Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ryan_Ryan
Advisor
Jump to solution

AD Query server connection

Hi all,

 

Wondering if anyone has ideas on this issue, I have 2 clusters (same policy). On one cluster it can successfully connect and receive login events from two domain controllers, on the other cluster I get the message "no connectivity, connection refused by remote host [ntstatus = 0xc0000236]"

 

Both clusters use the same login credentials,  both clusters can telnet to the server IP's on port 389 and 636. I have also connected to the server and checked event viewer. I don't see any errors it all says success.

 

When I use the test_ad_connectivity tool I get the following:

 

:status (SUCCESS_LDAP_WMI_NO_CONNECTIVITY)
:err_msg ("ADLOG_ERROR_NETWORK_PROBLEM;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (ADLOG_ERROR_NETWORK_PROBLEM)
:timestamp ("Thu Jun 27 16:55:30 2019")

 

 

Any ideas what this could be?

thanks

0 Kudos
1 Solution

Accepted Solutions
Sigbjorn
Advisor
Advisor

Hi Ryan,

You do need RPC communication for AD Query to work, but you don't need all "tcp-high-ports".

49152-65535 is the Microsoft specified range required, and it's what we use for our AD Query setups.

(In addtition to tcp/636 and tcp/135)

/Sigbjorn

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
0 Kudos
Ryan_Ryan
Advisor

Hi good idea,

 

I tried that and can confirm it has successfully queried and returns correct information from ldap.

 

 

0 Kudos
PhoneBoy
Admin
Admin

Unless @Royi_Priov or someone from R&D has an idea, I suggest opening a TAC case.

0 Kudos
Ryan_Ryan
Advisor

I might have found the issue, if there is another f/w between the gateway and the domain controller it appears you need to open:

 

tcp/389 or tcp/636

tcp/135

tcp/1025-65535 

 

For full connectivity. Will update once we have opened ports and confirmed.

0 Kudos
Sigbjorn
Advisor
Advisor

Hi Ryan,

You do need RPC communication for AD Query to work, but you don't need all "tcp-high-ports".

49152-65535 is the Microsoft specified range required, and it's what we use for our AD Query setups.

(In addtition to tcp/636 and tcp/135)

/Sigbjorn

Gaurav_Pandya
Advisor

Hi Ryan,

I am sure that firewall in between is the issue. You need to open required ports on that firewall

0 Kudos
Royi_Priov
Employee
Employee

Hi,

It looks like you are in the right direction with the DCE-RPC ports, I will explain why:

LDAP connectivity is not related to the WMI connection which should be open between GW to AD.

You can also see in the log:

:status (SUCCESS_LDAP_WMI_NO_CONNECTIVITY)
:err_msg ("ADLOG_ERROR_NETWORK_PROBLEM;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (ADLOG_ERROR_NETWORK_PROBLEM)
:timestamp ("Thu Jun 27 16:55:30 2019")

 

Thanks,

Royi.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
Ryan_Ryan
Advisor

confirmed it was the f/w ports needing to be opened. working now!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events