I've been doing some sniffing on my company's network to try to clean up some of the traffic and have noticed that one of our Server 2008 Domain Controllers is sending out ARPs every second or two to about 15 different addresses in the 169.254.0.0/16 subnet. The domain controller is in the 10.10.0.0/23 subnet. Anyone have any idea what could be causing these ARPs? As far as I can tell there aren't any clients on the network with 169.254.x.x addresses so I have no idea why the DC is trying to locate them.
The server does have two NICs but only one of them is connected. I disabled the unused NIC yesterday when I noticed the ARPing to see if that would change anything but from looking again today it has not.
The ipconfig /all output is:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : server-snip
       Primary Dns Suffix  . . . . . . . : snip.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : snip.com

    Ethernet adapter Local Area Connection 3:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 GT Desktop Adapter
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::885:cbff:b468:f229%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.0.63(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.10.0.6
       DNS Servers . . . . . . . . . . . : 10.10.0.63
                                           10.10.0.64
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{CD1C279E-711E-4426-84F6-FD1FF423B
    521}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

If all else fails to identify the cause, and ipconfig /all does not show any adapters bound on that range, you can use Network Monitor to identify the process originating traffic. If the process turns out to be spoolsv.exe, for example, you would be able to know to look for printers configured on those addresses.

The cause of the ARPs turned out to be that there are some hosts on other subnets with the 169.254.0.0/16 addresses and they are trying to reach NTP on the Windows Server. Our router is routing the traffic but of course the Windows Server has no idea how to reply. I still have to track down why these hosts are not getting DHCP addresses but at least I know the Windows Server is not the culprit.
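
Added example, not part of the original thread: a Python sketch that correlates ARP requests for 169.254.0.0/16 targets with inbound UDP packets carrying a link-local source address, which is the pattern the resolution above describes. It works on raw Ethernet frames; the sample frames, MAC addresses and 169.254.x.x hosts are constructed, and only 10.10.0.63 comes from the page.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify(frame):
    """Return ('arp', target_ip), ('udp', src_ip, src_mac, dport) or None."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x0806:                        # ARP
        (oper,) = struct.unpack("!H", frame[20:22])
        target = ipaddress.ip_address(frame[38:42])
        if oper == 1 and target in LINK_LOCAL:     # who-has for 169.254.x.x
            return ("arp", str(target))
    elif ethertype == 0x0800 and frame[23] == 17:  # IPv4 carrying UDP
        src = ipaddress.ip_address(frame[26:30])
        if src in LINK_LOCAL:
            ihl = (frame[14] & 0x0F) * 4           # IP header length in bytes
            (dport,) = struct.unpack("!H", frame[16 + ihl:18 + ihl])
            return ("udp", str(src), mac(frame[6:12]), dport)
    return None

def explain_arps(frames):
    """Map each link-local ARP target to the (delivering MAC, UDP port) seen from it."""
    inbound, targets = {}, set()
    for f in frames:
        hit = classify(f)
        if hit and hit[0] == "udp":
            inbound[hit[1]] = hit[2:]
        elif hit:
            targets.add(hit[1])
    return {ip: inbound.get(ip) for ip in sorted(targets)}

# Constructed sample frames: made-up MACs for the server and the router.
SERVER, ROUTER = bytes.fromhex("020000000063"), bytes.fromhex("020000000006")
SERVER_IP = ipaddress.ip_address("10.10.0.63").packed

def udp_frame(src_ip, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, SERVER_IP)
    return SERVER + ROUTER + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

def arp_request(target_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, SERVER, SERVER_IP,
                      bytes(6), ipaddress.ip_address(target_ip).packed)
    return b"\xff" * 6 + SERVER + b"\x08\x06" + arp

SAMPLE = [udp_frame("169.254.12.7", 123), arp_request("169.254.12.7"), arp_request("169.254.99.1")]

if __name__ == "__main__":
    for ip, cause in explain_arps(SAMPLE).items():
        print(ip, "<-", cause or "no inbound packet seen; check local processes")
```

An ARP target that maps to a delivering MAC and port 123 matches the routed NTP case; a target with no inbound packet points back to the process-level check suggested in the answer.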