Obscurum per Obscurius : Active Directory

Testing Domain Controller Connectivity Using PORTQRY

MuadDib — Mon, 30 Mar 2009 03:23:00 GMT

One common problem I see with Active Directory implementations is an Active Directory topology that is not fully routable. In a fully routable environment every domain controller (DC) can communicate with every other DC. While most customers "think" they have a fully routable environment in reality they do not. In some cases there are multiple firewalls between the DCs that are blocking ports or DCs connected across VPN links that do not have the proper ports open. For more information on how Active Directory replication works read the articles in the RESOURCES section below.

Here are the ports required by Active Directory as described in the "Service Overview" link below. The basic ports are TCP:

88 (Kerberos)
135 (RPC)
389 (LDAP)
445 (CIFS)
3268 (Global Catalog)

There are additional ports and protocols but these are enough to get started testint the basics.

The PORTQRY utility can be found in the Windows Server 2003 Support Tools and the newest version can be found in the links that follow. PORTQRY can be used to test connectivity on a port or range of ports from one server to another. For example to test TCP port 389 from the current computer to a server named VDC02 you would type the following command:

PORTQRY - n VDC02 -e 389 -p TCP

The query will return a great deal of information when you query 389 but you should see a line similar to the following if port 389 is reachable and able to respond:

TCP port 389 (ldap service): LISTENING

In order to speed up the process of testing you can use a batch file with a FOR loop in it to read server names from a text file and perform several ports test against a server. The sample script shown below will perform some basic testing but you might need to perform more detailed analysis if you are having problems (note somelines may be wrapped due to blog formatting).

:::::::::::::::::::::::::::: BEGIN SCRIPT :::::::::::::::::::::::::

@ECHO OFF
:: NAME: DCPortTest.CMD v1.0
:: DATE: 03/29/2009
:: PURPOSE: Test connectivity from one DC to one or more remote DCs
:: using PORTQRY utility.
:: The SERVERS.TXT contains a list of servers (one server per line)
:: to check connectivity to.

ECHO     DATE: %DATE% > DC_PORTQRY.TXT
ECHO     TIME: %TIME% >> DC_PORTQRY.TXT
ECHO     USER: %USERNAME% >> DC_PORTQRY.TXT
ECHO COMPUTER: %COMPUTERNAME% >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
FOR /F "tokens=1" %%i in (servers.txt) DO (
ECHO :::::::::::::::::::::: %%i :::::::::::::::::::::::::: >> DC_PORTQRY.TXT
ECHO Testing %%i
ECHO. >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 88 -p TCP | findstr /i "88" >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 445 -p TCP | findstr /i "445" >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 389 -p TCP | findstr /i "389" >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 3268 -p TCP | findstr /i "3268" >> DC_PORTQRY.TXT
PORTQRY -n %%i -e 135 -p TCP | findstr /i "135" >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
)

:::::::::::::::::::::::: END SCRIPT :::::::::::::::::::::::::

RESOURCES

How Active Directory Replication Topology Works
http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/kb/832017

New features and functionality in PortQry version 2.0
http://support.microsoft.com/kb/832919

Download PortQry Command Line Port Scanner Version 2.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en

Active Directory LDAP Searches

MuadDib — Wed, 25 Oct 2006 01:10:00 GMT

A nice feature in Windows Server 2003 Active Directory is the ability for an administrator to create saved queries in their admin console. The queries you can create through the GUI are pretty basic so to get the real benefit you need to create a "Custom Search", click the Advanced tab and enter an LDAP query. The only problem is... you have to enter an LDAP query.

For a lot of administrators, you come up against the LDAP query box, start to research how to write an LDAP query, get interrupted and never finish learning how to create an LDAP query. I know in my case I am not doing AD administration everyday so when the task of creating an LDAP query for a customer arises it has usually been so long since the last time I wrote one that I have forgotten how. So I was creating some queries for a customer today and decided I would post them here for future use. The LDAP code listed below can be cut and pasted into the the query editor in AD and saved.

First LDAP reference material:

LDAP Query Basics
http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/ldapquery.mspx

XADM: Browsing and Querying Using the LDP
http://support.microsoft.com/?id=255602

Search Filter Syntax
http://msdn2.microsoft.com/en-us/library/aa746475.aspx

Creating More Efficient Microsoft Active Directory-Enabled Applications (create efficient LDAP queries)
http://msdn.microsoft.com/en-us/library/ms808539.aspx

How to use the UserAccountControl flags to manipulate user account properties
http://support.microsoft.com/kb/305144

How to query Active Directory by using a bitwise filter
http://support.microsoft.com/kb/269181

Now on to the queries.

All XP Computers
Although this can be done easy enough with the GUI, I wanted to show the syntax so it can be used as a building block for more complex theories. One thing to notice is the query parameter "objectCategory=computer". By including this as part of our query we reduce the number of objects that have to be searched making for a faster query and less performance impact on the DC performing the query.
(&(objectCategory=computer)(operatingSystem=Windows XP*))

Windows XP Computers with Service Pack 2 Installed
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))

Windows XP Computers with Service Pack 1 Installed
(&(operatingSystem=Windows XP*l)(operatingSystemServicePack=Service Pack 1)))

Windows XP Computers with No Service Pack Installed
This one is structured a Little different. Notice the "!" before operating SystemServicePack and the "*". The "!" means NOT so the statement reads "NOT equal to anything" instead of NULL or empty quotes ("") like some other languages.
(&(operatingSystem=Windows XP Professional)(!operatingSystemServicePack=*)))

Windows Server 2003 No Service Pack 1
(&((objectCategory=computer))(operatingSystem=Windows Server 2003)(!operatingSystemServicePack=*)))

Windows Server 2003 Service Pack 1 Installed
(&(objectCategory=computer)(operatingSystem=Windows Server 2003)(operatingSystemServicePack=Service Pack 1))

Windows 2000 Professional
(&(objectCategory=computer)(operatingSystem=Windows 2000 Professional))

Windows 2000 Server
(&(objectCategory=computer)(operatingSystem=Windows 2000 Server))

All Windows Server 2003 Servers
(&((objectCategory=computer))(operatingSystem=Windows Server 2003))

SQL Servers (running on Windows 2003) (please verify in your environment)
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server 2003))

SQL Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))

Windows Vista SP1
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Windows Server 2008 Enterprise
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))

Windows Server 2008 (all versions)
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))

Sample User Attribute Query (ExtensionAtrribute5)
(&(objectCategory=user)(&(extensionAttribute5>=20080101)(extensionAttribute5<=20080520)))

USER ACCOUNT CONTROL EXAMPLES

UAC - Smart Card Login Enforced on The User Object
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=262144) )

UAC - PWD Never Expires
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))

UAC - CAC Enabled Accounts (no disabled accounts or password never expires)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=262144)(userPrincipalName=1*@mil))

UAC - Not CAC Enabled (no disabled accounts or password never expires)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userPrincipalName=1*@mil))

So you get the idea of the basic syntax When you create your own queries make sure you use the the actual attribute name and not the label visible in the Active Directory Users and Computers interface. You can find the attribute names by using ADSIEDIT.MSC. Right click an object and select properties from the context menu. Scroll through the list of attributes till you find the one you are looking for. You should also copy the actual value from within ADSIEDIT.MSC and paste it into you query string to prevent typing errors (in case you type as bad as I do). Make sure when you enter the search string into the query editor there are no carriage returns or extra characters after the last parenthesis.

Read the article "Creating More Efficient Microsoft Active Directory-Enabled Applications" referenced above to make sure you are writing efficient queries that won't bring your LDAP server to its knees.

One other useful tip. Once you have created some saved queries, you can export them as XML files and share them with others. They can be imported into another management console in the same domain or a different domain.

One final tip. You can copy and paste the code from the samples above. Paste it into a text editor like Notepad first to remove all the formatting imposed by the HTML page.

Active Directory Troubleshooting Resources

MuadDib — Sun, 01 Oct 2006 19:50:00 GMT

Articles

Troubleshooting Active Directory—Related DNS Problems
http://blogs.msdn.com/controlpanel/blogs/posteditor.aspx?SelectedNavItem=NewPost&sectionid=7213&bpt=1

Troubleshooting Active Directory Replication Problems
http://technet2.microsoft.com/WindowsServer/en/library/4f504103-1a16-41e1-853a-c68b77bf3f7e1033.mspx

Additional Resources for Troubleshooting Active Directory
http://technet2.microsoft.com/WindowsServer/en/library/019a8a46-05eb-4969-b0e7-df48355184c11033.mspx

Repadmin Examples
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/a103036b-5d82-4d99-8e61-23d434a8e6eb.mspx

How to configure Active Directory diagnostic event logging in Windows Server
http://support.microsoft.com/kb/314980/en-us

332199 - Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

216498 - How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

Troubleshooting "RPC Server is Unavailable" in Windows
http://support.microsoft.com/kb/224370/EN-US/

839880 How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003
http://support.microsoft.com/?id=839880

Improvements to Domain Controller Name Resolution in SP1
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/43e6f617-fb49-4bb4-8561-53310219f997.mspx

Useful shelf life of a system-state backup of Active Directory
http://support.microsoft.com/?id=216993

Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
http://technet2.microsoft.com/WindowsServer/en/Library/4a1f420d-25d6-417c-9d8b-6e22f472ef3c1033.mspx

Event ID 2042: It has been too long since this machine replicated
http://technet2.microsoft.com/WindowsServer/en/Library/34c15446-b47f-4d51-8e4a-c14527060f901033.mspx

Best Practices for Adding Domain Controllers in Remote Sites
http://technet2.microsoft.com/WindowsServer/en/Library/6405bc5f-b8bf-449e-b11a-f116d22f858a1033.mspx

279156 - The Effects of Setting the File System Policy on a Disk Drive or Folder Replicated by the File Replication Service
http://support.microsoft.com/default.aspx?scid=kb;en-us;279156

Recommendations for managing Group Policy administrative template (.adm) files
http://support.microsoft.com/default.aspx?scid=kb;EN-US;816662

Configuration and operational recommendations for the File Replication service in Windows Server 2003 and Windows 2000 Server - http://support.microsoft.com/Default.aspx?kbid=840675

185786 - Recommended Practices for WINS
http://support.microsoft.com/default.aspx?scid=kb;en-us;185786

How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042

Tools

Repadmin Examples
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/a103036b-5d82-4d99-8e61-23d434a8e6eb.mspx

Active Directory Management Tools
http://technet2.microsoft.com/WindowsServer/en/library/4b9fbbc8-2b3d-4758-85c7-b08caf6583eb1033.mspx

Description of the DNSLint utility
http://support.microsoft.com/?kbid=321045

USing NSlookup.exe
http://support.microsoft.com/?kbid=200525

NBLookup.exe command-line tool
http://support.microsoft.com/default.aspx?scid=kb;en-us;830578

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Documentation

Active Directory Daily Operations Guide
http://www.microsoft.com/resources/documentation/msa/edc/all/solution/en-us/pak/sog/edcops08.mspx