
Account Lockout Examiner - high bandwidth usage



#1 JeffP

Posted 26 May 2014 - 07:25 PM

Just trying out Account Lockout Examiner. It's installed on Server 2012 (the PDC), however it's reading logs from remote DCs, some are Server 2008, some are Server 2003. The 2003 servers are using up around 2meg of constant upload to the PDC (where ALE exists). The 2008 servers have no such issue.

Can anyone provide me with insight as to why this may be happening? The traffic just looks to be a lot of RPC traffic.

#2 jeffb

Posted 27 May 2014 - 01:18 PM

Jeff,

You can choose to only collect security event logs from your PDC if you would like by going into File -> Settings -> Select your domain and hit edit -> choose the Only PDC Emulator option. My guess is that most of your invalid logins are targeting the 2003 servers and thus they have more traffic to send over (assuming the traffic is being sent to the ALService rather than to the actual PDC itself). The only disadvantage to only collecting from the PDC is lockouts will be reported in a delayed fashion.

Also this may be of interest to you:
https://www.netwrix.com/kb/1531

#3 JeffP

Posted 27 May 2014 - 08:34 PM

Thanks very much "other" Jeff. I tried the steps in the knowledge base link you sent and that seems to have solved it. I looked through the knowledge base etc. before but somehow missed that article.
We have a couple dozen remote 2008 and 2012 servers, and only 4 2003 servers. Only the 2003 servers were being affected, and not because they were generating any more events. But anyway, things seem to be working well now.



