LDAP UDP Port Problem

  • Thread starter Thread starter Mike Morgan
  • Start date Start date
M

Mike Morgan

I'm having a problem logging in to our new active directory from any subnet
other than the one the DC is on. The DC is on 10.25.1.5. If I put a
workstation on 10.25.1.6 every thing works fine. If I put it on 10.25.4.6,
it takes forever to login. Troubleshooting has revealed that TCP/IP and DNS
are working properly. Netdiag revealed some failed tests, but nothing panned
out in the way of a solution. Then I did some portqry's on the LDAP port on
my DC with both 10.25.1.6 and 10.25.4.6. The results are listed below. In
short, with a 10.25.4.6 IP on the workstation, the DC does not respond to
UDP requests. Does anybody know how to either fix or work around this? Thank
you.


portqry -name downtown01 -p tcp -e 389

Querying target system called:

downtown01

Attempting to resolve name to IP address...


Name resolved to 10.25.1.5

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 02/02/2004 21:24:34 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
dsServiceName: CN=NTDS
Settings,CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=c
i,DC=gulfport,DC=ms,DC=us
namingContexts: CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
defaultNamingContext: DC=ci,DC=gulfport,DC=ms,DC=us
schemaNamingContext:
CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
configurationNamingContext: CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
rootDomainNamingContext: DC=ci,DC=gulfport,DC=ms,DC=us
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 11760
supportedSASLMechanisms: GSSAPI
dnsHostName: downtown01.ci.gulfport.ms.us
ldapServiceName: ci.gulfport.ms.us:[email protected]
serverName:
CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=ci,DC=gulf
port,DC=ms,DC=us
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========


portqry -name downtown01 -p udp -e 389


Querying target system called:

downtown01

Attempting to resolve name to IP address...


Name resolved to 10.25.1.5

querying...

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query response:


currentdate: 02/02/2004 21:24:47 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
dsServiceName: CN=NTDS
Settings,CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=c
i,DC=gulfport,DC=ms,DC=us
namingContexts: CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
defaultNamingContext: DC=ci,DC=gulfport,DC=ms,DC=us
schemaNamingContext:
CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
configurationNamingContext: CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
rootDomainNamingContext: DC=ci,DC=gulfport,DC=ms,DC=us
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 11760
supportedSASLMechanisms: GSSAPI
dnsHostName: downtown01.ci.gulfport.ms.us
ldapServiceName: ci.gulfport.ms.us:[email protected]
serverName:
CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=ci,DC=gulf
port,DC=ms,DC=us
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========



UDP port 389 is LISTENING



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
portqry -name downtown01 -p udp -e 389


Querying target system called:

downtown01

Attempting to resolve name to IP address...


Name resolved to 10.25.1.5

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 02/02/2004 21:23:56 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
dsServiceName: CN=NTDS
Settings,CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=c
i,DC=gulfport,DC=ms,DC=us
namingContexts: CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
defaultNamingContext: DC=ci,DC=gulfport,DC=ms,DC=us
schemaNamingContext:
CN=Schema,CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
configurationNamingContext: CN=Configuration,DC=ci,DC=gulfport,DC=ms,DC=us
rootDomainNamingContext: DC=ci,DC=gulfport,DC=ms,DC=us
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 11756
supportedSASLMechanisms: GSSAPI
dnsHostName: downtown01.ci.gulfport.ms.us
ldapServiceName: ci.gulfport.ms.us:[email protected]
serverName:
CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=ci,DC=gulf
port,DC=ms,DC=us
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========



portqry -name downtown01 -p udp -e 389

Querying target system called:

downtown01

Attempting to resolve name to IP address...


Name resolved to 10.25.1.5

querying...

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query to port 389 failed
Server did not respond to LDAP query
 
My apologies, the first set of output is from 10.25.1.6 and the second is
from 10.25.4.6.
 
Mike Morgan said:
My apologies, the first set of output is from 10.25.1.6 and the second is
from 10.25.4.6.


Settings,CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=c
CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=ci,DC=gulf
Settings,CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=c
CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=ci,DC=gulf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Settings,CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=c
CN=DOWNTOWN01,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=ci,DC=gulf
Click to expand...

Do you have those IP subnets associated with the site under AD sites and
services?
 
Yes, the IP's are associated with a site called Downtown. The subnets
associated with that site are 10.25.1.0, 10.25.3.0, 10.25.4.0, and
10.25.5.0. Only the machines on the 10.25.1.0 subnet will login normally.
 
Just curious - does dcdiag report an issue when run on that dc? If a DC is
not advertising I'm not sure whether it just stops responding to Netlogon
UDP LDAP queries or all UDP LDAP queries. dcdiag could tell you if you are
advertising.

Jason
 
You might want to do a network trace on both sides and watch the packets. A
common occurrence is for UDP packets to be tossed out when they exceed a
certain size and start to fragment. This is configurable in the networking
hardware.

You can doublecheck if this is the problem by forcing kerberos to use tcp
for all communications.

See http://support.microsoft.com/default.aspx?scid=KB;en-us;q244474

The correct fix is to identify that the network gear is tossing out the UDP
packets and sit down with your network people and have them explain why.
 
You're description is accurate. That is indeed what its happening. I can
see that there is communication on 389/udp going to and from the server.
But, my firewall is reporting some fragmentation going from server to
workstation. I just didn't know what to do about it. I tried forcing
Kerberos to tcp communications a few days ago without success. However, I
may have done something wrong. I'll try it again. I'm also going to work
with my firewall vendor to see if my firewall is the problem. Thanks for the
help.
 
Back
Top