Why are our PCs generating excessive network traffic on TCP 445 to the DCs?

Mark Frickle 0 Reputation points
2025-10-01T19:52:49.06+00:00

Second time this has happened this year. Different site each time. Only affecting the one site.
LAN/WAN performance severely degraded due to multiple clients' 445 traffic to the DCs for this site. Started overnight; the previous day was normal. Newly booted clients seem to connect for the regular scheduled GPO update after about 90 minutes or so, then switch into a state where they are checking every 5 minutes and doing a full resync of their policies. WAN performance degrades to the point where Teams audio is garbled and screen sharing or video doesn't work at all. Users are unable to open files from SharePoint. Rebooting the clients or the DCs does not change the problem. Validated the site was configured correctly. Validated there were no Silver Peak issues on either end. Deploying a new GPO to the OU now that is supposed to disable caching for improvements in sites with slow networks.
We're also working on getting Wireshark pulls from some of the clients that are causing most of the issues.

We're not sure what actually fixed it last time. We built and promoted a new DC for the site and demoted the old one, along with reimaging some of the clients, but no true root cause was identified.

Just wondering if anyone has seen this before in sites connected to the domain over a WAN.

Windows for business | Windows Server | Directory services | Deploy group policy objects

1 answer

Domic Vo 11,150 Reputation points Independent Advisor
2025-10-02T00:10:49.72+00:00

Dear Mark,

Based on your observations, the surge in SMB (port 445) traffic from multiple clients to the domain controllers, followed by frequent Group Policy resyncs, suggests a possible issue with Group Policy caching, client-side policy evaluation, or domain controller responsiveness over WAN links.

We recommend that you:

1. Group Policy Caching Behavior: Since you've already deployed a GPO to disable caching, we recommend monitoring client behavior post-deployment to confirm whether polling intervals normalize. Ensure the setting “Enable Group Policy Caching” is disabled for clients in slow-link scenarios.
2. Client-Side Logging: Review gpsvc.log and eventvwr.msc > Applications and Services Logs > Microsoft > Windows > GroupPolicy on affected clients to identify abnormal refresh cycles or policy failures.
3. DC Performance and Replication: Validate that the promoted DC is healthy and replicating properly. Use dcdiag and repadmin /replsummary to check for replication delays or errors.
4. Network Traffic Analysis: Your plan to capture Wireshark traces is excellent. Focus on SMB traffic patterns, policy retrieval intervals, and any signs of retries or timeouts. Also consider enabling SMB signing or throttling if traffic volume is unusually high.
5. DFS or SYSVOL Access: Confirm that SYSVOL and Netlogon shares are accessible without delay. If DFS is in use, validate referral behavior and namespace health.
6. If the issue is isolated to specific subnets or VLANs, consider testing with a temporary local DC or adjusting site link costs.
7. Review any recent changes to antivirus, endpoint protection, or network inspection tools that may interfere with SMB or RPC traffic.

If this guidance proves helpful, feel free to click “Accept Answer” so we know we’re heading in the right direction 😊. And of course, I’m here if you need further clarification or support.

Warm regards,

Domic

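As an added example for the client-side logging step (not code from the thread or from Microsoft), a PowerShell script to run on one of the affected clients: it reads the GroupPolicy operational log, lists policy-processing runs that fire well inside the normal 90-minute background refresh interval (the 5-minute cycle described in the question), and shows the most recent processing failures that typically drive such a retry loop. The event ID ranges used for "start of processing" and "failure" events are assumptions and should be checked against the local log.

```powershell
# Added example, not from the thread. Summarises Group Policy refresh cadence on
# an affected client. Assumptions: the standard operational log name below; the
# "Starting ... policy processing" event IDs fall in 4000-4007 and failures in
# 7000-7017 (verify against the local log before relying on the output).
param(
    [int]$Hours = 6,
    [int]$NormalIntervalMinutes = 90   # default background refresh for domain members
)

$since = (Get-Date).AddHours(-$Hours)
$log   = 'Microsoft-Windows-GroupPolicy/Operational'

# All "start of policy processing" events in the window, oldest first
$starts = Get-WinEvent -FilterHashtable @{
    LogName = $log; Id = 4000..4007; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

if (-not $starts) { Write-Host "No policy processing events since $since"; return }

# Flag any run that starts less than half the normal interval after the previous one
$threshold = $NormalIntervalMinutes / 2
$prev  = $null
$short = foreach ($e in $starts) {
    if ($prev) {
        $gap = ($e.TimeCreated - $prev.TimeCreated).TotalMinutes
        if ($gap -lt $threshold) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Id     = $e.Id
                GapMin = [math]::Round($gap, 1)
            }
        }
    }
    $prev = $e
}

Write-Host ("{0} processing runs in the last {1}h; {2} started less than {3} min after the previous run" -f `
    $starts.Count, $Hours, @($short).Count, $threshold)
$short | Format-Table -AutoSize

# Recent failures: a client that cannot complete processing keeps retrying,
# which is what pulls SYSVOL over SMB again and again across the WAN.
Get-WinEvent -FilterHashtable @{
    LogName = $log; Id = 7000..7017; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object -First 10 TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run it from an elevated PowerShell session on a client that is generating the port 445 traffic, then compare the gaps and failure messages against a client at a healthy site.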
