RE: Sniffer information to track LSASS activity.
From: Bill-MT (BillMT_at_discussions.microsoft.com)
Date: 04/11/05
- Previous message: Roger Abell: "Re: Establish auditing for 600 users"
- In reply to: Bill-MT: "Sniffer information to track LSASS activity."
- Next in thread: Ezra Herman: "Re: Sniffer information to track LSASS activity."
- Reply: Ezra Herman: "Re: Sniffer information to track LSASS activity."
Date: Sun, 10 Apr 2005 19:37:02 -0700
First, thanks to all of you for responding.
Per your recommendations I have done the following.
- Enabled specific auditing of failures for certain events on the DC in
question.
- Downloaded and tried both Process Explorer and TcpView.
- Examined/modified my capture filter by selecting on specific MS TCP/UDP
ports.
Yesterday (Saturday) I rebooted the DC in question. So far (Sunday night),
more than 24 hours later, the unusual CPU activity associated with this event
has not re-occurred (which tells me that this event is not caused by any
systems normally running on the weekend (i.e. the 24x7 systems)), so I have not
been able to use any of your advice yet.
Although at this point I have nothing to report per your recommendations
above, I do have one additional question at this time. Per the response I
got to my original posting on this issue, do any of you believe it is good
practice to install Anti Virus software on a Domain Controller? And if yes,
are there any caveats to doing so?
Thanks again for your suggestions. - bill