Has anyone seen a Windows Server return zero results to a CLDAP query for NetLogon servers?

Thu Oct 3 23:43:34 UTC 2019

Hi folks,

I have run into a situation where it seems the Windows DC is
responding to CLDAP request, but returning zero responses.

Samba send:

searchRequest
    baseObject:
    scope: baseObject (0)
    derefAliases: neverDerefAliases (0)
    sizeLimit: 0
    timeLimit: 0
    typesOnly: False
    Filter: (&(&(NtVer=0x00000006)(DnsDomain=SOME.DOM))(AAC=00:00:00:00))
        filter: and (0)
            and: (&(&(NtVer=0x00000006)(DnsDomain=SOME.DOM))(AAC=00:00:00:00))
                and: 3 items
                    Filter: (NtVer=0x00000006)
                        and item: equalityMatch (3)
                            equalityMatch
                    Filter: (DnsDomain=GPJ.LOC)
                        and item: equalityMatch (3)
                            equalityMatch
                    Filter: (AAC=00:00:00:00)
                        and item: equalityMatch (3)
                            equalityMatch
    attributes: 1 item
        AttributeDescription: NetLogon

and the server responds:

LDAPMessage searchResDone(3822) success [0 results]
    messageID: 3822
    protocolOp: searchResDone (5)
        searchResDone
            resultCode: success (0)
            matchedDN:
            errorMessage:
    [Response To: 5897]
    [Time: 0.001296000 seconds]

After that Samba seems to declare that DC as a negative connection
entry and cannot find any DCs.

Has anyone seen this? Does anyone know how to configure Windows to do that?

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)(传说杜康是酒的发明者)