2

I've been doing some sniffing on my company's network to try to clean up some of the traffic and have noticed that one of our Server 2008 Domain Controllers is sending out ARPs every second or two to about 15 different addresses in the 169.254.0.0/16 subnet. The domain controller is in the 10.10.0.0/23 subnet. Anyone have any idea what could be causing these ARPs? As far as I can tell there aren't any clients on the network with 169.254.x.x addresses, so I have no idea why the DC is trying to locate them.

The server does have two NICs but only one of them is connected. I disabled the unused NIC yesterday when I noticed the ARPing to see if that would change anything, but from looking again today it has not.

The ipconfig /all output is:

```
Windows IP Configuration

   Host Name . . . . . . . . . . . . : server-snip
   Primary Dns Suffix  . . . . . . . : snip.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : snip.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 GT Desktop Adapter
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::885:cbff:b468:f229%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.0.63(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.0.6
   DNS Servers . . . . . . . . . . . : 10.10.0.63
                                       10.10.0.64
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{CD1C279E-711E-4426-84F6-FD1FF423B521}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
```
Andrew S
  • Is the DC multi-homed? If so, is one of the interfaces configured to use DHCP? – joeqwerty Jan 15 '14 at 22:32
  • As initial help - those IPs are autoconfig. I.e. in this network you find computers that fail to get DHCP addresses. Check the server's network setup. – TomTom Jan 15 '14 at 22:33
  • Post the output of an `ipconfig /all` on that server here, please. There are no "PDC" computers in Active Directory. They're just DCs. There's a machine that holds a "PDC Emulator" role, but that doesn't somehow make that machine "primary"-- that's an NT 4.0 compatibility holdover. – Evan Anderson Jan 15 '14 at 22:45
  • A 169.154.x.x address is called an APIPA address, automatically assigned by Windows if a DHCP server cannot be contacted so that it can have at least local network connectivity. It's just an Automatic Private IP Address that Windows configures automatically when there is no DHCP to assign it one. – Mackenzie Carr Mar 13 '14 at 02:13

2 Answers

2

If all else fails to identify the cause, and ipconfig /all does not show any adapters bound on that range, you can use Network Monitor to identify the process originating traffic.

If the process turns out to be spoolsv.exe, for example, you would be able to know to look for printers configured on those addresses.

Mitch
1

The cause of the ARPs turned out to be that there are some hosts on other subnets with the 169.254.0.0/16 addresses and they are trying to reach NTP on the Windows Server. Our router is routing the traffic but of course the Windows Server has no idea how to reply. I still have to track down why these hosts are not getting DHCP addresses but at least I know the Windows Server is not the culprit.

Andrew S
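The correlation behind the explanation above, as an added example that is not part of the original thread: for every 169.254.0.0/16 address the server ARPs for, check whether an earlier inbound packet from that address arrived with the router's source MAC. The frame tuples, the gateway MAC and all 169.254.x.x hosts are constructed sample data; only 10.10.0.63 and NTP (UDP 123) come from the thread.

```python
import ipaddress

# Constructed frames as seen on the server's NIC (not from the original capture).
# ("ip", src_mac, src_ip, dst_ip, udp_dst_port) or ("arp", sender_ip, target_ip)
GATEWAY_MAC = "00:11:22:33:44:55"  # assumed MAC of the default gateway 10.10.0.6
FRAMES = [
    ("ip", GATEWAY_MAC, "169.254.17.8", "10.10.0.63", 123),
    ("arp", "10.10.0.63", "169.254.17.8"),
    ("ip", GATEWAY_MAC, "169.254.90.4", "10.10.0.63", 123),
    ("arp", "10.10.0.63", "169.254.90.4"),
    ("arp", "10.10.0.63", "169.254.90.4"),
    ("ip", "66:77:88:99:aa:bb", "10.10.1.20", "10.10.0.63", 53),
    ("arp", "10.10.0.63", "10.10.1.20"),
    ("arp", "10.10.0.63", "169.254.200.1"),
]

def is_link_local(addr):
    return ipaddress.ip_address(addr).is_link_local  # True for 169.254.0.0/16

def explain_link_local_arps(frames, server_ip, gateway_mac):
    """Map each link-local ARP target to the inbound traffic that explains it."""
    inbound, report = {}, {}
    for frame in frames:
        if frame[0] == "ip":
            _, src_mac, src_ip, dst_ip, port = frame
            if dst_ip == server_ip and is_link_local(src_ip):
                seen = inbound.setdefault(src_ip, {"routed": False, "ports": set()})
                # Source MAC of the router means the packet was forwarded from
                # another subnet, so the sender is not on this segment.
                seen["routed"] |= (src_mac == gateway_mac)
                seen["ports"].add(port)
        elif frame[0] == "arp":
            _, sender_ip, target_ip = frame
            if sender_ip == server_ip and is_link_local(target_ip):
                entry = report.setdefault(target_ip, {"arps": 0, "cause": "unexplained"})
                entry["arps"] += 1
                seen = inbound.get(target_ip)
                if seen and seen["routed"]:
                    entry["cause"] = "reply to routed client, ports %s" % sorted(seen["ports"])
                elif seen:
                    entry["cause"] = "reply to on-link client"
    return report

if __name__ == "__main__":
    for ip, info in explain_link_local_arps(FRAMES, "10.10.0.63", GATEWAY_MAC).items():
        print(ip, info)
```

Targets left as "unexplained" have no matching inbound packet in the capture and are the ones worth tracing to a process, as the other answer suggests.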