
Windows 2003 Domain Controller keeps getting orphaned from the domain.

I have a DC that keeps getting orphaned from the domain.  This happened back in October of '07.  I finally got it rejoined after going through removing all the lingering objects, etc., and now it has happened again.

I am running a port scan from the orphaned server to its nearest neighboring DC.  Here are the results.
==== End of RPC Endpoint Mapper query response ====

TCP port 137 (netbios-ns service): NOT LISTENING

TCP port 139 (netbios-ssn service): LISTENING

TCP port 445 (microsoft-ds service): LISTENING

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

It hangs on sending an LDAP query to TCP port 389 on its neighbor DC.

To me, this is a firewall port block issue.  Any ideas?

Sounds like a firewall or port restriction.
Oops, somehow I hit submit.  What network device is this connected to? Are there any port blocks or MAC filtering going on?


This is exactly what I am thinking, but the Network Team cannot see anything on the firewall logs being blocked.

Well, will they accept a network capture? That should show the traffic being blocked or the error coming back. Do they have access to sniff the wire?

Is anything listening on port 636 (LDAPS) by chance? Not really used but just thinking. Can you ping the other nodes on the network?


Also, you will see port 389 listening in my first post above.  And then it hangs on its literal LDAP request to that same port that is listening.

Now, this would seem to me that the port is open on the firewall, but for some reason it is not getting the LDAP information to or from its target.
Right, I agree on the LDAP port, sorry I wasn't being clear. That is what the network capture would be helpful for.


I am Wiresharking both sides now and will post the results here.
Port 137 is a Netbios port used for the Browser service:

If you are using an ISA firewall, the ISA firewall has to have rules set for the browser service to work.

Also, NetBIOS will not propagate across different subnets, different subnet masks, over a firewall, over NAT or any other type of potential port blockage.

The alternative fix to the browser service is to implement WINS on clients and servers. I call it the WINS/WAN configuration of the browser service because of how the following article fixes these types of issues.

The following article best explains fixes and workarounds for the domain browser service. The article is for an NT4 server, but everything applies to a 2003 server as well (including registry edits to determine the function of the browser). It's a good read for anyone who has browser issues.


The only port that seems to be affected is 389.

WINS is not that important in a Windows 2003 domain.

You are correct in saying WINS is not important for LDAP queries. (But, WINS may be important if you run into browser problems. I saw port 137 not listening and assumed that was the original problem. Sorry for my assumption.)

ldap            389/tcp    Lightweight Directory Access Protocol
ldap            389/udp    Lightweight Directory Access Protocol

Port 389 can be blocked by antivirus software. Port 389 has been a target of mass-mailing worms, so AV manufacturers included port blocking in some AV products on top of the firewall you already have. Sometimes you need to add an exception to your AV software for your mail client (or mail server) software to work. To test this theory, temporarily disable your AV software.

If it is conclusive that the AV software is blocking port 389, then let us know what AV software you have and what mail client/server products you are running. I know the exact fix to McAfee, but don't know about Symantec or other AV software packages.


Checked the AV on both servers in question and 389 is open.  

Still working on this with our network team.  


One more thing.  When I try to rejoin the domain by pointing at this server's same-site DC, it will not find a domain controller.  When I attempt to rejoin the domain by pointing at a DC halfway across the country, it works fine.

It has to be a port issue.
Sure sounds like a port issue. Maybe it is a port issue on the other DC? I assume you are not using IPsec, correct? I am not sure what your network team will post. Do they secure ports a certain way? You may or may not want to post that kind of information on here if people know where you work.

I would ask if they MAC filter, and about any new NAC installs.

Just sounds like a port issue still. What did the packet capture show?

"Can't contact the domain controller" sounds like the NetBIOS translation isn't being done to the DC; it almost sounds like the SRV and/or host A DNS record doesn't exist in DNS. Is your DNS server external, internal, or internal and the same server as the server you are trying to contact? If it were a permissions problem, I would guess all of your problems are related to the LDAP port. Try to ping the server by using its computer name:
Example: ping MYSERVER1

If you have problems pinging, try going to the server and registering its DNS settings by going to the cmd prompt and typing ipconfig /registerdns. Then type 'net stop netlogon'. Then 'net start netlogon'. Now force-replicate that DNS host A record to all servers on that LAN.

An alternative problem that can cause intermittent comms is the router configuration. You should not have external DNS servers on your router's list of DNS servers. Otherwise you may bypass the server and go straight out to the internet for DNS queries.
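A diagnostic that ties together the two checks raised in this thread (the SRV records the DC locator needs, and whether TCP 389 answers an actual LDAP request rather than only the TCP handshake, which is the portqry symptom in the original question), as an added PowerShell example and not code from this thread or from Microsoft. The domain name, site name and timeout at the top are assumptions to replace with your own; it uses only nslookup and the .NET System.DirectoryServices.Protocols assembly, so it runs from the orphaned DC or any domain member with PowerShell installed.

```powershell
# Added diagnostic, not from the original thread. The three values below are
# assumptions (placeholders): set them to your own domain, site and timeout.
param(
    [string]$Domain     = 'corp.example.com',          # assumption: AD DNS name
    [string]$Site       = 'Default-First-Site-Name',   # assumption: orphaned DC's site
    [int]   $TimeoutSec = 10
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-DcCandidates {
    # Step 1 (DNS): the DC locator SRV records, site-specific first, then domain-wide.
    # nslookup is used because Resolve-DnsName does not exist on 2003-era hosts.
    $names = @(
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain"
    )
    $found = @()
    foreach ($n in $names) {
        $out = & nslookup -type=SRV $n 2>$null
        foreach ($line in $out) {
            # Windows nslookup prints one "svr hostname = dc01.corp.example.com" per record
            if ($line -match 'svr hostname\s*=\s*(\S+)') { $found += $Matches[1].TrimEnd('.') }
        }
    }
    $found | Select-Object -Unique
}

function Test-TcpPort {
    param([string]$DcHost, [int]$Port)
    # Step 2 (transport): does the TCP handshake complete? A SYN with no reply
    # (silent drop) times out; a RST shows up as a refused connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($DcHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutSec * 1000, $false)) {
            return 'TIMEOUT (no SYN/ACK, likely a silent drop)'
        }
        $client.EndConnect($ar)
        return 'LISTENING'
    } catch {
        return "REFUSED/ERROR ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

function Test-LdapRootDse {
    param([string]$DcHost)
    # Step 3 (application): TCP 389 can be open while the LDAP search never
    # returns. An anonymous base search of rootDSE needs no credentials and is
    # permitted on every DC, so a failure here is not a permissions problem.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcHost, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = New-TimeSpan -Seconds $TimeoutSec
    try {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            @('dnsHostName', 'defaultNamingContext', 'isSynchronized'))
        $resp = $conn.SendRequest($req)
        $e = $resp.Entries[0]
        return ('OK dnsHostName={0} isSynchronized={1}' -f
            $e.Attributes['dnsHostName'][0], $e.Attributes['isSynchronized'][0])
    } catch {
        # A timeout here with LISTENING above is the "port open but LDAP hangs"
        # case: something between the handshake and the LDAP reply is dropping
        # payload (stateful inspection, IPsec policy, host firewall, AV filter).
        return "FAILED ($($_.Exception.GetType().Name): $($_.Exception.Message))"
    } finally {
        $conn.Dispose()
    }
}

foreach ($dc in Get-DcCandidates) {
    '{0,-35} TCP/389: {1,-42} rootDSE: {2}' -f $dc, (Test-TcpPort $dc 389), (Test-LdapRootDse $dc)
}
```

Run it from the orphaned DC and compare the same-site DC against a remote one: if the same-site DC shows LISTENING but rootDSE FAILED while the remote DC shows OK, the capture to hand the network team is the 389 session to the same-site DC, looking for where the packets after the handshake stop being answered. If Get-DcCandidates returns nothing for the site-specific name, the DC locator cannot find a same-site DC at all, which matches the rejoin behaviour described above.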



The DNS is fine and can resolve any DC in the domain.  It can do an NSLOOKUP on our "domain".com and pulls back all the ips for the DCs.

No problems resolving or pinging at all.  All DNS is internal.

What we are seeing here is a port blockage.  Port 389 is shown as listening, but cannot pull anything from AD.

Have you ever had ISA on this server, especially ISA client? ISA client is not supported on 2003 server. It has to be removed, not disabled. It will not work with LDAP.

Also Mozilla Thunderbird has some port blocking in it. I think you have to configure it to block port 389.


No, no ISA on this box. It is just a DC with DNS/WINS and AD etc.


It appears that we are going to have to completely rebuild this server before I add it back into the domain.

I will keep everyone posted when the testing begins again.
