Hi,
I'm attempting to track down some DA clients which are hitting an internal web page - the page is a simple found.htm page which displays an old intranet site. The page used to be used as the connectivity verifier. I have since changed this via GPO, but some clients are still hitting the old NCA. In the server's IIS logs I can see "Client+DCA" as well as "Client+NCA".
DA is being provided by 3 Windows 2012 R2 servers across 2 sites. The servers are configured in a unicast NLB array. I've installed Network monitor on my old intranet server and I can see the DA servers are polling my old intranet server - specifically requesting the found.htm page for the "Client+DCA" and "Client+NCA". The traffic source always shows as the DA server and nothing in the packet identifies the client as far as I can see.
I tried installing Network monitor on the DA server itself, but the experience is horrendous as a 10 second packet capture took 4 minutes to save. In addition pinging 192.168.0.10 from the DA server and then filtering the corresponding packet for "ipv4.destinationaddress==192.168.0.10" fails to find the packet. I've tweaked netmon for performance, but that hasn't helped.
Is there a reliable and straightforward way to find which clients are requesting the old intranet page?
Thanks