
I run a small cluster of VMs (both Windows and Linux) under Hyper-V on Windows Server 2016 (with the Hypervisor also being the DC). Using Resource Monitor, I've recently noticed an irregular amount of outbound traffic originating from lsass.exe to many residential hosts (20+). Most of these connections are consistently around ~3,000b/sec, but a couple are as high as 250,000b/s; the connections stay for a while and then new ones come and go.

A bit of searching indicates lsass.exe is responsible for VM traffic, so I inspected every VM (using Resource Monitor/bmon), and none of them are consistently pushing that level of traffic. Upon some more research, the process responsible appears to be "Local Security Authority Process", which has 6 sub-processes (Credential Manager, Security Accounts Manager, Active Directory Domain Services, Netlogon, CNG Key Isolation, Kerberos Key Distribution Center), so it seems like a safe bet to say the traffic is coming from the Hypervisor.

So my question is, why is my Hypervisor/DC sending a large amount of traffic to seemingly random residential hosts?

Edit: It may also be worth mentioning that lsass.exe is listening on TCP 88, 389, 464, 636, 3268, 49667, 49669, 49670 and UDP 88, 389, 464, 50725.
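
The observation above was made by hand in Resource Monitor. The following PowerShell is an added example (not code from the original post or from any of the commenters) that reproduces the same check from an elevated prompt on the Hyper-V host: it lists every established TCP connection owned by lsass.exe grouped by remote address, marks which remote addresses fall outside private (RFC 1918, loopback, link-local) ranges so that off-network destinations stand out, and compares the ports lsass.exe is listening on against the set a domain controller is expected to own (Kerberos 88, LDAP 389, kpasswd 464, LDAPS 636, Global Catalog 3268/3269, plus the dynamic RPC range from 49152). The `$ExpectedDcPorts` list and the helper function names are this example's own choices; the cmdlets (`Get-NetTCPConnection`, `Get-NetUDPEndpoint`, `Get-Process`) ship with Windows Server 2016.

```powershell
# Added example, not from the original post: enumerate network activity of
# lsass.exe on a Windows Server 2016 DC so the Resource Monitor observation
# can be reproduced and logged from the command line. Run elevated.

# Ports lsass.exe is expected to own on a domain controller (AD DS / Kerberos).
# RPC endpoint-mapper allocations land in the dynamic range and are expected too.
$ExpectedDcPorts   = @(88, 389, 464, 636, 3268, 3269)
$DynamicRangeStart = 49152

function Test-PrivateAddress {
    # True for RFC 1918, loopback and link-local IPv4, and for IPv6 loopback,
    # link-local and unique-local addresses; everything else is treated as public.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return $ip.IsIPv6LinkLocal -or
               [System.Net.IPAddress]::IPv6Loopback.Equals($ip) -or
               (($b[0] -band 0xFE) -eq 0xFC)
    }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-LsassSessions {
    # Established TCP sessions owned by lsass.exe, one row per remote address.
    $lsass = Get-Process -Name lsass
    Get-NetTCPConnection -OwningProcess $lsass.Id -State Established -ErrorAction SilentlyContinue |
        Group-Object RemoteAddress |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress = $_.Name
                Connections   = $_.Count
                RemotePorts   = ($_.Group.RemotePort | Sort-Object -Unique) -join ','
                Private       = Test-PrivateAddress $_.Name
            }
        } |
        # Public destinations first, busiest first within each group.
        Sort-Object @{Expression = 'Private'; Descending = $false},
                    @{Expression = 'Connections'; Descending = $true}
}

function Get-LsassListeners {
    # Ports lsass.exe is listening on, with any TCP port that is neither an
    # expected DC port nor in the dynamic RPC range called out for review.
    $lsass = Get-Process -Name lsass
    $tcp = Get-NetTCPConnection -OwningProcess $lsass.Id -State Listen -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    $udp = Get-NetUDPEndpoint -OwningProcess $lsass.Id -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    $unexpected = $tcp | Where-Object { $_ -notin $ExpectedDcPorts -and $_ -lt $DynamicRangeStart }
    [pscustomobject]@{
        TcpListeners  = $tcp
        UdpEndpoints  = $udp
        UnexpectedTcp = @($unexpected)
    }
}

# Usage: print the two views.
Get-LsassSessions | Format-Table -AutoSize
$l = Get-LsassListeners
"lsass TCP listeners : $($l.TcpListeners -join ', ')"
"lsass UDP endpoints : $($l.UdpEndpoints -join ', ')"
"unexpected TCP ports: $(if ($l.UnexpectedTcp) { $l.UnexpectedTcp -join ', ' } else { 'none' })"
```

Run against the port list in the edit above, the listener check reports nothing unexpected: 88, 389, 464, 636 and 3268 are in the DC set and 49667/49669/49670 (and UDP 50725) sit in the dynamic RPC range. The sessions view is the part that answers the "to whom" question: on a DC, lsass.exe hosts AD DS, Netlogon and the KDC, so its peers are normally domain members and replication partners on the domain's own address ranges, and any rows with `Private = False` are the ones to pull into a packet capture or firewall log review.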

  • Define residential hosts.
    – joeqwerty
    Commented Jul 23, 2017 at 15:17
  • I'm guessing ISP client machines, seeing cable or DSL modems in DNS lookups.
    – SqlACID
    Commented Jul 23, 2017 at 15:51
