UDP 137 from domain controller to Internet?

dave

I have a domain controller running Windows 2000 Server. It
is patched and scanned clean for viruses. I periodically see
it trying to send UDP port 137 to an IP address of
172.16.2.100, which does not exist on my private network,
so it heads out the firewall looking for this private IP
address on the Internet (which of course it can't). We are
172.16.1.x internally. Is this just normal Windows
sloppiness or should I look deeper? I've looked everywhere
I can think of on this server and it keeps trying to send
out UDP 137 to this single address.
 
Steven L Umbach

I believe the address it is trying to send to is also a "private" block address, which
makes me believe you have a misconfiguration on that server somewhere. Port 137 UDP
is used for NetBIOS naming. I would check WINS configuration in TCP/IP properties,
lmhosts file, hosts file, WINS server configuration including replication partners
and WINS database, DNS configuration including zone WINS lookups and even DNS records
for a possible misconfigured static record, any UNC mappings on server that may use
IP address. Do you have a 172.16.2.100 on your network? Maybe if you do it will give
you a clue as to what to check. Look in Event Viewer for any errors that may be
related. Yes, I know I listed hosts file and DNS records, but in a NetBIOS name
resolution attempt they can also be used if normal methods fail, so they are worth
checking if nothing else pans out.

--- Steve
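
The lmhosts and hosts checks suggested above can be automated. The following is an added example, not part of the original posts: it parses both file formats and, going slightly beyond a search for the single address, reports every static entry that points outside the internal subnet plus any LMHOSTS `#INCLUDE` of a remote file. The file contents and host names are constructed samples; the 172.16.1.0/24 subnet is assumed from the "172.16.1.x" in the question.

```python
import ipaddress

# Constructed sample files (not taken from the poster's server).
SAMPLE_LMHOSTS = """\
# static NetBIOS mappings
172.16.1.10   DC01      #PRE #DOM:CORP
172.16.2.100  OLDSRV    #PRE
#INCLUDE \\\\OLDSRV\\public\\lmhosts
"""
SAMPLE_HOSTS = """\
127.0.0.1     localhost
172.16.1.20   mail.corp.example
172.16.2.100  legacy.corp.example   # leftover entry
"""

def audit_name_file(text, local_net, lmhosts=False):
    """Return (line_no, kind, detail) for entries that lead outside local_net."""
    net = ipaddress.ip_network(local_net)
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if lmhosts and line.upper().startswith("#INCLUDE"):
            # LMHOSTS can pull in a remote file; its server name must be resolved.
            parts = line.split(None, 1)
            findings.append((no, "include", parts[1] if len(parts) > 1 else ""))
            continue
        # Drop comments and LMHOSTS tags such as #PRE or #DOM:, keep "addr name".
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        if addr.is_loopback or addr in net:
            continue
        findings.append((no, "static", f"{fields[1].strip()} -> {addr}"))
    return findings

if __name__ == "__main__":
    for label, text, is_lm in (("lmhosts", SAMPLE_LMHOSTS, True),
                               ("hosts", SAMPLE_HOSTS, False)):
        for no, kind, detail in audit_name_file(text, "172.16.1.0/24", is_lm):
            print(f"{label}:{no}: {kind}: {detail}")
```

To use it on a real server, pass in the text of copies of `%SystemRoot%\system32\drivers\etc\hosts` and `lmhosts` instead of the samples.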
 
