Well, what I meant by AD-leveraging is any third-party or
home-grown app that uses AD-awareness. This is either
happening due to MS software, or something that wants
to locate an ldap server and knows how to go about it.
For example, any code that tries to use an ldap moniker
in an ASs or Adsi binding action, etc..
For example, the following docs a new flag added at SP1
to avoid the problem when a servername is given to an
ldap bind action. However, it is up to the developer to
use the flag, and also if you read closely, to make sure
that they no longer use GetObject, replacing those with
OpenObject.
http://support.microsoft.com/default.aspx?scid=kb;en-us;258507&Product=win2000
The records you just quoted show it (on 10.10.20.86 )
trying to find an Ldap service in its site, and then to find
one for the forestroot domain.
The problem is simply that it (whatever it is) thinks that
the forestroot domain is DC3 instead of the correct value.
The records in your original post showed the same thing
happening, except it exampled it cycling through about
8 or 9 names in place of the DC3.
The records you posted in reply to Ace elsewhere in this
thread show it doing this, following a pattern of normal
DNS suffix appending, hence first
<host>.anydomain.com is tried, then simply <host>
Now, in initial post, the salt-and-peppered about
examples, where it used for the domain such as
(3)dc1(9)adexpedia(3)com(0)
are 1) most bizzard, 2) in this example from the same
machine (10.10.20.86 ) as the DC3 records exampled
in this post, and 3) perhap a very big clue as to what is
originating this (why adexpedia.com - others like this,
or always this?).
When you look at the (non-salt-and-peppered) queries
is there any correspondance between sender's IP and
hostname ??
Ex.
here we have
10.10.20.86 DC3
or in initial post
10.10.20.97 PV3
10.10.21.41 LSSE2
192.168.1.161 P2
10.10.20.59 SQL2
10.10.21.36 LPUB1
10.10.21.30 DEVADMIN
10.10.20.45 NS2
10.10.20.83 SSE1
10.10.20.95 SSE3
We are not that lucky are we, as to have this hostname
of the sender being used in place as its domain ?
Is there any rhyme or reason why the machine indicated
by IP would be trying to ldap bind to the host they try?
From their hostnames I would guess they are not all DCs.
Following up on your stating that you have raked the
KBs over, we then need to be creative in absence of
info from relevant articles. Is there any ability to watch
(sysmon trace) a machine to profile CPU time by process
over a time period during it might be possible to timestamp
correlate with its sending to Tcp to port 53 at your DNS
server IP ? (Probably impossible to do if a given machine
just does the 4 or so malformed queries in a short time and
then does not do it again for a lengthy time).
I am just trying to get at what it is that is doing this.
--
Roger
relay_denied said:
These requests are coming from multiple machines. There seems to be very
little common ground between them other than W2K, SP4, all latest updates
installed (we try to stay on top of this). The type of ill formation that
gets no domain name at the end do get forwarded to root servers (no fowarder
set). The ill formation that injects the machines name in the center of SRV
lookup stay local but just never get a correct response. I have even seen
the machines change the request, working farther up the folder structure of
the SRV records. Seems like they keep trying for some sort of an answer to
no avail.
Rcv 10.10.20.86 bdba Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 3c64 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Rcv 10.10.20.86 5abc Q [0001 D NOERROR]
(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 1c6d Q [0000 NOERROR]
(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Nothing really strange in the services list, a couple have some home grown
services but not consistant across all machines. Some certainly get used
more than others. We collect performance statistics every 15 minutes and
query it at the end of the day. Most machines stay below our thresholds:
Processor 50%, Paging 20%, commited RAM in use 50%, etc... . These are
mainly HP DL320 and DL380s.
I am not sure what you mean by AD leveraging application?
Really wish I was listing something really weird here, but we are a pretty
straight forward shop. Have you given you anything you can use? any ideas?
This at times really generates a lot of traffic.
Roger Abell said:
Hi Paul,
It looked as if you have multiple machines sending these requests
that in turn were forwarded.
Can you generalize what is the same in terms of the software load
between these machines ? OS versions ? Services started ?
AD leveraging application installed ?
Roger
I apologize, maybe I should rephrase my response and question. If the
requests are coming from the W2K servers on the local network, and I know
the address of the offender, what would be the next step to figuring out
why
this is happening.
Thank You,
Paul
In my mind, I would first want to track down where these are comming
from.
I would start with NetMon (or other) and filter on DNS packets and try
catch
some of these comming or going on the DNS server. You should then be
able
to determine the IP address (and hence box) where these are comming
from.
--
William Stacey, MVP
First of all thank you for reading and especially for any assistance.
We experience odd pauses at times in some network services such as
MSMQ,
mail delivery, or others that at least led me to look at the DNS
logging
for
any information I may find. although I am not convinced yet my problem
lies
completely in DNS, there certainly is a peculiarity.
I first starting seeing misconfigured SRV lookups scattered
about,
but
I
now
have seen little storms of these like as many as 150 or so right
in
a
row.
It is not only a nuisance to us but these get forwarded to root
servers
since the lookup ends in a machine name instead of a known domain
name.
I have looked quite exhaustively for an explanation or even an
explanation
of what I am looking at when I have complete logging on. There seems
to
be
very little describing the logs and nothing on these misconfigured
lookups.
I have included just a few examples, it is just a few from the
top
of
one
of
the storms. There are two types of error.
Machine name at end instead of domain name, these come in storms
Rcv 10.10.20.97 26e4 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Snd 202.12.27.33 188d Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Rcv 10.10.21.41 4e2e Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LSSE2(0)
Snd 202.12.27.33 2094 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LSSE2(0)
Rcv 192.168.1.161 93a6 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(2)P2(0)
Snd 202.12.27.33 289a Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(2)P2(0)
Rcv 10.10.20.59 93fa Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SQL2(0)
Snd 202.12.27.33 18a0 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SQL2(0)
Rcv 10.10.21.36 e1e0 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LPUB1(0)
Snd 202.12.27.33 28ac Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LPUB1(0)
Rcv 10.10.21.30 476f Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(8)DEVADMIN
(0)
Snd 202.12.27.33 38b6 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(8)DEVADMIN
(0)
Rcv 10.10.20.45 b01a Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)NS2(0)
Snd 202.12.27.33 38bd Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)NS2(0)
Rcv 10.10.20.83 0b53 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE1(0)
Snd 202.12.27.33 28c0 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE1(0)
Rcv 10.10.20.95 1ba1 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE3(0)
Machine name injected into path, dc1(9) these are scattered about:
Rcv 10.10.20.86 ca9b Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc1(9)ad
expedia(3)com(0)
Snd 10.10.20.86 ca9b R Q [8385 A DR NXDOMAIN]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc1(9)ad
expedia(3)com(0)
Rcv 10.10.20.86 209d Q [0001 D NOERROR]
(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Snd 10.10.20.86 209d R Q [8385 A DR NXDOMAIN]
(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Any assistance with an explanation and possibly a fix would be greatly
appreciated. If there is a good source for troubleshooting W2K
DNS
or
reading the logs I would welcome the reading.
), but you can see all machine names, all forwarded requests and the full answers. You can watch the prgression from the domain lookup to as you say the forest lookup.