Port 80 traffic to my DC
I have two domain controllers serving the same domain for redundancy, and I have been sniffing the traffic going to and from my domain controllers and I noticed something odd. I have a large number of domain client machines that are sending traffic to port 80 to my DCs. Port 80 is not open on either of the DCs and IIS is not installed. Also, none of the client machines are infected with a virus. Symantec Antivirus finds no viruses. The port 80 traffic seems to be happening during logon and possibly logoff. Does anyone have any idea why this would be happening?
June 24th, 2010 8:11pm

Yes, most likely your domain name is the same internally as externally? Say your domain name is corp.com and your users open a browser (internally) and type http://corp.com. If you look at your DNS zone for corp.com, you will notice that your DCs have registered the domain name as a parent record for their IPs. This is by design. This behavior can be modified if needed. See: Active Directory Domain Name Considerations when Using the Same Internal and External Domain Name, http://www.anitkb.com/2010/03/active-directory-domain-name.html Visit: anITKB.com, an IT Knowledge Base.
June 24th, 2010 8:44pm

Hi, if you are not sure which site the clients attempt to access, you may install Network Monitor on the DC and capture the HTTP traffic to verify exactly which web site/virtual directory the clients request. Download NetMon 3.3 from the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
June 25th, 2010 5:59am

Actually our internal and external sites have different names. Our internal is a .local and our external is an .edu. This is what started our confusion. There would be no need for anything to browse to our .local web address, as it is not configured nor is IIS installed. Any ideas?
June 29th, 2010 4:13pm

My next recommendation is in line with Mile's posting. You should capture the network traffic and take a look at the contents. You can use Network Monitor, or whichever application you are comfortable using. I like using Wireshark. Visit: anITKB.com, an IT Knowledge Base.
June 29th, 2010 8:14pm
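
One way to work through such a capture, as an added example that is not from any poster in this thread: the script below summarises, per client, the port 80 connection attempts made to the DCs, with first and last timestamps that can be compared against logon times. The tshark export command, the DC addresses and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Export assumed to come from (standard Wireshark field names):
#   tshark -r dc.pcap -Y "tcp.dstport == 80" -T fields -e frame.time_epoch
#     -e ip.src -e ip.dst -e tcp.flags.syn -e tcp.flags.ack
#     -e http.host -e http.request.uri
# Constructed sample rows (tab-separated); addresses and names are made up.
SAMPLE = "\n".join([
    "1277410260.10\t10.0.0.51\t10.0.0.10\t1\t0\t\t",
    "1277410263.10\t10.0.0.51\t10.0.0.10\t1\t0\t\t",         # SYN retry
    "1277410261.00\t10.0.0.52\t10.0.0.11\tTrue\tFalse\t\t",  # newer tshark booleans
    "1277410262.00\t10.0.0.52\t192.0.2.80\t1\t0\t\t",        # not a DC, ignored
    "1277410270.00\t10.0.0.53\t10.0.0.10\t0\t1\texample.local\t/constructed/path",
])
DC_IPS = {"10.0.0.10", "10.0.0.11"}  # hypothetical DC addresses

def _flag(value):
    # tshark prints booleans as 1/0 or True/False depending on version
    return value in ("1", "True")

def summarise(export_text, dc_ips):
    """Per client: SYN count to a DC, first/last attempt time, and any
    Host+URI seen (only present if something actually answered on port 80)."""
    stats = defaultdict(lambda: {"syn": 0, "first": None, "last": None,
                                 "requests": set()})
    for line in export_text.splitlines():
        cols = (line.split("\t") + [""] * 7)[:7]  # pad short rows
        ts, src, dst, syn, ack, host, uri = cols
        if dst not in dc_ips:
            continue
        entry = stats[src]
        if _flag(syn) and not _flag(ack):  # initial connection attempt
            t = float(ts)
            entry["syn"] += 1
            entry["first"] = t if entry["first"] is None else min(entry["first"], t)
            entry["last"] = t if entry["last"] is None else max(entry["last"], t)
        if host or uri:
            entry["requests"].add(host + uri)
    return dict(stats)

if __name__ == "__main__":
    for client, info in sorted(summarise(SAMPLE, DC_IPS).items()):
        print(client, info["syn"], info["first"], info["last"],
              sorted(info["requests"]))
```

With port 80 closed on the DC, only the SYN counts and timestamps will be populated; the Host and URI columns fill in only when a listener completes the handshake.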

This topic is archived. No further replies will be accepted.
