Federated identity management using Active Directory Federation Services
The observed behavior of continuous TCP communication between your Active Directory Domain Controller and Microsoft Exchange Server, specifically involving the lsass.exe process, can be considered normal under certain circumstances. The lsass.exe process is responsible for enforcing the security policy on the system, handling authentication, and managing user sessions, which includes communication with other servers such as Exchange.
In your case, the constant source port from the Domain Controller and the changing destination ports on the Exchange Server indicate that the Domain Controller is initiating multiple sessions to the Exchange Server, likely for authentication or service requests. This pattern of communication is typical in environments where Exchange relies on Active Directory for user authentication and other directory services.
However, to ensure that this behavior is not indicative of lateral movement or malicious activity, it is important to monitor the nature and frequency of these connections. If the traffic volume is unusually high or if there are other signs of suspicious activity, further investigation may be warranted. Regular monitoring and logging of these sessions can help in identifying any anomalies in the traffic patterns.
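One way to put that monitoring into practice, as an added example rather than code from the original answer: the script below parses constructed connection records between the Domain Controller and the Exchange server, checks that the fixed DC-side port is one of the well-known AD service ports, and flags any (DC, port, peer) group whose session rate in a single minute exceeds a site-specific baseline. The log format, IP addresses, ports and baseline value are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Ports a Domain Controller serves for AD clients: Kerberos, RPC endpoint
# mapper, LDAP, SMB, kpasswd, LDAPS, Global Catalog (LDAP/LDAPS).
AD_SERVICE_PORTS = {88, 135, 389, 445, 464, 636, 3268, 3269}

# Constructed sample records (not real traffic):
# "timestamp,dc_ip,dc_port,exchange_ip,exchange_port,process"
SAMPLE_LOG = """\
2024-01-01T10:00:01,10.0.0.5,389,10.0.0.20,51002,lsass.exe
2024-01-01T10:00:03,10.0.0.5,389,10.0.0.20,51003,lsass.exe
2024-01-01T10:00:09,10.0.0.5,389,10.0.0.20,51004,lsass.exe
2024-01-01T10:00:11,10.0.0.5,4444,10.0.0.20,51005,lsass.exe
2024-01-01T10:00:12,10.0.0.5,4444,10.0.0.20,51006,lsass.exe
2024-01-01T10:00:13,10.0.0.5,4444,10.0.0.20,51007,lsass.exe
"""

def parse_log(text):
    """Parse the assumed CSV format into a list of connection records."""
    records = []
    for line in text.strip().splitlines():
        ts, dc_ip, dc_port, ex_ip, ex_port, proc = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "dc_ip": dc_ip,
                        "dc_port": int(dc_port), "ex_ip": ex_ip,
                        "ex_port": int(ex_port), "proc": proc})
    return records

def summarize(records):
    """Group by (dc_ip, dc_port, exchange_ip); track total sessions, the
    distinct peer ports seen, and sessions per one-minute bucket."""
    groups = defaultdict(lambda: {"sessions": 0, "peer_ports": set(),
                                  "per_minute": Counter()})
    for r in records:
        g = groups[(r["dc_ip"], r["dc_port"], r["ex_ip"])]
        g["sessions"] += 1
        g["peer_ports"].add(r["ex_port"])
        g["per_minute"][r["ts"].replace(second=0, microsecond=0)] += 1
    return groups

def flag_anomalies(summary, max_per_minute=60):
    """Return (group_key, reason) pairs worth a closer look: a fixed port that
    is not a known AD service port, or a minute whose session count exceeds
    the baseline (max_per_minute is a site-specific assumption)."""
    flags = []
    for key, s in summary.items():
        if key[1] not in AD_SERVICE_PORTS:
            flags.append((key, "fixed port is not a known AD service port"))
        if max(s["per_minute"].values()) > max_per_minute:
            flags.append((key, "session rate exceeds baseline"))
    return flags
```

Tune `max_per_minute` from a few days of your own traffic before treating a hit as suspicious; a burst during a mailbox-server restart will look very different from steady-state authentication traffic.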
In summary, while the communication pattern you described can be normal, maintaining vigilance and monitoring for unusual behavior is essential in any network environment.