netwrix/pingcastle

Active Directory not found

andreyzein1 opened this issue · 6 comments

Hello!
I run pingcastle on a domain computer, I specify my domain and it gives an error - domain not found: no DNS entries exist for ... .

I checked - the domain controller is unavailable, the DNS server is available. What could be the problem?

Hi there, I am not 100% sure but I believe for you to get this error Windows is struggling to locate a domain controller. It could be worth running dcdiag to verify the domain is healthy.

There are a couple of things that may be worth trying in PingCastle itself:

  • Target the DC directly using the command line options PingCastle.exe --healthcheck --server "DC.FQDN"
  • Use the --log switch and check the output of the trace log and see if this helps.
  • Try using LDAPOnly option if you do not have Active Directory Web Services. PingCastle.exe --protocol LDAPOnly --healthcheck

Thank you for your help!
I tried using LDAPOnly but got the following error:

An exception occured when doing the task: Perform analysis for {IIP}
Active Directory not Found: Could not connect to net.tcp://{IIP}:389/ActiveDirectoryWebServices/Windows/Resource. The connection attempt lasted for a time span of 00:00:00.0045056. TCP error code 10013: An attempt was made to access a socket in a way forbidden by its access permissions {IIP}:389.

Can you tell me what the problem could be here? There are no network restrictions

This looks like it may still be trying ADWS but with the LDAP port? I just disabled ADWS in my lab and tried LDAPOnly with no error. To confirm it's only LDAPOnly: when it runs there should be a "performance warning" saying it's using LDAP instead of ADWS, and it will default to port 389, so you shouldn't need to specifically set the port unless you are using a non-standard port.

If I use the --protocol LDAPOnly flag I get the following error:

An exception occured when doing the task: Perform analysis for {IP}
Note: you can run the program with the switch --log to get more detail
Exception: The server is not operational.

  at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
  at System.DirectoryServices.DirectoryEntry.Bind()
  at System.DirectoryServices.DirectoryEntry.get_AdsObject()
  at System.DirectoryServices.PropertyValueCollection.PopulateList()
  at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
  at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
  at PingCastle.ADWS.ADDomainInfo.Create(DirectoryEntry rootDSE) in c:\git\PingCastle\ADWS\ADDomainInfo.cs:line 105
  at PingCastle.ADWS.LDAPConnection.GetLDAPDomainInfo() in c:\git\PingCastle\ADWS\LDAPConnection.cs:line 204
  at PingCastle.ADWS.ADConnection.GetDomainInfo() in c:\git\PingCastle\ADWS\ADConnection.cs:line 40
  at PingCastle.ADWS.LDAPConnection.EstablishConnection() in c:\git\PingCastle\ADWS\LDAPConnection.cs:line 261
  at PingCastle.ADWS.ADWebService.EstablishConnectionWithLDAP() in c:\git\PingCastle\ADWS\ADWebService.cs:line 174
  at PingCastle.ADWS.ADWebService.EstablishConnection() in c:\git\PingCastle\ADWS\ADWebService.cs:line 77
  at PingCastle.Healthcheck.HealthcheckAnalyzer.PerformAnalyze(PingCastleAnalyzerParameters parameters) in c:\git\PingCastle\Healthcheck\HealthcheckAnalyzer.cs:line 107
  at PingCastle.Tasks.<>c__DisplayClass18.<PerformTheAnalysis>b__17() in c:\git\PingCastle\Tasks.cs:line 552
  at PingCastle.Tasks.StartTask(String taskname, TaskDelegate taskdelegate) in c:\git\PingCastle\Tasks.cs:line 1371

The "server is not operational" message is a generic error for connection issues with AD. Is there some stale DC it's trying to connect to? Forced LDAPS? Could an EDR be blocking the outbound LDAP connection or something weird?

Please check using ldp.exe or similar tools that you can actually bind to and query your AD on port 389 to the domain controller used from the machine running PingCastle with the current logged in user. You can use the PowerShell Active Directory module and just run Get-ADUser -Filter "*" -Server DC.FQDN to confirm ADWS is up and running.

Try using the --server switch in PingCastle to force a specific domain controller in a known good state.
PingCastle.exe --healthcheck --protocol LDAPOnly --server DC.FQDN
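The checks suggested above (a plain LDAP bind on port 389 with the logged-in user, then Get-ADUser against the same DC to confirm ADWS) collected into one PowerShell script; this is an added example, not PingCastle's own code, and DC.FQDN is a placeholder for your domain controller. It also adds a TCP reachability test for 389 and 9389 (the ADWS port), because a 10013 "forbidden by its access permissions" error is raised by the local socket layer before any LDAP traffic is sent, which points at a host firewall or EDR rule on the PingCastle machine rather than at the DC.

```powershell
# Run from the machine that runs PingCastle, as the user who will run it.
# $Dc is an assumed placeholder; replace with the real DC FQDN.
param([string]$Dc = 'DC.FQDN')

# 1. Raw TCP reachability. 389 = LDAP, 9389 = ADWS. A failure here with no
#    network restriction in between means something local (firewall/EDR) is
#    blocking the outbound socket, which matches Winsock error 10013.
foreach ($port in 389, 9389) {
    $r = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    "{0}:{1} reachable={2}" -f $Dc, $port, $r.TcpTestSucceeded
}

# 2. Bind to RootDSE over LDAP/389 with current credentials. This is the same
#    first step PingCastle's LDAPConnection performs (ADDomainInfo.Create(rootDSE)
#    in the trace above), so a failure here reproduces "The server is not operational".
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Dc, 389)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $conn.Bind()
    $attrs = [string[]]@('defaultNamingContext', 'dnsHostName')
    $req   = [System.DirectoryServices.Protocols.SearchRequest]::new(
                 '', '(objectClass=*)',
                 [System.DirectoryServices.Protocols.SearchScope]::Base, $attrs)
    $entry = $conn.SendRequest($req).Entries[0]
    "LDAP bind OK: dnsHostName={0} defaultNamingContext={1}" -f `
        $entry.Attributes['dnsHostName'].GetValues([string])[0],
        $entry.Attributes['defaultNamingContext'].GetValues([string])[0]
} catch {
    "LDAP bind FAILED: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

# 3. ADWS check via the RSAT ActiveDirectory module, as suggested above.
#    Get-ADUser talks to ADWS (9389), not LDAP, so this isolates the two paths.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        $null = Get-ADUser -Filter '*' -Server $Dc -ResultSetSize 1
        "ADWS OK on $Dc"
    } catch {
        "ADWS FAILED: $($_.Exception.Message)"
    }
} else {
    "ActiveDirectory module not installed; skipping ADWS check"
}
```

If step 1 succeeds but step 2 fails, the DC is reachable yet refusing or mis-serving the bind (stale DC, LDAP signing/channel-binding or LDAPS-only policy); if step 1 fails on 389 only, look at host-based filtering on the PingCastle machine first.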

Hope you were able to get this all working. I am going to resolve this for now as no reply but please reopen if you still need help.