I just noticed that my DC (W2k3 R2 Enterprise SP2) is sending LDAP queries to an IP address that is assigned to a NAS device (snapserver). The snapserver is in another AD site and has Active Directory integration listed as a feature. I have no idea how it is configured since I have no access to it.
TCP SRC: 172.20.20.50:389 dest: 172.22.50.100:34252 TIME_WAIT 0
TCP SRC: 172.20.20.50:389 dest: 172.22.50.100:35846 ESTABLISHED 392
TCP SRC: 172.20.20.50:389 dest: 172.22.50.100:35847 ESTABLISHED 392
PID 392: lsass.exe
An example:
1858 47.661264 Src=172.20.20.50 Dest=172.22.50.100 LDAP searchResEntry(69) "CN=Harry Potter,OU=LaLaLand,OU=Space,,DC=company,DC=com"
All the queries run up to 2 GB of outgoing traffic over a couple of hours. How can I troubleshoot this further?
If IP address 172.20.20.50 is the DC, then it's not the source of the LDAP traffic; it's the destination of the LDAP traffic. My guess is that the NAS is configured for AD integration/authentication and that it's trying to communicate with the DC.
Also, it appears that you're misinterpreting the packet capture. If you're running the packet capture from the DC (which is what it looks like), the capture will always show the DC as the source and the remote host as the destination, because the packet capture sees the traffic from the perspective of the host it's running on. This does not mean that the DC is the host that initiated the connection. If you were running netstat, the DC would appear as the local address and the NAS would appear as the foreign address.
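An added example (not part of the original question or answer) of how to settle the "who initiated it" question from the DC's own `netstat -ano` output rather than from packet direction: the side whose local port also shows up in LISTENING state (389, LDAP on a DC) is the server, and the peer holding an ephemeral port (34252, 35846, 35847 here) is the client that opened the connection. The netstat sample below is constructed to match the connections quoted in the question; the PIDs and the extra outbound SMB line are hypothetical.

```python
"""Classify the direction of TCP connections from Windows `netstat -ano` output.

A packet capture taken on the DC shows the DC as the *source* of every LDAP
response it sends, which says nothing about who opened the connection. The
listening side is the one whose local port also appears in LISTENING state;
the peer using an ephemeral port is the initiator.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` as it would look on the DC (172.20.20.50).
# PIDs and the last (outbound SMB) line are hypothetical.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       392
  TCP    172.20.20.50:389       172.22.50.100:34252    TIME_WAIT       0
  TCP    172.20.20.50:389       172.22.50.100:35846    ESTABLISHED     392
  TCP    172.20.20.50:389       172.22.50.100:35847    ESTABLISHED     392
  TCP    172.20.20.50:1134      172.20.20.60:445       ESTABLISHED     4
"""

# One TCP row: local addr:port, foreign addr:port, state, PID. Header lines do not match.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP line; the header and any non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            d["rport"] = int(d["rport"])
            d["pid"] = int(d["pid"])
            rows.append(d)
    return rows


def classify(rows):
    """Label each non-listening connection 'inbound' (peer initiated) or 'outbound'.

    A connection is inbound when its local port is one this host is listening on;
    otherwise the local side chose an ephemeral port and opened the connection.
    """
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    result = []
    for r in rows:
        if r["state"] == "LISTENING":
            continue
        direction = "inbound" if r["lport"] in listening else "outbound"
        result.append({**r, "direction": direction})
    return result


def summarize_by_peer(classified):
    """Count connections per (remote host, direction, local port) so a chatty client stands out."""
    counts = defaultdict(int)
    for c in classified:
        counts[(c["raddr"], c["direction"], c["lport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    conns = classify(parse_netstat(SAMPLE_NETSTAT))
    for c in conns:
        print(f"{c['raddr']}:{c['rport']} -> local :{c['lport']} "
              f"{c['state']:<12} pid={c['pid']} {c['direction']}")
    print(summarize_by_peer(conns))
```

Run against real `netstat -ano` output, every 172.22.50.100 connection lands in the "inbound" bucket on local port 389, which is the NAS binding to the DC as an LDAP client; an "outbound" row from the DC to the NAS on the NAS's own service port would be the only thing that supported the original reading.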