DC floods LAN

Hi All:

Hope this is the correct forum for this post.

We have experienced the following problem on a number of occasions now and
up until this point have not found a solution.

After patching a Server 2003 R2 Domain Controller and rebooting the DC
essentially runs a DOS on the LAN. After a reboot the problem clears again. I
have captured this traffic on one of the DC's that caused this problem. The
capture showed thousands of packets per second.

The packets were all UDP from the DC to 224.0.1.24, the source and
destination port was 42.

Has anyone else experienced this or perhaps know what the cause may be?

Thanks
SB

In news:8319A987-42B5-4978-B000-(E-Mail Removed),
sir-bob <(E-Mail Removed)>, posted the following:
> Hi All:
>
> Hope this is the correct forum for this post.
>
> We have experienced the following problem on a number of occasions
> now and up until this point have not found a solution.
>
> After patching a Server 2003 R2 Domain Controller and rebooting the DC
> essentially runs a DOS on the LAN. After a reboot the problem clears
> again. I have captured this traffic on one of the DC's that caused
> this problem. The capture showed thousands of packets per second.
>
> The packets were all UDP from the DC to 224.0.1.24, the source and
> destination port was 42.
>
> Has anyone else experienced this or perhaps know what the cause may
> be?
>
> Thanks
> SB

I have not seen this, but FYI, TCP and UDP port 42 are the WINS replication
ports. WINS uses these ports for communication between replication partners.
And IP 224.0.0.0 through 239.255.255.255 is the multicast range.

Are you using WINS? If so, do you have more than one WINS server? If so, are
they replication partners?

If WINS is not installed, can use netstat, or TCPView (free download) to
identify which exe is broadcasting.

Do you remember which patch was installed that you believe started the
broadcasts?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Thanks for the reply Ace.

The first time around I don't remember which patches they were, the second
time around was yesterday with the lates patches from MS. The problem seems
to have happened only at the first reboot after the patches. After rebooting
again the problem disappears.

We aren't using WINS across the network, there are no replication partners
configured.

I guess a workaround is to ensure rebooting any server twice rather than
once

SB

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> In news:8319A987-42B5-4978-B000-(E-Mail Removed),
> sir-bob <(E-Mail Removed)>, posted the following:
> > Hi All:
> >
> > Hope this is the correct forum for this post.
> >
> > We have experienced the following problem on a number of occasions
> > now and up until this point have not found a solution.
> >
> > After patching a Server 2003 R2 Domain Controller and rebooting the DC
> > essentially runs a DOS on the LAN. After a reboot the problem clears
> > again. I have captured this traffic on one of the DC's that caused
> > this problem. The capture showed thousands of packets per second.
> >
> > The packets were all UDP from the DC to 224.0.1.24, the source and
> > destination port was 42.
> >
> > Has anyone else experienced this or perhaps know what the cause may
> > be?
> >
> > Thanks
> > SB
>
> I have not seen this, but FYI, TCP and UDP port 42 are the WINS replication
> ports. WINS uses these ports for communication between replication partners.
> And IP 224.0.0.0 through 239.255.255.255 is the multicast range.
>
> Are you using WINS? If so, do you have more than one WINS server? If so, are
> they replication partners?
>
> If WINS is not installed, can use netstat, or TCPView (free download) to
> identify which exe is broadcasting.
>
> Do you remember which patch was installed that you believe started the
> broadcasts?
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> (E-Mail Removed)
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
>

"sir-bob" <(E-Mail Removed)> wrote in message
news:9860CE73-7EC0-4525-88EC-(E-Mail Removed)...
> Thanks for the reply Ace.
>
> The first time around I don't remember which patches they were, the second
> time around was yesterday with the lates patches from MS. The problem
> seems
> to have happened only at the first reboot after the patches. After
> rebooting
> again the problem disappears.
>
> We aren't using WINS across the network, there are no replication partners
> configured.
>
> I guess a workaround is to ensure rebooting any server twice rather than
> once
>
> SB

Hmm, I guess if that works, keep with it!

It's just odd that the WINS port is causing the flooding, and WINS is not
installed. Hmmm again!

Cheers!

Ace