Solved

Can't find what service is listening on TCP port 88

Posted on 2013-11-05
30
3,785 Views
Last Modified: 2013-11-13
I need to install Active Directory on a server running Server 2008. I get an error saying that TCP port 88 is already in use and it needs to be free (88 kerberos (krb5, kerberos-sec)). So I do a netstat -anb and I can see something is listening on it, but it says - can not obtain ownership information. I tried running TCPView and I see that TCP port Kerberos is running. It doesn't have a number listed so I tried stopping it and it didn't work.
Any ideas? Thanks
Question by:Impressionist
30 Comments
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39626141
What roles do you already have installed on the server? Typically Active Directory would be the first role you would want to install on a domain controller machine.
0
 

Author Comment

by:Impressionist
ID: 39626197
It looks like someone has tried to install Active Directory before, but there are lots of errors. I'm going to try and remove it and start again.
0
 

Author Comment

by:Impressionist
ID: 39626217
That didn't work :( I have File Services, IIS and I installed Active Directory services and then went to the next step of running dcpromo and I get the port 88 error. So I can't work out what's using port 88. There was terminal services installed, but I removed that as it's not needed.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39636952
Try Nirsoft's Current Ports to see what is using port 88 and tell us: http://www.nirsoft.net/utils/cports.html
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39637011
If I understand what's been said, you have an instance of kerberos already running, and it may be in a broken state, and unusable according to the dcpromo process.

At this point, I have to ask, what is your goal?  If this server will be promoted for a lab, or as part of a learning experience... then it's a worthy goal, and let's see if we can get it to work.  If this will be a domain controller for a production environment that you'll need to support for the next several years... then I'd stop now, and build a clean server for your domain controller.

Assuming the lab/learning environment case:  When you uninstalled the previous installation of the AD role, and rebooted -- did you run netstat -anb (or -ano, and look up the pid)?  Could you see whether port tcp/88 was then clear?
0
 

Author Comment

by:Impressionist
ID: 39637595
Hi, I'm just back online after being sick for a few days. Yes it seems that kerberos is already running, but unusable according to dcpromo. These machines have come from one of our offices that has just closed. I need to get everything working together so that I can clean a few things up. The machine isn't likely to be in use for a long time, but I need to promote it as the current DC seems quite old and I'm concerned that it might crash.

I did remove AD role and restart, but the port was still in use.  I will try using the Nirsoft tool to see if it is actually kerberos using 88.
0
 

Author Comment

by:Impressionist
ID: 39637639
Even though AD is removed, kerberos is still running and using tcp/88. I used Nirsoft tool and confirmed that kerberos is using the port. I did previously use netstat but it just noted it was in use but it could not ID the process.

I can't close port 88. So I'm not sure what to do.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39639358
> The machine isn't likely to be in use for a long time, but I need to promote it as the current DC seems quite old and I'm concerned that it might crash.

If I'm reading this statement correctly that means you should start again - rebuild this server and then promote it to a DC...like @Razmus has already mentioned...since it's not doing anything else at the minute I'd say that's the quickest way to get back up and running
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39639520
Kerberos appears to be included in the lsass.exe process... which should be the active directory domain services process.  Do you have a service running named 'Active Directory Domain Services'?  Or did the nirsoft/cport tell you what the executable was?  (Is there any chance someone might have loaded one of the other kerberos implementations?)

I'd still tend towards the server rebuild solution, if remotely possible.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39639925
As a side note, running SIW and clicking on Licenses will let you retrieve the installation keys: http://www.majorgeeks.com/files/details/siw_(system_info).html (which may be helpful.)
But; is there any chance there was another server acting as the PDC at the old site?
0
 

Author Comment

by:Impressionist
ID: 39640143
Thanks. I don't really want to wipe it unless I have to as it has a lot of stuff on it and it will take a long time to setup again and I'm not sure I have access to all the existing installation files for the software on it.

What I meant is that I need it working now, but it won't be used say past 6 months, so a long term solution isn't needed, just a short term one.

Yes there was another PDC, this is why I'm making this one a DC as the PDC seems to have some hardware problems and I am concerned it will crash and leave us without a DC.

I'm not in that office at the moment, but I'll see what other services are running. thanks
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39640216
Your right answer then is to fire up the old PDC, demote it (!!!), and then run DCPROMO.  The server you want to use is still tied to the old PDC.
0
 

Author Comment

by:Impressionist
ID: 39640230
OK thanks for that. I'm a bit confused, if I demote the current PDC, where is the new one going to get all the user accounts for the domain from? There aren't any other DCs on the network. Sorry, I don't do this very often, so I don't know a whole lot.
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39640363
Assumptions:  (1) You don't have any servers off. (You don't need to start any servers.)
(2) Your domain controller isn't Pre-Windows 2000. (You don't really have a PDC.  You have one server which operates as a PDC-emulator, and that role can be switched to any healthy domain controller in your domain.)
(3) You aren't missing any FSMO roles.  (Running 'netdom query fsmo' from a command prompt on the domain controller will identify all your fsmo roles, and where they currently live.)
(4) You have a domain with a single domain controller in it, and that single domain controller isn't healthy.  (DON'T demote that DC.  As you indicate, if this assumption is valid, that is almost exactly opposite of what you want to accomplish.  Your instinct on this question is sharp.)
(5) Folks other than you have built and maintained the server you are working with, and it isn't a tightly controlled environment.  
(6) The existing domain controller is Windows 2008.  (So, for example, we don't have a Windows 2003 DC, which doesn't have the schema extended to support Windows 2008.  We also don't have a Windows 2008 R2 DC, where the Forest/Domain functional level have already been elevated to Windows 2008 R2.)

Let me know if any of these assumptions are invalid.  Some I think you've already stated (for example, we're dealing with Windows 2008, not NT 4.0 or 3.51...)

I'm increasingly concerned that the server you're trying to promote has the MIT implementation of Kerberos installed.  It would be identified as krb5.  What I don't know is whether the Microsoft implementation of Kerberos would also identify itself as krb5.  :-( )  As you say, you'll be able to look closer when you get into the office.  (I'll be waiting with, as they say, bated breath.)
0

 

Author Comment

by:Impressionist
ID: 39640737
Thanks for the reply.
1) All servers are turned on and connected
2) The DC is Server 2003
3) I don't appear to have netdom. I see it has service pack1, so I'm getting SP2 now, netdom should be with that download.
4) The setup seems fine, there aren't any errors, but the machine is very old and I think the hardware might fail.
5) Yes, someone else set this all up, it's come from an office that closed and they have mess everywhere that I need to clean up :(
6) The DC is Server 2003 and I want to make a newer machine a DC, it is running Server 2008 R2. There is only one DC and it's the 2003 box.
0
 

Author Comment

by:Impressionist
ID: 39640835
I ran netdom query fsmo and got - the security context is invalid
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39640949
Try removing the Active Directory Service from that server and then check if port 88 is still in use.

Can you post the errors from the Event Log?
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39642003
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39642060
> The DC is Server 2003

Okay, that leaves open the possibility that the AD schema won't support a Windows 2008 DC, but I don't believe you'd get an error anything like the kerberos error you've already received.  (There are a couple easy ways to determine what level your schema is running.  If you're running something older than 44, you'll just need to run adprep a couple times before advancing.)  (Microsoft rolled this into the process of adding the first Server 2012 DC... it'll do it for you in the background if it hasn't already been done.  Well, it will if you have sufficient permissions to update the schema.)

> I ran netdom query fsmo and got - the security context is invalid

That is worrying, which leads me to wonder if the account you are using has sufficient permissions to run DCPromo.  The account you are using is a member of domain admins, enterprise admins, or the domain built-in administrators group?

> Migrating AD to a new server

I'm assuming Impressionist doesn't wish to migrate AD to a new server, but wishes to have more than one domain controller as per best practices.
0
 

Author Comment

by:Impressionist
ID: 39643458
Yes, I do want a second domain controller for redundancy. The login I am using is the domain admin, so I'm not sure what is going on. I'll keep working at it.
0
 

Author Comment

by:Impressionist
ID: 39643471
I don't think my port 88 problem has anything to do with the other DC that is running server 2003 as I can't even initiate the process of making the machine a DC because as soon as I run dcpromo after installing AD domain services I get the error stating that port 88 is in use and I can't continue until I free up port 88. Problem is, I can't seem to free it up :(
I might have to give up :(
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39643921
You can use the following commands to find out what is holding onto port 88.

Run the following commands in the command prompt:
netstat -ano | find /I ":88"

Make a note of the last number in the results.
This is the PID of the application using port 88

Then run:
tasklist | find /I "PID"
where PID is the number you noted from the previous command.

e.g. using port 135
C:\Users\Leon>netstat -ano | find /I ":135"
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    [::]:135               [::]:0                 LISTENING       876

C:\Users\Leon>tasklist | find /I "876"
svchost.exe                    876 Services                   0      9 664 K
0
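
An added example (not part of the thread and not any poster's code): the netstat/tasklist lookup above done in PowerShell 2.0, so it runs on Server 2008, matching the local port exactly and reporting the case where the owner is the System process or cannot be read. `Get-PortOwner` is a hypothetical helper name and the sample lines are constructed.

```powershell
# Added example. Get-PortOwner is a hypothetical helper; PowerShell 2.0 compatible.
function Get-PortOwner {
    param(
        [int]$Port = 88,
        [string[]]$NetstatLines = (netstat -ano)   # live output unless lines are passed in
    )
    foreach ($line in $NetstatLines) {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        if ($line -notmatch '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') { continue }
        # Compare the local port as a number: find ":88" also matches :880, :8800
        # and connections to a remote port 88.
        if ([int]$Matches[2] -ne $Port) { continue }
        $local    = $Matches[1]
        $ownerPid = [int]$Matches[3]               # $PID itself is a read-only automatic variable

        $proc = Get-WmiObject Win32_Process -Filter "ProcessId=$ownerPid"
        $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId=$ownerPid" |
                  ForEach-Object { $_.Name })

        $note = ''
        if ($ownerPid -eq 4) {
            $note = 'System process: the socket is held by a kernel-mode driver'
        } elseif (-not $proc) {
            $note = 'No process found for this PID: run elevated, or it has exited'
        }

        New-Object PSObject -Property @{
            LocalAddress = $local
            Port         = $Port
            OwnerPid     = $ownerPid
            Image        = $(if ($proc) { $proc.Name })
            Path         = $(if ($proc) { $proc.ExecutablePath })
            Services     = ($svcs -join ', ')
            Note         = $note
        }
    }
}

# Constructed sample lines: only the first is a listener on local port 88.
$sample = @(
    '  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       4',
    '  TCP    0.0.0.0:8800           0.0.0.0:0              LISTENING       1234',
    '  TCP    10.0.0.5:49200         10.0.0.9:88            ESTABLISHED     2200'
)
Get-PortOwner -Port 88 -NetstatLines $sample | Format-List

# Against the live machine (elevated prompt):
Get-PortOwner -Port 88 | Format-List
```

The "kerberos (krb5, kerberos-sec)" text matches the entry for 88/tcp in the Windows services file, which port tools print as a label for the port, so it names the port number rather than the program holding it.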
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39644515
I assume you've rebooted the server at least once since you started having this problem. (?)

> netstat -ano | find /I ":88"

I believe Impressionist has already said that netstat didn't identify the PID in this instance, twice.  Both in the original question, and in a later comment.
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39644706
A little more information.
The kerberos function which gets loaded on a domain controller comes from c:\windows\system32\kdsSvc.dll.  You should be able to confirm whether that file is in use.  Doing a quick spot check, I don't see that file on my member servers.

There is still the low probability that a previous administrator has loaded MIT Kerberos, possibly for another project, which would identify itself as krb5.  Try doing a search for any file that contains 'krb5', or the string 'krb5' in the registry.  (I keep coming back to krb5, because you mention that specifically in the error in the original question, and I'm still not sure why you would see reference to that specifically if it weren't the MIT Kerberos...)
0
 

Author Comment

by:Impressionist
ID: 39646310
Hi Razmus,
I don't have the kdssvc.dll and there is nothing with reference to krb5 in the registry. At first I didn't find what was holding onto port 88 using netstat, but cports tells me it's kerberos. Someone has done something to this machine, but who knows what?! Is there any way to force a port closed, even if it is temporary? If I could do that, at least dcpromo would continue and I could see if it would complete.
I may have to give up and see if I can acquire all the install files for the software on this machine and then wipe it and start again.
thanks for all your help.
0
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 39646715
Unfortunately I don't know of a way to force a port closed; it would be a matter of finding the process which is listening on the port, and either reconfiguring that process to use another port, or stopping that process.  :-(

Rebuilding the server is certainly the safest option.

I'd be a little worried about an unknown service running on there that is being used in some critical process.  I don't suppose there is any way to take the server off-line during normal operating hours to determine if anything unexpected breaks?  Or move all the known services to another server, and leave this server off for some period of time before destroying/rebuilding?  (I suppose if there was other server hardware available, you wouldn't be attempting to promote this server to be a DC.)
0
 

Author Comment

by:Impressionist
ID: 39646722
My biggest problem is not having a backup DC and having all this stuff on the server I can't promote that I can't easily reinstall :( I don't have many options. Anyway, I'll live with it for now and clean up what I can. Thanks for all your help.
0
 

Author Closing Comment

by:Impressionist
ID: 39646723
Very helpful, although I didn't solve my problem, I appreciated the help.
0
