Ports to be open. Special Scenario
Thanks Fred and David,
Actually, I don't have all the information needed to know whether DC2 is the PDC emulator. If it is, the ports between FIM and DC2 will need to be opened. If not, as I understand it, all that is required is a good replication scheme between DC1 and DC2 to get good SSPR performance, and no ports need to be opened between FIM and DC2. Am I right?
August 13th, 2011 1:04pm
If FIM communicates only with DC1 then the document you linked to is correct. If DC1 and DC2 are in the same domain then they'll need the usual ports open for AD replication, etc.
CraigMartin Edgile, Inc. http://identitytrench.com
August 13th, 2011 1:13pm
Thanks Craig, so this means having the following ports opened between FIMsrv and DC2 srv:
1. TCP/UDP 135 (RPC EPMapper)
2. TCP/UDP 389 (LDAP, LDAP Ping)
3. TCP 636 (LDAP over SSL)
4. TCP 3268 (GC)
5. TCP 3269 (GC SSL)
6. TCP/UDP 53 (DNS)
7. TCP/UDP 88 (Kerberos)
8. TCP Dynamic (RPC)
9. TCP/UDP 464 (Kerberos Change/Set Password)
10. TCP 445 – (CIFS/ MICROSOFT-DS)
Just a reminder that the final users are located on the same network as DC2. Actually, the required ports between DC1 and DC2 are already open.
August 13th, 2011 2:26pm
If FIM is talking to DC1,
and
if DC1 and DC2 are in the same domain,
then
I don't think FIM needs to talk to DC2 at all, unless DC1 goes down and FIM goes looking for another DC to talk to.
CraigMartin Edgile, Inc. http://identitytrench.com
August 13th, 2011 2:28pm
If the scenario were password synchronization, would it be necessary to open ports between FIMsrv and DC2?
August 13th, 2011 3:04pm
For SSPR to work, your end users' clients need to be able to contact the FIM server. Contact with the DC on the local network is not enough. I guess it's not needed for the FIM server to be able to contact the local DC, although if the DC replication is slow, the users might find that their SSPR takes a while to work. /Frederik Leed
August 13th, 2011 4:11pm
Self Service Password Reset and Password Sync: One more thing to consider: when setting passwords, FIM Sync contacts the PDC emulator no matter which DC it normally communicates with. Therefore, is DC2 going to be the PDC emulator, or is it likely to become so?
If so then you do need the ports opened as described in the technet article you referenced.
Password Sync consideration (instructions on setting up PCNS): Assuming DC1 and DC2 are in the same domain, then if that domain is to be the source for passwords to be synchronized to other systems, you need to follow the instructions found here for what ports to open:
Service                                                    Protocol   Port
RPC Endpoint mapper                                        TCP        135
Dynamic RPC ports (PCNS)                                   TCP        5000 - 5100
Dynamic RPC ports (management agent for Active Directory)  TCP        57500 - 57520
David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html
August 13th, 2011 6:22pm
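Two things the replies above keep coming back to are (a) which DC currently holds the PDC emulator role, since that is the DC FIM Sync contacts when it sets a password, and (b) whether the fixed ports in the list earlier in the thread are actually reachable from the FIM server. The script below is an added example, not code from the thread or from any of the posters; it assumes the ActiveDirectory PowerShell module (RSAT) is installed on the FIM server and that the account running it can query the domain. The hostnames DC1.corp.example and DC2.corp.example are placeholders to replace with the real DC names.

```powershell
# Added example: find the PDC emulator and check the fixed TCP ports from the
# thread's list against each DC, run from the FIM server. Not from the thread.
# Assumptions: ActiveDirectory module (RSAT) installed; hostnames are placeholders.

Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator          # FQDN of the DC holding the PDC emulator role
Write-Host "PDC emulator for $($domain.DNSRoot): $pdc"

# Fixed ports from the list in the thread. Only TCP can be verified with a
# plain connect; UDP 53/88/389/464 need a firewall-rule review instead.
$ports = @{
    'RPC endpoint mapper' = 135
    'DNS'                 = 53
    'Kerberos'            = 88
    'LDAP'                = 389
    'Kerberos kpasswd'    = 464
    'SMB/CIFS'            = 445
    'LDAP over SSL'       = 636
    'Global Catalog'      = 3268
    'Global Catalog SSL'  = 3269
}

function Test-TcpPort {
    # Returns $true if a TCP handshake to $Target:$Port completes within $TimeoutMs.
    # Uses TcpClient directly so it works on PowerShell 2.0 era hosts without Test-NetConnection.
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # dropped/filtered
        $client.EndConnect($async)
        return $true
    } catch {
        return $false   # refused, or name resolution failed
    } finally {
        $client.Close()
    }
}

foreach ($dc in @('DC1.corp.example', 'DC2.corp.example')) {   # placeholders
    $role = if ($dc -ieq $pdc) { '(PDC emulator: needed for password set/sync)' } else { '' }
    Write-Host "`n== $dc $role"
    foreach ($entry in ($ports.GetEnumerator() | Sort-Object Value)) {
        $ok = Test-TcpPort -Target $dc -Port $entry.Value
        $state = if ($ok) { 'open' } else { 'blocked/filtered' }
        Write-Host ('{0,-22} TCP {1,-5} {2}' -f $entry.Key, $entry.Value, $state)
    }
}
```

The dynamic RPC ranges in the table above (5000-5100 for PCNS, 57500-57520 for the AD management agent) are not probed here: nothing listens on them until an RPC session is set up, so a connect test tells you nothing. Confirm those as firewall rules rather than with a port scan. If the PDC emulator turns out to be the DC in Colombia, the "blocked/filtered" lines for that DC are exactly the ports that will break password set operations.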
I have a customer who will have the FIM and DC1 servers located in Miami, while the DC2 server and the final users are located in Colombia.
The final users will use SSPR.
I'd like to know if it's necessary to open ports between FIMsrv and DC2 in order to support SSPR, opening the ports referred to in the link
http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx.
Any comment is very welcomed.
Thanks.
August 13th, 2011 9:24pm