Snow Leopard and microsoft-ds (SMB) traffic

I work for a school district that has a mixed environment of macs and PC's. We just recently deployed 160 iMacs with SL 10.6.4. We are behind a state managed firewall. Recently I was contacted by a network engineer from the state office telling me that we were flooding our connection with microsoft-ds traffic. Once I looked at the log I found that it was several of my new iMacs sending this traffic. Many had not even been logged into yet. They had just been imaged and were sitting there powered up. We forced a reboot on all iMacs and the traffic dropped to normal. After the macs sit for a day the traffic picks right back up and floods our network again. Some are being used and others just sitting there. Updating have been turned off. Any suggestions on how to solve is much appreciated.

What is the destination of the traffic?

It's hitting our Domain Controller. We have SMB file sharing turned on in all our iMacs. Would this cause this kind of traffic? If so seems like a bug in SL.

Check the DC events that may be failed login attempts.

The DC is managed by our state technology department. Getting these events would be like pulling teeth.

What are the DNS servers for these iMacs? Try 8.8.8.8 and 8.8.4.4 Those are googles public DNS servers.

I assume the DC is behind a firewall, so that would rule out Bonjour broadcasts.

Were the iMacs imaged locally or right out of the box?

Turning off file sharing on all our iMacs solved our traffic issue. Now my question is who's to blame? Is it an issuw with Apple's file sharing protocol or an issue with Windows AD setup?

Try netstat from the Terminal.

With nothing open to see what traffic is leaving the Mac. Then turn on the sharing service to see what changes.

If the DC is on the same subnet it will receive bonjour broadcasts for services supplied by the Mac. 160 Macs broadcasting would be a little silly dontcha think.