Excessive traffic between AD server and PC stations on port 445

Richard Eduardo Sánchez Castro 26 Reputation points
2022-02-07T17:33:44.95+00:00

We have about 250 computers connected to our AD server; GPOs and authentication are applied.

As shown in the picture, while monitoring traffic on the server, it sends about 500000 B/s to many hosts, about 15 of them.

[image: 171928-imagen.png]

I ran netstat on the server and it shows that connections are established on port 445.

[image: 172021-imagen.png]

When monitoring on my firewall all the traffic from my server 192.168.1.9, it ends up being a lot: 416GB over 3 days.

[image: 171980-imagen.png]

Here goes the question. Is this normal behavior for my AD server? Can I reduce this traffic in any way?


Accepted answer
  1. Gary Reynolds 9,621 Reputation points
    2022-02-08T07:38:47.57+00:00

    Hi @Richard Eduardo Sánchez Castro

    With the level of information provided, it's difficult to confirm whether this is normal or not. However, here are a few points that might help.

    Port 445 is for CIFS/file access, and as this is the DC, it's likely to be DFS/file share access. It's normal for a workstation to talk to the DC, as they will read the sysvol share when applying GPOs. The Computer Management console is able to provide some limited information on the sessions and files that are currently being accessed.

    As for the 416GB transferred over three days, it's hard to say if this is normal or not; it depends on the network topology and the workstation workloads. It could be backup traffic, file access, patching or any number of reasons. Without a breakdown of the traffic based on source and target addresses and ports, it's difficult to know what this is. If you want more details, check if the firewall provides a breakdown of the traffic type with source and target information, or use network capture software such as Wireshark to get more info.

    Is the volume of network traffic causing any issues? If not, and the server is working OK, I wouldn't be too concerned based on the information provided.

    Gary.

    4 people found this answer helpful.

3 additional answers

  1. Limitless Technology 39,931 Reputation points
    2022-02-14T21:24:33.843+00:00

    Hello @Richard Eduardo Sánchez Castro

    Port 445 is commonly used by the modern SMB traffic stack. If you have 250 computers, it doesn't sound strange to have 15 connections open (6%). It highly depends on the access to shares on the .9 server and the kind of data. For example, it is not the same if they edit Excel files as if they edit 4K video. My suggestion besides that would be, from the server, to open the Computer Management window, expand System Tools in the navigation panel on the left, and then select Shared Folders. There you will find 3 folders:

    • Shares: Where are connections
    • Sessions: Who is connected
    • Open files: What is connected

    This may give you additional insight of the Share usage and explain the traffic.

    Hope this helps with your query,

    ---------
    --If the reply is helpful, please Upvote and Accept as answer--

    1 person found this answer helpful.
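The two answers above both point at Computer Management > Shared Folders (Sessions and Open Files). The following is an added example, not code from the thread, that pulls the same information with the SmbShare cmdlets so it can be sorted and grouped: one row per client with its session and open-file counts, then a per-client, per-share breakdown so that expected SYSVOL/NETLOGON reads during GPO processing can be separated from whatever else is being pulled from the server. It assumes an elevated PowerShell prompt on the server itself (192.168.1.9 in the question) and Windows Server 2012 or later, where Get-SmbSession, Get-SmbOpenFile and Get-SmbShare exist.

```powershell
# Added example (not from the thread): who is connected to this server over
# SMB, and which shares and files they have open. Run elevated on the server.

# --- 1. One row per client computer: sessions, total opens, users, idle time ---
function Get-SmbClientSummary {
    Get-SmbSession |
        Group-Object ClientComputerName |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Name
                Sessions = $_.Count
                Opens    = ($_.Group | Measure-Object NumOpens -Sum).Sum
                Users    = ($_.Group.ClientUserName | Sort-Object -Unique) -join ', '
                # Smallest idle time across the client's sessions; ~0 means it is actively transferring.
                IdleSec  = ($_.Group | Measure-Object SecondsIdle -Minimum).Minimum
            }
        } |
        Sort-Object Opens -Descending
}

# --- 2. Map each open file back to the share it was opened through ---
# Get-SmbOpenFile reports the local path (e.g. C:\Windows\SYSVOL\...), so we
# match it against the local path of each share; IPC$ has no path and is skipped.
function Get-SmbOpenFileByShare {
    $shares = Get-SmbShare | Where-Object Path
    Get-SmbOpenFile | ForEach-Object {
        $file  = $_
        # Longest matching share path wins, in case shares are nested.
        $share = $shares |
            Where-Object { $file.Path.StartsWith($_.Path, [System.StringComparison]::OrdinalIgnoreCase) } |
            Sort-Object { $_.Path.Length } -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Client = $file.ClientComputerName
            User   = $file.ClientUserName
            Share  = if ($share) { $share.Name } else { '(unknown)' }
            File   = $file.ShareRelativePath
        }
    }
}

$summary = Get-SmbClientSummary
"=== SMB sessions per client (top talkers first) ==="
$summary | Format-Table -AutoSize

$opens = Get-SmbOpenFileByShare
"=== Open files per client and share ==="
$opens | Group-Object Client, Share |
    Sort-Object Count -Descending |
    Select-Object @{n='Client, Share'; e={$_.Name}}, Count |
    Format-Table -AutoSize

# SYSVOL and NETLOGON reads are the expected GPO/logon-script traffic; anything
# else open on a domain controller is what needs explaining (file shares that
# happen to live on the DC, backup agents, software distribution points, ...).
"=== Open files outside SYSVOL/NETLOGON ==="
$opens | Where-Object { $_.Share -notin 'SYSVOL', 'NETLOGON' } |
    Sort-Object Client, Share |
    Format-Table Client, User, Share, File -AutoSize
```

Run it a few times while the 500 KB/s transfers are visible in the traffic monitor; a client that keeps showing up with SecondsIdle near 0 and open files outside SYSVOL/NETLOGON is the one to look at, and the File column tells you what it is copying.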

  2. stay puft 226 Reputation points
    2022-02-17T21:04:06.633+00:00

    my 2¢

    You can add a switch to netstat (-abo) for the exe and PID, then use procmon.exe to find out exactly what they are doing.

    1 person found this answer helpful.
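As an added example, not part of the answer above, here is the PowerShell equivalent of netstat -abo restricted to SMB (TCP 445) with the remote host and owning process resolved, followed by a short measurement of SMB server throughput to put a number on the "500000 B/s" seen in the question. One caveat worth knowing before reaching for procmon: on the server side, SMB is served by the kernel driver (srv2.sys), so inbound 445 connections always belong to PID 4 "System", and procmon will not tell you which client is pulling the data; the per-remote-host count here (or Get-SmbSession) answers that instead. The procmon approach is useful for outbound 445 connections, where a user-mode process on the server is the SMB client. The example assumes an elevated prompt on the server and Windows Server 2012 R2 or later (Get-NetTCPConnection); the "Server" performance counters used at the end ship with Windows.

```powershell
# Added example (not from the thread): netstat -abo for TCP 445, in PowerShell.

function Get-SmbTcpConnection {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.LocalPort -eq 445 -or $_.RemotePort -eq 445 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                # Local port 445 = a client is talking to our SMB server.
                # Remote port 445 = a process on this box is an SMB client to someone else.
                Direction     = if ($_.LocalPort -eq 445) { 'inbound' } else { 'outbound' }
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '(exited)' }
            }
        }
}

$conns = Get-SmbTcpConnection
"=== Established SMB connections ==="
$conns | Sort-Object Direction, RemoteAddress | Format-Table -AutoSize

# Inbound rows will all show PID 4 / System (kernel-mode SMB server), so
# count them per remote host instead of chasing the PID.
"=== Inbound SMB connections per remote host ==="
$conns | Where-Object Direction -eq 'inbound' |
    Group-Object RemoteAddress |
    Sort-Object Count -Descending |
    Select-Object @{n='RemoteHost'; e={$_.Name}}, Count |
    Format-Table -AutoSize

# Outbound rows are the ones where procmon on this server is meaningful:
# the listed process is the SMB client doing the copying.
"=== Outbound SMB connections (this server acting as SMB client) ==="
$conns | Where-Object Direction -eq 'outbound' |
    Format-Table RemoteAddress, RemotePort, PID, Process -AutoSize

# How much is the SMB server actually sending? Six 5-second samples of the
# Server object's transmit counter, i.e. file-share bytes only, not all NIC traffic.
"=== SMB server bytes transmitted/sec (30 s sample) ==="
Get-Counter -Counter '\Server\Bytes Transmitted/sec' -SampleInterval 5 -MaxSamples 6 |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.Timestamp
            BytesSec = [math]::Round($_.CounterSamples[0].CookedValue)
        }
    } | Format-Table -AutoSize
```

If the Server counter tracks the rate the traffic monitor reports, the 416 GB is file-share traffic and the session/open-file listing identifies the clients and files; if the counter stays low while the NIC is busy, port 445 is not the bulk of it and the firewall breakdown or a Wireshark capture by source/destination port is the next step.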

  3. vinod priya 5 Reputation points
    2023-02-24T16:22:19.1733333+00:00

    Hi @Richard Eduardo Sánchez Castro, did you find a solution? I'm facing the same issue.

    1 person found this answer helpful.
