Testing Domain Controller Connectivity Using PORTQRY
One common problem I see with Active Directory implementations is an Active Directory topology that is not fully routable. In a fully routable environment every domain controller (DC) can communicate with every other DC. While most customers "think" they have a fully routable environment, in reality they do not. In some cases there are multiple firewalls between the DCs that are blocking ports, or DCs connected across VPN links that do not have the proper ports open. For more information on how Active Directory replication works, read the articles in the RESOURCES section below.
Here are the ports required by Active Directory as described in the "Service Overview" link below. The basic ports are TCP:
88 (Kerberos)
135 (RPC)
389 (LDAP)
445 (CIFS)
3268 (Global Catalog)
There are additional ports and protocols, but these are enough to get started testing the basics.
The PORTQRY utility can be found in the Windows Server 2003 Support Tools, and the newest version can be found in the links that follow. PORTQRY can be used to test connectivity on a port or range of ports from one server to another. For example, to test TCP port 389 from the current computer to a server named VDC02 you would type the following command:
PORTQRY -n VDC02 -e 389 -p TCP
The query will return a great deal of information when you query port 389, but you should see a line similar to the following if port 389 is reachable and able to respond:
TCP port 389 (ldap service): LISTENING
In order to speed up the process of testing, you can use a batch file with a FOR loop in it to read server names from a text file and perform several port tests against each server. The sample script shown below will perform some basic testing, but you might need to perform more detailed analysis if you are having problems (note: some lines may be wrapped due to blog formatting).
:::::::::::::::::::::::::::: BEGIN SCRIPT :::::::::::::::::::::::::
@ECHO OFF
:: NAME: DCPortTest.CMD v1.0
:: DATE: 03/29/2009
:: PURPOSE: Test connectivity from one DC to one or more remote DCs
:: using PORTQRY utility.
:: The SERVERS.TXT contains a list of servers (one server per line)
:: to check connectivity to.
:: Results are appended to DC_PORTQRY.TXT in the current directory.
ECHO DATE: %DATE% > DC_PORTQRY.TXT
ECHO TIME: %TIME% >> DC_PORTQRY.TXT
ECHO USER: %USERNAME% >> DC_PORTQRY.TXT
ECHO COMPUTER: %COMPUTERNAME% >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
:: For each server, query the basic AD ports over TCP. The findstr filter keeps
:: only the summary line for each port (LISTENING / NOT LISTENING / FILTERED)
:: so the report stays short.
FOR /F "tokens=1" %%i in (servers.txt) DO (
ECHO :::::::::::::::::::::: %%i :::::::::::::::::::::::::: >> DC_PORTQRY.TXT
ECHO Testing %%i
ECHO. >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 88 -p TCP | findstr /i "88" >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 445 -p TCP | findstr /i "445" >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 389 -p TCP | findstr /i "389" >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 3268 -p TCP | findstr /i "3268" >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 135 -p TCP | findstr /i "135" >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
)
:::::::::::::::::::::::: END SCRIPT :::::::::::::::::::::::::
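The following is an added example, not part of the original post and not Microsoft's code: a PowerShell equivalent of the PORTQRY command and the DCPortTest.CMD loop above. It reads the same servers.txt (one host per line, an assumption carried over from the batch script), tests the same five TCP ports with a raw TCP connect instead of PORTQRY, and distinguishes the three outcomes that matter when diagnosing a non-routable topology: LISTENING (the service answered), NOT LISTENING (the host answered with a reset, so the path is open but nothing is bound to the port) and FILTERED (no answer within the timeout, which is what a firewall or VPN that silently drops the port looks like). The parameter names, the CSV file name and the timeout value are my own choices.

```powershell
# Added example: PowerShell replacement for DCPortTest.CMD (not from the original post).
# Assumptions: servers.txt in the current directory, one server per line;
# the account running this can open outbound TCP connections to the targets.
param(
    [string]$ServerList = ".\servers.txt",
    [int[]] $Ports      = @(88, 135, 389, 445, 3268),   # the post's basic AD port set
    [int]   $TimeoutMs  = 3000,
    [string]$Report     = ".\DC_PortTest.csv"
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN/ACK nor RST arrived: the packet is most likely being dropped.
            return 'FILTERED'
        }
        $client.EndConnect($async)       # throws if the peer refused the connection
        return 'LISTENING'
    } catch {
        $inner = $_.Exception
        if ($inner -is [System.Management.Automation.MethodInvocationException]) {
            $inner = $inner.InnerException
        }
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # RST received: the host is reachable but no service is bound to the port.
            return 'NOT LISTENING'
        }
        # Anything else (name resolution failure, unreachable network, ...) is reported verbatim.
        return "ERROR: $($inner.Message)"
    } finally {
        $client.Close()
    }
}

$servers = Get-Content $ServerList | Where-Object { $_.Trim() -ne '' }
$results = foreach ($server in $servers) {
    $name = $server.Trim()
    Write-Host "Testing $name"
    foreach ($port in $Ports) {
        [pscustomobject]@{
            Tested = (Get-Date).ToString('s')
            From   = $env:COMPUTERNAME
            Server = $name
            Port   = $port
            Status = Test-TcpPort -ComputerName $name -Port $port -TimeoutMs $TimeoutMs
        }
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job flag a broken path.
$failed = @($results | Where-Object { $_.Status -ne 'LISTENING' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) port check(s) did not return LISTENING; see $Report"
    exit 1
}
```

Run it from the DC whose view of the topology you want to verify; because it tests from the local computer, the same script has to be run from each DC (or each site) to confirm that every DC can reach every other DC, which is the point of the "fully routable" check above. Like the batch script and the PORTQRY command it mirrors, this only covers TCP; the UDP services listed in the "Service overview" article are outside its scope.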
RESOURCES
How Active Directory Replication Topology Works
https://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx
Service overview and network port requirements for the Windows Server system
https://support.microsoft.com/kb/832017
New features and functionality in PortQry version 2.0
https://support.microsoft.com/kb/832919
Download PortQry Command Line Port Scanner Version 2.0
https://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en
Comments
Anonymous
March 29, 2009
PingBack from http://www.anith.com/?p=24184
Anonymous
January 01, 2016
Excellent article. Already I have mentioned the Open Ports Scanner where on different types of machines using only a modem.
Anonymous
February 24, 2017
If you copy and paste the script, you need to replace all the quotes with standard quotes because this document uses the slanted double quotes which will not work in batch files.