
In one of my domains we configured SSL and blocked port 389. After that, DsGetDcName() is failing with error code 1355. When port 389 is enabled on the DC, DsGetDcName() returns the domain controllers. But when port 389 is disabled on the domain controller (using Windows Firewall), DsGetDcName() fails.

Is there any alternative method to get the domain controller with the SSL port?

The following is the sample code.

    #include <windows.h>
    #include <dsgetdc.h>
    #include <lm.h>                       // NetApiBufferFree
    #pragma comment(lib, "netapi32.lib")  // DsGetDcName is exported from netapi32
    DWORD dwRet;
    PDOMAIN_CONTROLLER_INFO pdcInfo = NULL;
    // Get a domain controller for the domain this computer is on.
    dwRet = DsGetDcName(NULL, NULL, NULL, NULL, 0, &pdcInfo);
    if (dwRet == ERROR_SUCCESS)           // 1355 == ERROR_NO_SUCH_DOMAIN when no DC is found
        NetApiBufferFree(pdcInfo);        // the returned buffer must be freed by the caller
snb

1 Answer


Port 389, TCP and UDP, is the LDAP port. If the port is blocked, no LDAP activity would be possible.

One can't do anything programmatically that is documented by Microsoft. It was possible to change the communication ports of a domain: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc794917(v=ws.10)

Swift - Friday Pie
  • I don't want to use LDAP port 389. I need to use SSL port 636. – snb Sep 07 '18 at 05:05
  • @snb then you really should read up on how to set up LDAPS (LDAP over SSL) on Windows; it's more complex than just blocking a port. Active Directory in its native form uses quite a range of services with random outgoing ports, in particular ranges. The question in this case is "How to set up & troubleshoot LDAPS", and the answer is beyond the scope of this site; it's a problem for Super User, not Stack Overflow – Swift - Friday Pie Sep 08 '18 at 01:29
  • I have configured SSL and tested with ldp. Everything works, but the problem is with the `DsGetDcName()` API only. – snb Sep 10 '18 at 05:29
  • @snb Sounds like you didn't read enough. You can't enforce LDAPS for AD functionality by blocking 389; it's *needed* for the AD forest to function, and as of today that's not possible. You can force a client machine not to use 389 for communication between an application and AD, but you should not block 389 incoming to the DC as far as I know; I never did that, though. MS support can tell you that much. – Swift - Friday Pie Sep 10 '18 at 06:52
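An added troubleshooting script, not part of the question or the answer above, that shows why blocking 389 on the DC breaks DsGetDcName() even when LDAPS on 636 works. The DC locator that DsGetDcName() relies on starts from the domain's _ldap._tcp.dc._msdcs SRV records and then verifies each candidate DC with an LDAP ping to port 389 (UDP) before returning it; with 389 closed no DC passes that check and the call fails with 1355 (ERROR_NO_SUCH_DOMAIN). The script resolves those SRV records, tests TCP reachability of 389 and 636 on each DC, and finally asks the locator itself through nltest. It assumes a domain-joined Windows client with the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later); the domain name defaults to the client's own DNS domain.

```powershell
# Added diagnostic (not from the question or answer). Assumes a domain-joined
# client with the DnsClient and NetTCPIP modules; $Domain defaults to the
# client's own DNS domain.
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. The DC locator starts from these SRV records; list the DCs they advertise.
#    Resolve-DnsName also returns the A records from the additional section,
#    so keep only the SRV entries.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No DC SRV records found for $Domain" }

# 2. For each advertised DC, check whether LDAP (389) and LDAPS (636) accept TCP
#    connections from this client. A DC that answers on 636 but not on 389 is
#    exactly the situation in the question.
$report = foreach ($rec in ($srv | Sort-Object Priority, Weight)) {
    $dc = $rec.NameTarget
    [pscustomobject]@{
        DC       = $dc
        Ldap389  = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        Ldaps636 = (Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}
$report | Format-Table -AutoSize

# 3. Ask the DC locator directly; this exercises the same path as DsGetDcName()
#    and reports Status = 1355 (ERROR_NO_SUCH_DOMAIN) when no DC passes the
#    locator's LDAP ping. /force bypasses the cached DC name.
nltest /dsgetdc:$Domain /force
```

Test-NetConnection only checks TCP, so a DC can show Ldap389 = True here and still fail the locator if only UDP 389 is filtered; the nltest step is the authoritative check. The practical takeaway matches the answer: keep 389 reachable on the DC for the locator, and restrict the application's own LDAP traffic to 636 instead.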