Microsoft KB Archive/247656


XADM: How to Locate the Source of a Rogue Server Monitor

Article ID: 247656

Article Last Modified on 10/27/2006


  • Microsoft Exchange Server 5.0 Standard Edition
  • Microsoft Exchange Server 5.5 Standard Edition

This article was previously published under Q247656


One of the features of Exchange Server is server monitors. One of the key features of a server monitor is time synchronization between Exchange Server computers. However, server monitors can change the Exchange Server computer's time to an unwanted value, and it can be difficult to track the source of this server monitor. This article explains how to find the rogue server monitor.


You can locate the IP address of the rogue monitor by using Network Monitor.

NOTE: If you need the full Microsoft Systems Management Server version of Netmon.exe, contact Microsoft Product Support Services (PSS) to request a trial version.

  1. Set the Exchange Server computer to the correct time.
  2. Using Network Monitor, capture all traffic inbound to and outbound from the Exchange Server computer that is experiencing the time changes.
  3. Observe the time on the Exchange Server computer. As soon as the time is changed, stop the Network Monitor trace.
  4. In Network Monitor, click Display Captured Data on the Capture menu (or press F12) to display the captured data.

Next, filter for the MSRPC traffic:

  1. On the toolbar, click the Edit Display Filter icon (funnel).
  2. In the Display Filter dialog box, double-click Protocol==Any.
  3. Click Disable All.
  4. In the Disabled Protocols list, click MSRPC, and then click Enable.
  5. Click OK to clear the Expression window, and then click OK to clear the Display Filter window.

You now have MSRPC traffic.

Next, locate the Admin universally unique identifier (UUID) that indicates that a server monitor is connecting to this server:

  1. On the toolbar, click the Find icon (binoculars) to open the Find Frame Expression window.
  2. In the Protocol:Property list, click MSRPC, and then click the plus sign (+) to expand the RPC options.
  3. Just below MSRPC, click Abstract Interface UUID, and paste the following UUID in the Value (Array of Bytes) field:

        F0 2B D7 83 89 0D CE 11 B1 3F 00 AA 00 3B AC 6C

  4. Click OK. This will take you to the frame where the Admin program is connecting to this server.
  5. Continue to click the Find Next icon until you locate a frame that contains an opnum of 0x3. This opnum indicates that you are setting the remote system time.
  6. Double-click on this frame and expand the frame information. Scroll up to display the IP header.
  7. Expand the IP header, and scroll down to the IP: Source Address. This is the IP address of the rogue server monitor.
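The same lookup the seven steps above perform by hand in Network Monitor, done programmatically as an added example (not part of the article): parse connection-oriented DCE/RPC PDUs, match the Admin interface UUID from a bind and opnum 0x3 from a request, and report the frame's source IP. The sample capture is constructed inline; the field offsets follow the standard DCE/RPC connection-oriented PDU layout, and keying connections on the src/dst pair only is a simplification.

```python
import struct
import uuid
# The Admin interface UUID exactly as the article gives it, in wire (little-endian) byte order.
ADMIN_UUID_WIRE = bytes.fromhex("F02BD783890DCE11B13F00AA003BAC6C")
ADMIN_UUID = uuid.UUID(bytes_le=ADMIN_UUID_WIRE)   # canonical: 83d72bf0-0d89-11ce-b13f-00aa003bac6c
SET_TIME_OPNUM = 0x3                 # the opnum the article ties to setting the remote system time
PTYPE_REQUEST, PTYPE_BIND = 0, 11    # connection-oriented DCE/RPC packet types

def parse_pdu(pdu):
    """Return (ptype, opnum or None, abstract interface UUID or None); (None, None, None) if not RPC."""
    if len(pdu) < 16 or pdu[0] != 5:                # rpc_vers must be 5
        return None, None, None
    ptype, little = pdu[2], bool(pdu[4] & 0x10)     # drep byte 0, bit 4 = little-endian integers
    if ptype == PTYPE_BIND and len(pdu) >= 48:
        # abstract syntax UUID sits at header(16) + frag limits(4) + assoc group(4) + ctx list(4) + ctx id(4)
        raw = pdu[32:48]
        return ptype, None, uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
    if ptype == PTYPE_REQUEST and len(pdu) >= 24:   # opnum follows alloc_hint(4) + p_cont_id(2)
        return ptype, struct.unpack(("<" if little else ">") + "H", pdu[22:24])[0], None
    return ptype, None, None

def find_rogue_monitors(frames):
    """frames: (src_ip, dst_ip, pdu_bytes) captured inbound to the Exchange server. A source is
    flagged only if it bound to the Admin interface and then sent opnum 0x3 on the same src->dst pair."""
    bound, hits = set(), set()
    for src, dst, pdu in frames:
        ptype, opnum, iface = parse_pdu(pdu)
        if ptype == PTYPE_BIND and iface == ADMIN_UUID:
            bound.add((src, dst))
        elif ptype == PTYPE_REQUEST and opnum == SET_TIME_OPNUM and (src, dst) in bound:
            hits.add(src)
    return sorted(hits)

def _header(ptype, body_len):   # rpc_vers 5.0, first+last frag, little-endian drep, call_id 1
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, 16 + body_len, 0, 1)
def bind_pdu(iface_wire):       # constructed bind: one context for iface_wire, NDR transfer syntax
    body = (struct.pack("<HHIBBHHBB", 5840, 5840, 0, 1, 0, 0, 0, 1, 0) + iface_wire + struct.pack("<I", 0)
            + uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le + struct.pack("<I", 2))
    return _header(PTYPE_BIND, len(body)) + body

def request_pdu(opnum):         # constructed request: alloc_hint, context id 0, opnum, dummy stub
    body = struct.pack("<IHH", 0, 0, opnum) + b"\x00" * 8
    return _header(PTYPE_REQUEST, len(body)) + body

# Constructed sample capture: 10.0.0.5 binds to Admin and calls opnum 3 (rogue); 10.0.0.9 must not be flagged.
SAMPLE_FRAMES = [("10.0.0.5", "10.0.0.20", bind_pdu(ADMIN_UUID_WIRE)),
                 ("10.0.0.5", "10.0.0.20", request_pdu(0x1)),
                 ("10.0.0.5", "10.0.0.20", request_pdu(SET_TIME_OPNUM)),
                 ("10.0.0.9", "10.0.0.20", bind_pdu(uuid.UUID(int=0xABCDEF).bytes_le)),
                 ("10.0.0.9", "10.0.0.20", request_pdu(SET_TIME_OPNUM))]
```

Running `find_rogue_monitors(SAMPLE_FRAMES)` returns `['10.0.0.5']`, the address you would read from the IP header in step 7.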

For additional information about capturing and interpreting network traffic with Network Monitor, click the article numbers below to view the articles in the Microsoft Knowledge Base:

148942 How to Capture Network Traffic with Network Monitor

159298 Analyzing Exchange RPC Traffic Over TCP/IP

169292 The Basics of Reading TCP/IP Traces

Keywords: kbhowto KB247656