Port Query Error / Incorrect Results?

Nate Breeden
2022-01-13T17:02:54.303+00:00

Trying to make sure all ports needed for AD are open; currently the previous admins have just had the firewall disabled for some reason. When running Port Query I'm facing some issues that are strange to me, as the ports in question show as open on the firewall.

The below scan is from a DC to another DC; the two DCs are local and connected to the same switch, no network firewall, all local traffic.

  • When the firewall is disabled and I run Port Query everything goes through fine as expected, no error and everything comes back as "LISTENING" (as it should).
  • When the firewall is enabled and I run Port Query I receive a debug error (screenshot/text below), prior to receiving the error the "Query Results" scans port 445 and returns:
    "TCP port 445 (microsoft-ds service): FILTERED
    portqry.exe -n criswellgbdc2 -e 445 -p TCP exits with return code 0x00000002."
    • If I click "Ignore" or "Retry" the test goes through, but then shows me more ports that it believes are closed, which are open on the DC that is being scanned.

Error screenshot (PLEASE NOTE: this doesn't come up if the firewall is disabled): [screenshot; the text is reproduced below]

Error text (PLEASE NOTE: this doesn't come up if the firewall is disabled):
---------------------------
Microsoft Visual C++ Debug Library


Debug Error!
Program: C:\PortQryUI\portqry.exe
File:
Run-Time Check Failure #2 - Stack around the variable 'my_ncb' was corrupted.
(Press Retry to debug the application)


Abort Retry Ignore


Full Query Report after clicking Retry (sensitive information removed):
=============================================
Starting portqry.exe -n *********dc2 -e 135 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 135 (epmap service): FILTERED
portqry.exe -n *********dc2 -e 135 -p TCP exits with return code 0x00000002.

=============================================

Starting portqry.exe -n *********dc2 -e 389 -p BOTH ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 389 (ldap service): LISTENING
Using ephemeral source port
Sending LDAP query to TCP port 389...
LDAP query response:
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 7
rootDomainNamingContext: DC=*********,DC=local
ldapServiceName: *********.local:*********dc2$@*********.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
supportedControl: 1.2.840.113556.1.4.319
supportedCapabilities: 1.2.840.113556.1.4.800
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=*********,DC=local
serverName: CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=*********,DC=local
namingContexts: DC=*********,DC=local
isSynchronized: TRUE
highestCommittedUSN: 45926283
dsServiceName: CN=NTDS Settings,CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
dnsHostName: *********DC2.*********.local
defaultNamingContext: DC=*********,DC=local
currentdate: 01/13/2022 16:41:16 (unadjusted GMT)
configurationNamingContext: CN=Configuration,DC=*********,DC=local
======== End of LDAP query response ========
UDP port 389 (unknown service): LISTENING or FILTERED
Using ephemeral source port
Sending LDAP query to UDP port 389...
LDAP query response:
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 7
rootDomainNamingContext: DC=*********,DC=local
ldapServiceName: *********.local:*********dc2$@*********.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
supportedControl: 1.2.840.113556.1.4.319
supportedCapabilities: 1.2.840.113556.1.4.800
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=*********,DC=local
serverName: CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=*********,DC=local
namingContexts: DC=*********,DC=local
isSynchronized: TRUE
highestCommittedUSN: 45926287
dsServiceName: CN=NTDS Settings,CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
dnsHostName: *********DC2.*********.local
defaultNamingContext: DC=*********,DC=local
currentdate: 01/13/2022 16:41:19 (unadjusted GMT)
configurationNamingContext: CN=Configuration,DC=*********,DC=local
======== End of LDAP query response ========
UDP port 389 is LISTENING
portqry.exe -n *********dc2 -e 389 -p BOTH exits with return code 0x00000000.

=============================================

Starting portqry.exe -n *********dc2 -e 636 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 636 (ldaps service): LISTENING
portqry.exe -n *********dc2 -e 636 -p TCP exits with return code 0x00000000.

=============================================

Starting portqry.exe -n *********dc2 -e 3268 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 3268 (msft-gc service): LISTENING
Using ephemeral source port
Sending LDAP query to TCP port 3268...
LDAP query response:
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 7
rootDomainNamingContext: DC=*********,DC=local
ldapServiceName: *********.local:*********dc2$@*********.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
supportedControl: 1.2.840.113556.1.4.319
supportedCapabilities: 1.2.840.113556.1.4.800
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=*********,DC=local
serverName: CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=*********,DC=local
namingContexts: DC=*********,DC=local
isSynchronized: TRUE
highestCommittedUSN: 45926288
dsServiceName: CN=NTDS Settings,CN=*********DC2,CN=Servers,CN=*********-Site,CN=Sites,CN=Configuration,DC=*********,DC=local
dnsHostName: *********DC2.*********.local
defaultNamingContext: DC=*********,DC=local
currentdate: 01/13/2022 16:41:22 (unadjusted GMT)
configurationNamingContext: CN=Configuration,DC=*********,DC=local
======== End of LDAP query response ========
portqry.exe -n *********dc2 -e 3268 -p TCP exits with return code 0x00000000.

=============================================

Starting portqry.exe -n *********dc2 -e 3269 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 3269 (msft-gc-ssl service): LISTENING
portqry.exe -n *********dc2 -e 3269 -p TCP exits with return code 0x00000000.

=============================================

Starting portqry.exe -n *********dc2 -e 53 -p BOTH ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING
portqry.exe -n *********dc2 -e 53 -p BOTH exits with return code 0x00000000.

=============================================

Starting portqry.exe -n *********dc2 -e 88 -p BOTH ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n *********dc2 -e 88 -p BOTH exits with return code 0x00000002.

=============================================

Starting portqry.exe -n *********dc2 -e 445 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 445 (microsoft-ds service): FILTERED
portqry.exe -n *********dc2 -e 445 -p TCP exits with return code 0x00000002.

=============================================

Starting portqry.exe -n *********dc2 -e 137 -p UDP ...
portqry.exe -n *********dc2 -e 137 -p UDP exits with return code 0x80000003.

=============================================

Starting portqry.exe -n *********dc2 -e 138 -p UDP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n *********dc2 -e 138 -p UDP exits with return code 0x00000002.

=============================================

Starting portqry.exe -n *********dc2 -e 139 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 139 (netbios-ssn service): FILTERED
portqry.exe -n *********dc2 -e 139 -p TCP exits with return code 0x00000002.

=============================================

Starting portqry.exe -n *********dc2 -e 42 -p TCP ...
Querying target system called:
*********dc2
Attempting to resolve name to IP address...
Name resolved to ...
querying...
TCP port 42 (nameserver service): FILTERED
portqry.exe -n *********dc2 -e 42 -p TCP exits with return code 0x00000002.

Firewall rules: [screenshots]

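The FILTERED results above are what PortQry reports when Windows Firewall silently drops a packet instead of answering with a TCP reset (a closed port with no firewall in the way comes back as NOT LISTENING). The following is an added example, not part of the original question or of Microsoft's PortQry tooling: run on the DC being scanned, it maps each AD port in the post to the enabled inbound allow rule(s) whose port filter covers it, shows which firewall profiles those rules apply to, and shows whether anything is actually bound to the port. The port list is taken from the post; the NetSecurity and NetTCPIP modules (Windows Server 2012 or later) and an elevated session are assumed.

```powershell
# Added example (not from the original post): on the scanned DC, correlate AD ports with
# the enabled inbound allow rules that cover them and with the active firewall profile.
# Assumes Windows Server 2012+ (NetSecurity / NetTCPIP modules); run elevated.

# Ports taken from the PortQry run in the question (the dynamic RPC range is not included).
$adPorts = @(
    @{ Port = 53;   Proto = 'TCP' }, @{ Port = 53;   Proto = 'UDP' },
    @{ Port = 88;   Proto = 'TCP' }, @{ Port = 88;   Proto = 'UDP' },
    @{ Port = 135;  Proto = 'TCP' },
    @{ Port = 137;  Proto = 'UDP' }, @{ Port = 138;  Proto = 'UDP' },
    @{ Port = 139;  Proto = 'TCP' },
    @{ Port = 389;  Proto = 'TCP' }, @{ Port = 389;  Proto = 'UDP' },
    @{ Port = 445;  Proto = 'TCP' }, @{ Port = 636;  Proto = 'TCP' },
    @{ Port = 3268; Proto = 'TCP' }, @{ Port = 3269; Proto = 'TCP' }
)

# A rule's LocalPort filter can be a number, a range ("1024-65535"), "Any", or a keyword
# such as "RPC-EPMap" (port 135). "RPC" means the dynamic range and is not matched here.
function Test-PortCovered {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($lp in $LocalPort) {
        if (-not $lp) { continue }
        switch -Regex ($lp) {
            '^Any$'         { return $true }
            '^RPC-EPMap$'   { if ($Port -eq 135) { return $true } }
            '^(\d+)-(\d+)$' { if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true } }
            '^\d+$'         { if ([int]$lp -eq $Port) { return $true } }
        }
    }
    return $false
}

# Which profile is live on the NIC, and is that profile's default inbound action Block?
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# Resolve the port filter of every enabled inbound allow rule once.
$filters = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_; Protocol = $pf.Protocol; LocalPort = @($pf.LocalPort) }
}

# What is actually bound locally, so "FILTERED" can be told apart from "nothing listening".
$tcpListening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
$udpBound     = Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort -Unique

$adPorts | ForEach-Object {
    $p = $_
    $match = $filters | Where-Object {
        ($_.Protocol -eq $p.Proto -or $_.Protocol -eq 'Any') -and (Test-PortCovered $_.LocalPort $p.Port)
    }
    [pscustomobject]@{
        Port      = '{0}/{1}' -f $p.Proto, $p.Port
        Bound     = if ($p.Proto -eq 'TCP') { $tcpListening -contains $p.Port } else { $udpBound -contains $p.Port }
        AllowRule = if ($match) { ($match.Rule.DisplayName | Select-Object -Unique) -join '; ' } else { '(none)' }
        Profiles  = if ($match) { ($match.Rule.Profile | Select-Object -Unique) -join '; ' } else { '' }
    }
} | Format-Table -AutoSize
```

A row that shows Bound = True with AllowRule = (none), or whose Profiles column does not include the category shown for the NIC by Get-NetConnectionProfile, is the direct explanation for a FILTERED result on that port: the service is up, but no rule applies under the profile that is actually in force.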

Accepted answer
  1. Anonymous
    2022-01-13T19:17:49.03+00:00

    I think so. The server ports are listed here but note the clients respond on dynamic ports.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts#windows-server-2008-and-later-versions

    --please don't forget to upvote and Accept as answer if the reply is helpful--


3 additional answers

  1. Anonymous
    2022-01-13T17:12:49.36+00:00

    You shouldn't need to make any modifications to the Windows firewall. Just make sure both have the domain firewall profile.

    The Network Location Awareness (NLA) service expects to be able to enumerate the domain’s forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests
    If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/computer-cant-identify-network

    So I'd check that the domain controller and problem client have the static address of the DC listed for DNS and no others, such as a router or public DNS.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
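The checks this answer describes (active network category, DNS pointing only at domain controllers, the forest-root DC lookup that NLA performs, and the NLA cache key) can be run together. The following is an added example, not part of the original answer or of the Microsoft article it links: the DC addresses in `$dcAddresses` are assumptions to be edited for the environment, the forest root is assumed to equal the computer's domain (a single-domain forest), and an elevated session on a Windows Server 2012 or later machine is assumed.

```powershell
# Added example (not from the original answer): verify the preconditions NLA needs to
# select the Domain profile. $dcAddresses is an assumption; replace with the real DC IPs.
$dcAddresses = @('10.0.0.10', '10.0.0.11')

# 1. Which category did NLA assign to each connected NIC?
$profiles = Get-NetConnectionProfile
$profiles | Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize

# 2. Does every NIC resolve only through domain controllers? A router or public resolver
#    listed here can break the DsGetDcName lookup NLA performs and leave the NIC on Private/Public.
foreach ($p in $profiles) {
    $dns     = (Get-DnsClientServerAddress -InterfaceIndex $p.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    $foreign = $dns | Where-Object { $_ -notin $dcAddresses }
    if ($p.NetworkCategory -ne 'DomainAuthenticated') {
        Write-Warning "$($p.InterfaceAlias): category is $($p.NetworkCategory); Domain-profile firewall rules do not apply here"
    }
    if ($foreign) {
        Write-Warning "$($p.InterfaceAlias): non-DC DNS servers configured: $($foreign -join ', ')"
    }
}

# 3. Can a DC for the forest root be located (the DsGetDcName call the answer mentions)?
#    Assumption: single-domain forest, so the computer's domain is the forest root.
$forest = (Get-CimInstance Win32_ComputerSystem).Domain
nltest "/dsgetdc:$forest" /force

# 4. NLA records the forest it identified under this key; no entry means the lookup never completed.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests' -ErrorAction SilentlyContinue

# Remediation for a NIC that points at a router or public resolver (uncomment to apply),
# then restart NLA so it re-evaluates the connection instead of waiting for the next network change:
# Set-DnsClientServerAddress -InterfaceIndex $p.InterfaceIndex -ServerAddresses $dcAddresses
# Restart-Service NlaSvc -Force
```

If step 3 fails while the DNS servers are correct, the problem is upstream of the firewall profile (name resolution or DC reachability), and fixing that is what flips the NIC to DomainAuthenticated and makes the Domain-profile rules apply.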


  2. Anonymous
    2022-01-13T18:16:57.023+00:00

    Trying to make sure all ports are open needed for AD

    As long as the domain controller has the domain firewall profile then all required ports will be available.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Anonymous
    2022-01-13T18:55:24.613+00:00

    There's no need to do anything with the unused firewall profiles since they are in fact not being used. As to 138, 139, 445, you can turn on File and Printer Sharing.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

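Turning on File and Printer Sharing, as this answer suggests, means enabling the built-in rule group that carries the SMB (TCP 445), NetBIOS session (TCP 139) and NetBIOS name/datagram (UDP 137/138) inbound rules. The following is an added example, not part of the original answer: it enables only the rules in that group that are scoped to the Domain profile (or to all profiles), leaves the Private/Public copies untouched, optionally narrows SMB to the partner DC, and re-tests from the other DC. The peer name `dc2` and the address `10.0.0.11` are assumptions; an elevated session on Windows Server 2012 or later is assumed.

```powershell
# Added example (not from the original answer): enable File and Printer Sharing for the
# Domain profile only on the scanned DC, then verify from the peer. 'dc2' and 10.0.0.11
# are assumed names/addresses; run elevated on Windows Server 2012+ (NetSecurity module).

# Before: what the group contains and which rules are currently enabled.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize

# Enable only the Domain-scoped (or all-profile) rules in the group; the Private/Public
# copies stay as they are, so SMB/NetBIOS are not exposed if NLA ever picks the wrong profile.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Enable-NetFirewallRule

# Optional tightening: limit SMB to the partner DC instead of any source (assumed address).
# Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
#     Where-Object { $_.Profile -match 'Domain' } |
#     Set-NetFirewallRule -RemoteAddress 10.0.0.11

# After, from the other DC: a TCP connect proves 139/445. UDP 137/138 cannot be proven by a
# connect test, which is why PortQry reports them as "LISTENING or FILTERED".
foreach ($port in 139, 445) {
    $r = Test-NetConnection -ComputerName dc2 -Port $port -WarningAction SilentlyContinue
    '{0,-4} TCP {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'filtered/closed' })
}
```

Enabling the group by display name with `Enable-NetFirewallRule -DisplayGroup` would also switch on the Private/Public rules; filtering on `Profile` first keeps the change limited to the profile the DC actually runs under.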

