How can you tell whether an Active Directory domain controller is functioning properly? How do you know whether some over-zealous VLAN ACL is blocking necessary ports? Testing ICMP is easy: just ping it. Testing LDAP response isn't hard; I wrote a VBScript to do that years ago. But to be complete, we want to check more. My list of things to check is this:
- Ping
- TCP ports 53, 88, 135, 389, 445, 464, 636, 3689
- UDP ports 53, 389, 464, 636, 3689
- If you are running NetBIOS, add TCP port 139 and UDP ports 137 and 138
- If the DNS port is open, run NSLookup to check lookups
- If the LDAP port is open, do a test bind
Since a large enterprise may have a large number of DCs, I wanted to multi-thread the script. For compatibility, I wanted to be able to run it on PowerShell 3 from a Windows 7 host without admin rights.
What I discovered is that testing TCP ports with PowerShell is pretty easy. UDP connections, however, turned out to be more difficult. After about 45 minutes of frustration, I found a great Test-Port function from PowerShell MVP Boe Prox. It is contained inside the script.
In my view, workflows, introduced in PowerShell version 3, are the easiest way to multi-thread in PowerShell, and they do not require special setup or rights on the remote systems. On my system, I see about 4 simultaneous queries using this method.
Test-DCs.ps1 can be edited to choose the testing of whatever ports you require and could easily be changed to test other systems such as web servers, Exchange or SharePoint servers.
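The following is an added example, not the author's Test-DCs.ps1: it runs the ping, TCP port, DNS lookup and LDAP bind checks listed above in parallel with a PowerShell 3 workflow, using only .NET classes and commands available on Windows 7 without admin rights. The server names are placeholders, the UDP probes are left out (that is what Boe Prox's Test-Port function covers in the real script), and the 2-second connect timeout is an assumed value.

```powershell
# Added example, not the original Test-DCs.ps1. Checks each DC in parallel:
# ICMP, a list of TCP ports, and (only when the matching port answered)
# a DNS lookup through the DC and an LDAP bind to its RootDSE.
workflow Test-DcHealth {
    param(
        [string[]]$Servers,
        [int[]]$TcpPorts = @(53, 88, 135, 389, 445, 464, 636, 3689)
    )

    # foreach -parallel is the workflow engine's multi-threading; a handful of
    # DCs are queried at once without any remoting configuration on the targets.
    foreach -parallel ($dc in $Servers) {
        InlineScript {
            $dc    = $using:dc
            $ports = $using:TcpPorts
            $result = [ordered]@{ Server = $dc; Ping = $false; OpenTcp = @(); ClosedTcp = @(); Dns = $null; Ldap = $null }

            # ICMP: -Quiet returns a plain boolean instead of reply objects
            $result.Ping = Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue

            # TCP: asynchronous connect with a timeout (assumed 2 s), so a port
            # silently dropped by an ACL does not hang the thread
            foreach ($p in $ports) {
                $client = New-Object System.Net.Sockets.TcpClient
                $async  = $client.BeginConnect($dc, $p, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne(2000) -and $client.Connected) { $result.OpenTcp += $p }
                else { $result.ClosedTcp += $p }
                $client.Close()
            }

            # DNS: ask the DC itself to resolve its own name; nslookup prints a
            # "Name:" line only when the lookup succeeded
            if ($result.OpenTcp -contains 53) {
                $out = & nslookup $dc $dc 2>$null
                $result.Dns = [bool]($out -match '^Name:')
            }

            # LDAP: RefreshCache() forces a bind with the current credentials and
            # throws if the DC refuses or does not answer
            if ($result.OpenTcp -contains 389) {
                try {
                    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE")
                    $root.RefreshCache()
                    $result.Ldap = $true
                } catch { $result.Ldap = $false }
            }
            New-Object PSObject -Property $result
        }
    }
}

# Placeholder DC names; replace with the controllers in your domain
Test-DcHealth -Servers 'dc01.example.local', 'dc02.example.local' | Format-Table -AutoSize
```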
Update 10-1-19: This version has many improvements, including multi-threading and dynamically determining whether a query of the DNS or GC ports is required. Update 4/16/2017: Fixed some bugs and added a switch for optional scanning of secure ports. Update 3/3/18, version 4: The introductory window is now a WPF form.