Hi Folks,
Hoping someone here can help. I've been searching around both on the Net and
in various technical references with no real luck so far.
I'm after information on the types of client - domain controller
communications that typically occur in an Active Directory domain. In
particular I'm interested in the traffic between Windows XP clients and
Active Directory domain controllers.
This is in relation to an ongoing problem regarding hundreds of thousands of
538/540 event ids being logged daily in the security logs of our domain
controllers. These are generated as a result of setting the logon events
Audit policy to success and failures.
I've been monitoring one of our XP workstations over the course of a day and
I've noticed that it appears to connect to each domain controller in the
domain at 15 minute intervals - resulting in the logging of 540 and 538
events. I installed a nifty Microsoft port logging utility on the
workstation and the log shows that a connection is made to port 445 on each
domain controller at roughly 15 minute intervals. The module initiating the
connection is called "SYSTEM", which I believe is shared by many OS-specific
functions. Over 10,000 workstations generating 538/540 events every 15
minutes adds up to a huge total, as you might have guessed.
We disable the computer browser service as a matter of course on our client
workstations, but this could still be the culprit. I've thoroughly virus
checked the test workstation and checked for Trojans etc.
I'm left with the possibility that this communication is entirely normal and
that perhaps the auditing of the success of logon events does not scale well
in large networks. There seems to be precious little information available
on Windows XP client communication with domain controllers in an AD domain -
unless I'm not looking in the right places.
Can anyone advise any references I can try? Any advice in general on this
one would be appreciated.
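One way to triage this kind of volume before touching the audit policy, as an added example that is not part of the original post: pull the 540/538 pairs out of a DC's security log, group them by account, and measure the cadence of the 540 (successful network logon) events. Computer accounts (names ending in `$`) logging on at a steady ~15 minute period against port 445 look like the SYSTEM-initiated sessions described above; anything else stands out as worth a closer look. The log lines below are constructed for the example, and the flat `timestamp event_id account workstation` layout is an assumption, not the real Security log format; the per-day projection function just multiplies out the numbers in the post.

```python
"""Triage of 540/538 audit events by account cadence (added example).

SAMPLE_LOG is constructed for this example. The field layout
(timestamp, event id, account, workstation) is an assumption; a real
export from the Security log would need its own parser.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: one DC, two workstations' computer accounts logging on
# every ~15 min (540) and off again (538), plus one human user.
SAMPLE_LOG = """\
2004-03-01 08:00:02 540 WS0001$ WS0001
2004-03-01 08:00:03 538 WS0001$ WS0001
2004-03-01 08:15:01 540 WS0001$ WS0001
2004-03-01 08:15:02 538 WS0001$ WS0001
2004-03-01 08:30:04 540 WS0001$ WS0001
2004-03-01 08:30:05 538 WS0001$ WS0001
2004-03-01 08:45:01 540 WS0001$ WS0001
2004-03-01 08:45:02 538 WS0001$ WS0001
2004-03-01 08:02:10 540 WS0002$ WS0002
2004-03-01 08:02:11 538 WS0002$ WS0002
2004-03-01 08:17:09 540 WS0002$ WS0002
2004-03-01 08:17:10 538 WS0002$ WS0002
2004-03-01 08:32:12 540 WS0002$ WS0002
2004-03-01 08:32:13 538 WS0002$ WS0002
2004-03-01 08:11:40 540 jsmith WS0001
2004-03-01 08:11:41 538 jsmith WS0001
2004-03-01 08:13:22 540 jsmith WS0001
2004-03-01 08:19:05 538 jsmith WS0001
"""

LOGON, LOGOFF = 540, 538


def parse(log):
    """Parse the assumed flat layout into (timestamp, event_id, account, workstation)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, eid, account, workstation = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(eid), account, workstation))
    return events


def logon_intervals(events):
    """Median seconds between consecutive 540 events, per account (None if only one)."""
    times = defaultdict(list)
    for ts, eid, account, _ in events:
        if eid == LOGON:
            times[account].append(ts)
    result = {}
    for account, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        result[account] = median(gaps) if gaps else None
    return result


def classify(events, period=900, tolerance=60):
    """Label each account: periodic computer-account traffic vs. everything else.

    'periodic-machine': name ends in '$' and the 540 cadence is within
    `tolerance` seconds of `period` (15 min by default, as in the post).
    'machine-irregular': a computer account whose cadence does not fit.
    'user': any non-computer account; these are the ones to review first.
    """
    labels = {}
    for account, gap in logon_intervals(events).items():
        if not account.endswith("$"):
            labels[account] = "user"
        elif gap is not None and abs(gap - period) <= tolerance:
            labels[account] = "periodic-machine"
        else:
            labels[account] = "machine-irregular"
    return labels


def projected_daily_events(workstations, dcs, period=900, events_per_session=2):
    """Events per day across all DCs if every workstation opens one 540/538
    session to every DC once per `period` seconds (the post's scenario)."""
    sessions_per_day = 86400 // period          # 96 for a 15 minute period
    return workstations * dcs * sessions_per_day * events_per_session


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for account, label in classify(ev).items():
        print(f"{account:10s} {label}")
    print("projected/day for 10,000 workstations, 3 DCs:",
          projected_daily_events(10_000, 3))
```

With the post's figures, 10,000 workstations against three DCs at a 15 minute cadence works out to 96 sessions per workstation per DC per day, i.e. roughly 1.9 million 540/538 events per DC per day from machine accounts alone, which is why the success side of logon auditing becomes unmanageable at that scale. Once the periodic computer-account sessions are filtered out, the remaining 540/538 events are the ones that carry signal.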