>The only other weird frame is later (not appended below) a NTLMSSP DCERPC >auth request which may be optional.
Could be setting up the NETLOGON secure channel; what is the RPC authentication flavor? 0x44? You can disable this in the registry with the usual instructions. >After join the boot and logon includes only two frames that require >further analysis - the DCE/RPC request to the NETLOGON pipe for unknown >opcode 0x1a (once during boot, once during logon) and request to NETLOGON >pipe for unknown opcode 0x1D (during boot I think). 0x1A may be NetrServerAuthenticate3(). Note sure about 0x1D; could it be the PAC verification RPC? Fairly sure we saw it at domain logon. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com
