
KB-2100: adcheck fails on udp port 389 and NTP port 123

Centrify DirectControl

12 April,16 at 11:07 AM

Applies to: All versions of Centrify DirectControl
 
Question:
 
The /usr/sbin/adcheck command, run on a Centrify server, reports that LDAP port 389 and NTP port 123 are blocked. adjoin fails too.
 
How important are these ports?
 
./adcheck-rhel3-x86_64 proddfs.pf.yourcompany.com -s yourdc.proddfs.pf.yourcompany.com
 
OSCHK : Verify that this is a supported OS : Pass 
PATCH : Linux patch check : Pass 
PERL : Verify perl is present and is a good version : Pass 
SAMBA : Inspecting samba installation : Pass 
SPACECHK : Check if has enough disk space in /var /usr /tmp : Pass 
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass 
DNSPROBE : Probe DNS server 192.168.1.1 : Pass 
DNSCHECK : Analyze basic health of DNS servers : Pass 
SRVOPT : Checking that the -s server exists : Pass 
WHATSSH : Is this an SSH that DirectControl works well with : Pass 
SSH : SSHD version and configuration : Warning 
: You are running OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
: We suggest that you install the Centrify build of OpenSSH 
: This can be obtained from www.centrify.com 
: Your OpenSSH is not configured correctly to use PAM. 
: This means that AD users will not be able to log in 
: You should set explicitly like this: 
: UsePAM yes 
: ChallengeResponseAuthentication yes 
: in /etc/ssh/sshd_config 
 
DOMNAME : Check that the domain name is reasonable : Pass 
ADDNS : DNS lookup of DC yourdc.proddfs.pf.yourcompany.com: Pass 
ADPORT : Port scan of DC yourdc.proddfs.pf.yourcompany.com: Warning
: One or more port failed to respond correctly. Either: 
: a) the DC is offline 
: b) a firewall is preventing access to a port 
: The following is a list of failed ports 
: ldap(389)/udp - timeout 
: ntp(123)/udp - timeout 
 
DCUP : Check DCs in proddfs.pf.yourcompany.com: Failed 
: No working domain controllers were found 
 
1 serious issue was encountered during check. This must be fixed before proceeding 
2 warnings were encountered during check. We recommend checking these before proceeding 
Note: You specified a server name on the command line. You must specify this on the adjoin command and in the Centrify configuration file once you have installed DirectControl 
 
Answer:
 
adcheck is failing because its probe of UDP port 389 failed.
 
UDP port 389 is absolutely required to probe Active Directory and discover all the Domain Controllers.
(Note: TCP port 389 alone is not enough. This is not a bug; it is a requirement of the protocol.)
 
Since 389 is blocked, the check fails and results in the DCUP failure message. If adcheck is run with the verbose flag, it will search the first 10 domain controllers (as the list is long) and will report that there were NO working DCs; they all timed out because of the block on port 389.
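
To confirm from the Linux host whether UDP 389 actually reaches a domain controller, the added example below (not Centrify code, and not a description of how adcheck is implemented) sends the connectionless LDAP "ping" used for Active Directory DC location and reports whether a reply comes back. The function names and the NtVer flag value are assumptions of this example.

```python
import socket

def ber(tag, body):
    """Encode one BER TLV; definite length, short or long form."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def ldap_ping_request(dns_domain, msg_id=1):
    """Connectionless rootDSE search for the Netlogon attribute (AD "LDAP ping")."""
    def equals(attr, value):                       # equalityMatch filter item
        return ber(0xA3, ber(0x04, attr) + ber(0x04, value))
    filt = ber(0xA0, equals(b"DnsDomain", dns_domain.encode())
                     + equals(b"NtVer", b"\x06\x00\x00\x00"))  # assumed flag value
    search = ber(0x63,                             # [APPLICATION 3] SearchRequest
                 ber(0x04, b"")                    # baseObject "" = rootDSE
                 + ber(0x0A, b"\x00")              # scope: baseObject
                 + ber(0x0A, b"\x00")              # derefAliases: never
                 + ber(0x02, b"\x00")              # sizeLimit: 0
                 + ber(0x02, b"\x00")              # timeLimit: 0
                 + ber(0x01, b"\x00")              # typesOnly: FALSE
                 + filt
                 + ber(0x30, ber(0x04, b"Netlogon")))
    return ber(0x30, ber(0x02, bytes([msg_id])) + search)

def probe_udp_389(host, dns_domain, port=389, timeout=3.0):
    """Send one probe; return 'reply', 'timeout', 'refused' or 'unexpected'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(ldap_ping_request(dns_domain))
            data = s.recv(4096)
        except socket.timeout:
            return "timeout"    # request or reply dropped, as in the ADPORT output
        except ConnectionRefusedError:
            return "refused"    # ICMP port unreachable: host up, no listener
    return "reply" if data[:1] == b"\x30" else "unexpected"

if __name__ == "__main__":
    import sys  # usage: python3 probe.py <dc-host> <dns-domain>
    print(probe_udp_389(sys.argv[1], sys.argv[2]))
```

A "timeout" result while a TCP connection to port 389 succeeds points to a firewall rule that passes only TCP, which is the situation the note above describes.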
 
For the NTP message, see the following KB:
 
For the complete list of ports needed for Centrify DirectControl, see:
