Port 389/UDP

    Question

  • Hi,

    It seems that between two locations with domain controllers, port 389/UDP was filtered by an external firewall (TCP works fine).

    -------------------

    Portqry:

    UDP port 389 (unknown service): LISTENING or FILTERED

    Sending LDAP query to UDP port 389...

    LDAP query to port 389 failed
    Server did not respond to LDAP query

    -------------------

    I know that MS recommends opening port 389/UDP.

    But is this really relevant? What problems can occur with Port 389/UDP filtered?

    The AD seems to work fine.

    Thanks in advance, Boris

    Friday, July 1, 2011 8:28 AM

Answers

  • It's in my first post, in the link

    In the first phase, DCs publish data about themselves (in DNS, or in NBNS, or by local configuration of the responder to NetBIOS broadcasts, depending on which version of publication is being used). In the second phase, clients look up this static data to determine a set of possible DCs and then send small messages to some or all of the set, examining the responses in order to determine liveness, reachability, and suitability. Given their conceptual similarity to an Internet Control Message Protocol (ICMP) ping message, these small messages are referred to as "LDAP ping" and "mailslot ping".

    http://msdn.microsoft.com/en-us/library/cc223799(v=PROT.10).aspx

     


    Sukh
    • Proposed as answer by Sukh828 Friday, July 1, 2011 3:13 PM
    • Marked as answer by Boris Birneder Tuesday, August 2, 2011 3:28 PM
    Friday, July 1, 2011 12:07 PM

All replies

  • verify the aliveness of the domain controller and also check whether the domain controller matches a specific set of requirements. This operation is commonly referred to as LDAP ping.

    http://msdn.microsoft.com/en-us/library/cc223811(v=PROT.10).aspx


    Sukh
    Friday, July 1, 2011 9:00 AM
  • Port 389 is a must; without it you can't perform an LDAP query or an object search. LDAP is used for locating SRV records in DNS, GC, DC etc. LDAP is extensively used by AD for performing search operations, locating DNS records etc., so make sure this port is not filtered out, else your AD will not behave properly.

    Active Directory and Active Directory Domain Services Port Requirements

    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

     

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, July 1, 2011 9:44 AM
    Moderator
  • verify the aliveness of the domain controller and also check whether the domain controller matches a specific set of requirements. This operation is commonly referred to as LDAP ping.

    http://msdn.microsoft.com/en-us/library/cc223811(v=PROT.10).aspx


    Sukh


    LDAP queries (e.g. via ldp) work fine - but IMO these are using TCP.

    My question is about UDP, and portqry says UDP did not respond. All other internal DCs respond on port 389/UDP.

    Friday, July 1, 2011 9:52 AM
  • Your original question was "But is this really relevant? What problems can occur with Port 389/UDP filtered"

    You question now is "My question is about UDP and portqry says UDP did not respond. All other internal DC respond on Port 389/UDP"

    So there are a few questions, not just the one.  I believe my 1st response answers your first question posted in your 1st post. Agree?

    Now to the question in the 2nd post. There must be some sort of filtering in place which is preventing 389/UDP.  If all other DCs can respond on 389/UDP and this one DC can't, then there's something in the way, which is obvious.

    1. Speak with your network team if you have one, ask to set up a capture between the source and destination.  This will be the quickest way to identify the cause.

    2. Check for any firewall/ACL filtering in between,

     


    Sukh
    Friday, July 1, 2011 10:04 AM
  • Sorry for the confusion. I'll try to rephrase my question.

    I know that port 389/UDP is filtered by an external firewall. And I know that disabling the filter for port 389/UDP is the only solution.

    But everything seems to work fine with only port 389/TCP.

    It is more of a technical interest:

    For what service do I need port 389 with protocol UDP?

    It seems that all services are using port 389 with protocol TCP.


    Friday, July 1, 2011 12:01 PM
  • I have sent out an inquiry to some folks, if I get a response I'll post it.  For now I would leave it open.  I know it is needed but can't tell you the negative impact if not allowed.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, July 1, 2011 12:14 PM
    Moderator
  • Here is what I have found out so far from Marcin and Jorge:

    During the DC Locator process the client runs an LDAP ping.  The best way to find additional might be to run Wireshark and sniff for UDP/389.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, July 1, 2011 1:32 PM
    Moderator
  • @Paul, thanks for the info - Is there any documentation on this?

    There's not much here which suggests TCP is used? - http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx


    Sukh
    Friday, July 1, 2011 1:56 PM
  • Nothing I could find.  The info I received was from two MVP associates; if I hear anything from Microsoft I will update, but I would definitely keep UDP/389 open.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

     


    Friday, July 1, 2011 2:46 PM
    Moderator
  • hello,

    thanks for fast and detailed response

    best regards boris

    Friday, July 1, 2011 3:11 PM
  • This document indicates the LDAP ping uses UDP/389

    http://msdn.microsoft.com/en-us/library/ff718294(v=PROT.10).aspx

     


    Richard Mueller - MVP Directory Services
    Friday, July 1, 2011 3:17 PM
  • Hmm, that's what I posted and it never got looked at, I guess.

    Both TCP and UDP are used, from the document links I have posted; both do different discoveries and have different functions.

     

    The DC locator process is detailed more in the link that I posted.


    Sukh
    Friday, July 1, 2011 3:22 PM
  • LDAP over UDP, a.k.a. the LDAP ping, is used for/by DC Locator.

     

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    -------------------------------------------------------------------------------------------------------

    "Awinish" wrote in message news:fe50fd09-d789-4a08-b4b3-74e9e6348656...

    Port 389 is a must; without it you can't perform an LDAP query or an object search. LDAP is used for locating SRV records in DNS, GC, DC etc. LDAP is extensively used by AD for performing search operations, locating DNS records etc., so make sure this port is not filtered out, else your AD will not behave properly.

    Active Directory and Active Directory Domain Services Port Requirements

    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

     

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Saturday, July 9, 2011 5:27 PM
    Moderator
  • 1. Workstation does a non-site-specific DNS query for the list of LDAP servers.

    2. DNS responds back with the list of the DC SRV LDAP records.

    3. Workstation does a UDP 389 (CLDAP, Connectionless LDAP) attempt to the entire list of DC SRV LDAP records that was sent by DNS.

    

    • Edited by dodong123 Sunday, July 15, 2018 2:01 AM upload image
    Sunday, July 15, 2018 1:58 AM
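The step 3 "LDAP ping" discussed throughout this thread is a CLDAP SearchRequest against the rootDSE carrying a `(&(DnsDomain=...)(NtVer=...))` filter and asking for the `Netlogon` attribute. Below is an added example, not code from any poster or from Microsoft, that builds that datagram with hand-rolled BER encoding and sends it to UDP/389 so a UDP-specific filter can be diagnosed independently of TCP; the domain name, DC host and 2-second timeout are assumptions, and the NtVer flags are NETLOGON_NT_VERSION_1 | NETLOGON_NT_VERSION_5EX from MS-ADTS.

```python
import socket
import struct

# Minimal BER helpers (definite lengths), enough for an LDAP SearchRequest.
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def octet_string(value: bytes) -> bytes:
    return tlv(0x04, value)

def integer(value: int) -> bytes:
    size = max(1, (value.bit_length() + 8) // 8)        # signed two's complement
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def equality(attr: str, value: bytes) -> bytes:
    # Filter equalityMatch is context tag [3], constructed (0xA3): attr + value
    return tlv(0xA3, octet_string(attr.encode()) + octet_string(value))

def build_cldap_ping(dns_domain: str, message_id: int = 1) -> bytes:
    nt_ver = struct.pack("<I", 0x00000001 | 0x00000004)   # NtVer DWORD, little-endian
    and_filter = tlv(0xA0, equality("DnsDomain", dns_domain.encode()) + equality("NtVer", nt_ver))
    search_request = tlv(0x63,                  # [APPLICATION 3] SearchRequest
        octet_string(b"")                       # baseObject: rootDSE
        + tlv(0x0A, b"\x00")                    # scope: baseObject
        + tlv(0x0A, b"\x00")                    # derefAliases: never
        + integer(0) + integer(0)               # sizeLimit, timeLimit
        + tlv(0x01, b"\x00")                    # typesOnly: FALSE
        + and_filter
        + tlv(0x30, octet_string(b"Netlogon"))) # attributes: Netlogon
    return tlv(0x30, integer(message_id) + search_request)   # LDAPMessage

def ber_read_len(buf: bytes, i: int):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def is_search_result_entry(data: bytes) -> bool:
    """True if the datagram is an LDAPMessage whose protocolOp is SearchResultEntry (0x64)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    _, i = ber_read_len(data, 1)
    if i >= len(data) or data[i] != 0x02:        # messageID INTEGER
        return False
    length, i = ber_read_len(data, i + 1)
    i += length
    return i < len(data) and data[i] == 0x64

def cldap_ping(dc_host: str, dns_domain: str, timeout: float = 2.0) -> bool:
    """Send the LDAP ping over UDP/389; False mirrors portqry's 'Server did not respond'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cldap_ping(dns_domain), (dc_host, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return is_search_result_entry(data)
```

If this returns False while an LDAP bind over TCP/389 to the same DC succeeds, the thread's diagnosis applies: the filter is UDP-specific and DC Locator's ping is what it breaks.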