Issue
When querying UDP port 389 on a domain controller, either locally on the DC itself or remotely from another host, PortQry fails with "LDAP query to port 389 failed / Server did not respond to LDAP query":
```text
PortQry.exe -n %COMPUTERNAME% -e 389 -p UDP

Querying target system called:
 %COMPUTERNAME%

Attempting to resolve name to IP address...
Name resolved to 192.168.75.10

querying...

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query to port 389 failed
Server did not respond to LDAP query
```
The cause is that one or more IPv6 components were disabled. On the domain controller used in this example, the following commands were used to disable IPv6:
```bat
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t "REG_DWORD" /d "0xffffffff" /f
```

```bat
netsh interface 6to4 set state state=disabled undoonstop=disabled
netsh interface isatap set state state=disabled
netsh interface teredo set state state=disabled
```
The following table shows how the DisabledComponents registry value affects 389/udp. In every row the TCP connection and the LDAP query over TCP succeed; only the CLDAP query over UDP fails, and it fails for 0xff, 0x10 and 0x11.
Data | Option | Port | Connection | LDAP* (tcp) | CLDAP* (udp)
---|---|---|---|---|---
0xff | Disable all IPv6 components except the IPv6 loopback interface | 389 | TRUE | TRUE | FALSE
0x20 | Prefer IPv4 over IPv6 by changing entries in the prefix policy table | 389 | TRUE | TRUE | TRUE
0x10 | Disable IPv6 on all non-tunnel interfaces (both LAN and Point-to-Point Protocol [PPP] interfaces) | 389 | TRUE | TRUE | FALSE
0x01 | Disable IPv6 on all tunnel interfaces | 389 | TRUE | TRUE | TRUE
0x11 | Disable all IPv6 interfaces except for the IPv6 loopback interface | 389 | TRUE | TRUE | FALSE
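The table is easier to apply to an arbitrary DisabledComponents value with a small decoder. The following is an added example (not code from the original post): it breaks a value into the components the table lists, reads the live value from the registry when run on Windows, and predicts the 389/tcp and 389/udp outcome. The prediction rule, "CLDAP over UDP 389 fails whenever bit 0x10 is set", is my inference from the table's rows (0xff, 0x10 and 0x11 fail; 0x01 and 0x20 do not), and `matches_table()` checks that inference against every row.

```python
# Added example, not part of the original post: decode a DisabledComponents
# value (the REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters)
# into the components it disables and predict the LDAP/CLDAP outcome from the
# table above.  Assumption: the bit meanings are the ones the table lists, and
# the rule "CLDAP over UDP 389 fails whenever bit 0x10 is set" is inferred from
# the table's rows (0xff, 0x10 and 0x11 fail; 0x01 and 0x20 do not).

COMPONENT_BITS = {
    0x01: "Disable IPv6 on all tunnel interfaces",
    0x10: "Disable IPv6 on all non-tunnel interfaces (LAN and PPP)",
    0x20: "Prefer IPv4 over IPv6 in the prefix policy table",
}
CLDAP_BREAKING_BIT = 0x10  # inferred from the table: every failing row has it set

# The five rows of the table above, as (value, LDAP/tcp works, CLDAP/udp works).
TABLE_ROWS = [(0xff, True, False), (0x20, True, True), (0x10, True, False),
              (0x01, True, True), (0x11, True, False)]


def assess(value):
    """Explain a DisabledComponents value and predict 389/tcp and 389/udp."""
    value &= 0xFFFFFFFF                    # REG_DWORD; 0xffffffff is the page's example
    known = sum(COMPONENT_BITS)
    return {
        "value": f"0x{value:08x}",
        "disabled": [desc for bit, desc in COMPONENT_BITS.items() if value & bit],
        "other_bits": f"0x{value & ~known & 0xFFFFFFFF:08x}",
        "ldap_tcp389": True,               # the table shows TCP LDAP unaffected
        "cldap_udp389": not value & CLDAP_BREAKING_BIT,
    }


def matches_table():
    """Check the prediction against every row of the table above."""
    return all(assess(v)["ldap_tcp389"] == ldap and assess(v)["cldap_udp389"] == cldap
               for v, ldap, cldap in TABLE_ROWS)


def read_disabled_components():
    """Read the live value on Windows.  Returns 0 when the value is absent
    (the default, i.e. IPv6 enabled) and None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            val, _ = winreg.QueryValueEx(k, "DisabledComponents")
            return int(val)
    except FileNotFoundError:
        return 0


if __name__ == "__main__":
    current = read_disabled_components()
    # On a DC, report the live value; elsewhere, show the page's 0xffffffff and 0x20.
    for v in ([current] if current is not None else [0xffffffff, 0x20]):
        print(assess(v))
```

Run it on the domain controller to see which components the current value disables and whether the UDP 389 failure above is expected; a value such as 0xffffffff from the REG ADD command sets bit 0x10 along with bits the table does not list, and those extra bits are reported separately rather than silently ignored.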
Resolution
Use any or all of the following commands to re-enable IPv6.
```bat
netsh interface 6to4 set state state=default undoonstop=default
netsh interface isatap set state state=default
netsh interface teredo set state default
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /f
```
Result
After re-enabling IPv6, querying 389/UDP completes successfully.
```text
PortQry.exe -n %COMPUTERNAME% -e 389 -p UDP

Querying target system called:
 %COMPUTERNAME%

Attempting to resolve name to IP address...
Name resolved to 192.168.75.10

querying...

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query response:

currentdate: 08/01/2013 13:02:51 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=forest,DC=local
dsServiceName: CN=NTDS Settings,CN=%COMPUTERNAME%,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=forest,DC=local
namingContexts: DC=forest,DC=local
defaultNamingContext: DC=forest,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=forest,DC=local
configurationNamingContext: CN=Configuration,DC=forest,DC=local
rootDomainNamingContext: DC=forest,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 328844
supportedSASLMechanisms: GSSAPI
dnsHostName: %COMPUTERNAME%.forest.local
ldapServiceName: forest.local:%COMPUTERNAME%$@FOREST.LOCAL
serverName: CN=%COMPUTERNAME%,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=forest,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

======== End of LDAP query response ========

UDP port 389 is LISTENING
```
Conclusion
An environment that runs on IPv4 and wants to reduce complexity by removing IPv6 may be surprised to find that it's not so easily removed. Microsoft's article, How to disable IP version 6 or its specific components in Windows, explains that the DisabledComponents registry value is the correct way to disable IPv6. The same article states, "We do not recommend disabling IPv6. However, if you must disable IPv6 or components of IPv6, follow the steps in this article." Unfortunately, disabling IPv6 causes this known failure and may cause other, as yet unknown, failures.
Comments

Thank you for your post and info on this! It helped us out on our AD sync issues!

You're welcome. I'm glad it helped.

Just wanted to say thanks for posting this!

You're welcome.

Thanks... this helped with our Domain Trust issues.

You're welcome. I'm glad you found it helpful.