Servers attempting to connect to APIPA address over internet

[Guest Shawn McCabe]

Seeing some strange activity from 3 of our exchange servers and one DC (A

global catalog server) all Windows Server 2003.

 

Firewall logs are showing multiple blocked attempted connections to the

internet by servers to mainly APIPA addresses - over multiple different

ports. i.e.

 

Source: DC

Service: TCP 1270 (ports always varies)

Destination: 169.254.241.60 (address always varies but is usually APIPA).

 

When running port reporter, netstat, or TCPView on offending servers -

traffic can not be seen...

 

Initially considered spoofing but firewall was able to determine correct MAC

address of NIC.

 

Anyone ever seen this or anything like it?

[Guest Ryan Hanisco]

RE: Servers attempting to connect to APIPA address over internet

 

Make sure that you have any unused NICs disabled on your domain controllers.

If you just leave them unplugged, they will assume an APIPA address and

advertize in DNS. Once they are disabled, restart the netlogon service and

clean DNS.

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

http://www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

 

 

"Shawn McCabe" wrote:

> Seeing some strange activity from 3 of our exchange servers and one DC (A

> global catalog server) all Windows Server 2003.

>

> Firewall logs are showing multiple blocked attempted connections to the

> internet by servers to mainly APIPA addresses - over multiple different

> ports. i.e.

>

> Source: DC

> Service: TCP 1270 (ports always varies)

> Destination: 169.254.241.60 (address always varies but is usually APIPA).

>

> When running port reporter, netstat, or TCPView on offending servers -

> traffic can not be seen...

>

> Initially considered spoofing but firewall was able to determine correct MAC

> address of NIC.

>

> Anyone ever seen this or anything like it?