Port 636 failed to respond

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2009-09-29

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service for the value of the dNSHostName attribute of every domain controller in Active Directory. After retrieving the domain controller names, the Exchange Server Analyzer opens a TCP socket connection to port 636 on each domain controller. This connection is made by using a custom object processor that returns a specific string if the connection succeeds. If the Exchange Server Analyzer does not receive "636 Available" as part of the returned string, a warning is displayed.

This warning indicates that the domain controller did not respond to a connection attempt on TCP port 636. TCP port 636 is the default port for Secure Lightweight Directory Access Protocol (LDAP over SSL) communications.

Beginning with Exchange 2000 Server Service Pack 3, Exchange Server connects with LDAP over SSL if a valid certificate exists in the local certificate store on the Exchange Server computer. If no such certificate exists, or if a certificate-related error is returned (for example, the domain controller does not trust the Exchange certificate, or the certificate being used requires strong-key protection), Exchange Server automatically falls back to LDAP without SSL. If you are receiving this warning, it could be because of connectivity issues between the Exchange Server Analyzer and the domain controller. Because the check only tests whether TCP port 636 accepts a connection, Public Key Infrastructure (PKI) or other certificate issues are not exposed by this warning.

There are many reasons why a domain controller might not properly service LDAP over SSL requests when the Exchange Server Analyzer queries it.

To correct this warning

  1. Verify that the account running the tool is authorized to query the domain controller. You will need User-level permissions in the domain where the domain controller is running. More information about the permissions required to run the Exchange Server Analyzer can be found in the Help file included with the tool. Open the Help file by opening the Exchange Server Analyzer, clicking Help, and then clicking Microsoft Exchange Server Analyzer Tool Help.

  2. Verify that there are no firewalls or port restrictions between the computer running the Exchange Server Analyzer and the domain controller that failed to respond.

  3. Verify that the domain controller is connected to the network and functioning properly.

  4. Verify that the clocks of the computer running the Exchange Server Analyzer and the domain controller that failed to respond are synchronized. If the Microsoft Windows® Time Service on the domain controller is stopped or disabled, the domain controller's local time may drift out of synchronization. In this case, the domain controller will not respond to LDAP over SSL requests until its clock is synchronized.
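The following script is an added example and is not part of the Exchange Server Analyzer or of any Microsoft tool. It reproduces the analyzer's own test from the description above (open a TCP socket to port 636 and report "636 Available") and then adds the check the analyzer does not perform: completing a TLS handshake and validating the domain controller's certificate. Running it against the domain controllers you are troubleshooting in steps 2 and 3 separates a blocked or unreachable port from a port that answers but cannot actually serve LDAP over SSL. The host names, the plain TCP stand-in listener, and the cafile parameter are constructed for the example; the dNSHostName values come from your own directory.

```python
import socket
import ssl
import threading
from dataclasses import dataclass

# Added example, not part of the Exchange Server Analyzer. It reproduces the
# analyzer's TCP connect test against port 636 and then layers on the check
# the analyzer does not perform: a TLS handshake with certificate validation.
# Host names below are constructed placeholders.

LDAPS_PORT = 636


@dataclass
class LdapsProbe:
    host: str
    port: int
    tcp_open: bool      # what the analyzer reports as "636 Available"
    tls_ok: bool        # handshake completed and the server certificate verified
    detail: str


def probe_tcp(host, port=LDAPS_PORT, timeout=5.0):
    """Analyzer-style check: can a TCP socket be opened to host:port at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"{port} Available"
    except OSError as exc:  # refused, timed out, unreachable, name lookup failed
        return False, f"{port} Unavailable: {exc}"


def probe_tls(host, port=LDAPS_PORT, timeout=5.0, cafile=None):
    """Stricter check: complete a TLS handshake and validate the server certificate.

    cafile is a PEM bundle for the CA that issued the domain controller's
    certificate (assumed parameter); None uses the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"{tls.version()} ok, subject={cert.get('subject')}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except OSError as exc:
        return False, f"socket error during handshake: {exc}"


def probe_ldaps(host, port=LDAPS_PORT, timeout=5.0, cafile=None):
    """Run both checks; a host can pass the first and still fail the second."""
    tcp_open, tcp_detail = probe_tcp(host, port, timeout)
    if not tcp_open:
        return LdapsProbe(host, port, False, False, tcp_detail)
    tls_ok, tls_detail = probe_tls(host, port, timeout, cafile)
    return LdapsProbe(host, port, True, tls_ok, tls_detail)


def start_plain_listener():
    """Constructed stand-in for a host that accepts TCP on the port but does
    not speak TLS. Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    conn.recv(1024)                      # swallow the ClientHello
                    conn.sendall(b"not a TLS server\r\n")  # garbage instead of ServerHello
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_local_port():
    """Reserve and release an ephemeral loopback port so nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Replace with the dNSHostName values of your domain controllers.
    for dc in ["dc01.example.invalid", "dc02.example.invalid"]:
        r = probe_ldaps(dc)
        print(f"{r.host}: tcp_open={r.tcp_open} tls_ok={r.tls_ok} ({r.detail})")
```

A result of tcp_open=False corresponds to the analyzer warning and points at steps 2 and 3 (firewall, port restriction, or a domain controller that is down). A result of tcp_open=True with tls_ok=False is the case the warning cannot show you: the port answers, but the certificate is missing, untrusted, or otherwise unusable, so Exchange Server would be falling back to LDAP without SSL.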

For more information about using LDAP over SSL, see the Microsoft Knowledge Base article 321051, "How to enable LDAP over SSL with a third-party Certification Authority" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=321051).

For more information about troubleshooting Active Directory connectivity issues, see the Knowledge Base article 816103, "HOW TO: Use Portqry to Troubleshoot Active Directory Connectivity Issues" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=816103).

For more information about the Windows Time Service, see the Knowledge Base article 816042, "How to configure the Windows Time service on a Windows Server 2003-based forest root PDC master computer" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=816042).