How to use Portqry to troubleshoot Active Directory connectivity issues
You can also use Portqry in the following ways:
- To troubleshoot Active Directory issues in which you have to verify basic TCP/IP connectivity. This can be especially useful in environments with firewalls.
- To verify connectivity to TCP/IP ports that are used by Active Directory for Lightweight Directory Access Protocol (LDAP), remote procedure call (RPC), and Domain Name Service (DNS).
OverviewPortqry reports the status of a port in one of three ways:
- Listening: A process is listening on the target port on the target system. Portqry received a response from the port.
- Not Listening: No process is listening on the target port on the target system. Portqry received an Internet Control Message Protocol (ICMP) "Destination Unreachable - Port Unreachable" message back from the target UDP port. Or, if the target port is a TCP port, Portqry received a TCP acknowledgement packet with the Reset flag set.
- Filtered: The target port on the target system is being filtered. Portqry did not receive a response from the target port. A process may or may not be listening on the port. By default, TCP ports are queried three times and UDP ports are queried one time before reporting the target port is filtered.
Example 1When you run the following command
C:\>portqry -n mydc.reskit.com -e 389 -p udp Querying target system called: mydc.reskit.com Attempting to resolve name to IP address... Name resolved to 169.254.0.14 UDP port 389 (unknown service): LISTENING or FILTERED Sending LDAP query to UDP port 389... LDAP query response: currentdate: 10/11/2001 23:10:21 (unadjusted GMT) subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=reskit,DC=com dsServiceName: CN=NTDS Settings,CN=mydc,CN=Servers,CN=eu,CN=Sites,CN=Configuration,DC=reskit,DC=com namingContexts: DC=reskit,DC=com defaultNamingContext: DC=reskit,DC=com schemaNamingContext: CN=Schema,CN=Configuration,DC=reskit,DC=com configurationNamingContext: CN=Configuration,DC=reskit,DC=com rootDomainNamingContext: DC=reskit,DC=com supportedControl: 1.2.840.113518.104.22.1689 supportedLDAPVersion: 3 supportedLDAPPolicies: MaxPoolThreads highestCommittedUSN: 815431405 supportedSASLMechanisms: GSSAPI dnsHostName: MYDC.reskit.com ldapServiceName: reskit.com:mydc$@RESKIT.COM serverName: CN=MYDC,CN=Servers,CN=EU,CN=Sites,CN=Configuration,DC=reskit,DC=com supportedCapabilities: 1.2.840.113522.214.171.1240 isSynchronized: TRUE isGlobalCatalogReady: TRUE ======== End of LDAP query response ======== UDP port 389 is LISTENING
Be aware that the LDAP test over UDP may not work against domain controllers that are running Windows Server 2008. One reason for this can be that you have disabled IPv6 on the Domain Controller. To re-enable IPv6, set the value discussed in the article below to the default of "0":
929852 How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
If Portqry is not available to you for this UDP port 389 test, you can perform the same test using LDP.EXE when you connect to the Domain Controller on port 389 with "Connectionless" check box activated.
Another alternative to portqry is NLTEST, but it does not work for arbitrary servers. The server needs to be a Domain Controller in the same domain as the machine you run the tool on. If this is the case, you can use Nltest /sc_reset < domain name >\< computer name > to force a security channel onto a particular domain controller.For more information, visit the following Microsoft Web site:
Example 2When you run the following command
Querying target system called: mydc.reskit.com Attempting to resolve name to IP address... Name resolved to 169.254.0.18 UDP port 135 (epmap service): LISTENING or FILTERED Querying Endpoint Mapper Database... Server's response: UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interfacencacn_np:\\\\MYDC[\\PIPE\\lsass] UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interfacencacn_np:\\\\MYDC[\\PIPE\\lsass] UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interfacencacn_ip_tcp:169.254.0.18 UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Servicencacn_ip_tcp:169.254.0.18 UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs APIncacn_ip_tcp:169.254.0.18 UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs APIncacn_np:\\\\MYDC[\\pipe\\00000580.000] Total endpoints found: 6 ==== End of RPC Endpoint Mapper query response ==== UDP port 135 is LISTENING
Portqry can send a correctly formatted DNS query (using UDP or TCP). The utility will send a DNS query for "portqry.microsoft.com." Portqry then waits for a response from the target DNS server. Whether the DNS response to the query is negative or positive is irrelevant, because any response indicates that the port is listening.
Download Portqry.exePortqry.exe is available for download from the Microsoft Download Center. To download Portqry.exe, visit the following Microsoft Web site:
Important The PortQueryUI tool provides a graphical user interface and is available for download. PortQueryUI has several features that can make using PortQry easier. To obtain the PortQueryUI tool, visit the following Microsoft Web site:
Article ID: 816103 - Last Review: 09/11/2011 11:29:00 - Revision: 10.0
- kbhowtomaster KB816103