This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 73%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
Trying to make sure all ports are open needed for AD, currently the previous admins have just had the firewall disabled for some reason. When running Port Query I'm facing some issues that are strange to me, as the ports in question show open on the firewall.
The below scan is from a DC to another DC, the two DC's are local and connected to the same switch, no network firewall all local traffic.
Error screenshot(PLEASE NOTE: this doesn't come up if the firewall is disabled):
Error text(PLEASE NOTE: this doesn't come up if the firewall is disabled):
*---------------------------
Microsoft Visual C++ Debug Library
Debug Error!
Program: C:\PortQryUI\portqry.exe
File:
Run-Time Check Failure #2 - Stack around the variable 'my_ncb' was corrupted.
(Press Retry to debug the application)
Abort Retry Ignore
Full Query Report after clicking Retry(Sensitive information removed):
*=============================================
Starting portqry.exe -n *********dc2 -e 135 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 135 (epmap service): FILTERED
portqry.exe -n *********dc2 -e 135 -p TCP exits with return code 0x00000002.
=============================================
Starting portqry.exe -n *********dc2 -e 389 -p BOTH ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 389 (ldap service): LISTENING
Using ephemeral source port
Sending LDAP query to TCP port 389...
LDAP query response:
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 7
rootDomainNamingContext: DC=*********,DC=local
ldapServiceName: *********.local:*********dc2$@*********.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
supportedControl: 1.2.840.113556.1.4.319
supportedCapabilities: 1.2.840.113556.1.4.800
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=*********,DC=local
serverName: CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=*********,DC=local
namingContexts: DC=*********,DC=local
isSynchronized: TRUE
highestCommittedUSN: 45926283
dsServiceName: CN=NTDS Settings,CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
dnsHostName: *********DC2.*********.local
defaultNamingContext: DC=*********,DC=local
currentdate: 01/13/2022 16:41:16 (unadjusted GMT)
configurationNamingContext: CN=Configuration,DC=*********,DC=local
======== End of LDAP query response ========
UDP port 389 (unknown service): LISTENING or FILTERED
Using ephemeral source port
Sending LDAP query to UDP port 389...
LDAP query response:
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 7
rootDomainNamingContext: DC=*********,DC=local
ldapServiceName: *********.local:*********dc2$@*********.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
supportedControl: 1.2.840.113556.1.4.319
supportedCapabilities: 1.2.840.113556.1.4.800
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=*********,DC=local
serverName: CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=*********,DC=local
namingContexts: DC=*********,DC=local
isSynchronized: TRUE
highestCommittedUSN: 45926287
dsServiceName: CN=NTDS Settings,CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
dnsHostName: *********DC2.*********.local
defaultNamingContext: DC=*********,DC=local
currentdate: 01/13/2022 16:41:19 (unadjusted GMT)
configurationNamingContext: CN=Configuration,DC=*********,DC=local
======== End of LDAP query response ========
UDP port 389 is LISTENING
portqry.exe -n *********dc2 -e 389 -p BOTH exits with return code 0x00000000.
=============================================
Starting portqry.exe -n *********dc2 -e 636 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 636 (ldaps service): LISTENING
portqry.exe -n *********dc2 -e 636 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n *********dc2 -e 3268 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 3268 (msft-gc service): LISTENING
Using ephemeral source port
Sending LDAP query to TCP port 3268...
LDAP query response:
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 7
rootDomainNamingContext: DC=*********,DC=local
ldapServiceName: *********.local:*********dc2$@*********.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
supportedControl: 1.2.840.113556.1.4.319
supportedCapabilities: 1.2.840.113556.1.4.800
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=*********,DC=local
serverName: CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=*********,DC=local
namingContexts: DC=*********,DC=local
isSynchronized: TRUE
highestCommittedUSN: 45926288
dsServiceName: CN=NTDS Settings,CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
dnsHostName: *********DC2.*********.local
defaultNamingContext: DC=*********,DC=local
currentdate: 01/13/2022 16:41:22 (unadjusted GMT)
configurationNamingContext: CN=Configuration,DC=*********,DC=local
======== End of LDAP query response ========
portqry.exe -n *********dc2 -e 3268 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n *********dc2 -e 3269 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 3269 (msft-gc-ssl service): LISTENING
portqry.exe -n *********dc2 -e 3269 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n *********dc2 -e 53 -p BOTH ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING
portqry.exe -n *********dc2 -e 53 -p BOTH exits with return code 0x00000000.
=============================================
Starting portqry.exe -n *********dc2 -e 88 -p BOTH ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n *********dc2 -e 88 -p BOTH exits with return code 0x00000002.
=============================================
Starting portqry.exe -n *********dc2 -e 445 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 445 (microsoft-ds service): FILTERED
portqry.exe -n *********dc2 -e 445 -p TCP exits with return code 0x00000002.
=============================================
Starting portqry.exe -n *********dc2 -e 137 -p UDP ...
portqry.exe -n *********dc2 -e 137 -p UDP exits with return code 0x80000003.
=============================================
Starting portqry.exe -n *********dc2 -e 138 -p UDP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n *********dc2 -e 138 -p UDP exits with return code 0x00000002.
=============================================
Starting portqry.exe -n *********dc2 -e 139 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 139 (netbios-ssn service): FILTERED
portqry.exe -n *********dc2 -e 139 -p TCP exits with return code 0x00000002.
=============================================
Starting portqry.exe -n *********dc2 -e 42 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 42 (nameserver service): FILTERED
portqry.exe -n *********dc2 -e 42 -p TCP exits with return code 0x00000002.*
Firewall rules:
2: /api/attachments/164759-image.png?platform=QnA
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I think so. The server ports are listed here but note the clients respond on dynamic ports.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts#windows-server-2008-and-later-versions
--please don't forget to upvote and Accept as answer if the reply is helpful--
Alrighty, thanks for the help!
You're welcome.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Yes, it looks like this was my issue:
This also resolved issues with my file servers when enabling their firewalls, the share would no longer be accessible once doing so.
Huge headache because of a GPO that was set up yeeaars ago, guess it's also time to go through and clean up GPO's.
Thanks for the help!
Glad to hear, you're welcome.
You shouldn't need to make any modifications to the windows firewall. Just make sure both got the domain firewall profile.
The Network Location Awareness (NLA) service expects to be able to enumerate the domain’s forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests
If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/computer-cant-identify-network
So I'd check the domain controller and problem client have the static address of DC listed for DNS and no others such as router or public DNS
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just trying to figure out why the previous admin disabled the firewalls, and the Port Query seems to show me they had an issue they couldn't narrow down.
The example above is from a DC to another DC(local to each other), both of them use each other as the primary DNS and itself as secondary DNS as per Microsoft's recommendations.
The error and ports "FILTERED" are the same in either direction (DC1 to DC2, and DC2 to DC1)
Trying to make sure all ports are open needed for AD
As long as the domain controller has the domain firewall profile then all required ports will be available.
--please don't forget to upvote and Accept as answer if the reply is helpful--
It does, but even with the Public and Private profiles disabled for the adapter it shows ports 139 & 445 as FILTERED and port 138 as "LISTENING or FILTERED".
Should I just not worry about that and monitor dcdiag for issues after enabling the firewall? My worry is mainly replication breaking, then getting stale data replicated after fixing the issue.
There's no need to do anything with the unused firewall profiles since they are in fact not being used. As to 138, 139, 445 you can turn on File and Printer sharing
--please don't forget to upvote and Accept as answer if the reply is helpful--
Yes, that is set to "on" already on both DC's
Sounds good, you should be good to go.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Okay, so I can ignore the Port Query then? Lol, just trying to avoid walking into a nightmare with replication or trust issues.
Think my plan is with my 8 DC's at multiple sites, is enable one firewall per site and then dcdiag throughout the next week.
