AD, DNS and servers on a different DMZ from other users.
I have a complex situation: we have 2 servers in the same place as other users, and we are going to separate them into a new DMZ. On these two servers there are too many services, like DNS, AD, file server, DHCP, Symantec CE antivirus. We have tried to separate them, but DNS and file shares didn't work, even though the firewall rule ACLs are not blocking anything (Permit IP any any). A clear ARP has even been performed on all devices. Could you suggest me anything regarding this issue before testing again?

Best regards
AB
June 6th, 2008 5:20pm
Your post is very confusing. I don't understand 75% of your post, but why would you be putting servers that perform things like AD and DHCP out in a DMZ? Try to explain yourself a little more thoroughly and a little more completely.
June 7th, 2008 2:40am
The reason is a security policy that we have to apply. My real problem and question is: how do AD and DNS work on Windows? What are the ports that AD uses to serve clients, the ports to be managed, and the ports that AD is going to use to manage clients? Putting the servers on the new DMZ, what changes will happen on DNS? Do I need to change all the DNS configuration for the client workstations, or can I NAT the new IP to the old IP so that DNS will work? Thanks
June 9th, 2008 12:27pm
Adriatik75 said:
The reason is a security policy that we have to apply. My real problem and question is: how do AD and DNS work on Windows? What are the ports that AD uses to serve clients, the ports to be managed, and the ports that AD is going to use to manage clients? Putting the servers on the new DMZ, what changes will happen on DNS? Do I need to change all the DNS configuration for the client workstations, or can I NAT the new IP to the old IP so that DNS will work? Thanks

Active Directory authentication uses a variety of TCP and UDP ports. To configure your firewalls to merely allow TCP traffic implies you block UDP traffic, which is needed for Active Directory authentication. File services should also be allowed to enable clients to access the SYSVOL share, and Network Location Awareness (NLA) also has some (IGMP) tricks up its sleeve. The best way to check which ports to open/close is to use a network monitor (like Microsoft Network Monitor 3.1) and/or use the firewall's built-in monitoring functionality. Alternatively you can look up ports in this Microsoft Excel document.
June 13th, 2008 3:36pm
Hi,
In order to let all the domain clients smoothly access the DC through the firewall, please enable and configure the Windows Firewall to permit the following ports on the server.

Service                                              Port/protocol
RPC endpoint mapper                                  135/tcp, 135/udp
NetBIOS name service                                 137/tcp, 137/udp
NetBIOS datagram service                             138/udp
NetBIOS session service                              139/tcp
RPC static port for AD replication                   <AD-fixed-port>/tcp
RPC static port for FRS                              <FRS-fixed-port>/tcp
SMB over IP (Microsoft-DS, required for file share)  445/tcp, 445/udp
LDAP                                                 389/tcp
LDAP ping                                            389/udp
LDAP over SSL                                        636/tcp
Global catalog LDAP                                  3268/tcp
Global catalog LDAP over SSL                         3269/tcp
Kerberos                                             88/tcp, 88/udp
DNS                                                  53/tcp, 53/udp
WINS resolution (if required)                        1512/tcp, 1512/udp
WINS replication (if required)                       42/tcp, 42/udp

For more information on Windows Server component port requirements, please refer to:
Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017

Hope it helps.

Your potential. Our passion.
June 16th, 2008 1:33pm
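The port table above turned into Windows Firewall rules on the DC plus a reachability check from a client, as an added PowerShell example that is not part of the thread. It assumes the NetSecurity cmdlets (Windows Server 2012 / Windows 8 or later) and uses a constructed client subnet and DC name; the two RPC static ports stay as the placeholders the post uses.

```powershell
# Added example (not from the thread). Constructed values: adjust to your environment.
$ClientSubnet = '10.10.20.0/24'          # subnet the domain clients sit in
$Dc           = 'DC01.corp.example'      # DC that moved into the new DMZ

# Service -> "port/protocol" entries, copied from the table in the post.
# WINS (42, 1512) is left out; add it only if you still use WINS.
$AdPorts = [ordered]@{
    'RPC endpoint mapper'            = '135/tcp', '135/udp'
    'NetBIOS name service'           = '137/tcp', '137/udp'
    'NetBIOS datagram service'       = '138/udp'
    'NetBIOS session service'        = '139/tcp'
    'RPC static port AD replication' = '<AD-fixed-port>/tcp'   # placeholder from the post
    'RPC static port FRS'            = '<FRS-fixed-port>/tcp'  # placeholder from the post
    'SMB over IP'                    = '445/tcp', '445/udp'
    'LDAP'                           = '389/tcp'
    'LDAP ping'                      = '389/udp'
    'LDAP over SSL'                  = '636/tcp'
    'Global catalog LDAP'            = '3268/tcp'
    'Global catalog LDAP over SSL'   = '3269/tcp'
    'Kerberos'                       = '88/tcp', '88/udp'
    'DNS'                            = '53/tcp', '53/udp'
}

# --- Run on the DC: one inbound allow rule per port/protocol, limited to the client
# subnet rather than "any" so the DMZ move actually narrows exposure.
foreach ($svc in $AdPorts.Keys) {
    foreach ($entry in $AdPorts[$svc]) {
        $port, $proto = $entry -split '/'
        if ($port -like '<*>') { Write-Warning "Set the static RPC port for '$svc' first"; continue }
        New-NetFirewallRule -DisplayName "AD DMZ - $svc ($entry)" -Direction Inbound `
            -Protocol $proto.ToUpper() -LocalPort $port -RemoteAddress $ClientSubnet `
            -Action Allow -Profile Any | Out-Null
    }
}

# --- Run on a client: confirm each TCP port answers through the perimeter firewall.
# UDP entries (Kerberos, LDAP ping, DNS) cannot be probed by Test-NetConnection, so
# DNS is checked with a real query against the DC instead.
foreach ($svc in $AdPorts.Keys) {
    foreach ($entry in $AdPorts[$svc]) {
        $port, $proto = $entry -split '/'
        if ($proto -ne 'tcp' -or $port -like '<*>') { continue }
        $r = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        '{0,-32} {1,-10} {2}' -f $svc, $entry, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}
Resolve-DnsName -Name $Dc -Server $Dc -Type A -ErrorAction Stop | Out-Null
'DNS query via DC: ok'
```

A line reporting BLOCKED on a port that the perimeter ACL supposedly permits points at the Windows Firewall profile or a missing rule on the DC rather than at the ACL.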