
Test Connectivity to an Active Directory Domain Controller from a PC

about:reader?url=https://www.petri.com/test-connectivity-to-an-active-...

petri.com

To test connectivity to an Active Directory domain controller
(DC) from a Windows PC you can use several methods, which this
article will outline.
In most cases, domain-joined computers have established
connections to at least one Active Directory DC, and if there are no
errors in that computer's event log, then you may safely assume that
AD connectivity functions correctly.
However, in some cases, the testing computers are not members of
the tested Active Directory domain, as they are either part of a
stand-alone network or are located in some DMZ that prohibits
connectivity to the DCs. In other scenarios, the testing computers
may already be members of one AD domain, but the test has to be
run against a different AD domain, just for testing purposes.
Note: This article does not provide troubleshooting steps for
AD-related issues, or for AD-joined computers that fail to contact
their DCs or have lost the secure channel with their DCs. Its
purpose is to give you tips on how to verify that you can
successfully connect to a DC from a specific computer, even if it
is not domain-joined.
19/02/2016 17:34

There are several tools and methods you can use to test connectivity
to an Active Directory DC. Here are a few tools you should consider
using:
Active Directory (AD) Explorer
This is a tool created by Sysinternals, which is now a part of
Microsoft. It's a stand-alone tool that's useful for querying AD and
performing various tasks. The official Microsoft description states:
Active Directory Explorer (AD Explorer) is an advanced Active
Directory (AD) viewer and editor. You can use AD Explorer to
easily navigate an AD database, define favorite locations, view
object properties and attributes without having to open dialog
boxes, edit permissions, view an object's schema, and execute
sophisticated searches that you can save and re-execute.
In the context of this article, AD Explorer is also useful for AD
connectivity tests.
Download AD Explorer
Once you've downloaded the Microsoft Sysinternals AD Explorer
tool, simply run the ADExplorer.exe file.
Type in the name of the DC you want to connect to and the
credentials you want to bind with.
Note: If you provide credentials for a user that has Domain Admin or
Enterprise Admin rights, you will be able to perform actions on the
AD tree, and one wrong move may render your AD useless. Take
caution: it is best to use a user account that has read-only
permissions to the AD tree.
Sysinternals Active Directory (AD) Explorer. (Image: Daniel Petri)


You can also use several built-in tools that are a part of the Windows
OS. However, these tools require that you have the AD-DS Role
administration tools. More on that in a moment.
LDP.EXE
LDP.EXE is a GUI tool that acts as a Lightweight Directory Access
Protocol (LDAP) client, which lets you perform connect, bind,
search, modify, add or delete operations against AD. LDP is used to
view objects stored in AD along with their metadata and attributes.
After you run LDP, connect to the DC:

Using LDP.EXE to test connectivity to an Active Directory DC.
(Image: Daniel Petri)
Next, you need to bind as a user. If you've already logged on to the
machine with the proper credentials, then you can use Bind as
currently logged on user.

Using LDP.EXE to test connectivity to an Active Directory DC:
Bind as User. (Image: Daniel Petri)
How do we get these tools? The answer depends on the version of
your operating system. If you're using Windows Server 2012/R2,
then they are already included in the OS image, and all you need to
do is to activate them by enabling the AD-DS management tools.
Warning: Be careful when trying to enable the AD-DS management
tools. Some users may not notice the difference, but if you add the
AD-DS Role you will actually configure this server to be a domain
controller (well, part of the way; there is an additional step you need
to do, but even so, you don't want this to happen by mistake). You
must add the AD-DS management tools that are part of the Remote
Server Administration Tools (RSAT) feature, and not the role!
To install the tools on Windows Server 2012/R2:
Use Server Manager > Manage > Add Roles and Features

Installing the RSAT tools on Windows Server 2012 R2. (Image:
Daniel Petri)

On desktop OSs such as Windows 7/8/8.1 you need to download
the RSAT package from Microsoft and install it on the machine.
To install tools on Windows 7:
Download Remote Server Administration Tools for Windows 7 with
Service Pack 1 (SP1) from Official Microsoft Download Center.
To install tools on Windows 8:
Download Remote Server Administration Tools for Windows 8 from
Official Microsoft Download Center.
To install tools on Windows 8.1:
Download Remote Server Administration Tools for Windows 8.1
from Official Microsoft Download Center.
PortQry
The PortQry utility is a command line utility that you can use to help
troubleshoot TCP/IP connectivity issues. It was originally located in
the Windows Server 2003 Support Tools, but you can download a
new version of the PortQry Command Line Port Scanner from the
Official Microsoft Download Center.
You can also download the GUI version of PortQry from the Official
Microsoft Download Center.
First, remember that there are several ports that are required when
you connect to an Active Directory Domain Controller.
TCP 88 (Kerberos)
TCP 135 (RPC)
TCP 389 (LDAP)
TCP 445 (CIFS)
TCP 3268 (Global Catalog)
And others.
We can use it for our testing purposes:

portqry -n <DC_name> -e 389 -p tcp

This is an example output for the above command:

Output from the PORTQRY.EXE command. (Image: Daniel Petri)


And here is the same example when using the GUI version:

Output from the GUI variant of PORTQRY.EXE. (Image: Daniel
Petri)
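
A scripted equivalent of the portqry check, run against all of the ports listed above, for machines where PortQry is not installed. This is an added example, not part of the original article: the function name Test-DcPort and the host name dc01.example.test are assumptions, and the status strings mirror PortQry's LISTENING / NOT LISTENING / FILTERED results.

```powershell
# Added example: TCP reachability check for the DC ports listed in the article.
# Works from a non-domain-joined PC; no credentials are sent, only a TCP connect.
function Test-DcPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int[]]$Port = @(88, 135, 389, 445, 3268),   # ports named in the article
        [int]$TimeoutMs = 3000
    )
    $service = @{ 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'
                  445 = 'CIFS'; 3268 = 'Global Catalog' }
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $status = 'LISTENING'
        try {
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                # No reply within the timeout: usually a firewall silently dropping packets
                $status = 'FILTERED'
            } else {
                $client.EndConnect($async)   # throws if the connect attempt failed
            }
        } catch {
            $err = $_.Exception.GetBaseException()
            if ($err -is [System.Net.Sockets.SocketException] -and
                $err.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
                # Host is reachable but nothing accepts connections on this port
                $status = 'NOT LISTENING'
            } else {
                # Anything else, for example a name resolution failure
                $status = "ERROR: $($err.Message)"
            }
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            ComputerName = $ComputerName; Port = $p
            Service = $service[$p]; Status = $status
        }
    }
}

# 'dc01.example.test' is a placeholder DC name, not taken from the article.
Test-DcPort -ComputerName 'dc01.example.test' |
    Select-Object ComputerName, Port, Service, Status |
    Format-Table -AutoSize
```

A FILTERED result on one port while others show LISTENING typically points at a firewall rule between the PC and the DC rather than at the DC itself.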
