AD, DNS and Servers on different DMZ from other users.
I have a complex situation: we have 2 servers in the same place as other users. We are going to separate them into a new DMZ. On these two servers there are many services, like DNS, AD, File Server, DHCP, Symantec CE antivirus. We have tried to separate them, but DNS and file shares didn't work, even though the firewall rules/ACLs are not blocking anything (permit IP any any). Clear ARP has even been performed on all devices. Could you suggest anything relating to this issue before testing again?

Best regards,
AB
June 6th, 2008 5:20pm

Your post is very confusing. I don't understand 75% of your post, but why would you be putting servers that perform things like AD and DHCP out in a DMZ? Try to explain yourself a little more thoroughly and a little more completely.
June 7th, 2008 2:40am

The reason is a security policy that we have to apply. My real problem, and the question I have, is: how do AD and DNS work on Windows? What are the ports AD uses to serve clients, the ports to be managed, and the ports AD uses to manage clients? Putting the servers in a new DMZ, what changes will happen to DNS? Do I need to change the whole DNS configuration for the client workstations, or can I NAT the new IP onto the old IP so that DNS will work that way?

Thanks
June 9th, 2008 12:27pm

Adriatik75 said: The reason is a security policy that we have to apply. My real problem, and the question I have, is: how do AD and DNS work on Windows? What are the ports AD uses to serve clients, the ports to be managed, and the ports AD uses to manage clients? Putting the servers in a new DMZ, what changes will happen to DNS? Do I need to change the whole DNS configuration for the client workstations, or can I NAT the new IP onto the old IP so that DNS will work that way? Thanks

Active Directory authentication uses a variety of TCP and UDP ports. Configuring your firewalls to merely allow TCP traffic implies you block UDP traffic, which is needed for Active Directory authentication. File services should also be allowed, to enable clients to access the SYSVOL share, and Network Location Awareness (NLA) also has some (IGMP) tricks up its sleeve.

The best way to check which ports to open / close is to use a network monitor (like Microsoft Network Monitor 3.1) and/or use the firewall's built-in monitoring functionality. Alternatively you can look up ports in this Microsoft Excel document.
June 13th, 2008 3:36pm

Hi,

In order to let all the domain clients smoothly access the DC via the firewall, please enable and configure the Windows firewall to permit the following ports on the server.

Service                                              Port/protocol
RPC endpoint mapper                                  135/tcp, 135/udp
NetBIOS name service                                 137/tcp, 137/udp
NetBIOS datagram service                             138/udp
NetBIOS session service                              139/tcp
RPC static port for AD replication                   <AD-fixed-port>/TCP
RPC static port for FRS                              <FRS-fixed-port>/TCP
SMB over IP (Microsoft-DS, required for file share)  445/tcp, 445/udp
LDAP                                                 389/tcp
LDAP ping                                            389/udp
LDAP over SSL                                        636/tcp
Global catalog LDAP                                  3268/tcp
Global catalog LDAP over SSL                         3269/tcp
Kerberos                                             88/tcp, 88/udp
DNS                                                  53/tcp, 53/udp
WINS resolution (if required)                        1512/tcp, 1512/udp
WINS replication (if required)                       42/tcp, 42/udp

For more information on Windows Server component port requirements, please refer to:
Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017

Hope it helps.
Your potential. Our passion.
June 16th, 2008 1:33pm
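As an added check (example code, not from the thread or from Microsoft): a small Python script a workstation in the user segment can run against the DC in the new DMZ to confirm that the TCP ports from the list above actually connect, and that a real DNS query is answered over UDP 53, since a TCP-only rule set is exactly the UDP failure the earlier reply warns about. The DC host name, the domain name and the omitted static RPC ports are assumptions.

```python
import random
import socket
import struct

# Port list copied from the reply above (the site-specific static RPC ports
# for AD replication and FRS are left out; fill in your own values).
REQUIRED_TCP = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                139: "NetBIOS session", 389: "LDAP", 445: "SMB",
                636: "LDAP over SSL", 3268: "Global catalog", 3269: "GC over SSL"}

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def missing_tcp_ports(host, probe=tcp_reachable):
    """Return [(port, service)] for required TCP ports the probe cannot reach."""
    return sorted((p, s) for p, s in REQUIRED_TCP.items() if not probe(host, p))

def build_dns_query(name, txid):
    """Minimal RFC 1035 A query: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = [lab.encode() for lab in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_dns_reply(data, txid):
    """True if data is a DNS response whose transaction id matches our query."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)  # QR bit set = response

def udp_dns_reachable(host, name, timeout=2.0):
    """Send one real query over UDP 53 and wait for the matching answer."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dns_query(name, txid), (host, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    return is_dns_reply(data, txid)
```

Run missing_tcp_ports("dc1.example.local") and udp_dns_reachable("dc1.example.local", "example.local") from a client; any port listed as missing, or a False from the UDP check, is a rule that is not actually passing traffic despite what the ACL says.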
