Discussion:
Ports required for Internal Firewall between client and DC
Tomasz Onyszko
2006-12-06 09:43:40 UTC
Ram wrote:

This document should answer all your questions:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Paul Bergson [MVP-DS]
2006-12-06 13:38:23 UTC
You can lock the dc's into using specific high ports for rpc. We do this
and we have locked the range way down to just a couple hundred.

http://support.microsoft.com/default.aspx/kb/154596/en-us
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by Tomasz Onyszko
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Paul Bergson [MVP-DS]
2006-12-08 20:27:39 UTC
Whatever DC the client communicates with will have to have the registry hack
applied.

When an application requests access to Active Directory, an Active Directory
server (domain controller) is located by a mechanism called the domain
controller locator (Locator). Locator is an algorithm that runs in the
context of the Net Logon service. During a search for a domain controller,
the Locator attempts to find a domain controller in the site closest to the
client. When the domain that is being sought is a Windows 2000 domain, the
domain controller uses the information stored in Active Directory to
determine the closest site.

From this you may be able to narrow down the list depending on your
topology. There are also some folks who have played with DNS to attempt to
get certain DCs to answer, but I have never done this, so I would rather not
comment on it.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_jevl.mspx?mfr=true
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Thanks, fine, I know that we can lock down the RPC ports in DC using the
"Internet" key.
1. Do we have to set this up in all DCs in the domain? I am talking about a
domain with 50 over DCs.
2. If we fix the port in one DC, can I make this DC the one the clients
should look out for while joining the Domain? The reason why I cannot create
a site and subnet and put all the clients in the site to choose this DC is
because the clients are all in separate networks across firewall and putting
them under this single site is still being worked out.
Note: Just to let you know, when I set this Internet key on a DC running
Exchange, the Exchange MTA service stopped responding. I need to fix up the
RPC ports for Exchange separately :-(
Any help is appreciated.
Thanks,
Ram
When I tried this with a DC running Exchange the Exchange MTA service just
stopped responding.
Post by Paul Bergson [MVP-DS]
You can lock the dc's into using specific high ports for rpc. We do this
and we have locked the range way down to just a couple hundred.
http://support.microsoft.com/default.aspx/kb/154596/en-us
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by Tomasz Onyszko
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Ahmed H. Habashy
2007-01-09 11:06:19 UTC
Active Directory (Local Security Authority)

System service name: LSASS

Application protocol                      Protocol   Ports
Global Catalog Server                     TCP        3269
Global Catalog Server                     TCP        3268
LDAP Server                               Both       389
RPC (epmap)                               Both       135
RPC (netbios-ns)                          Both       137
RPC (netbios-dgm)                         Both       138
RPC (netbios-ssn)                         Both       139
Microsoft SMB (Microsoft-ds)                         445
Kerberos                                  Both       88
DNS                                       Both       53
RPC randomly allocated high TCP ports     TCP        1024 – 65536*

*To limit the number of RPC ports, you can edit the following registry key to restrict RPC traffic to a specific port range:

You need to add a DWORD value named TCP/IP Port and set the value to the port you want to use. You'll need to carry out this procedure on each of the domain controllers in your domain.

To change the RPC replication port to 50000:

1- Click Start and click Run. In the Open text box enter Regedit and click OK.
2- Go to the following Registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
3- Click the Edit menu and point to New. Click DWORD Value.
4- Rename the entry from New Value #1 to TCP/IP Port, and then double click the entry.
5- In the Edit DWORD Value dialog box, select the Decimal option. Enter 50000 in the Value data text box. Click OK.
6- Restart the domain controller.

* All of the above, in addition to ICMP traffic if the member servers and domain controllers are in different VLANs, for group policy processing.

Regards

Ahmed H. Habashy
Hi,
I have a setup where the clients and DC are separated by firewalls. Client
and DC are in separate networks. A few ports are allowed for IMAP, POP3, NTP,
DNS and RPCOVERHTTP.
Now I am planning to join the client to my Domain. If the client needs to
contact the domain controller I know it will need
LDAP 389
LDAP 3268
DNS 53
Kerberos 88
Does it need any other ports to join the domain? My question is whether the RPC high
ports come into the picture when the Netlogon service tries to verify the trust
with the DC. In the case of joining the client to the domain, do I need to
open the RPC high ports 1024 to 65536 or any other RPC ports for the domain join to
work?
Any help is appreciated.
-Ram.
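As an added example (not from any poster in this thread), a PowerShell script that applies the NTDS "TCP/IP Port" registry procedure described above to every domain controller in a list and reads the value back, so the same pinned port can be opened on the firewall for all of them; the DC names and the port are placeholders, and PowerShell remoting to the DCs is assumed.

```powershell
# Added example: pin the NTDS replication RPC endpoint on each listed DC and read it back.
# $DomainControllers and $Port are placeholders; adjust them for your environment.
# Assumes WinRM (PowerShell remoting) to the DCs and Domain Admin rights.
$DomainControllers = @('dc01.example.invalid', 'dc02.example.invalid')   # placeholders
$Port = 50000                                                            # value used in the thread

# Reject ports that would collide with well-known services or exceed 16 bits
if ($Port -lt 1024 -or $Port -gt 65535) { throw "Port $Port is outside 1024-65535" }

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'TCP/IP Port'

foreach ($dc in $DomainControllers) {
    Invoke-Command -ComputerName $dc -ArgumentList $KeyPath, $ValueName, $Port -ScriptBlock {
        param($KeyPath, $ValueName, $Port)
        $existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            # Steps 3-5 of the procedure: create the DWORD value with a decimal port number
            New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Port | Out-Null
        } elseif ($existing.$ValueName -ne $Port) {
            # Value already exists but differs: overwrite it so all DCs agree
            Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Port
        }
        # Read back so the operator can confirm before the restart required by step 6
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Port     = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
        }
    }
}

# After each DC has been restarted, confirm from a client subnet that the pinned port
# is reachable through the firewall (placeholder DC name):
# Test-NetConnection -ComputerName dc01.example.invalid -Port $Port
```

The value only pins the directory replication RPC endpoint; other RPC interfaces on the DC (including Exchange's, as noted in the thread) still take ports from the dynamic range unless restricted separately.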