Hi,
Hope someone can help.
Just some background on our environment. We have a Root Forest (2003 Forest Level) and then 1 separate Child Domain (2003 Domain Level) in this forest.
The Child forest is where our client's main Active Directory is hosted. The Root Forest domain controllers sit in a Datacenter along with some Child Domain DCs. We then have multiple sites with Domain Controllers that connect over a WAN link.
We recently started upgrading the Domain Controllers on the sites to Server 2012 Domain Controllers. The Schema Version is confirmed to be at Server 2012.
We have noticed that our LDAP traffic over the WAN has increased significantly since migrating to 2012 Domain Controllers: around 2GB of LDAP traffic is transferred over a 24 hour period from 1 DC to the server hosting the Domain Naming Master role. We have 2 DCs per site, so that is 4GB of LDAP data over a WAN link in a 24 hour period.
To try to see what was causing it (and how we found that it was the 2012 DCs ONLY), we ran netstat -a on the server and saw a number of connections to the Forest Root server holding the Domain Naming Master and Schema Master roles. Then on this Root Domain Controller we ran the same command and found that it had connections to all the new 2012 Domain Controllers at the remote sites (+/- 10 DCs).

The server holding these 2 roles was a 2003 server and at first we thought this might be the reason, so we proceeded to bring in a 2012 Domain Controller in the Root Forest, where we had only 2008 R2 and 2003 Domain Controllers. After we installed the 2012 Domain Controller we moved the roles: we put the Domain Naming Master on the 2008 server and the Schema Master on the new 2012 server. We left it for a day or 2 to see if the traffic still showed up, but this time it started talking to the 2008 Domain Controller holding the Domain Naming Master role. We have now moved the role onto the 2012 Domain Controller and run a packet capture using Wireshark, and as suspected the traffic has now started talking to the 2012 Domain Controller.
See image. Maybe this can help.
Somehow it has something to do with the Domain Naming Master, just no idea what.
Any advice would be appreciated.
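The post above tracks the sessions by running netstat -a on each side and comparing the addresses with the FSMO role holders by hand. The following script is an added example, not code from the original post, that does the same correlation on a 2012 DC in one pass: it reads the forest and domain role holders from Active Directory, lists the established LDAP sessions (389, 636, 3268, 3269), groups them by peer, direction, port and owning process, and tags any peer that holds an operations master role. It assumes the ActiveDirectory RSAT module is installed and that Get-NetTCPConnection is available (Windows Server 2012 or later); it needs no parameters and discovers the forest it is run in.

```powershell
# Added example (not from the original post): correlate this DC's established
# LDAP sessions with the forest/domain FSMO role holders.
# Assumes: ActiveDirectory module present, Server 2012+ (Get-NetTCPConnection).
Import-Module ActiveDirectory

$ldapPorts = 389, 636, 3268, 3269   # LDAP, LDAPS, Global Catalog, GC over SSL

# Build a map: role holder FQDN -> list of roles it holds
$forest = Get-ADForest
$domain = Get-ADDomain
$rolesByHost = @{}
foreach ($pair in @(
        @('SchemaMaster',         $forest.SchemaMaster),
        @('DomainNamingMaster',   $forest.DomainNamingMaster),
        @('PDCEmulator',          $domain.PDCEmulator),
        @('RIDMaster',            $domain.RIDMaster),
        @('InfrastructureMaster', $domain.InfrastructureMaster))) {
    $role, $holder = $pair
    if (-not $rolesByHost.ContainsKey($holder)) { $rolesByHost[$holder] = @() }
    $rolesByHost[$holder] += $role
}

# Reverse-resolve each peer address once; fall back to the raw address
$nameCache = @{}
function Resolve-PeerName([string]$ip) {
    if (-not $nameCache.ContainsKey($ip)) {
        try   { $nameCache[$ip] = [System.Net.Dns]::GetHostEntry($ip).HostName }
        catch { $nameCache[$ip] = $ip }   # no PTR record for this address
    }
    $nameCache[$ip]
}

# Established sessions where either end is an LDAP/GC port
$sessions = Get-NetTCPConnection -State Established |
    Where-Object { ($ldapPorts -contains $_.RemotePort) -or ($ldapPorts -contains $_.LocalPort) } |
    ForEach-Object {
        $outbound = $ldapPorts -contains $_.RemotePort   # we connected to them
        [pscustomobject]@{
            Peer      = Resolve-PeerName $_.RemoteAddress
            Direction = if ($outbound) { 'Outbound' } else { 'Inbound' }
            Port      = if ($outbound) { $_.RemotePort } else { $_.LocalPort }
            Process   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }

# One row per (peer, direction, port, process) with the session count and FSMO tag
$sessions |
    Group-Object Peer, Direction, Port, Process |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Peer      = $first.Peer
            Direction = $first.Direction
            Port      = $first.Port
            Process   = $first.Process
            Sessions  = $_.Count
            FsmoRoles = if ($rolesByHost.ContainsKey($first.Peer)) { $rolesByHost[$first.Peer] -join ',' } else { '' }
        }
    } |
    Sort-Object Sessions -Descending |
    Format-Table -AutoSize
```

Run it on one of the remote 2012 DCs and again on the role holder; the FsmoRoles column shows at a glance whether the peers with the most sessions are the Domain Naming Master, and the Process column shows whether those sessions belong to lsass.exe (the directory service itself) or to some other service on the box. It counts sessions, not bytes, so the 2GB figure still has to come from the Wireshark capture (Statistics > Conversations, filtered to the LDAP ports, gives per-peer byte totals). If the role needs moving again to repeat the test, Move-ADDirectoryServerOperationMasterRole with -OperationMasterRole DomainNamingMaster is the PowerShell equivalent of the transfers described in the post.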