A lot of network traffic from lsass.exe to DC

    Question

  • Hello,

    I noticed that some recently installed laptops (about a dozen) are doing a lot of traffic to our DC servers. CPU utilization on the DC servers is between 70-80% or even more because of these connections.

    Traffic is coming from lsass.exe (on the laptops) to our DC servers (lsass.exe as well). Traffic is between 5-10GB a day per laptop.

    C:\Users\Administrateur>netstat -an | findstr 49155
      TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
      TCP    laptop:49168    dc2:49155  ESTABLISHED
      TCP    [::]:49155             [::]:0                 LISTENING

    On each laptop, a connection is established by lsass to the port 49155 on a DC server. Network capture shows RPC traffic.

    I just upgraded one of these laptops but the problem is still here.

    Do you have any idea? For now, I don't know what to do next... :(

    Thank you!

    Thomas


    Tuesday, January 31, 2017 12:49 PM

All replies

  • Hi

    Check the details of this similar case:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/caf97fc2-ad65-47d6-b8e2-38401dd31143/port-49155-and-49159-on-domain-controller?forum=winserverDS


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, January 31, 2017 1:14 PM
  • Thank you for your reply!

    I've read this topic already but it didn't really help.

    Thomas

    Tuesday, January 31, 2017 1:40 PM
  • Please collect the AD data collector set data and try to find out if you are getting any expensive queries which are being sent to the Active Directory DCs.

    Also, you can have Network Monitor installed on a domain controller and try to filter the data from one of the newly installed laptops in your environment to capture what sorts of queries are being sent to the domain controllers.

    Thursday, February 2, 2017 9:34 PM
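
The triage suggested in the last reply, as an added example that is not part of the original thread or written by any of its posters: on the DC, count established connections to the dynamic RPC ports owned by lsass.exe per client address, then start the built-in AD DS data collector set. It assumes an elevated PowerShell session on Windows Server 2012 or later, where `Get-NetTCPConnection` is available.

```powershell
# Added example; run elevated on the domain controller.
# Assumption: Windows Server 2012 or later (Get-NetTCPConnection is not present on older releases).

# PID of the Local Security Authority process on this DC.
$lsassPid = (Get-Process -Name lsass).Id

# Dynamic RPC ports that lsass listens on (49155 in the netstat output from the question).
# 49152 is the start of the default dynamic port range on Windows Vista/2008 and later.
$lsassPorts = Get-NetTCPConnection -State Listen -OwningProcess $lsassPid |
    Where-Object { $_.LocalPort -ge 49152 } |
    Select-Object -ExpandProperty LocalPort -Unique

# Established sessions to those ports, counted per client address.
# This shows which clients hold connections, not how many bytes they send;
# byte volume still needs the network capture mentioned in the reply.
Get-NetTCPConnection -State Established -OwningProcess $lsassPid -ErrorAction SilentlyContinue |
    Where-Object { $lsassPorts -contains $_.LocalPort } |
    Group-Object -Property RemoteAddress |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# Start the built-in "Active Directory Diagnostics" data collector set.
# It stops on its own after its configured duration; the resulting report is listed in
# Performance Monitor under Reports > System > Active Directory Diagnostics.
logman start "system\Active Directory Diagnostics" -ets
```

Run the collector while the laptops are connected so the report covers the traffic in question, then compare the client addresses it lists with the per-client counts above.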