[THIN] Re: OT: AD Browsing Issue

  • From: Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 8 Mar 2012 13:12:59 +0000

Firewall requirements for client access to domain controllers are as follows:

"TCP-1024-5000"
"TCP-49150-65535"
"UDP-1024-5000"
"UDP-49150-65535"
"A-Kerberos"
"UDP-LDAP-389"
"DNS"
"LDAP"
"PING"
"SMB"
"MS-AD"
"NBT"


"A-Kerberos" protocol tcp src-port 1024-65535 dst-port 88-88
"A-Kerberos" + udp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + tcp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + udp src-port 1024-65535 dst-port 88-88

The first port range from 1024 - 5000 is to support Windows 2003
clients and 49150 - 65535 is to support Windows 2008 / Vista and above
clients.

You *could* run rpccfg on each host on either side of the firewall,
but that's not best practice.


On Wed, Mar 7, 2012 at 8:12 PM, Steve <kwajalein@xxxxxxxxx> wrote:
> conditional forwarding has now been enabled on the client domain, resolution 
> of fqdn now happens. FW guy now tells me that they are limiting traffic to 
> ports needed for kerberos, though I'm guessing that IPSec filters haven't 
> been updated for the DCs in the site where the resource servers were moved 
> to. there is a site in sites & services for the site that's causing 
> consternation. oh, and even though I
> I've got a couple of microsoft guys engaged, hopefully they can figure it out.
>
> Sent from my iPad
>
> On Mar 6, 2012, at 3:14 PM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:
>
>> Answers inline
>>
>> On Tue, Mar 6, 2012 at 11:34 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>>> On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
>>> wrote:
>>>>
>>>> DNS is replicated completely?
>>>
>>> That I won't know, though I'm trying to get some hostnames for the other
>>> domain to see if I can resolve them.
>>> Got a hostname - can't resolve it.
>>>>
>>>>
>>>> NetBIOS over TCP/IP is turned on?
>>>
>>> On my PC, yes. On the DCs? Don't know.
>>>>
>>>>
>>>> What does sites and services look like?
>>>
>>> Oodles of sites, can't really tell that there's one setup for the other
>>> domain. What should I be looking for here?
>>
>> Whatever subnet that machine that doesn't work is sitting in, should
>> be in a subnet defined in sites and services, that should specify
>> which DC it should be looking at. Can you run dcdiag and try to see if
>> there is any problems there.
>>
>>>>
>>>>
>>>> Can you run wireshark on one of the machines that's not working and
>>>> see whether it's trying to connect out to a DC that's perhaps not in
>>>> the policy?
>>>
>>> that would definitely be out of the question. I can run a port query from
>>> PCs and member servers.
>>>>
>>
>> Give that IP address to the firewall admins on both sides and ask for
>> drops. Also ask the networking guys if they have routed *all* the IP
>> address space in use between the two orgs. Firewall might be open on
>> both sides, but without the routes there, you're going to lose out.
>>
>>
>>>>
>>>> On the machine that you are running ADUC on, can you login there to
>>>> the other domain?
>>>
>>> I'll see if they can create an account for me to test with.
>>>
>>> They're currently allowing perhaps 7 DCs on each domain to contact one
>>> another. The FW guys say that there's no port restrictions, they're just
>>> allowing IPs to connect to one another.
>>>
>>> One enterprise group controls our DCs and FWs, another enterprise controls
>>> the other DCs; FWs on the other domain are controlled locally. Everyone says
>>> that their part is configured correctly (of course). Seems like there should
>>> be a way to set up a bridgehead or two on each domain, and then just allow
>>> the bridgeheads to talk through the firewalls. One enterprise AD guy
>>> believes that we need to configure the firewalls with ACLs for all of the
>>> DCs (hundreds) on both domains (so hundreds X2); I'm hoping there's a more
>>> succinct way.
>>
>> In my experience, he's right. It shouldn't work that way, but you see
>> strange oddities sometimes (Timeouts) without it.
>>
>> I just did a POC for a trust relationship setup the other day.
>>
>> Also, just to state the obvious. Make sure that you are trying to add
>> members of another domain to a domain local group. Otherwise it won't
>> work.
>>
>>
>>>
>>> thanks.
>>>>
>>>>
>>>> On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>>>>> Alright, one for the AD Gods/Goddesses
>>>>>
>>>>> Got a trust between two different AD forests. From my PC I can browse
>>>>> the other domains and select/add objects. From ADUC, I can't even see
>>>>> the other domains (see the attached pic).
>>>>>
>>>>> Ideas?
>>>>>
>>>>> What's driving this issue is from a server in another site (still in my
>>>>> domain) one can't see the other domains at all in order to add users (as
>>>>> I can from my PC). So between these two matters I'm guessing that our
>>>>> trust isn't quite right, but I don't have access to DCs nor the firewalls
>>>>> so I'm troubleshooting symptomatically. If anyone wants to pipe in with a
>>>>> Cliff Notes version of setting up trusts between AD domains through
>>>>> firewalls for domains with a *lot* of DCs I'd gladly read it and drink a
>>>>> German bier in their honor.
>>>> ************************************************
>>>> For Archives, RSS, to Unsubscribe, Subscribe or
>>>> set Digest or Vacation mode use the below link:
>>>> //www.freelists.org/list/thin
>>>> ************************************************
>>>
>>>
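Added example, not part of the original post and not any firewall vendor's tooling: a small Python matcher that parses the four "A-Kerberos" lines from Berny's message exactly as written and reports which line, if any, permits a given client-to-DC packet. It is useful for the kind of symptomatic troubleshooting Steve describes, where the firewall team says "only Kerberos ports are open" and you want to see what that rule set actually admits from a 2003-era client (source ports 1024-5000) versus a Vista/2008+ client (source ports 49150-65535 as the post describes them) before asking them for drop logs. The named objects in the first list ("DNS", "LDAP", "SMB", "MS-AD", "NBT", the dynamic-range objects) are not expanded in the post, so they are deliberately left out; the sample flows are constructed, and the helper names parse_rules, first_match, permitted and audit are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line format as it appears in the post: the first line of an object uses
# "protocol", continuation lines use "+".
LINE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s+(?:protocol|\+)\s+(?P<proto>tcp|udp)\s+'
    r'src-port\s+(?P<s1>\d+)-(?P<s2>\d+)\s+dst-port\s+(?P<d1>\d+)-(?P<d2>\d+)\s*$'
)

# The four A-Kerberos lines copied from the post, including the 65525 upper
# bound on the two port-464 (kpasswd) lines. Evaluated exactly as written.
KERBEROS_TEXT = """
"A-Kerberos" protocol tcp src-port 1024-65535 dst-port 88-88
"A-Kerberos" + udp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + tcp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + udp src-port 1024-65535 dst-port 88-88
"""


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src: Tuple[int, int]  # inclusive client source-port range
    dst: Tuple[int, int]  # inclusive DC destination-port range

    def allows(self, proto: str, sport: int, dport: int) -> bool:
        return (self.proto == proto
                and self.src[0] <= sport <= self.src[1]
                and self.dst[0] <= dport <= self.dst[1])


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; an unrecognised line is an error, not silently skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules.append(Rule(m["name"], m["proto"],
                          (int(m["s1"]), int(m["s2"])),
                          (int(m["d1"]), int(m["d2"]))))
    return rules


def first_match(rules: List[Rule], proto: str, sport: int, dport: int) -> Optional[Rule]:
    """First rule permitting a client->DC packet, or None if nothing in the set matches."""
    for rule in rules:
        if rule.allows(proto, sport, dport):
            return rule
    return None


def permitted(rules: List[Rule], proto: str, sport: int, dport: int) -> bool:
    return first_match(rules, proto, sport, dport) is not None


def audit(rules: List[Rule], flows) -> Dict[Tuple[str, int, int], Optional[str]]:
    """Map each (proto, sport, dport) flow to the name of the rule permitting it, or None."""
    result = {}
    for flow in flows:
        match = first_match(rules, *flow)
        result[flow] = match.name if match else None
    return result


KERBEROS_RULES = parse_rules(KERBEROS_TEXT)

# Constructed sample flows (not captured traffic): client source port first,
# DC destination port second.
SAMPLE_FLOWS = [
    ("tcp", 1025, 88),    # 2003-era client (1024-5000 source range) to Kerberos
    ("udp", 49152, 88),   # Vista/2008+ client (49150-65535 range per the post)
    ("tcp", 49152, 464),  # kpasswd from a 2008+ client
    ("udp", 65530, 464),  # kpasswd: source port above the 65525 bound on that line
    ("tcp", 1023, 88),    # privileged source port, below every rule's floor
    ("tcp", 49152, 389),  # LDAP is a separate object, not part of A-Kerberos
]

if __name__ == "__main__":
    for flow, name in audit(KERBEROS_RULES, SAMPLE_FLOWS).items():
        proto, sport, dport = flow
        print(f"{proto} {sport:>5} -> {dport:<3} {name or 'DROP (no matching rule)'}")
```

Feed it the object definitions exported from your own firewall once the other objects ("DNS", "LDAP", "SMB" and so on) are expanded to port ranges, and take the actual source-port range from the client itself (netsh int ipv4 show dynamicport tcp on the host) rather than from the OS version alone, since the range can be changed per host.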
