Monitoring Benefit
The LDAP test verifies that each DC or RODC can connect locally to LDAP and that LSASS is listening for LDAP connections.
How do we verify the results received on the EMS web server?
From the EMS web server, open the following file from Explorer using a browser:
\Program Files (x86)\ENow\MailscapeWeb\MailscapeData\LogFiles\ServerName\NetworkAgentMessage.xml
Scroll to the bottom of the results and locate Port389, Port636, and BindTime to verify that the results match what is presented on the monitoring web page.
How do we verify the results received on the Compass client?
From the DC or RODC, open the following file from Explorer using Notepad:
\Program Files (x86)\ENow\Mailscape Agent\LogFiles\MailscapeAgent2007.log
Find the string “LDAP” in the log and note the LDAP bind results and any errors that may follow. If an error is detected where the port is unavailable, we recommend running PortQry from the EMS web server to the DC or RODC in question.
Run the following command to test the connectivity over port 389 using UDP protocol to a specific DC or RODC:
.\PortQry.exe -n ServerName -p udp -e 389
Based on how Compass functions, anything other than a result of LISTENING will be considered a failed test. Below is the sample syntax and passing result from PowerShell:
PS C:\PortQryV2> .\PortQry.exe -n 16QA-DC01 -p udp -e 389
Querying target system called:
16QA-DC01
Attempting to resolve name to IP address...
Name resolved to 192.168.1.10
querying...
UDP port 389 (unknown service): LISTENING or FILTERED
Using ephemeral source port
Sending LDAP query to UDP port 389...
LDAP query response:
currentdate: 08/27/2020 17:24:42 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=enow16qa,DC=com
dsServiceName: CN=NTDS Settings,CN=16QA-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=enow16qa,DC=com
namingContexts: DC=enow16qa,DC=com
defaultNamingContext: DC=enow16qa,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=enow16qa,DC=com
configurationNamingContext: CN=Configuration,DC=enow16qa,DC=com
rootDomainNamingContext: DC=enow16qa,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 421997
supportedSASLMechanisms: GSSAPI
dnsHostName: 16QA-DC01.enow16qa.com
ldapServiceName: enow16qa.com:16qa-dc01$@ENOW16QA.COM
serverName: CN=16QA-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=enow16qa,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
======== End of LDAP query response ========
UDP port 389 is LISTENING
PS C:\PortQryV2>
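As an added example (not ENow's own code), the following PowerShell function runs PortQry against one or more DCs and applies the same rule Compass uses: only a final verdict of LISTENING counts as a pass, so "LISTENING or FILTERED", "FILTERED" and "NOT LISTENING" are all reported as failures. It assumes PortQry.exe is in the current directory, and the function name Test-DcLdapUdp is hypothetical.

```powershell
# Added example: wrap PortQry the way the Compass LDAP test judges it.
# Assumes PortQry.exe (v2) is in the current directory (adjust -PortQryPath).
function Test-DcLdapUdp {
    param(
        [Parameter(Mandatory)][string[]]$ServerName,
        [string]$PortQryPath = '.\PortQry.exe',
        [int]$Port = 389
    )
    foreach ($dc in $ServerName) {
        # Capture stdout and stderr as plain text lines. PortQry prints its
        # verdict as the last "UDP port <n> is <STATE>" line, e.g.
        # "UDP port 389 is LISTENING".
        $output  = & $PortQryPath -n $dc -p udp -e $Port 2>&1 | Out-String -Stream
        $verdict = $output | Where-Object { $_ -match "^UDP port $Port is " } |
                   Select-Object -Last 1
        $state = 'NO RESULT'
        if ($verdict -and $verdict -match "is (?<state>.+)$") {
            $state = $Matches.state.Trim()
        }
        # A complete LDAP query response means the DC answered the rootDSE
        # probe, not just that the port was reachable.
        $answered = ($output -match 'End of LDAP query response').Count -gt 0

        [pscustomobject]@{
            Server        = $dc
            Port          = $Port
            State         = $state
            LdapAnswered  = $answered
            # Compass rule: anything other than LISTENING is a failed test.
            Passed        = ($state -eq 'LISTENING')
        }
    }
}

# Usage (server name taken from the sample above):
# Test-DcLdapUdp -ServerName '16QA-DC01' | Format-Table -AutoSize
```

A DC that returns "LISTENING or FILTERED" with no LDAP query response is the case to follow up with the IPv6 check noted below, since the port responded but no rootDSE answer came back.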
Note that the LDAP test over UDP might not work against domain controllers that are running Windows Server 2008 and later. One reason for this can be that you have disabled IPv6 on the Domain Controller. To enable IPv6, set the value discussed in the article below to the default of "0":