If you have Active Directory and Exchange on the same box, you probably have a problem with conflicting ports. Active Directory uses Lightweight Directory Access Protocol ( LDAP ) as does Exchange. Unfortunately Active Directory and Exchange try to use the same ports for the LDAP communications causing mis-communications. Active Directory and Exchange use LDAP via TCP port 389 for client communications and TCP port 636 for secure client communication ( SSL ). If this is the case, what you will normally see is problems in Exchange but it could effect either or both. If you check the event log, it will inform you of the "probable" port conflict by generating Event ID: 1306 and Event ID: 1309 errors, port 389 and port 636 conflicts, respectively.
You have a fine gotcha! on your hands. What to do? What to do?
I would strongly recommend from a security perspective that you do not run any application including Exchange or IIS on a domain controller. If you can, move the Exchange server to a member server. If you must run both Active Directory and Exchange on the same server, see How to Change LDAP Port Assignments in Exchange Server.
If you have firewall and are trying to block LDAP port access, LDAP uses
- TCP port 389 for client communications
- TCP port 636 for SSL communications
- TCP port 3268 for communications to Global Catalog server
- TCP port 3269 for SSL communications to Global Catalog server
- Optimizing Windows 2000 Active Directory Servers with Six or Eight Processors
- LDAP FAQ
- LDAP Roadmap & FAQ
- IBM iseries LDAP FAQ
- OpenLDAP FAQ
- LDAP Troubleshooting Guide
- RFC 2251 : Lightweight Directory Access Protocol (v3)
- RFC 1777 : Lightweight Directory Access Protocol (v2)
- Differences between LDAP 2 and LDAP 3
- LDAP Software Projects