Port 80 traffic to my DC
I have two domain controllers serving the same domain for redundancy, and
I have been sniffing the traffic going to and from my domain controllers
and I noticed something odd. I have a large number of domain client
machines that are sending traffic to port 80 to my DCs. Port 80 is not
open on either of the DCs and IIS is not installed. Also none of the
client machines are infected with a virus. Symantec Antivirus finds
no viruses. The port 80 traffic seems to be happening during logon and
possibly logoff. Does anyone have any idea why this would be happening?
June 24th, 2010 8:11pm
Yes, most likely your domain name is the same internally as externally? Say your domain name is corp.com and your users open a browser (internally) and type http://corp.com, well if you look at your DNS zone for corp.com, you will notice that your DCs have registered the domain name as a parent record for their IPs. This is by design.
This behavior can be modified if needed.
Active Directory Domain Name Considerations when Using the Same Internal and External Domain Name
http://www.anitkb.com/2010/03/active-directory-domain-name.html
Visit: anITKB.com, an IT Knowledge Base.
June 24th, 2010 8:44pm
Hi,
If you are not sure about which site the clients attempt to access, you may install the Network Monitor on the DC and capture the HTTP traffic to verify exactly which web site/virtual directory the clients request.
Download the NetMon3.3 from the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
June 25th, 2010 5:59am
Actually our internal and external sites have different names. Our internal is a .local and our external is an .edu. This is what started our confusion. There would be no need for anything to browse to our .local web address, as it is not configured nor is IIS installed. Any ideas?
June 29th, 2010 4:13pm
My next recommendation is in line with Mile's posting. You should capture the network traffic and take a look at the contents. You can use Network Monitor, or whichever application you are comfortable using. I like using Wireshark.
Visit: anITKB.com, an IT Knowledge Base.
June 29th, 2010 8:14pm
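
An added example (not part of the thread and not any poster's code) of the capture review suggested above: it tallies, per client, the SYNs and any HTTP request lines sent to TCP/80 on the DCs. With nothing listening on port 80, expect connection attempts that never carry a request. Assumptions: the capture is exported as a classic little-endian pcap with Ethernet/IPv4 frames, and every address, host name and request in the sample is constructed.

```python
import socket, struct
from collections import defaultdict

def port80_summary(pcap, dc_ips):
    """Per-client SYN count and HTTP (Host, request line) for TCP/80 to the DCs.
    Assumes a classic little-endian pcap with Ethernet/IPv4/TCP frames."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic little-endian pcap file")
    out = defaultdict(lambda: {"syn": 0, "requests": []})
    off = 24                                        # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # keep IPv4 + TCP only
        ip = frame[14:]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]  # trim padding
        if len(tcp) < 20 or dst not in dc_ips or struct.unpack_from("!H", tcp, 2)[0] != 80:
            continue
        flags, payload = tcp[13], tcp[(tcp[12] >> 4) * 4:]
        if flags & 0x02 and not flags & 0x10:       # SYN without ACK: new attempt
            out[src]["syn"] += 1
        if payload.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS", b"PROPFIND"):
            lines = payload.split(b"\r\n")
            host = next((l[5:].strip() for l in lines if l[:5].lower() == b"host:"), b"")
            out[src]["requests"].append((host.decode("latin-1"), lines[0].decode("latin-1")))
    return dict(out)

def _frame(src, dst, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 128, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: addresses, names and the request are made up."""
    get = b"GET /example HTTP/1.1\r\nHost: dc2.example.local\r\n\r\n"
    frames = [_frame("10.0.0.21", "10.0.0.5", 0x02), _frame("10.0.0.21", "10.0.0.5", 0x02),
              _frame("10.0.0.22", "10.0.0.6", 0x02), _frame("10.0.0.22", "10.0.0.6", 0x18, get),
              _frame("10.0.0.23", "10.0.0.99", 0x02)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for client, info in port80_summary(sample_pcap(), {"10.0.0.5", "10.0.0.6"}).items():
        print(client, info)
```

A client that shows only SYNs never got far enough to send a Host header, so the name it was trying to reach has to come from the DNS queries it made just before the attempt.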