UDP 389 LDAP did not respond ???

    Question

  • Hi All,

    I've three Windows 2008 domain controllers. Using portqry to test LDAP connectivity, it responds on TCP but not UDP. The test was run on the domain controller itself, with no firewall. I restarted ADDS and retested UDP 389 with the same error.

    Test returns the results are as follows:

     Starting portqry.exe -n computerIP -e 389 -p UDP ...

    Querying target system called:

    computerIP

    Attempting to resolve IP address to a name...

    IP address resolved to computerIP

    querying...

    UDP port 389 (unknown service): LISTENING or FILTERED

    Using ephemeral source port

    Sending LDAP query to UDP port 389...

    LDAP query to port 389 failed

    Server did not respond to LDAP query

    portqry.exe -n computerIP -e 389 -p UDP exits with return code 0x00000001.


    isoft

    Wednesday, January 16, 2013 2:32 AM

All replies

  • 389/UDP is used for LDAP ping (Used by the DCLocator).

    For more information:
    http://msdn.microsoft.com/en-us/library/cc223799.aspx

    Also see this thread:
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a6d07279-6852-4dfb-afc7-f06f5b1034c2/

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, January 16, 2013 3:06 AM
  • Can you give detailed steps? I didn't quite understand, thanks.

    The problem is this: I have two forests in total, DomainA and DomainB, and DomainA and DomainB have a forest trust. I use SCOM to monitor DomainA; its computers can have the Agent installed and be monitored. DomainB computers can have the Agent installed, but there are error event IDs 20070 and 21016, and the SCOM Server finds EventID 20002 errors. I googled and found http://blogs.technet.com/b/operationsmgr/archive/2009/02/17/opsmgr-2007-port-requirements-for-scom-agents-in-a-dmz.aspx: "we also need to have port 88 and port 389 opened between the Agent and the RMS if they're separated by a firewall". How do I open the 389 UDP port?


    isoft

    Wednesday, January 16, 2013 3:53 AM
  • I can't find that the documentation you're referring to explicitly states that you need to open 389 UDP (as far as I know it's, as stated earlier, only used by LDAP ping). For the requirement of SCOM you should be fine with 389 TCP. I suggest that you may ask this question in the System Center Operations Manager forum as well: http://social.technet.microsoft.com/Forums/en-US/category/systemcenteroperationsmanager

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, January 16, 2013 3:58 AM
  • Thanks. Why does the UDP 389 port test fail on this DC? I tested another domain's DC and UDP 389 is OK.

    isoft

    Wednesday, January 16, 2013 12:07 PM
  • It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable the same if defined.

    Check Windows Firewall rules too. Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency. Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, January 16, 2013 12:27 PM
  • I uninstalled Symantec from the AD server, but 389 UDP is still not fine.

    Using the portqry tool to test the 389 UDP port, the result is: LDAP query to port 389 failed.

    Is there another way to repair it?


    isoft

    Friday, January 18, 2013 2:51 AM
  • Thanks. Why does the UDP 389 port test fail on this DC? I tested another domain's DC and UDP 389 is OK.

    isoft

    UDP 389 is not actively listening, rather as Christoffer said, that's an ldap ping by a client. We usually ignore that part in the Domains and Trust PortQry test.

    Maybe the info below may help and possibly the doc that Christoffer was looking for?

    "At times you may see errors such as The RPC server is unavailable or There are no more endpoints available from the endpoint mapper ..."
    Also, if you get return codes 0x0000002 or 0x0000001, it may simply mean that PortQRY is checking the UDP port and not TCP, which that service may be listening on. Quoted from the blog in the following link...
    "[...] If you get a LISTENING or FILTERED response, check and see whether we are checking TCP or UDP, most likely it was attempting to use UDP and this would be a normal response as UDP is connectionless. An example of this would be if you query port 88 for Kerberos against a DC and use the following syntax:
    Portqry –n server1 –e 88 –p both [...]"
    Using PortQry for Troubleshooting, by the DS Team [MSFT]
    http://blogs.technet.com/b/askds/archive/2009/01/22/using-portqry-for-troubleshooting.aspx



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, January 18, 2013 4:21 AM
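
The "LDAP ping" that Christoffer and Ace describe is a CLDAP search sent as a single UDP datagram to port 389; portqry's "Sending LDAP query to UDP port 389..." step does the same kind of probe. The script below is an added example (not from the thread and not Microsoft's tool): it builds the NetLogon search request from MS-ADTS 6.3.3 with a minimal BER encoder, sends it, and decodes the Opcode/Flags of the NETLOGON_SAM_LOGON_RESPONSE_EX that a matching DC returns. The NtVer value 0x00000006, the DS_*_FLAG names and the function names are assumptions of this example. Because it speaks the same protocol portqry expects, the three outcomes map onto the thread's symptoms: a SearchResultEntry means NetLogon answered; SearchResultDone with no entry means the DC is up but the DnsDomain in the filter did not match; a timeout means the datagram never reached NetLogon (host firewall, AV network filtering, RRAS, or a multi-homed DC answering from another interface, as the later replies suggest).

```python
"""CLDAP "LDAP ping" probe for UDP 389 (added example, not code from the thread)."""
import socket
import struct
import sys

# ---- minimal BER (ASN.1) encode/decode, enough for one LDAP SearchRequest ----
def ber_len(n):
    """Encode a definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """Minimal big-endian two's-complement INTEGER for a non-negative value."""
    return ber(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_decode(buf, pos=0):
    """Decode one TLV at pos -> (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_decode(value, pos)
        out.append((tag, val))
    return out

# ---- the LDAP ping itself (MS-ADTS 6.3.3) ----
def build_cldap_request(dns_domain, msg_id=1, ntver=0x00000006):
    """LDAPMessage { msg_id, SearchRequest base="", scope=base,
    filter=(&(DnsDomain=<domain>)(NtVer=<DWORD LE>)), attributes=[Netlogon] }.
    ntver 6 = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX (assumed typical value)."""
    def eq(attr, val):                                     # [3] equalityMatch
        return ber(0xA3, ber(0x04, attr) + ber(0x04, val))
    flt = ber(0xA0, eq(b"DnsDomain", dns_domain.encode())  # [0] and
                  + eq(b"NtVer", struct.pack("<I", ntver)))
    search = ber(0x63,                                     # [APPLICATION 3] SearchRequest
                 ber(0x04, b"")                            # baseObject: rootDSE
                 + ber(0x0A, b"\x00")                      # scope: baseObject
                 + ber(0x0A, b"\x00")                      # derefAliases: neverDerefAliases
                 + ber_int(0) + ber_int(0)                 # sizeLimit, timeLimit
                 + ber(0x01, b"\x00")                      # typesOnly: FALSE
                 + flt
                 + ber(0x30, ber(0x04, b"Netlogon")))      # attributes
    return ber(0x30, ber_int(msg_id) + search)

def parse_cldap_response(data):
    """Return (msg_id, {attr: [values]}) for a SearchResultEntry, or (msg_id, None)
    when the first message is SearchResultDone (DC is up, filter did not match).
    CLDAP may pack several LDAPMessages in one datagram; only the first is read."""
    tag, body, _ = ber_decode(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (_, mid), (op_tag, op_body) = ber_children(body)[:2]
    msg_id = int.from_bytes(mid, "big")
    if op_tag != 0x64:                                     # [APPLICATION 4] SearchResultEntry
        return msg_id, None
    (_, _dn), (_, attr_seq) = ber_children(op_body)
    attrs = {}
    for _, partial in ber_children(attr_seq):
        (_, name), (_, vals) = ber_children(partial)
        attrs[name.decode()] = [v for _, v in ber_children(vals)]
    return msg_id, attrs

# DS_*_FLAG bits of the Flags DWORD (MS-ADTS 6.3.1.2), assumed from the spec
DS_FLAGS = [(0x1, "PDC"), (0x4, "GC"), (0x8, "LDAP"), (0x10, "DS"),
            (0x20, "KDC"), (0x40, "TIMESERV"), (0x80, "CLOSEST"), (0x100, "WRITABLE")]

def decode_netlogon(blob):
    """Opcode and Flags of a NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 23);
    the DNS-compressed names that follow are not decoded here."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    roles = [name for bit, name in DS_FLAGS if flags & bit] if opcode == 23 else []
    return {"opcode": opcode, "flags": flags, "roles": roles}

def ldap_ping(host, dns_domain, timeout=2.0):
    """Send the ping to UDP 389 and return the parsed answer, or None on timeout."""
    req = build_cldap_request(dns_domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    msg_id, attrs = parse_cldap_response(data)
    if not attrs or "Netlogon" not in attrs:
        return {"msg_id": msg_id, "matched": False}
    return {"msg_id": msg_id, "matched": True, **decode_netlogon(attrs["Netlogon"][0])}

if __name__ == "__main__":
    # usage: python ldap_ping.py <dc-ip> <dns-domain-name>
    print(ldap_ping(sys.argv[1], sys.argv[2]))
```

Run it from the DC itself first (as the poster did), then from a member in the other forest: a reply on the DC but a timeout from the remote subnet points at the path in between, while a timeout even locally points at the host (filtering driver, firewall service, or NetLogon not bound to that address).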
  • TCPView is another great tool to monitor the active UDP ports; usually portqry should provide you the info.

    I would get on to the network sniffer and filter for UDP traffic. If the port isn't open, there couldn't be any socket communication occurring, so you can trust these tools.

    Based on the analysis you will get an indication of the problem.

    Friday, January 18, 2013 12:49 PM
  • I have learned one thing about UDP 389: that port needs to be open to the DCs within the default site when a server first attempts to join the domain. If non-members can't contact any of the DCs in this site, the member server will never be able to join the domain. After that I don't think this port is used.

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, January 18, 2013 1:01 PM
    Moderator
  • Thanks all

    I can find that UDP 389 is working using "netstat -a -p udp", but the LDAP query to port 389 failed. I have three DCs; two tests fail, one test is fine. All tests are run locally on the DC, with Windows Firewall closed on the DC.

    I created a new DC in a demo environment; using portqry to test LDAP 389 UDP is fine there.

    The UDP 389 port for the trusted domain's SCOM Agent is a must. I tested.

    So I want to know why this problem happened (UDP 389 responds failed), and how to repair it?


    isoft

    Saturday, January 19, 2013 1:53 AM
  • Have a look at the link; it may help you. As you stated, "netstat -a -p udp" is working.

    What Port is that Service using?


    HTH

    Biswajit

    My Blogs | MCC | TNWiki Ninja


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Saturday, January 19, 2013 3:18 AM
    • Is RRAS installed?
    • Are there other applications or services installed on the DC?
    • Does the DC have more than one NIC or IP?
    • If teamed, have you tried dissolving the team?
    • Is IPv6 enabled? I know this may not make sense, but disabling IPv6 causes numerous issues since it's tied into the OS.



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Saturday, January 19, 2013 4:14 AM