Replication through Windows Firewall, Server 2003
Hello,
I see a lot of technical stuff up here... but does anyone have a quick listing of the ports or other exceptions that are needed to keep replication going when the Windows Firewall is up?
Thanks
June 21st, 2012 3:18pm
Yes Active directory
Thanks, Mr Weber
June 21st, 2012 4:08pm
Meinolf,
I have added all the ports listed in the document your first link points to. Some of them, when adding, explained they could not be added, possibly since they were already in there.
I added these and then enabled the firewall on the (backup) domain controller (Server 2003 R2 SP2). I had 2 problems originally when turning the FW on:
replication would stop, explaining "no end points from mapper", and DHCP clients would no longer get requested DHCP leases.
After adding all the listed ports... the DHCP server is working fine, but replication is having problems.
When I run replmon, my primary DC is listed first and this server (DC #2) is listed 2nd. The first entry states the mapper error, but the rest (config/schema/DNS zones/Forest DNS zones) are all OK.
In the second "section", for this DC #2, all 5 items have the BANG on them (yellow circle with exclamation point) and there is no "stuff" displayed at all if you click on one of them.
June 22nd, 2012 10:12am
Also, when I have the FW up (and then I get the endpoint mapper errors),
I also run dcdiag and all tests pass (even one called replication).
I also do have the FW logs, but can't begin to analyse those :(
June 22nd, 2012 11:18am
Hello,
Please upload the following files for a better overview:
ipconfig /all >c:\ipconfig.txt [all DCs]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (with open access!)
http://explore.live.com/windows-live-skydrive and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 25th, 2012 2:39am
Here's the URL:
https://skydrive.live.com/#cid=BD95D9F727CB8E30&id=BD95D9F727CB8E30%21120
ipconfig1 = main DC
ipconfig2 = backup DC. This is the one where, if I put the firewall on, replication fails (I have the FW off on DC1, intending to learn from this issue with DC2 before I turn the FW on DC1 back on).
Thanks, let me know if you need me to do more stuff.
June 25th, 2012 1:32pm
Hello,
As you use HP teaming, please assure that the configuration is made for failover and NOT for load balancing, as this is NOT supported by Microsoft.
What are the forwarders 192.168.1.21, 192.168.1.22 and 192.168.100.2 for machines? Are they domain DNS servers? Normally you should use either the root hints or the ISP's DNS servers as forwarders.
Is your domain a child domain, and are the used forwarders from the root domain?
Best regards
Meinolf Weber
June 25th, 2012 2:04pm
I am going to dissolve the team... there is no real value to it at this point, and once again I have found little support out there for the configuration.
The forwarders... they are DNS servers in other domains I connect to (trusts stuff).
June 25th, 2012 2:20pm
OK, the HP adapter team has been dissolved on Server #1.
I turned the firewall back on on Server #2.
Still get the "no end points" error.
I am off to do more "no end points" research.
June 26th, 2012 1:37pm
This may be why so many folks don't turn the FW on on their servers...
June 26th, 2012 1:38pm
Meinolf,
Did you get my link to my SkyDrive folder?
June 29th, 2012 7:19am
Hello,
We and lots of others have no problems with enabled firewalls on the DCs; they replicate fine, so please assure the connectivity. PortQry should help you or your firewall guys to verify:
http://www.microsoft.com/en-us/download/details.aspx?id=17148
Best regards
Meinolf Weber
June 29th, 2012 12:31pm
Hi,
I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Regards,
Arthur Li
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li
TechNet Community Support
July 2nd, 2012 3:34am
Well, I do not know where to go from here... I still have the problem:
when the firewall is on (on my backup domain controller) AD will not replicate,
"there are no more end points from the end point mapper".
I was able to get my DHCP service to operate correctly when I turn the FW on by adding port exceptions to the FW... and while I was at it, I also added a ton of other exceptions that are listed in that "setting firewalls up on Domain Controllers" document... but AD will still not replicate when the FW is on.
July 2nd, 2012 7:11am
OK, I ran PQ from the DC to the backup DC.
With Firewall ON:
IP address resolved to ml350g5bpm
querying...
TCP port 389 (ldap service): FILTERED
UDP port 389 (unknown service): LISTENING or FILTERED
Using ephemeral source port
Sending LDAP query to UDP port 389...
LDAP query to port 389 failed
Server did not respond to LDAP query
portqry.exe -n 192.168.50.48 -e 389 -p BOTH exits with return code 0x00000001.
July 3rd, 2012 9:05am
Hi,
Any updates? If your question is answered, it would be nice if you mark it accordingly, because this may help others who have the same or a similar question.
Thanks a lot in advance.
Kind regards,
Thomas
Thomas Paetzold, visit my blog on: http://sus42.wordpress.com
July 3rd, 2012 1:01pm
No change... still have the problem... I know to mark answers.
July 3rd, 2012 1:17pm
Hi Meinolf,
Not sure if I have narrowed anything down to a level where troubleshooting can begin.
In replmon I did the generate report (with the firewall on DC #2 up), and when I got to the stanza that listed the no endpoint error it listed Transport = Intra-site RPC.
So I was reading up on AD replication (the amount of detail on just about any aspect of Windows Servers is amazing, ya know, like what is the KCC and what does it do, and what is the ISTG and so on... for someone like me that is tasked to "do it all", build servers, run cabling, load servers and do all that same stuff at the workstation level, run a help desk for end user application support, and also be a perimeter guy running SonicWall appliances and also Exchange mgr... I can't seem to dive all the way into any one discipline to the point of gaining more than a cursory understanding of all these details).
Anyhow, I then ran PortQry on port 135 for both TCP and UDP. TCP all looks good...
but from each server there look to be UDP problems, each with the epmap service.
OK, so I have the FW on DC #2 up. When I query UDP 135 from here to my #1 DC (no FW) I get:
UDP PORT 135 NOT LISTENING
When I reverse this and query UDP 135 from my #1 DC to #2 (whose FW is up) I get:
UDP port 135 (epmap service): LISTENING or FILTERED
Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:
RPC Endpoint Mapper did not respond
UDP port 135 is FILTERED
Anything here to go on?
Thanks
July 5th, 2012 1:06pm
Well, I am shooting in the dark... I disabled the firewall, so now, as usual, replication works.
While the FW on DC #2 was down I ran PortQry from both ends again, and now they both say "UDP port 135 NOT LISTENING", but like I say, replication works.
If I was to stay on this lead... it would imply that if UDP 135 is not listening then all will work, but if the FW is up on DC #2 then UDP 135 is tagged as "LISTENING or FILTERED" and then the replication fails.
July 5th, 2012 1:29pm
Hi Daniel,
Here is my analysis about the issue:
1. Only TCP 135 (RPC protocol) should be listening. No protocol uses UDP 135, so UDP 135 should not be listening. It is normal that UDP 135 is not listening. It doesn't mean that UDP 135 not listening is what makes the AD replication succeed.
2. When the status is FILTERED, it means the packets are blocked by the Windows Firewall or another firewall. It seems that both TCP and UDP 389 are blocked by the Windows Firewall, based on your information. Please add rules in the Windows Firewall to ensure that TCP 389 and UDP 389 are allowed.
Best Regards
Scott Xie
July 11th, 2012 4:08am
I have both TCP and UDP port 389 on the FW exception list (on DC #2).
If (from DC #2) I query UDP port 389 (with FW on), leaving the default 127.0.0.1 host in there, I get "NOT LISTENING".
If I put the IP address of DC #2 in (not using local loopback 127.0.0.1) then I get "LISTENING".
TCP port queries give me the LDAP paragraph... I assume that port is listening/working OK.
If I go to DC #1 (primary DC and replication partner) and query UDP 389 on DC #2 it says "LISTENING".
Whaddaya think about that?
July 11th, 2012 3:34pm
I get the same PortQry results on UDP port 389 whether the FW is on or off...
No matter what, I can't replicate when the FW is on: no more endpoints.
July 11th, 2012 3:52pm
Hi,
It seems the replication issue is not caused by port 389. To further troubleshoot the issue, I suggest that you enable the firewall log on the server. From the firewall log we can check if there is a firewall rule that blocks the concerning network traffic:
a. On the concerning server, click "Start"->"Run", type "gpedit.msc", press Enter.
b. In the "Local Group Policy Editor" window, in the left panel, navigate to: "Computer Configuration/Windows Settings/Security Settings".
c. Expand "Windows Firewall with Advanced Security", click "Windows Firewall with Advanced Security - Local Group Policy Object".
d. In the right panel, click "Windows Firewall Properties".
e. In the newly opened window, on the "Domain Profile" tab, in the "Logging" section, click "Customize".
f. In the "Customize Logging Settings for the Domain Profile" window, uncheck the two "Not configured" checkboxes. Set "Log dropped packets" to "Yes". Click "OK".
g. Use steps e - f to enable "Log dropped packets" on the "Private Profile" and "Public Profile" tabs. Click "OK".
Best Regards
Scott Xie
July 13th, 2012 3:58am
The FW on DC #2 is set to log... I am not sure if I would still need to do the GP procedure you outlined, or if the existing pfirewall.log file is good enough.
I have uploaded that file to my quickdoc folder on SkyDrive:
https://skydrive.live.com/?cid=BD95D9F727CB8E30&id=BD95D9F727CB8E30%21120
Let me know if this is OK.
Thanks for sticking with me on this issue.
July 13th, 2012 9:33am
Hi Daniel,
You are welcome. Yes, the pfirewall.log file is enough. I have checked the file you uploaded. I find there are many dropped packets whose destination port is TCP 1025. Please refer to the following link:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;179442
Since your DC is Windows Server 2003, the following dynamic ports need to be opened:
Client Port(s)     Server Port(s)
1024-65535/TCP     1024-65535/TCP
Please ensure these dynamic ports have been opened.
Best Regards
Scott Xie
July 16th, 2012 3:39am
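The analysis Scott describes above (reading pfirewall.log, noticing the drops to TCP 1025 from the replication partner, and tying them to the 1024-65535 dynamic RPC range a Server 2003 DC needs per KB 179442) is easy to automate, and it is the same check you would run whenever replmon reports "no more endpoints" with the firewall up. The script below is an added example, not code from this thread or from Microsoft. It takes the column order from the log's own `#Fields:` header, counts DROP records per destination port, and separately flags TCP drops from the replication partner that fall in the dynamic RPC range. The log lines are constructed; 192.168.50.48 (DC #2) is from the thread, while 192.168.50.40 as DC #1 and 192.168.50.77 as a workstation are assumptions.

```python
"""Summarise dropped packets in a Windows Firewall log (pfirewall.log).

Added example: parses the W3C "#Fields:" header so the column order comes
from the file itself, reports which destination ports were dropped, and
flags whether the replication partner is being blocked on the dynamic RPC
range (TCP 1024-65535 on Server 2003).
"""
from collections import Counter

# Well-known DC ports, only for readable output.
KNOWN_PORTS = {
    ("TCP", "135"): "epmap (RPC endpoint mapper)",
    ("TCP", "389"): "ldap",
    ("UDP", "389"): "ldap (UDP)",
    ("TCP", "636"): "ldaps",
    ("TCP", "3268"): "global catalog",
    ("TCP", "88"): "kerberos",
    ("UDP", "88"): "kerberos (UDP)",
    ("TCP", "445"): "smb",
    ("TCP", "53"): "dns",
    ("UDP", "53"): "dns (UDP)",
    ("UDP", "67"): "dhcp server",
}
RPC_DYNAMIC = (1024, 65535)  # Server 2003 default dynamic RPC port range

# Constructed sample log. 192.168.50.48 is DC #2 (firewall on, from the
# thread); 192.168.50.40 is ASSUMED to be DC #1, its replication partner;
# 192.168.50.77 is an assumed workstation. Flags/seq numbers are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-07-12 10:15:01 OPEN TCP 192.168.50.40 192.168.50.48 1040 135 0 - 0 0 0 - - - RECEIVE
2012-07-12 10:15:01 DROP TCP 192.168.50.40 192.168.50.48 1041 1025 48 S 3311211 0 65535 - - - RECEIVE
2012-07-12 10:15:04 DROP TCP 192.168.50.40 192.168.50.48 1041 1025 48 S 3311211 0 65535 - - - RECEIVE
2012-07-12 10:15:09 DROP TCP 192.168.50.40 192.168.50.48 1043 1026 48 S 3311560 0 65535 - - - RECEIVE
2012-07-12 10:15:20 OPEN TCP 192.168.50.40 192.168.50.48 1044 389 0 - 0 0 0 - - - RECEIVE
2012-07-12 10:15:31 DROP UDP 192.168.50.77 192.168.50.48 137 137 78 - - - - - - - RECEIVE
2012-07-12 10:16:00 DROP ICMP 192.168.50.77 192.168.50.48 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        # Older logs may have fewer trailing columns than the header: pad them.
        values += ["-"] * (len(fields) - len(values))
        yield dict(zip(fields, values))


def analyze(text, partner_ip):
    """Count DROP records per (protocol, dst-port) and those from the partner
    that land in the dynamic RPC range."""
    records = list(parse_firewall_log(text))
    drops = [r for r in records if r["action"] == "DROP"]
    per_port = Counter((r["protocol"], r["dst-port"]) for r in drops)
    rpc_dynamic = Counter()
    for r in drops:
        port = r["dst-port"]
        if (r["src-ip"] == partner_ip and r["protocol"] == "TCP"
                and port.isdigit() and RPC_DYNAMIC[0] <= int(port) <= RPC_DYNAMIC[1]):
            rpc_dynamic[port] += 1
    return {"records": len(records), "drops": len(drops),
            "per_port": per_port, "rpc_dynamic_from_partner": rpc_dynamic}


def describe_port(protocol, port):
    return KNOWN_PORTS.get((protocol, port), "unknown")


def report(text, partner_ip):
    """Render the analysis as a list of lines (returned, not printed, so it can be checked)."""
    result = analyze(text, partner_ip)
    lines = [f"{result['drops']} dropped of {result['records']} records"]
    for (proto, port), n in result["per_port"].most_common():
        lines.append(f"  DROP {proto:4} dst-port {port:>5}  x{n}  {describe_port(proto, port)}")
    dyn = result["rpc_dynamic_from_partner"]
    if dyn:
        ports = ", ".join(f"{p} (x{n})" for p, n in sorted(dyn.items(), key=lambda kv: int(kv[0])))
        lines.append(f"{partner_ip} is blocked on dynamic RPC ports: {ports}")
        lines.append("-> epmap (135) answers, but the RPC endpoint it hands out is filtered; "
                     "this is the 'no more endpoints' symptom, see KB 179442 for the 1024-65535/TCP range")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, "192.168.50.40")))
```

Against a real server, read the live file instead of `SAMPLE_LOG` (Windows Firewall on Server 2003 writes to %windir%\pfirewall.log by default) and pass the replication partner's address from `repadmin /showrepl`. A partner that shows OPEN on 135 and DROP on a scatter of ports above 1024 is exactly the pattern Scott found: the endpoint mapper is reachable but the dynamically assigned RPC port is not.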
I had to use one of my complimentary support calls to Microsoft... they indicated the same answer.
The key factor here is that I am on Server 2003, which has these dynamic ports blocked by default.
Microsoft DOES NOT RECOMMEND assigning RPC to a specific port; some of the documents I was referred to seem to allude to this.
Maybe I am one of the last still operating on Server 2003, and this detail (dynamic ports blocked) must be very obscure.
On the plus side, I know much more about DC firewalls and some of the associated tools used to troubleshoot... thanks to all.
July 16th, 2012 7:19am
Well well well....
I thought I would get a lesson on how to add this port range... but NO!! The official MS standpoint is that this is not recommended on Server 2003 domain controller platforms. They showed me a TechNet doc:
http://support.microsoft.com/kb/555381
and they are refunding my support call, since they say it is a Microsoft problem and admit there should be more supportive info on it so folks like me (idiots) can get educated on the issue.
Let me know what you think about their stance on this.
Thanks
July 16th, 2012 4:05pm
Meinolf, please see my final reply way down below... sorry to have been chewing up everyone's time. If I had ever thought this was an activity Microsoft really did not support completely, I would never have gone down this path.
I appreciate everyone's help, even if it was fruitless for me.
http://support.microsoft.com/kb/555381
July 16th, 2012 4:09pm