OK, I’ve done some more testing. I loaded WireShark on a domain controller, and restarted a member server, and filtered for udp.port==389 . It is working as expected in all domains. So that is good. What I don’t understand is why a test using LDP fails in my production domains, but not in the new domain I just stood up. In Wireshark the UDP request is received by the DC, but it never responds.
From: Christopher Bodnar Sent: Friday, November 04, 2016 10:14 AM To: ntsysadm@lists.myitforum.com Subject: RE: [NTSysADM] LDAP Ping question Now I’m really confused. After doing some more research on this, it looks like LDP is a good tool for testing. From a new forest that I just spun up, it works fine: ld = cldap_open("x.x.x.x", 389); Established connection to x.x.x.x. Retrieving base DSA information... Getting 1 entries: Dn: (RootDSE) configurationNamingContext: CN=Configuration,DC=widgets,DC=com; currentTime: 11/4/2016 1:17:52 AM Coordinated Universal Time; defaultNamingContext: DC=widgets,DC=com; But in our production domains, from every client machine I’ve tested from, against every domain controller, it fails: 0x0 = ldap_unbind(ld); ld = cldap_open("x.x.x.x", 389); Established connection to x.x.x.x. Retrieving base DSA information... Server error: <empty> Error<94>: ldap_parse_result failed: No result present in message Getting 0 entries: Yet as far as I can tell everything in the domain is working as expected. From the reading I did on the DC Locator process, it’s my understanding that if you can’t find a DC using this process….. it should fail. Which would mean nobody would be able to logon. Is it possible that this is working, but the test I’m doing from client machines isn’t really a valid test? Is it possible that it flips to TCP if it can’t connect over UDP? I plan on putting Wireshark on a domain controller and looking for this. Very strange. Thanks Chris From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, November 03, 2016 9:19 PM To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: Re: [NTSysADM] LDAP Ping question As I understand it, LDAP Ping is more of a handshake test - not an open port check. -- Espi On Thu, Nov 3, 2016 at 2:56 PM, Christopher Bodnar <christopher_bod...@glic.com<mailto:christopher_bod...@glic.com>> wrote: I understand the function of an LDAP Ping over UDP/389 in the DC Locator process, but shouldn’t that respond to a Portqry? When I test this I receive the following: UDP port 389 (unknown service): LISTENING or FILTERED I’ve tested this in 3 separate forests against multiple domain controllers and I have gotten the same results in every case. All are 2008 R2 DFL/FFL. A Netstat –an does show this: UDP x.x.x.x:389 *:* Which seems to be correct for a UDP port that is also listening on TCP? I don’t notice anything wrong in the domains, was just going through some firewall port requests and tested this. Is Portqry not a real test of this function? My next step will be to run a WireShark trace on a DC to look for this traffic. Thanks Christopher Bodnar Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459<tel:610-807-6459> 3900 Burgess Place, Bethlehem, PA 18017 christopher_bod...@glic.com<mailto:christopher_bod...@glic.com> [cid:image001.png@01D1326B.600058E0] The Guardian Life Insurance Company of America www.guardianlife.com<http://www.guardianlife.com/> ________________________________ ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.