Audit failures on 2008 DCs

Status
Not open for further replies.

pinkpanther56

Technical User
Jun 15, 2005
807
GB
I'm receiving loads of failure audits from the firewall logs on our new DCs. I wonder if anyone who is familiar with 2008 could assist. We've only just moved from 2003 and I've not got the hang of the firewall logs yet.

Code:
The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID:		1248
	Application Name:	\device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
	Direction:		Inbound
	Source Address:		224.0.0.252
	Source Port:		5355
	Destination Address:	*.*.*.11 (Another DC)
	Destination Port:		59969
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	0
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	44

also

Code:
Network Information:
Direction: Inbound
Source Address: 169.254.194.1
Source Port: 53542
Destination Address: 169.254.194.1
Destination Port: 389
Protocol: 6


I've had thousands today, we have almost every client on the network turned off and we are all on one subnet.

Anyone able to help?

Cheers.
 
The first one is Vista/2008 Link Local Multicast resolution; allow it in the firewall or turn it off in the registry or Group Policy.

The second one is normal LDAP, probably being an alert as the IP it's from is not in your local networks. It's a machine that didn't get a DHCP address and self-assigned. I'd even take a guess that it's a 2nd NIC on the server that's not disabled (bad on a DC).
 
I'll take a look at the Link Local Multicast resolution, thanks. I suppose I could set the security log not to audit these as well?

Two of these DCs are virtual and only have one NIC as far as Windows is concerned, but the physical unit has two NICs in a team. I thought that IP looked like an APIPA address.

Some things to be looking at there thanks.
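
A triage sketch for the two patterns identified in this thread, added here as an example and not posted by any participant: it parses the message text of "blocked a connection" events and counts LLMNR traffic (UDP, port 5355, 224.0.0.252) and link-local 169.254.0.0/16 sources separately from everything else. The sample events are constructed from the ones quoted above, with 192.0.2.11 standing in for the masked DC address, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

HEADLINE = "The Windows Filtering Platform has blocked a connection."
# Constructed sample modelled on the two events quoted in the thread.
SAMPLE = HEADLINE + """
Network Information:
    Direction:            Inbound
    Source Address:       224.0.0.252
    Source Port:          5355
    Destination Address:  192.0.2.11
    Destination Port:     59969
    Protocol:             17
""" + HEADLINE + """
Network Information:
    Direction:            Inbound
    Source Address:       169.254.194.1
    Source Port:          53542
    Destination Address:  169.254.194.1
    Destination Port:     389
    Protocol:             6
"""

# "Key: value" lines only; section headers such as "Network Information:" have no value.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]+(\S.*?)[ \t]*$", re.M)
LLMNR_GROUP = "224.0.0.252"

def parse_events(text):
    """Split on the event headline and return one {field: value} dict per event."""
    return [dict(FIELD.findall(c)) for c in text.split(HEADLINE) if "Source Address" in c]

def classify(ev):
    """Label one event: 'llmnr', 'apipa-source', 'unparsed' or 'review'."""
    addrs = (ev.get("Source Address"), ev.get("Destination Address"))
    ports = (ev.get("Source Port"), ev.get("Destination Port"))
    if ev.get("Protocol") == "17" and "5355" in ports and LLMNR_GROUP in addrs:
        return "llmnr"            # UDP name-resolution multicast
    try:
        src = ipaddress.ip_address(ev.get("Source Address", ""))
    except ValueError:
        return "unparsed"         # masked or missing address, e.g. *.*.*.11
    return "apipa-source" if src.is_link_local else "review"

def summarize(text):
    """Count events per label so the noisy classes stand apart from the rest."""
    return Counter(classify(ev) for ev in parse_events(text))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Anything that lands in `review` is neither of the two patterns explained in the thread and is the part of the log worth reading by hand.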
 