0

Identify Domain Controller specifically included in network request

asked 2020-12-15 16:25:52 +0000

Know I can't be the first to ask a question like this... Is there a way to filter a Wireshark capture to include only requests from the network which are specifically to a named Domain Controller, and not to the domain namespace in general? Attempting to decommission a physical Domain Controller and over the years, applications have been hardcoded for LDAP authentication. Without breaking these applications, we want to proactively edit configurations to query the domain namespace instead of the FQDN of the Domain Controller. Any thoughts?


Comments

I tried to understand what you are looking for but the question was not clear to me.

hugo.vanderkooij (2020-12-16 08:59:49 +0000)

Current LDAP configuration: ldap://dc1.Contoso.org:389, should be configured ldap://contoso.org:389. Dc1 needs to be retired. While running a Wireshark capture on Dc1, is there a way to determine queries to ldap://dc1.contoso.org:389 by filtering? Dc1 also responds to namespace ldap://contoso.org:389 requests. Thank you!

Bimpster (2020-12-16 12:21:02 +0000)

Can't you capture on dc1 and look at the hosts making connection requests?

grahamb (2020-12-16 20:48:30 +0000)

Absolutely I can, and have. The issue is trying to filter out requests to the namespace and include only those requests to the domain controller specifically. As long as it is a DC, it will always respond to namespace requests AND requests specifically addressed to it.

Bimpster (2020-12-16 21:50:16 +0000)

Thank you @grahamb. It was a good thought but I had already identified dozens of applications hitting that one box.

Bimpster (2021-01-29 01:23:03 +0000)
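The difficulty raised in the question and comments is that an LDAP connection on the wire carries only the DC's IP address, so a capture on dc1 cannot tell from the LDAP traffic alone whether the client was configured with dc1.contoso.org or with contoso.org. What does differ is the DNS lookup the client made just before connecting: a hardcoded client asks for the A record of dc1.contoso.org, while a namespace client asks for contoso.org or the _ldap._tcp SRV record under it. The script below is an added example, not code from the thread or from Wireshark; it correlates DNS queries with the LDAP connections that follow them, and it also emits the Wireshark display filters that pull those two streams out of a capture. The DC address 10.0.0.5, the event lines, the 300-second correlation window and the event-line format (a simplified "timestamp kind client target" export) are constructed assumptions. One edge case is handled explicitly: a namespace client also resolves the SRV target's A record (dc1.contoso.org) after the SRV answer, so a namespace query seen in the window takes precedence over an FQDN lookup.

```python
"""Attribute LDAP connections seen at a DC to the DNS name each client resolved first.

Added example, not code from the thread. All addresses, names and events are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed environment (assumption): dc1.contoso.org answers at 10.0.0.5.
DC_IP = "10.0.0.5"
DC_FQDN = "dc1.contoso.org"
DOMAIN = "contoso.org"

# Constructed event lines: "<seconds> <DNS|LDAP> <client ip> <queried name | destination ip>".
# DNS lines are queries sent by the client; LDAP lines are TCP connections the client opened.
SAMPLE_EVENTS = """\
100.00 DNS  10.0.1.20 dc1.contoso.org
100.05 LDAP 10.0.1.20 10.0.0.5
200.00 DNS  10.0.1.21 _ldap._tcp.contoso.org
200.02 DNS  10.0.1.21 dc1.contoso.org
200.05 LDAP 10.0.1.21 10.0.0.5
300.00 DNS  10.0.1.22 contoso.org
300.03 LDAP 10.0.1.22 10.0.0.5
400.00 LDAP 10.0.1.23 10.0.0.5
500.00 DNS  10.0.1.24 DC1.Contoso.org.
520.00 LDAP 10.0.1.24 10.0.0.5
600.00 LDAP 10.0.1.25 10.0.0.9
"""


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str      # "DNS" or "LDAP"
    client: str    # source IP of the query / connection
    target: str    # queried name (DNS) or destination IP (LDAP), normalised to lower case


def parse_events(text: str) -> list[Event]:
    """Parse the constructed export format and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, client, target = line.split()
        events.append(Event(float(ts), kind.upper(), client, target.rstrip(".").lower()))
    return sorted(events, key=lambda e: e.ts)


def name_class(qname: str, dc_fqdn: str = DC_FQDN, domain: str = DOMAIN) -> str | None:
    """Map a queried name to what it reveals about the client's LDAP configuration."""
    if qname == domain or (qname.startswith("_ldap._tcp.") and qname.endswith("." + domain)):
        return "namespace"          # apex or SRV lookup: client uses the domain name
    if qname == dc_fqdn:
        return "hardcoded"          # direct A lookup of the DC's own host name
    return None                     # unrelated query


def classify_connections(events: list[Event], dc_ip: str = DC_IP, dc_fqdn: str = DC_FQDN,
                         domain: str = DOMAIN, window: float = 300.0) -> list[tuple[float, str, str]]:
    """Label every LDAP connection to dc_ip by the DNS names its client asked for beforehand."""
    recent: dict[str, list[tuple[float, str]]] = defaultdict(list)
    labelled = []
    for ev in events:
        if ev.kind == "DNS":
            cls = name_class(ev.target, dc_fqdn, domain)
            if cls:
                recent[ev.client].append((ev.ts, cls))
        elif ev.kind == "LDAP" and ev.target == dc_ip:
            seen = {c for t, c in recent[ev.client] if ev.ts - window <= t <= ev.ts}
            # A namespace client resolves the SRV target (dc1.contoso.org) too, so any
            # namespace query inside the window outranks the FQDN lookup.
            if "namespace" in seen:
                label = "namespace"
            elif "hardcoded" in seen:
                label = "hardcoded"
            else:
                label = "no_dns"    # IP literal in the config, or a name served from the client's cache
            labelled.append((ev.ts, ev.client, label))
    return labelled


def clients_by_label(labelled: list[tuple[float, str, str]]) -> dict[str, list[str]]:
    """Collapse per-connection labels into a per-client worklist for the migration."""
    out: dict[str, set[str]] = defaultdict(set)
    for _, client, label in labelled:
        out[label].add(client)
    return {label: sorted(clients) for label, clients in out.items()}


def wireshark_filters(dc_ip: str = DC_IP, dc_fqdn: str = DC_FQDN, domain: str = DOMAIN) -> dict[str, str]:
    """Display filters that isolate the same streams in a capture taken on the DC."""
    return {
        "dns_fqdn": f'dns.flags.response == 0 && dns.qry.name == "{dc_fqdn}"',
        "dns_namespace": (f'dns.flags.response == 0 && (dns.qry.name == "{domain}" '
                          f'|| dns.qry.name == "_ldap._tcp.{domain}")'),
        "ldap_to_dc": f"tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 389 && ip.dst == {dc_ip}",
    }


if __name__ == "__main__":
    for ts, client, label in classify_connections(parse_events(SAMPLE_EVENTS)):
        print(f"{ts:8.2f} {client:<12} {label}")
    for name, expr in wireshark_filters().items():
        print(f"{name}: {expr}")
```

The correlation only works if the capture point sees the clients' DNS queries, which is the usual case when the DC being retired is also the DNS server those clients use; otherwise capture at the DNS server as well. Clients in the `no_dns` bucket are the ones to examine by hand: they either have the DC's IP address in their configuration or answered from a DNS cache older than the window, so the window should be at least as long as the A record's TTL and the capture should span a full working day.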

1 Answer

0

answered 2021-01-29 01:27:11 +0000

In any event, I have decommissioned the DC and let the chips fall where they may. Two devices using LDAP lookup specifically targeting the Domain Controller began failing. Not such a bad thing. A quick /etc/hosts file entry and they were back on the air until their admin could associate another "specific" DC to use for LDAP lookup. Don't you just hate it when they don't allow you to use the namespace but insist a DC or IP address be entered?
