When a network infrastructure includes router-based firewalls, the function of the firewall, which is to silently discard traffic that the firewall has not been configured to forward, can impair specific networking functions. For example, if a firewall between two Microsoft Windows Active Directory directory service domain controllers has not been configured to allow all of the different types of traffic that domain controllers use to synchronize the Active Directory database, replication can fail.

When troubleshooting networking functions and reachability, a common step is to use the Ping tool (Ping.exe) and ping one computer from another. However, the Ping tool uses Internet Control Message Protocol (ICMP) Echo and Echo Reply messages, which are typically not the same traffic being used for the network function that is impaired. The firewalls between the two computers might be allowing ICMP traffic or might be dropping it. In either case, because the network function that is impaired is not using ICMP Echo traffic, the connectivity test with the Ping tool does not provide conclusive diagnostic information about the traffic that is being discarded (dropped) by the intermediate firewalls.

For definitive diagnostic information, you must be able to duplicate the exact type of traffic of the impaired network function using a tool that can report connectivity success or failure. Once you have determined the types of traffic that are being dropped by intermediate firewalls, you can configure the firewalls to forward the dropped traffic to restore connectivity for the impaired network function.

Tools for Testing Network Paths for Specific Types of Traffic

Microsoft provides the following tools to test network paths for specific types of traffic:

Port Query

PPTP Ping

Telnet

Test TCP

Port Query (Portqry.exe and Portqueryui.exe)

Port Query is a free tool from Microsoft that you can use to help troubleshoot TCP/IP connectivity issues for specific types of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic. Port Query has a command-line version (Portqry.exe) (available at PortQry Command Line Port Scanner Version 2.0) and a graphical user interface version (Portqueryui.exe) (available at PortQryUI - User Interface for the PortQry Command Line Port Scanner). Both versions run on Windows 2000, Windows XP, and Windows Server 2003-based computers.

Portqry.exe has the following features:

A command-line mode that you can use to query TCP, UDP, or both for a single port, an ordered list of ports, or a sequential range of ports.

An interactive mode from which you can issue sequential commands more easily and use a series of shortcuts, or predefined queries for common traffic such as Domain Name System (DNS) or Lightweight Directory Access Protocol (LDAP).

A local host mode that you can use to obtain detailed information about the TCP and UDP ports being used on the local computer on which Portqry.exe runs.

For details of the three different modes and command syntax, see New features and functionality in PortQry version 2.0. This Microsoft Knowledge Base article contains example commands and sample output.

Portqueryui.exe allows you to more easily query ports with a Windows-based graphical user interface. From this window, you can specify the name or IP address of the computer to query, select a predefined service, manually specify the port, ports, or port ranges to query in a specified order, and the protocol to query (TCP, UDP, or both). When you click Query, the results are displayed in the Query Result portion of the window.

To determine the set of ports queried for the predefined services, click Help, and then click Predefined Services. You can modify the set of ports queried for each predefined service or create your own predefined services by modifying the contents of the Config.xml file. For information about the syntax for specifying ports in the Config.xml file, see the Portqueryui.doc file. Both the Config.xml and Portqueryui.doc files are stored in the Portqueryui.exe installation folder.

When either version of the Port Query tool queries a port, it reports the status of a port as being in one of the following states:

LISTENING

Port Query received a positive response and a process is listening on the TCP or UDP port that was queried.

NOT LISTENING

Port Query received a negative response and a process is not listening on the TCP or UDP port that was queried. For a TCP port, Port Query received a TCP connection reset segment. For a UDP port, Port Query received an ICMP Destination Unreachable-Port Unreachable message.

FILTERED

Port Query received no response to the query. A process may or may not be listening on the port. The FILTERED status indicates that the query traffic could have been dropped by an intermediate firewall. By default, Port Query tries TCP ports three times and UDP ports once.

PPTP Ping

PPTP Ping is a set of two tools (Pptpsrv.exe and Pptpclnt.exe) that are provided with the Windows 2000 or Windows Server 2003 Support Tools, located in the Support\Tools folder of the Windows 2000 or Windows Server 2003 product CD-ROMs. After installing the Support Tools, Pptpsrv.exe and Pptpclnt.exe are stored in the Program Files\Support Tools folder on the Windows system drive. For Windows XP Service Pack 2, you can obtain updated versions of Pptpsrv.exe and Pptpclnt.exe from Windows XP Service Pack 2 Support Tools.

PPTP Ping allows you to test whether Point-to-Point Tunneling Protocol (PPTP) traffic, consisting of TCP port 1723 traffic for PPTP tunnel maintenance and IP protocol 47 for Generic Routing Encapsulation (GRE) traffic for PPTP tunneled data, can be successfully sent and received between a client and server computer. PPTP Ping does not verify that a successful PPTP connection can be made (which requires a user authentication process), only that PPTP traffic can be exchanged with a specified destination.

For PPTP traffic, the problem is typically a firewall that filters GRE traffic. To correct this problem, configure your firewalls to forward GRE traffic (IP protocol 47) to the VPN server computer.

Telnet

Telnet (Telnet.exe) is a tool included with Windows that you typically use to log in to a Telnet server. You can also use the Telnet tool to test TCP connectivity for any TCP destination port. To verify that a TCP connection can be established using the known destination TCP port number of the application of the destination, you can use the telnet IPv4Address Port command. For example, to verify whether the Web server service on the computer with the IPv4 address of 131.107.78.12 is accepting TCP connections, use the telnet 131.107.78.12 80 command.

If the Telnet tool is successful in creating a TCP connection, the command prompt window will clear and, depending on the protocol, might display some text. This window allows you to type in commands to the service to which you have connected. Type Control-C to exit the Telnet tool. If the Telnet tool is not successful in creating a TCP connection, it displays the message "Connecting To IPv4Address...Could not open connection to the host, on port Port: Connect failed".

Test TCP

Test TCP (Ttcp.exe) is a tool that you can use to listen for and send TCP segment data or UDP messages between two nodes. Ttcp.exe is provided with Windows Server 2003 in the Valueadd\Msft\Net\Tools folder of the Windows Server 2003 product CD-ROM.

Test TCP differs from Port Query in the following ways:

With Test TCP, you can configure a computer to listen on a specific TCP or UDP port without having to install the application or service on the computer. This allows you to test network connectivity for specific traffic before the services are in place. For example, you could use Test TCP to test for domain replication traffic to a computer before you make the computer a domain controller.

Test TCP also supports Internet Protocol version 6 (IPv6) traffic.

The basic syntax for Ttcp.exe on the listening node (the receiver) is the following:

ttcp -r -pPort (to listen on a TCP port)

ttcp -r -pPort -u (to listen on a UDP port)

The basic syntax for Ttcp.exe on the sending node (the transmitter) is the following:

ttcp -t -pPort (to send to a TCP port)

ttcp -t -pPort -u (to send to a UDP port)

For additional command line options, type ttcp at the command prompt.

Ttcp.exe can only listen on or send to a single port. To configure a computer to listen on multiple ports, run Ttcp.exe in separate command prompt windows.

Common Types of Traffic Problems

The most common types of traffic that are blocked by firewalls and can impair Windows networking functionality are the following:

Active Directory domain traffic

DNS traffic

VPN traffic

ICMP traffic

Other traffic

Active Directory Domain Traffic

Active Directory domain traffic includes the following domain operations:

Active Directory replication between domain controllers

Promotion of a new domain controller with the Dcpromo.exe tool

Domain logon

Domain authentication

Establishing domain trusts

The traffic used for these types of domain operations is described in detail in the How to Configure a Firewall for Domains and Trusts Microsoft Knowledge Base article and includes the following:

TCP port 135 for Remote Procedure Call (RPC) traffic

TCP port 389 and UDP port 389 for LDAP traffic

TCP port 636 for LDAP over Secure Sockets Layer (SSL) traffic

TCP port 3268 for LDAP Global Catalog (GC) traffic

TCP port 3269 for LDAP GC SSL traffic

TCP port 53 and UDP port 53 for DNS traffic

TCP port 88 and UDP port 88 for Kerberos traffic

TCP port 445 for Server Message Block (SMB) (also known as Common Internet File System [CIFS]) traffic

You can test your network paths for domain traffic on an individual port basis with the Portqry.exe tool if the domain controller is already in place or with the Ttcp.exe tool to listen and send domain traffic if the computer that is being promoted to a domain controller has not yet been promoted.

The easiest way to test for all of these ports at one time is to use Portqueryui.exe and the "Domains and Trusts" predefined service, which by default queries the following sets of ports:

TCP port 135 (RPC traffic)

TCP port 389 and UDP port 389 (LDAP traffic)

TCP port 636 (LDAP over SSL traffic)

TCP port 3268 (LDAP GC traffic)

TCP port 3269 (LDAP GC SSL traffic)

TCP port 53 and UDP port 53 (DNS traffic)

TCP port 88 and UDP port 88 (Kerberos traffic)

TCP port 445 (SMB traffic)

UDP port 137 (Network Basic Input/Output System [NetBIOS] name service traffic)

UDP port 138 (NetBIOS NetLogon and browsing traffic)

TCP port 139 (NetBIOS session traffic)

TCP port 42 (Windows Internet Name Service [WINS] replication traffic)

The set of ports queried with the "Domains and Trusts" predefined service includes all of the ports listed in the How to Configure a Firewall for Domains and Trusts Microsoft Knowledge Base article.

DNS Traffic

To test for DNS traffic, you can use the following methods:

Use Portqry.exe with the following syntax:

portqry -n DNS_server_name_or_IP_address -p BOTH -e 53

Alternately, you can use the q dns shortcut command at the Portqry.exe interactive command prompt.

Use Portqueryui.exe and the "Networking" predefined service, which queries DNS along with other networking protocols.

VPN Traffic

To use PPTP Ping to test for PPTP-based VPN traffic, do the following:

1. On the VPN server computer:

If needed, stop the Routing and Remote Access service using the Routing and Remote Access or Services snap-ins. This step ensures that Pptpsrv.exe can use TCP port 1723 and IP protocol 47.

Run Pptpsrv.exe.

2. On the VPN client computer:

Run Pptpclnt.exe with the following syntax:

pptpclnt.exe servername_or_IP_Address

When prompted, type some text to send to the VPN server computer and then press ENTER.

If PPTP traffic can be successfully exchanged between the VPN server and VPN client computers, Pptpsrv.exe on the VPN server computer will display the text that was sent by the VPN client computer and an exchange of five GRE messages. If not, Pptpsrv.exe will indicate what types of PPTP traffic were unsuccessful.

If you are using a site-to-site VPN connection (also known as a router-to-router VPN connection) to connect two sites of your organization and both Routing and Remote Access server computers can initiate the VPN connection, use the above procedure again, reversing the roles of the two computers. Because either server computer can initiate the connection, you must ensure that both servers can act as both VPN clients and VPN servers.

ICMP Traffic

ICMP traffic is used by protocol stack components, system services, and applications for various networking functions. Here are some examples of Windows networking functions that use ICMP traffic:

To determine whether the link to the Active Directory domain controller is a fast link or a slow link for the purposes of downloading Group Policy settings, Active Directory clients send ICMP Echo messages.

To automatically determine the path maximum transmission unit (PMTU) between two peers, the Windows TCP/IP stack uses the receipt of ICMP Destination Unreachable-Fragmentation Needed and Don't Fragment Set messages. For more information, see Path Maximum Transmission Unit (PMTU) Black Hole Routers, the July 2004 The Cable Guy article.

In either case, you can test for intermediate firewalls that block ICMP traffic with the Ping tool.

Other Traffic

For other types of traffic, you can use the following methods:

Use Portqry.exe to specify individual ports at the command line or use the shortcuts in interactive mode.

Use Portqueryui.exe to specify individual ports or use the predefined services.

Use Telnet.exe to test for TCP connectivity on specific ports.

Use Ttcp.exe to set up listening and sending nodes.
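The TCP side of the checks described above, as an added Python example that is not part of the original article and is not Microsoft's code: it maps a connection attempt to the three Port Query states (LISTENING, NOT LISTENING, FILTERED) and opens a Ttcp-style placeholder listener so that a path can be tested before the real service is installed. The function names, the timeout, and the choice to stop retrying once any response arrives are assumptions of this example; the port list is the TCP subset of the "Domains and Trusts" ports listed in the article.

```python
import socket

# TCP ports from the article's "Domains and Trusts" list (UDP ports are not probed here).
DOMAIN_TCP_PORTS = [135, 389, 636, 3268, 3269, 53, 88, 445, 139, 42]


def classify(error):
    """Map the outcome of one TCP connect attempt to a Port Query style state."""
    if error is None:
        return "LISTENING"          # three-way handshake completed
    if isinstance(error, ConnectionRefusedError):
        return "NOT LISTENING"      # target answered with a TCP reset
    return "FILTERED"               # timeout or unreachable: no usable response


def query_tcp(host, port, tries=3, timeout=2.0):
    """Probe one TCP port, retrying (assumption) only while no response comes back."""
    state = "FILTERED"
    for _ in range(tries):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                state = classify(None)
        except OSError as exc:
            state = classify(exc)
        if state != "FILTERED":
            break
    return state


def placeholder_listener(host="127.0.0.1", port=0):
    """Ttcp-style receiver: hold a TCP port open with no real service behind it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))          # port 0 lets the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = placeholder_listener()
    print(port, query_tcp("127.0.0.1", port))      # listener in place
    srv.close()
    print(port, query_tcp("127.0.0.1", port))      # nothing bound any more
    for p in DOMAIN_TCP_PORTS:                     # constructed target: loopback
        print(p, query_tcp("127.0.0.1", p, tries=1, timeout=0.5))
```

A FILTERED result only shows that no answer came back within the timeout, so confirm it against the firewall's own drop log before changing rules.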