MSA installation on the client failing

    Question

  • Hello Colleagues,

    We have created an MSA account in our AD and are trying to install it on one of the clients.

    The client and domain controller are in different subnets and there is a firewall.

    We are getting the below error while installing and testing the account:


    Test-ADServiceAccount : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not
    have the Active Directory Web Services running.
    At line:1 char:1
    + Test-ADServiceAccount MSATest102 -Verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ResourceUnavailable: (:) [Test-ADServiceAccount], ADServerDownException
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.TestADServiceAccount

    Are there any ports that need to be open for the MSA communication?

    Thanks

    krishna

     


    Monday, April 17, 2017 10:16 AM

All replies

  • Hi

    Check the necessary ports in these articles, then check the firewall for accessibility:

    UDP Port 88 for Kerberos authentication
    UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
    TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
    UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
    TCP and UDP Port 445 for File Replication Service
    TCP and UDP Port 464 for Kerberos Password Change
    TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
    TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

    https://technet.microsoft.com/tr-tr/library/dd772723%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/WhatAllPortsAreRrequiredByDomainControllersAndClientComputers.html

    You can also check accessibility with MS Network Monitor or third-party tools like Wireshark, etc.:

    https://www.microsoft.com/en-us/download/details.aspx?id=4865


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur


    Monday, April 17, 2017 2:06 PM
  • Windows 7 and Windows Server 2008 and above default to TCP port 88 for Kerberos authentication, vice UDP 88.

    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, April 18, 2017 1:17 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Sunday, April 23, 2017 3:14 AM
    Moderator
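
The firewall check suggested in the replies above, as an added example that is not part of the original thread: a PowerShell script, run from the client, that tries a TCP connection to each port number listed in the replies plus TCP 9389, the default Active Directory Web Services port that the error message refers to and that the thread's list does not include. The domain controller name is a placeholder.

```powershell
# Added example, not from the thread. Run it on the client that fails Test-ADServiceAccount.
param(
    # Placeholder name (assumption); pass your domain controller's FQDN.
    [string]$DomainController = 'dc01.example.test',
    [int]$TimeoutMs = 3000
)

# Port numbers come from the replies above and are probed over TCP. 9389 is added here:
# it is the default Active Directory Web Services port used by the ActiveDirectory
# module cmdlets, and it is not in the thread's list.
$tcpPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 139;  Service = 'NetBIOS session' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' },
    @{ Port = 9389; Service = 'AD Web Services' }
)
# UDP ports from the replies are not probed: a TCP connect says nothing about them,
# so confirm those in the firewall rules or with a packet capture.

$results = foreach ($entry in $tcpPorts) {
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        $pending = $client.BeginConnect($DomainController, $entry.Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($pending)   # throws if refused or the name does not resolve
            $open = $true
        }
    } catch {
        $open = $false
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ Port = $entry.Port; Service = $entry.Service; Reachable = $open }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    $list = ($blocked | ForEach-Object { $_.Port }) -join ', '
    Write-Warning "Not reachable over TCP from this client: $list"
}
```

A port reported as not reachable is either filtered on the path or not listening on the domain controller; a packet capture on both sides of the firewall tells the two apart.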