Try with a query via ldp.exe and record the network session with Wireshark.
Then evaluate the packet capture and replay it with tcpreplay from Security
Onion to verify that the DC responds.

That would be a more accurate test imho.

Ez

On Nov 3, 2016 5:59 PM, "Christopher Bodnar" <[email protected]>
wrote:

I understand the function of an LDAP Ping over UDP/389 in the DC Locator
process, but shouldn't that respond to a Portqry? When I test this I
receive the following:

UDP port 389 (unknown service): LISTENING or FILTERED

I've tested this in 3 separate forests against multiple domain controllers
and I have gotten the same results in every case. All are 2008 R2 DFL/FFL.
A netstat -an does show this:

UDP    x.x.x.x:389      *:*

Which seems to be correct for a UDP port that is also listening on TCP? I
don't notice anything wrong in the domains, was just going through some
firewall port requests and tested this. Is Portqry not a real test of this
function?

My next step will be to run a Wireshark trace on a DC to look for this
traffic.

Thanks

Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology: Enterprise
Architecture and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]

The Guardian Life Insurance Company of America
www.guardianlife.com
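The thread's real question is whether a generic UDP probe says anything about the DC Locator function on UDP/389. A positive test is to send the same thing a client sends, a CLDAP searchRequest against RootDSE with the (&(DnsDomain=...)(NtVer=...)) filter asking for the Netlogon attribute, and decode the NETLOGON_SAM_LOGON_RESPONSE_EX the DC returns. The script below is an added example written for this note, not code from either poster; the DC address and domain name are placeholders, and the reply used when it runs offline is constructed here to mirror the on-the-wire layout, not captured from a real DC.

```python
"""CLDAP "LDAP ping" (the DC Locator probe) sender/decoder for UDP/389.
Added example for this thread; names are placeholders and the offline
reply is constructed, not captured. Structures per MS-ADTS 6.3.1 / 6.3.3."""
import socket
import struct

NETLOGON_NT_VERSION_5EX = 0x00000004  # ask for NETLOGON_SAM_LOGON_RESPONSE_EX

# DS_FLAG bits carried in the Netlogon attribute (MS-ADTS 6.3.1.2)
DS_FLAGS = {
    0x00000001: "PDC", 0x00000004: "GC", 0x00000008: "LDAP", 0x00000010: "DS",
    0x00000020: "KDC", 0x00000040: "TIMESERV", 0x00000080: "CLOSEST",
    0x00000100: "WRITABLE", 0x00000200: "GOOD_TIMESERV", 0x00000400: "NDNC",
    0x00002000: "WS", 0x00004000: "DS_8", 0x00008000: "DS_9",
    0x20000000: "DNS_CONTROLLER", 0x40000000: "DNS_DOMAIN", 0x80000000: "DNS_FOREST",
}

def ber_len(n):
    """BER definite-length form (short or long)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n):
    """INTEGER with a minimal two's-complement body (non-negative values)."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def build_ldap_ping(dns_domain, msg_id=1, ntver=NETLOGON_NT_VERSION_5EX):
    """LDAPMessage{searchRequest} on RootDSE, filter (&(DnsDomain=X)(NtVer=...))."""
    eq_domain = tlv(0xA3, tlv(0x04, b"DnsDomain") + tlv(0x04, dns_domain.encode()))
    eq_ntver = tlv(0xA3, tlv(0x04, b"NtVer") + tlv(0x04, struct.pack("<I", ntver)))
    search = (
        tlv(0x04, b"")                        # baseObject: "" (RootDSE)
        + tlv(0x0A, b"\x00")                  # scope: baseObject
        + tlv(0x0A, b"\x00")                  # derefAliases: neverDerefAliases
        + ber_int(0) + ber_int(0)             # sizeLimit, timeLimit
        + tlv(0x01, b"\x00")                  # typesOnly: FALSE
        + tlv(0xA0, eq_domain + eq_ntver)     # filter: and{equalityMatch x2}
        + tlv(0x30, tlv(0x04, b"Netlogon"))   # attributes: Netlogon
    )
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, search))  # searchRequest [APPLICATION 3]

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def parse_ping_response(datagram):
    """{attr: [values]} from the first searchResEntry in a CLDAP reply datagram."""
    for _, msg in iter_tlvs(datagram):             # one datagram, several LDAPMessages
        _, _msgid, pos = read_tlv(msg)
        op_tag, op, _ = read_tlv(msg, pos)
        if op_tag != 0x64:                         # searchResEntry [APPLICATION 4]
            continue                               # skip e.g. searchResDone
        _, _dn, pos = read_tlv(op)
        _, attr_list, _ = read_tlv(op, pos)
        attrs = {}
        for _, attr in iter_tlvs(attr_list):       # PartialAttribute{type, vals SET}
            _, name, p = read_tlv(attr)
            _, vals, _ = read_tlv(attr, p)
            attrs[name.decode()] = [v for _, v in iter_tlvs(vals)]
        return attrs
    raise ValueError("no searchResEntry in reply")

def decode_netlogon(blob):
    """Opcode and DS_FLAGS from the NETLOGON_SAM_LOGON_RESPONSE_EX header."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    names = [n for bit, n in sorted(DS_FLAGS.items()) if flags & bit]
    return {"opcode": opcode, "flags": flags, "flag_names": names}

def ldap_ping(dc, dns_domain, timeout=2.0):
    """Send one ping to dc:389/udp; None on timeout (no answer is not a pass)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ldap_ping(dns_domain), (dc, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return decode_netlogon(parse_ping_response(data)["Netlogon"][0])

def constructed_reply(flags=0x0000017D, msg_id=1):
    """Constructed (not captured) reply: searchResEntry with Netlogon + searchResDone."""
    netlogon = struct.pack("<HHI", 0x17, 0, flags) + bytes(16)  # opcode, sbz, flags, GUID
    attr = tlv(0x30, tlv(0x04, b"Netlogon") + tlv(0x31, tlv(0x04, netlogon)))
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30, attr))
    done = tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b""))
    return tlv(0x30, ber_int(msg_id) + entry) + tlv(0x30, ber_int(msg_id) + done)
```

Calling ldap_ping("10.0.0.10", "corp.example") against a live DC (placeholder values) returns the opcode 0x17 (LOGON_SAM_LOGON_RESPONSE_EX) and the DS_FLAGS the DC advertises, which is the evidence the DC Locator function is actually working; a None result leaves you with exactly the "listening or filtered" ambiguity any bare UDP probe has, and the Wireshark trace on the DC side is the way to tell a dropped packet from an ignored one.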