LDAP Responding on TCP but not UDP - Win 2008


  • LDAP Responding on TCP but not UDP - Win 2008

    Hi All,

    I've a Windows 2008 domain controller. Using portqry to test LDAP connectivity it responds to TCP but not UDP.
    Code:
    C:\PortQryV2>portqry -n dc1 -p udp -e 389
    Querying target system called:
     dc1
    Attempting to resolve name to IP address...
     
    Name resolved to 10.0.0.17
    querying...
    UDP port 389 (unknown service): LISTENING or FILTERED
    Using ephemeral source port
    Sending LDAP query to UDP port 389...
    LDAP query to port 389 failed
    Server did not respond to LDAP query

    There is nothing but a switch between me and the DC, no firewalls (hardware or software).

    Has anyone got any idea what the problem is here?

    Thanks,

    Tim
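
The probe portqry performs on UDP 389 is a connectionless LDAP (CLDAP) rootDSE search; the following is an added example (not from any poster in this thread) that rebuilds that probe so the check can be repeated without portqry. It assumes the DC answers a rootDSE SearchRequest over UDP the way portqry expects, and the host name dc1 is the one from the original post.

```python
import socket, sys

def _ber(tag, payload):
    """Encode one BER TLV (definite length, up to 65535 bytes)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def build_cldap_rootdse_query(message_id=1, attrs=("defaultNamingContext", "dnsHostName")):
    """LDAPMessage { messageID, SearchRequest for the rootDSE }, the query portqry sends over UDP."""
    search = _ber(0x63,                                   # [APPLICATION 3] SearchRequest
        _ber(0x04, b"")                                   # baseObject: "" (rootDSE)
        + _ber(0x0A, b"\x00")                             # scope: baseObject
        + _ber(0x0A, b"\x00")                             # derefAliases: neverDerefAliases
        + _ber(0x02, b"\x00")                             # sizeLimit: 0 (no limit)
        + _ber(0x02, b"\x00")                             # timeLimit: 0
        + _ber(0x01, b"\x00")                             # typesOnly: FALSE
        + _ber(0x87, b"objectClass")                      # filter: (objectClass=*) as 'present'
        + _ber(0x30, b"".join(_ber(0x04, a.encode()) for a in attrs)))
    return _ber(0x30, _ber(0x02, bytes([message_id])) + search)

def _tlv(buf, pos=0):
    """Read one BER TLV at pos: (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify_response(data):
    """Name the protocolOp of a CLDAP reply; None if it is not an LDAPMessage."""
    tag, body, _ = _tlv(data)
    if tag != 0x30:
        return None
    _, _, pos = _tlv(body)                                # skip messageID
    op, _, _ = _tlv(body, pos)
    return {0x64: "SearchResultEntry", 0x65: "SearchResultDone"}.get(op, "op 0x%02x" % op)

def cldap_probe(host, port=389, timeout=3.0):
    """Send the rootDSE query over UDP; return the reply's op name, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cldap_rootdse_query(), (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except OSError:                                   # timeout or ICMP unreachable
            return None                                   # same symptom as "Server did not respond"
    return classify_response(data)
if __name__ == "__main__":
    print(cldap_probe(sys.argv[1] if len(sys.argv) > 1 else "dc1"))
```

A healthy DC answers with SearchResultEntry followed by SearchResultDone; a None result alongside a listening socket in netstat is the exact situation this thread describes.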

  • #2
    Re: LDAP Responding on TCP but not UDP - Win 2008

    Can you run dcdiag, netdiag and paste us the results?

    Also, what happens if you run portqry from the DC itself?
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



    • #3
      Re: LDAP Responding on TCP but not UDP - Win 2008

      I get the same error on all of the 2008 domain controllers I have tested. If you restart ADDS and retest, UDP 389 will respond back. I have goofed around with uninstalling updates/turning off Windows Firewall/etc. and no luck. I enabled auditpol to grab extra logging and enabled NTDS logging but haven't come across anything that helps.



      • #4
        Re: LDAP Responding on TCP but not UDP - Win 2008

        Just to be clear, did you test running the portqry command right on the DC, pointing to itself? I'm not sure if that is what you mean.

        If not please try it, also, dcdiag and netdiag, what do they look like?
        VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



        • #5
          Re: LDAP Responding on TCP but not UDP - Win 2008

          Yes that is exactly correct, running portqry on the local machine does not get a response back on UDP 389 on the domain controller. I have used the FQDN and IP to see if that would make a difference, which it doesn't lol. However doing a netstat -an shows UDP is listening prior to restarting ADDS, and TCPView shows likewise. It is a very strange issue and I believe I have done all due diligence thus far and we have engaged MS on the issue. The main concern I have is that DFS root referrals for the site specific domain controllers keep going cross site, and even the DCs themselves which are root replicas go cross site, but after restarting ADDS on the 2k8 boxes and doing a dfsutil pktflush and hitting DFS again, it then pulls DFS appropriately.

          Also I have just set up a new VM for testing (the actual issue happens on hardware) and I have the same issue even after doing a full update; no other utilities are installed so it's just a plain vanilla Windows 2008 VM. I will post the dcdiag results here shortly, but with Windows 2008 netdiag is deprecated.

          dcdiag came back relatively clean; the only SystemLog errors were the dynamic deletion of SRV records.
          Last edited by spencerdm; 28th March 2009, 21:36. Reason: Updated



          • #6
            Re: LDAP Responding on TCP but not UDP - Win 2008

            Per Microsoft support after 3 escalations, this is supposedly a non-relevant return response and, unlike 2000, 2003, 2003R2, this is somewhat expected and can be ignored.



            • #7
              Re: LDAP Responding on TCP but not UDP - Win 2008

              Hi Spencerdm,

              Just to be clear, Microsoft are saying this is expected behaviour? So is it that portqry is somehow incompatible with Win2008 or that Win2008 just isn't supposed to respond to UDP?

              Unlike your situation restarting ADDS doesn't make any difference to me. Still the same result, no response to UDP whether portqry is run locally on the DC or on a remote machine.

              Here is the output of a dcdiag

              Code:
              C:\PortQryUI>dcdiag
              Directory Server Diagnosis
              Performing initial setup:
                 Trying to find home server...
                 Home Server = DC1
                 * Identified AD Forest.
                 Done gathering initial info.
              Doing initial required tests
                 Testing server: Main-Office\DC1
                    Starting test: Connectivity
                       ......................... DC1 passed test Connectivity
              Doing primary tests
                 Testing server: Main-Office\DC1
                    Starting test: Advertising
                       ......................... DC1 passed test Advertising
                    Starting test: FrsEvent
                       ......................... DC1 passed test FrsEvent
                    Starting test: DFSREvent
                       ......................... DC1 passed test DFSREvent
                    Starting test: SysVolCheck
                       ......................... DC1 passed test SysVolCheck
                    Starting test: KccEvent
                       An Warning Event occurred.  EventID: 0x80000B46
                          Time Generated: 03/30/2009   09:43:40
                          EvtFormatMessage failed, error 15100 Win32 Error 15100.
                          (Event String (event log = Directory Service) could not be
                          retrieved, error 0x3afc)
                       An Warning Event occurred.  EventID: 0x80000B46
                          Time Generated: 03/30/2009   09:46:08
                          EvtFormatMessage failed, error 15100 Win32 Error 15100.
                          (Event String (event log = Directory Service) could not be
                          retrieved, error 0x3afc)
                       ......................... DC1 passed test KccEvent
                    Starting test: KnowsOfRoleHolders
                       ......................... DC1 passed test KnowsOfRoleHolders
                    Starting test: MachineAccount
                       ......................... DC1 passed test MachineAccount
                    Starting test: NCSecDesc
                       ......................... DC1 passed test NCSecDesc
                    Starting test: NetLogons
                       [DC1] User credentials does not have permission to perform this
                       operation.
                       The account used for this test must have network logon privileges
                       for this machine's domain.
                       ......................... DC1 failed test NetLogons
                    Starting test: ObjectsReplicated
                       ......................... DC1 passed test ObjectsReplicated
                    Starting test: Replications
                       [Replications Check,DC1] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
                       error 0x2105 "Win32 Error 8453"
                       ......................... DC1 failed test Replications
                    Starting test: RidManager
                       ......................... DC1 passed test RidManager
                    Starting test: Services
                          Could not open NTDS Service on DC1, error 0x5 "Win32 Error 5"
                       ......................... DC1 failed test Services
                    Starting test: SystemLog
                       An Error Event occurred.  EventID: 0x0000041E
                          Time Generated: 03/30/2009   09:46:03
                          EvtFormatMessage failed, error 15100 Win32 Error 15100.
                          (Event String (event log = System) could not be retrieved, error
                          0x3afc)
                       ......................... DC1 failed test SystemLog
                    Starting test: VerifyReferences
                       ......................... DC1 passed test VerifyReferences
              
                 Running partition tests on : ForestDnsZones
                    Starting test: CheckSDRefDom
                       ......................... ForestDnsZones passed test CheckSDRefDom
                    Starting test: CrossRefValidation
                       ......................... ForestDnsZones passed test
                       CrossRefValidation
                 Running partition tests on : DomainDnsZones
                    Starting test: CheckSDRefDom
                       ......................... DomainDnsZones passed test CheckSDRefDom
                    Starting test: CrossRefValidation
                       ......................... DomainDnsZones passed test
                       CrossRefValidation
                 Running partition tests on : Schema
                    Starting test: CheckSDRefDom
                       ......................... Schema passed test CheckSDRefDom
                    Starting test: CrossRefValidation
                       ......................... Schema passed test CrossRefValidation
                 Running partition tests on : Configuration
                    Starting test: CheckSDRefDom
                       ......................... Configuration passed test CheckSDRefDom
                    Starting test: CrossRefValidation
                       ......................... Configuration passed test CrossRefValidation
                 Running partition tests on : ors
                    Starting test: CheckSDRefDom
                       ......................... ors passed test CheckSDRefDom
                    Starting test: CrossRefValidation
                       ......................... ors passed test CrossRefValidation
                 Running enterprise tests on : ors.org.uk
                    Starting test: LocatorCheck
                       ......................... ors.org.uk passed test LocatorCheck
                    Starting test: Intersite
                       ......................... ors.org.uk passed test Intersite
              C:\PortQryUI>



              • #8
                Re: LDAP Responding on TCP but not UDP - Win 2008

                Why not simply run netstat -an | find "389" to see if it is listening on the ports?
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"



                • #9
                  Re: LDAP Responding on TCP but not UDP - Win 2008

                  Yeah, the 389 is showing up in the netstat, and that showed ok, however the DFS issue and the 389 unresponsiveness on top of the DCs going cross site for DFS root when they are current replicas added up to some very strange shit. And for the love of god MS never could give me a straight freaking answer and they all kept back tracking, so basically it boils down to 389 UDP and for that fact all ephemeral ports won't respond back, so if you have to use portqry or any other number of tools to verify ACLs etc. you can just skip that point, 88 UDP is always that way anyways. The bullshit story is that even though I had repro'd it a dozen times to MS support they still couldn't give me a definitive answer on why it responds back to portqry and LDAP ping specific apps after ADDS is restarted and why it didn't work prior to the service restart.
