Troubleshooting LDAPS connections in Cayosoft Guardian
Use this article to diagnose LDAPS connection problems between Cayosoft Guardian, or the Forest Recovery Agent, and Active Directory domain controllers. This article covers the most common failure modes that can occur when LDAPS is enabled explicitly or used as part of the automatic fallback path.
Quick checks before troubleshooting
Run the following checks from the Guardian server or the Forest Recovery Agent host for the affected domain controller.
| Check | Command or action |
|---|---|
| Is the LDAPS listener reachable? | `Test-NetConnection dc01.contoso.com -Port 636` |
| Is Global Catalog over SSL reachable? | `Test-NetConnection dc01.contoso.com -Port 3269` |
| Does the domain controller have a valid LDAPS certificate? | Open `ldp.exe`, connect to the domain controller on port 636, and select the SSL option. |
| Is the issuing CA trusted on this host? | `certutil -store Root` and `certutil -store CA` |
Common failure modes
useLdaps = true but port 636 is blocked
Symptom: All operations against the affected domain controller fail. The Guardian service log contains the entry `LDAPS connection to {dc}:636 failed`. No fallback occurs.
Resolution: Confirm that TCP port 636 is open end to end between the Guardian server, or the Forest Recovery Agent host, and the affected domain controller. When LDAPS is explicitly enabled, Cayosoft Guardian intentionally does not fall back to LDAP on port 389.
Certificate chain validation failure in strict mode
Symptom: When ldapsSkipCertificateValidation = false, the LDAPS handshake fails with a certificate error. At Debug level, the Guardian service log includes the certificate subject, issuer, and thumbprint presented by the domain controller.
Resolution: Install the issuing CA chain into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores on the Guardian server and every Forest Recovery Agent host. Verify the certificate chain by running certutil -verify against the domain controller certificate.
Note: As a temporary workaround, you can set ldapsSkipCertificateValidation = true. For long-term operation, configure a valid certificate chain and use strict certificate validation.
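The quick checks above and the strict-mode certificate failure can be worked through in one place. The following function is an added example, not Cayosoft code; it assumes Windows PowerShell 5.1 or later, a host that can reach the domain controller, and the placeholder name dc01.contoso.com from the quick-checks table.

```powershell
# Added example, not Cayosoft code: report what a strict LDAPS client sees when it
# connects to a domain controller on TCP 636 from this host (Windows PowerShell 5.1+).
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Port = 636
    )
    # Same reachability check as the quick-checks table.
    $tcp = Test-NetConnection -ComputerName $DomainController -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ DomainController = $DomainController; Port = $Port; PortOpen = $false }
    }

    # The validation callback only records the policy errors, so the handshake
    # completes and the certificate the DC presented can be inspected afterwards.
    $state = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    $record = { param($sender, $certificate, $chain, $errors) $state.PolicyErrors = $errors; return $true }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$record

    $client = [System.Net.Sockets.TcpClient]::new($DomainController, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($DomainController)   # hostname check uses the name you connected with
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $client.Dispose()
    }

    # Rebuild the chain against this host's Trusted Root and Intermediate stores,
    # which is what strict validation (ldapsSkipCertificateValidation = false) depends on.
    $x509Chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainTrusted = $x509Chain.Build($cert)

    [pscustomobject]@{
        DomainController = $DomainController
        Port             = $Port
        PortOpen         = $true
        Subject          = $cert.Subject          # the three fields Guardian logs at Debug level
        Issuer           = $cert.Issuer
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        NameInSan        = ($cert.DnsNameList.Unicode -contains $DomainController)  # exact match; wildcards not expanded
        ChainTrusted     = $chainTrusted
        ChainStatus      = (($x509Chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
        PolicyErrors     = $state.PolicyErrors.ToString()
    }
}

Test-LdapsCertificate -DomainController dc01.contoso.com | Format-List
```

A `PolicyErrors` value of `RemoteCertificateChainErrors` with a non-empty `ChainStatus` points at the missing CA chain described in the resolution above, while `RemoteCertificateNameMismatch` means the certificate is trusted but was not issued for the name Guardian connects to.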
Domain controller has no LDAPS certificate
Symptom: `Test-NetConnection` to port 636 fails even though the domain controller is online. When you connect with `ldp.exe` and select SSL, the connection fails with a Cannot open connection message.
Resolution: A domain controller enables its LDAPS listener automatically when a valid server authentication certificate is present in its Personal certificate store. Issue or deploy a valid certificate through your enterprise PKI, and then restart the Active Directory Domain Services service or wait for automatic detection.
Mixed environment, where some domain controllers use LDAP and others are LDAPS-only
Symptom: When useLdaps = false, operations against LDAPS-only domain controllers are slower than operations against domain controllers that accept LDAP on port 389.
Explanation: This behavior is expected. Cayosoft Guardian attempts to connect to port 389 first, waits for the connection failure, and then retries the connection on port 636. The first connection attempt warms the cache, so subsequent operations against the same domain controller are faster.
Resolution: If most domain controllers in the forest are LDAPS-only, set useLdaps = true to skip the port 389 connection attempt.
Forest Recovery Agent fails during LDAP metadata collection
Symptom: A recovery plan fails during metadata collection, RID discovery, or FSMO role discovery. The Forest Recovery Agent log shows LDAP connection failures.
Resolution: Enable Use LDAPS in Forest Recovery Settings. The Forest Recovery Agent has a separate LDAP transport configuration from the Guardian service and must be configured independently.
Both ports 389 and 636 are blocked
Symptom: All operations against the domain controller fail regardless of the selected LDAP transport mode.
Resolution: Open at least one LDAP port pair according to the Required Ports for Cayosoft Guardian article. Cayosoft Guardian requires LDAP or LDAPS, and the corresponding Global Catalog port, to manage a domain controller.
Interpreting LDAPS log messages
| Message | Meaning |
|---|---|
| `Connecting to {host}:{port} using LDAPS` | An LDAPS connection attempt has started. |
| `LDAPS connection to {host}:636 established` | The TLS handshake succeeded, and the LDAPS session is open. |
| `LDAP connection to {host}:389 failed. Attempting LDAPS fallback on port 636.` | The connection attempt on port 389 failed in default mode. Cayosoft Guardian is about to retry the connection on port 636. |
| `LDAPS fallback to {host}:636 succeeded.` | Automatic fallback recovered the connection, and operations proceeded normally. |
| `LDAPS fallback to {host}:636 also failed.` | Both port 389 and port 636 failed. The original LDAP error is then reported to the caller. |
| `LDAPS certificate — Subject: {…}, Issuer: {…}, Thumbprint: {…}` | Debug-level record of the certificate presented by the domain controller. Use this message to verify which certificate Cayosoft Guardian validated. |