DC performing DNS queries on Workstations


Chris

Does anyone know why a Windows 2000 Adv Server SP4 Domain Controller (2000
native mode) would be doing DNS queries to find workstations?

What we are seeing is one of our DC's is doing massive DNS queries.

We see it looking for AD entries then about 2 doz workstations and then more
AD entries. Specifically the AD entries are about itself in DNS. What we
don't know is why the DC is looking for the workstations. Anyone have an
idea?

I believe it might be normal traffic but I need to be sure. I think the DNS
queries could be for workstations that are currently authenticated to the
domain by this DC, but I'm not sure.

The DC is also a secondary DNS server to a BIND DNS server. The DC is not
pointing to itself for DNS but to the BIND server only.

Thanks
 
Chris said:
Does anyone know why a Windows 2000 Adv Server SP4 Domain Controller (2000
native mode) would be doing DNS queries to find workstations?

Servers are frequently DNS clients too.

What we are seeing is one of our DC's is doing massive DNS queries.

Massive sounds odd. Have you tried capturing the packets to see
what is being requested and, perhaps more usefully, what program/service
is doing the requesting (relate the listening/reply socket port to the
running process)?
We see it looking for AD entries then about 2 doz workstations and then
more AD entries. Specifically the AD entries are about itself in DNS.
What we don't know is why the DC is looking for the workstations. Anyone
have an idea?

I seldom suggest that a virus or trojan is involved during a
first report of such oddities but this does sound vaguely like
SOME application is trying to "map" your network.
I believe it might be normal traffic but I need to be sure. I think the
DNS queries could be for workstations that are currently authenticated to
the domain by this DC, but I'm not sure.

Normal would be for the DC to be contacted by the Workstations,
not the other way around.
The DC is also a secondary DNS server to a BIND DNS server. The DC is not
pointing to itself for DNS but to the BIND server only.

This may be sub-optimal although it is common for some so-called
'experts' without a full understanding of DNS to recommend it.

It is unlikely to be directly related to your current symptoms though.

One would also wonder why you are using BIND (it is practically
never better and usually worse for an AD domain) when you have
a DC which can do the job (for an AD domain) better.

Again, that should NOT be your problem however.
 
I have more information regarding this:

It appears that all my DCs are looking for these workstations in and around
the time AD replication occurs. It is a specific set of workstations.
Around 2 doz of them. They are all in AD and so far we haven't found any
processes or software that would account for this.

Maybe this information might help shed some light on this.




 
Chris said:
I have more information regarding this:

It appears that all my DCs are looking for these workstations in and
around the time AD replication occurs.

When is that? Local replication happens (almost) immediately
and site-site (intersite) replication occurs on the schedule at the
frequency you set in the site link.

How are you actually noticing this?
It is a specific set of workstations. Around 2 doz of them. They are all
in AD and so far we haven't found any processes or software that would
account for this.

2 doz? Is that all or only some small portion of your workstations?
(Just looking for patterns.)
Maybe this information might help shed some light on this.

No, the only thing that has even come close to occurring to me
is perhaps something to do with "checking the client's IP"
during authentication but I have never heard of that so it's
not even a real hypothesis.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
The DNS queries we see in our BIND DNS logs.

Then on the DC I see in the Security Logs the Event ID 565, Category:
"Directory Service Access" stating "Replication Synchronization" with all
its replication partners at the time the DNS queries to the workstations
take place.

We have over 3500 workstations so no, it is not all of them. But it is the
same workstations each time we see this. We are looking at the workstations
but have yet to find anything different about them.

Also none of the workstations are in DNS. They are in WINS though.

Any ideas would be helpful at this point.

 
Chris said:
The DNS queries we see in our BIND DNS logs.

Then on the DC I see in the Security Logs the Event ID 565, Category:
"Directory Service Access" stating "Replication Synchronization" with all
its replication partners at the time the DNS queries to the
workstations take place.

We have over 3500 workstations so no, it is not all of them. But it is the
same workstations each time we see this. We are looking at the workstations
but have yet to find anything different about them.

Also none of the workstations are in DNS. They are in WINS though.

Any ideas would be helpful at this point.

Nothing concrete...my next thought (with the above detail)
is that perhaps those clients are using IPs formerly allocated
to some DC(s).

Running DCDiag (regularly) is always a good idea. Looking
for any references to those clients' IPs in DNS is another, e.g.,
oldDCName == Current.IP.of.Client.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
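Herb's two concrete suggestions, find out exactly what is being requested and then look in DNS for anything that still maps an old DC name to a client's current address, can both be checked against the BIND query logs Chris mentions. The following is an added example written for this page; it is not code from the thread or from either poster. It assumes constructed BIND 9 query-log lines (syslog prefix plus named's `client IP#port: query: NAME IN TYPE +` format), a constructed zone snapshot and a constructed workstation-to-IP table such as one would pull from WINS or DHCP; every name in it (corp.example.com, dc01/dc02, ws-*, the SAMPLE_* constants, burst_lookups, stale_dc_records) is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of BIND 9 query-log lines (syslog prefix plus named's
# "client IP#port: query: NAME IN TYPE +" format). Not taken from the thread.
# 10.1.0.10 plays the DC; 10.1.5.44 is an ordinary workstation for contrast.
SAMPLE_QUERY_LOG = """\
Jan 14 02:00:01 ns1 named[1042]: client 10.1.0.10#3217: query: dc01.corp.example.com IN A +
Jan 14 02:00:01 ns1 named[1042]: client 10.1.0.10#3217: query: _ldap._tcp.dc._msdcs.corp.example.com IN SRV +
Jan 14 02:00:02 ns1 named[1042]: client 10.1.0.10#3218: query: ws-1187.corp.example.com IN A +
Jan 14 02:00:02 ns1 named[1042]: client 10.1.0.10#3218: query: ws-0412.corp.example.com IN A +
Jan 14 02:00:03 ns1 named[1042]: client 10.1.0.10#3219: query: ws-2290.corp.example.com IN A +
Jan 14 02:00:03 ns1 named[1042]: client 10.1.0.10#3219: query: ws-0077.corp.example.com IN A +
Jan 14 02:00:04 ns1 named[1042]: client 10.1.0.10#3220: query: ws-3105.corp.example.com IN A +
Jan 14 02:00:05 ns1 named[1042]: client 10.1.0.10#3220: query: dc01.corp.example.com IN A +
Jan 14 09:30:15 ns1 named[1042]: client 10.1.5.44#1049: query: dc01.corp.example.com IN A +
Jan 14 09:30:16 ns1 named[1042]: client 10.1.5.44#1050: query: www.example.com IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<rtype>\S+)"
)


def parse_query_log(text):
    """Return (minute_bucket, client_ip, qname, qtype) for every query line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # some other syslog line; ignore
        minute = m.group("ts").rsplit(":", 1)[0]  # "Jan 14 02:00:01" -> "Jan 14 02:00"
        records.append((minute, m.group("client"), m.group("name").lower(), m.group("rtype")))
    return records


def is_ad_infrastructure(qname):
    """SRV-style names and anything under _msdcs are a DC locating itself or its peers."""
    return qname.startswith("_") or "._msdcs." in qname


def burst_lookups(records, dc_names, min_distinct=5):
    """Flag clients that query >= min_distinct distinct non-DC hostnames within one minute.

    Returns {client_ip: sorted hostnames} covering every minute that crossed the threshold,
    which is the "which names, from which source, when" Herb asks for.
    """
    per_bucket = defaultdict(set)
    for minute, client, qname, _rtype in records:
        if is_ad_infrastructure(qname) or qname in dc_names:
            continue
        per_bucket[(client, minute)].add(qname)
    flagged = defaultdict(set)
    for (client, _minute), names in per_bucket.items():
        if len(names) >= min_distinct:
            flagged[client].update(names)
    return {client: sorted(names) for client, names in flagged.items()}


# Constructed zone snapshot as (owner, type, rdata). dc02 was decommissioned but its
# A record and SRV registration were never cleaned up (hypothetical scenario).
SAMPLE_ZONE = [
    ("dc01.corp.example.com", "A", "10.1.0.10"),
    ("dc02.corp.example.com", "A", "10.1.7.23"),
    ("_ldap._tcp.dc._msdcs.corp.example.com", "SRV", "0 100 389 dc01.corp.example.com"),
    ("_ldap._tcp.dc._msdcs.corp.example.com", "SRV", "0 100 389 dc02.corp.example.com"),
]

# Constructed current addresses of the flagged workstations, e.g. from WINS or DHCP leases
# (the thread says these hosts are not in DNS at all).
SAMPLE_WORKSTATION_IPS = {
    "ws-1187.corp.example.com": "10.1.7.23",
    "ws-0412.corp.example.com": "10.1.7.24",
    "ws-2290.corp.example.com": "10.1.8.3",
    "ws-0077.corp.example.com": "10.1.8.19",
    "ws-3105.corp.example.com": "10.1.9.140",
}


def stale_dc_records(zone, workstation_ips):
    """Herb's check, oldDCName == Current.IP.of.Client: A records whose owner is not the
    workstation but whose address a flagged workstation now holds.

    Returns (stale_owner, ip, workstation, srv_owners_pointing_at_stale_owner) tuples.
    """
    ip_to_ws = {ip: ws for ws, ip in workstation_ips.items()}
    srv_targets = defaultdict(list)
    for owner, rtype, rdata in zone:
        if rtype == "SRV":
            srv_targets[rdata.split()[-1].lower()].append(owner)
    hits = []
    for owner, rtype, rdata in zone:
        if rtype == "A" and rdata in ip_to_ws and owner.lower() != ip_to_ws[rdata]:
            hits.append((owner, rdata, ip_to_ws[rdata], srv_targets.get(owner.lower(), [])))
    return hits


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_QUERY_LOG)
    for client, names in burst_lookups(recs, {"dc01.corp.example.com"}).items():
        print(f"{client} burst-queried {len(names)} hosts: {', '.join(names)}")
    for owner, ip, ws, srvs in stale_dc_records(SAMPLE_ZONE, SAMPLE_WORKSTATION_IPS):
        print(f"stale A record {owner} -> {ip}, now used by {ws}; referenced by SRV {srvs}")
```

Run against real named query logs, the first function gives the per-DC list of names and the minute they were asked for, which can then be lined up with the Event ID 565 replication entries Chris sees; the second function only needs the zone contents and a current name-to-address table, and a non-empty result is the stale-record situation Herb describes, with the SRV owners showing why every DC would keep resolving that name.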
 
One of the first things I did was to look for the IP and host names in
DNS. Nothing there. Also it is, or was, occurring from all 19 of our DCs, not
just a few. What I mean by "was" is that it has mysteriously stopped since
this past weekend, with no explanation as to why. I will keep an eye on it
and go from there.

Thanks for everyone's help on this.


 
Chris said:
One of the first things I did was to look for the IP and host names
in DNS. Nothing there. Also it is, or was, occurring from all 19 of our DCs, not
just a few. What I mean by "was" is that it has mysteriously stopped since
this past weekend, with no explanation as to why. I will keep an eye on
it and go from there.

Thanks for everyone's help on this.

If it returns or, more IMPORTANTLY, if you ever resolve it, please
post about that.

I remain interested whether I can help you solve it or not.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]