July 23rd, 2012 2:59am
Hello,
Usually the client computer connects to your DC for authentication and group policy application.
I have seen the same behavior with a virus which uses shares to spread. It was using port 445/TCP to connect to shares and used domain administrative privileges to propagate.
July 23rd, 2012 4:13am
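The question above asks which service on the DC initiates the 139/445/ICMP traffic, and the answer raises the possibility of malware. Either way, the first thing to establish is which process on the DC is opening the connections. One way to do that without guessing: enable Windows Filtering Platform connection auditing on the DC for one of the 4-hour cycles, then query Security event 5156, which records the process, direction, addresses, ports and protocol of every permitted connection. The script below is an added example, not code from this thread; it assumes an elevated PowerShell 2.0 prompt on the 2008 R2 DC, that `$ClientIp` is the client address taken from the firewall log, and the script name `Find-DcOutbound.ps1` and IP address in the usage comment are hypothetical.

```powershell
# Added example, not from the original thread. Finds which process on the DC
# opens connections to a given client by reading Security event 5156
# (WFP "permitted a connection"), which logs the process, direction,
# addresses, ports and protocol of each connection.
# Assumptions: elevated PowerShell 2.0 on the 2008 R2 DC; $ClientIp is the
# client's address from the firewall log (value in the usage comment is hypothetical).
param(
    [Parameter(Mandatory=$true)][string]$ClientIp,
    [int]$LookbackHours = 12
)

# 1. Enable success auditing for WFP connections so event 5156 is written.
#    Do this before the next expected 4-hour cycle. 5156 is high-volume,
#    so turn it off again (step 4) once the cycle has been captured.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable | Out-Null

# 2. Pull 5156 events and keep only outbound connections whose destination
#    is the client. Field names are read from the event's EventData XML, so
#    nothing depends on the localized message text.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.InnerText }
    # Direction is stored as a resource reference: %%14592 = Inbound, %%14593 = Outbound.
    if ($d['DestAddress'] -eq $ClientIp -and $d['Direction'] -eq '%%14593') {
        New-Object PSObject -Property @{
            Time        = $ev.TimeCreated
            ProcessId   = [int]$d['ProcessID']
            Application = $d['Application']   # \device\harddiskvolumeN\...\name.exe
            DestPort    = $d['DestPort']
            Protocol    = $d['Protocol']      # 6 = TCP, 1 = ICMP
        }
    }
}

# 3. Summarise per application/port with first and last time seen; the gaps
#    between events should line up with the 4-hour pattern in the firewall log.
$hits | Group-Object Application, DestPort | ForEach-Object {
    $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
    New-Object PSObject -Property @{
        Application = $_.Group[0].Application
        DestPort    = $_.Group[0].DestPort
        Protocol    = $_.Group[0].Protocol
        Count       = $_.Count
        FirstSeen   = $times[0]
        LastSeen    = $times[$times.Count - 1]
    }
} | Sort-Object FirstSeen | Format-Table Application, DestPort, Protocol, Count, FirstSeen, LastSeen -AutoSize

# If the application is svchost.exe, the PID alone does not say which service.
# Map PIDs that are still running to their hosted services. (The PID is the
# one at connection time, so this only works while that process is still alive.)
$hits | Where-Object { $_.Application -like '*\svchost.exe' } |
    Select-Object -ExpandProperty ProcessId -Unique |
    ForEach-Object { tasklist /svc /fi "PID eq $_" }

# 4. Turn the audit subcategory off again after the capture window.
# auditpol /set /subcategory:"Filtering Platform Connection" /success:disable

# Usage (hypothetical address): .\Find-DcOutbound.ps1 -ClientIp 192.168.10.57 -LookbackHours 12
```

Whatever the summary names (a service hosted in svchost.exe, a backup or monitoring agent, something launched by a scheduled task) is the thing to investigate next; the FirstSeen/LastSeen columns should reproduce the 4-hour cadence from the firewall log if the right events were captured. Because the client is off, the SYN to 139/445 goes unanswered, which is why the firewall shows zero bytes received; event 5156 is still written on the DC because it records the permitted outbound attempt, not a completed connection.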
Thanks for your answer. :)
First, yes, I know that clients connect to the DC for authentication and group policy application. But I don't know why the DC keeps connecting to 'a client' which is already offline (because the worker at that client clocked out), as I said, every 4 hours (06:00 PM, 10:00 PM, 02:00 AM and 06:00 AM).
In the case of malware trying to propagate to other computers, I think it shouldn't try to propagate to just one client. I've seen in the firewall's log how a worm tries to propagate itself: not to just one client, but it tries to connect to every client it can reach.
If I'm understanding this the wrong way, please give me some knowledge so I get your point. Thanks again :)
July 23rd, 2012 7:13am
Please check the firewall on the client side; maybe it's blocking.
Kalpesh Patel
July 23rd, 2012 9:07am
Ahhh, I don't think so. As I already said, that 'client' is offline.
And during working hours (8:00 AM - 5:00 PM) everything is OK: the client can connect to the DC and the DC also connects to the client fine (the traffic also uses ICMP, 139/TCP, 445/TCP and others). But what I'm curious about is: why does the DC keep connecting to 'a client' which is already offline (from 06:00 PM
to 06:00 AM of the next day)?
July 23rd, 2012 11:34pm