To test connectivity to an Active Directory domain controller (DC) from a Windows PC you can use several methods, which this article will outline.
In most cases, domain-joined computers have established connections to at least one Active Directory DC, and if there are no errors in that computer’s event log, then you may safely assume that AD connectivity functions correctly.
However, in some cases, the testing computers are not members of the tested Active Directory domain, as they are either part of a stand-alone network or are located in some DMZ that prohibits connectivity to the DCs. In other scenarios, the testing computers may already be members of one AD domain, but the test has to be done to another different AD domain, just for testing purposes.
Note: The purpose of this article is not to provide troubleshooting steps to AD-related issues, nor to AD-joined computers that fail to contact their DCs or lost the secure channel with their DCs. The purpose of this article is to give you tips on how to verify that you can successfully connect to a DC from a specific computer, even if it is not domain joined.
There are several tools and methods you can use to test connectivity to an Active Directory DC. Here are a few tools you should consider using:
AD Explorer is a tool created by Sysinternals, which is now a part of Microsoft. It’s a stand-alone tool that’s useful for querying AD and performing various tasks. The official Microsoft description states:
“Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that you can save and re-execute.”
In the context of this article, AD Explorer is also useful for AD connectivity tests.
Download AD Explorer
Once you’ve downloaded the Microsoft Sysinternals AD Explorer tool, simply run the ADExplorer.exe file.
Type in the name of the DC you want to connect to and the credentials you want to bind with.
Note: If you provide credentials for a user that has Domain Admin or Enterprise Admin rights, then you will be able to perform actions on the AD tree. This means that one wrong move may render your AD useless. Take caution, and preferably use a user account that has read-only permissions to the AD tree.
Sysinternals Active Directory (AD) Explorer. (Image: Daniel Petri)
You can also use several built-in tools that are a part of the Windows OS. However, these tools require that you have the AD-DS Role administration tools. More on that in a moment.
LDP.EXE is a GUI tool that acts as a Lightweight Directory Access Protocol (LDAP) client, which lets you perform connect, bind, search, modify, add or delete operations against AD. LDP is used to view objects stored in AD along with their metadata, and attributes.
After you run LDP, you first need to connect to the DC:
Using LDP.EXE to test connectivity to an Active Directory DC. (Image: Daniel Petri)
Next, you need to bind as a user. If you’ve already logged on to the machine with the proper credentials, then you can use “Bind as currently logged on user.”
Using LDP.EXE to test connectivity to an Active Directory DC – Bind as User. (Image: Daniel Petri)
How do we get these tools? The answer depends on the version of your operating system. If you’re using Windows Server 2012/R2, then they are already included in the OS image, and all you need to do is to activate them by enabling the AD-DS management tools.
Warning: Be careful when trying to enable the AD-DS management tools. Some users may not notice the difference, but if you add the AD-DS Role you will actually configure this server to be a domain controller (well, part of the way, there is an additional step you need to do, but even so, you don’t want this to happen by mistake). You must add the AD-DS management tools that are part of the Remote Server Administration Tools (RSAT) feature, and not the role!
To install the tools on Windows Server 2012/R2:
Use Server Manager > Manage > Add Roles and Features
Installing the RSAT tools on Windows Server 2012 R2. (Image: Daniel Petri)
On desktop OSs such as Windows 7/8/8.1 you need to download the RSAT package from Microsoft and install it on the machine.
To install tools on Windows 7:
Download Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) from Official Microsoft Download Center.
To install tools on Windows 8:
Download Remote Server Administration Tools for Windows 8 from Official Microsoft Download Center.
To install tools on Windows 8.1:
Download Remote Server Administration Tools for Windows 8.1 from Official Microsoft Download Center.
The PortQry utility is a command line utility that you can use to help troubleshoot TCP/IP connectivity issues. It was originally located in the Windows Server 2003 Support Tools, but you can download a new version of the PortQry Command Line Port Scanner from the Official Microsoft Download Center.
You can also download the GUI version of PortQry from the Official Microsoft Download Center.
First, remember that there are several ports that are required when you connect to an Active Directory Domain Controller:
TCP 88 (Kerberos)
TCP 135 (RPC)
TCP 389 (LDAP)
TCP 445 (CIFS)
TCP 3268 (Global Catalog)
We can use PortQry to test one of these ports, for example LDAP on TCP 389:
portqry -n <DC_name> -e 389 -p tcp
This is an example output for the above command:
Output from the PORTQRY.EXE command. (Image: Daniel Petri)
And here is the same example when using the GUI version:
Output from the GUI variant of PORTQRY.EXE. (Image: Daniel Petri)
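As an added example (not part of the original article), the following PowerShell script performs the two checks described above in one place: it probes the five TCP ports listed for the DC, the way the PortQry command does, and then attempts an LDAP bind and reads rootDSE, which is the equivalent of the LDP.EXE Connect and Bind steps. The $DcName parameter, the Test-DcPort helper and the 3-second timeout are this example's own choices; the DC name and credentials are supplied by you.

```powershell
# Added example (not from the original article): checks the TCP ports listed
# above against a DC, then attempts an LDAP bind the way LDP.EXE does.
# $DcName, Test-DcPort and the timeout are assumptions of this example.
param(
    [Parameter(Mandatory = $true)][string]$DcName,
    [int]$TimeoutMs = 3000
)

# Ports named in the article as required for DC connectivity
$Ports = [ordered]@{ 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'CIFS'; 3268 = 'Global Catalog' }

function Test-DcPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets shows up as a timeout, not a refusal
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'FILTERED (timeout)' }
        $client.EndConnect($async)
        return 'LISTENING'
    } catch {
        return "NOT LISTENING ($($_.Exception.GetBaseException().Message))"
    } finally { $client.Close() }
}

foreach ($p in $Ports.Keys) {
    $state = Test-DcPort -ComputerName $DcName -Port $p -TimeoutMs $TimeoutMs
    '{0,-15} TCP {1,-5} {2}' -f $Ports[$p], $p, $state
}

# LDAP bind test (LDP.EXE "Connect" then "Bind"). Negotiate keeps the password
# off the wire; as the article advises, use a read-only account for this.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -Message "Account to bind to $DcName"
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $DcName, 389
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id, $cred.GetNetworkCredential()
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldap.SessionOptions.ProtocolVersion = 3
try {
    $ldap.Bind()
    # rootDSE base search: confirms LDAP really works and names the DC and its default naming context
    $attrs = [string[]]@('defaultNamingContext', 'dnsHostName')
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList '', '(objectClass=*)', 'Base', $attrs
    $entry = $ldap.SendRequest($req).Entries[0]
    'LDAP bind OK: {0} serves {1}' -f $entry.Attributes['dnsHostName'][0], $entry.Attributes['defaultNamingContext'][0]
} catch {
    "LDAP bind FAILED: $($_.Exception.GetBaseException().Message)"
} finally { $ldap.Dispose() }
```

Run it as `.\Test-DcConnectivity.ps1 -DcName dc01.example.com` (file name and DC name are placeholders); a port reported as FILTERED points at a firewall between you and the DC, while a successful bind but failing rootDSE read points at LDAP policy rather than connectivity.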