Testing Domain Controller Connectivity Using PORTQRY
One common problem I see with Active Directory implementations is a topology that is not fully routable. In a fully routable environment every domain controller (DC) can communicate with every other DC. Most customers think they have a fully routable environment; in reality many do not. In some cases there are multiple firewalls between the DCs that block ports, or DCs connected across VPN links that do not have the required ports open. For more information on how Active Directory replication works, read the articles in the RESOURCES section below.

Here are the ports required by Active Directory as described in the "Service Overview" link below:

    Application protocol                 Protocol   Ports
    Global Catalog Server (SSL)          TCP        3269
    Global Catalog Server                TCP        3268
    LDAP Server                          TCP        389
    LDAP Server                          UDP        389
    LDAP SSL                             TCP        636
    LDAP SSL                             UDP        636
    IPsec ISAKMP                         UDP        500
    NAT-T                                UDP        4500
    RPC endpoint mapper                  TCP        135
    RPC randomly allocated high ports    TCP        1024-65535

A few caveats on that table. It is the replication-centric subset; DC-to-DC traffic also needs Kerberos (TCP and UDP 88), DNS (TCP and UDP 53) and SMB (TCP 445), so test those too. LDAP over SSL is served on TCP 636 in practice; the UDP 636 row is in the Microsoft table but you will not get a response on it. The 1024-65535 dynamic RPC range is the Windows 2000/2003 default; Windows Server 2008 and later use 49152-65535 by default, and the port used for directory replication can be pinned to a fixed value with the "TCP/IP Port" value under the NTDS Parameters registry key so that the firewall rule does not have to open the whole range. Whatever the range, the port that actually matters is the one the endpoint mapper (TCP 135) reports for the directory replication service on that DC, so a test that stops at 135 has not proven replication can connect.

The PORTQRY utility can be found in the Windows Server 2003 Support Tools, and the newest version can be found in the links that follow. PORTQRY can be used to test connectivity on a port or range of ports from one server to another. For example, to test TCP port 389 from the current computer to a server named VDC02 you would type the following command:

    PORTQRY -n VDC02 -e 389 -p TCP

The query returns a great deal of information when you query 389 (PORTQRY sends a real LDAP query and dumps the rootDSE it gets back), but you should see a line similar to the following if port 389 is reachable and able to respond:

    TCP port 389 (ldap service): LISTENING

Note the three possible results: LISTENING means the DC answered, NOT LISTENING means the DC sent a reset (the port is reachable but nothing is bound to it), and LISTENING OR FILTERED means nothing came back at all, which for TCP almost always means a firewall dropped the packet. UDP ports that do not answer PORTQRY's probe also report LISTENING OR FILTERED, so treat that result on UDP with less certainty.

In order to speed up the process of testing you can use a batch file with a FOR loop in it to read server names from a text file and perform several port tests against each server. The sample script shown below performs some basic testing, but you might need to perform more detailed analysis if you are still having problems.
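The following PowerShell script is an added example, not the batch file from the original article. It does what the FOR-loop batch file is described as doing, reading DC names from a text file and running PORTQRY against each port in the table, and then goes one step further than the table: it queries the endpoint mapper on TCP 135, pulls out the dynamic port registered for the directory replication (DRS) interface, and tests that port directly. It also adds Kerberos, DNS and SMB to the port matrix, since those are needed for DC-to-DC traffic even though the article's table omits them. Assumptions: PortQry v2 (portqry.exe) is on the PATH or passed via -PortQry, the list file (dcs.txt is a hypothetical name) holds one host name per line, and the endpoint-mapper parsing follows PORTQRY's "UUID: <guid> <name>" / "ncacn_ip_tcp:<host>[<port>]" dump layout; verify that against your own output if the DRS lookup comes back empty.

```powershell
# Added example, not the original article's batch file.
# Sweeps the AD port list against every DC named in a text file with portqry.exe,
# then follows the RPC endpoint mapper to the dynamic port the directory replication
# service (DRS) is bound to and tests that port too.
# Assumptions: portqry.exe (PortQry v2) is on PATH or given via -PortQry; the list
# file holds one host name per line; blank lines and lines starting with # are ignored.
param(
    [string]$ServerList = '.\dcs.txt',            # hypothetical file name
    [string]$PortQry    = 'portqry.exe',
    [string]$ReportCsv  = '.\dc-port-report.csv'  # hypothetical file name
)

# Article's port table plus Kerberos, DNS and SMB, which DC-to-DC traffic also needs.
$Checks = @(
    @{ Service = 'RPC endpoint mapper'; Proto = 'TCP'; Port = 135  },
    @{ Service = 'LDAP';                Proto = 'TCP'; Port = 389  },
    @{ Service = 'LDAP';                Proto = 'UDP'; Port = 389  },
    @{ Service = 'LDAP SSL';            Proto = 'TCP'; Port = 636  },
    @{ Service = 'Global Catalog';      Proto = 'TCP'; Port = 3268 },
    @{ Service = 'Global Catalog SSL';  Proto = 'TCP'; Port = 3269 },
    @{ Service = 'Kerberos';            Proto = 'TCP'; Port = 88   },
    @{ Service = 'Kerberos';            Proto = 'UDP'; Port = 88   },
    @{ Service = 'DNS';                 Proto = 'TCP'; Port = 53   },
    @{ Service = 'DNS';                 Proto = 'UDP'; Port = 53   },
    @{ Service = 'SMB';                 Proto = 'TCP'; Port = 445  },
    @{ Service = 'IPsec ISAKMP';        Proto = 'UDP'; Port = 500  },
    @{ Service = 'NAT-T';               Proto = 'UDP'; Port = 4500 }
)

# portqry -q prints nothing and reports through its exit code:
# 0 = LISTENING, 1 = NOT LISTENING, 2 = LISTENING OR FILTERED (UDP probes that get
# no answer and TCP SYNs silently dropped by a firewall both land on 2).
function Test-DcPort {
    param([string]$Server, [string]$Proto, [int]$Port)
    & $PortQry -n $Server -e $Port -p $Proto -q | Out-Null
    switch ($LASTEXITCODE) {
        0       { 'LISTENING' }
        1       { 'NOT LISTENING' }
        2       { 'LISTENING OR FILTERED' }
        default { "PORTQRY ERROR $LASTEXITCODE" }
    }
}

# Query the endpoint mapper (TCP 135) and pull the ncacn_ip_tcp port registered for the
# DRS interface, UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2 ("MS NT Directory DRS Interface").
# Assumes portqry's dump layout: a "UUID: <guid> <name>" line followed by one or more
# "<protseq>:<host>[<port>]" lines for that interface.
function Get-DrsDynamicPort {
    param([string]$Server)
    $dump  = & $PortQry -n $Server -e 135 -p TCP 2>&1
    $inDrs = $false
    foreach ($line in $dump) {
        if ($line -match 'e3514235-4b06-11d1-ab04-00c04fc2dcd2') { $inDrs = $true; continue }
        if ($inDrs -and $line -match 'ncacn_ip_tcp:\S+\[(\d+)\]') { return [int]$Matches[1] }
        if ($inDrs -and $line -match '^UUID:') { $inDrs = $false }   # next interface, DRS had no TCP endpoint
    }
    return $null
}

$servers = Get-Content $ServerList | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }

$results = foreach ($dc in $servers) {
    foreach ($c in $Checks) {
        [pscustomobject]@{
            Server = $dc; Service = $c.Service; Proto = $c.Proto; Port = $c.Port
            Status = Test-DcPort -Server $dc -Proto $c.Proto -Port $c.Port
        }
    }
    # The static list does not prove replication can connect: follow the mapper to the
    # dynamic RPC port and test it directly.
    $drsPort = Get-DrsDynamicPort -Server $dc
    if ($drsPort) {
        [pscustomobject]@{
            Server = $dc; Service = 'DRS (dynamic RPC)'; Proto = 'TCP'; Port = $drsPort
            Status = Test-DcPort -Server $dc -Proto 'TCP' -Port $drsPort
        }
    } else {
        [pscustomobject]@{
            Server = $dc; Service = 'DRS (dynamic RPC)'; Proto = 'TCP'; Port = $null
            Status = 'ENDPOINT MAPPER UNREACHABLE OR DRS NOT REGISTERED'
        }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path $ReportCsv
$results | Where-Object { $_.Status -ne 'LISTENING' } | ForEach-Object {
    Write-Warning "$($_.Server) $($_.Proto)/$($_.Port) ($($_.Service)): $($_.Status)"
}
```

Run it from a DC (or any host in the same network position as a DC) so that the result reflects the path replication actually takes, for example `.\Test-DcPorts.ps1 -ServerList .\dcs.txt`. Anything other than LISTENING on a TCP row is a firewall or routing problem to chase; a DRS row reporting ENDPOINT MAPPER UNREACHABLE means the 135 query itself failed, and a DRS port that comes back NOT LISTENING or LISTENING OR FILTERED is the classic symptom of a firewall that opened 135 but not the dynamic range. On UDP rows, LISTENING OR FILTERED is inconclusive rather than a failure, because PORTQRY cannot distinguish a dropped packet from a service that simply did not answer its probe.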