[THIN] Re: OT: AD Browsing Issue

  • From: Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 8 Mar 2012 13:12:59 +0000

Firewall requirements for client access to domain controllers are as follows:


"A-Kerberos" protocol tcp src-port 1024-65535 dst-port 88-88
"A-Kerberos" + udp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + tcp src-port 1024-65525 dst-port 464-464
"A-Kerberos" + udp src-port 1024-65535 dst-port 88-88

The first port range from 1024 - 5000 is to support Windows 2003
clients and 49150 - 65535 is to support Windows 2008 / Vista and above.

You *could* run rpccfg on each host on either side of the firewall,
but that's not best practice.

On Wed, Mar 7, 2012 at 8:12 PM, Steve <kwajalein@xxxxxxxxx> wrote:
> Conditional forwarding has now been enabled on the client domain, resolution 
> of FQDN now happens. FW guy now tells me that they are limiting traffic to 
> ports needed for Kerberos, though I'm guessing that IPSec filters haven't 
> been updated for the DCs in the site where the resource servers were moved 
> to. There is a site in Sites & Services for the site that's causing 
> consternation. Oh, and even though I
> I've got a couple of Microsoft guys engaged, hopefully they can figure it out.
> Sent from my iPad
> On Mar 6, 2012, at 3:14 PM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:
>> Answers inline
>> On Tue, Mar 6, 2012 at 11:34 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>>> On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
>>> wrote:
>>>> DNS is replicated completely?
>>> That I won't know, though I'm trying to get some hostnames for the other
>>> domain to see if I can resolve them.
>>> Got a hostname - can't resolve it.
>>>> NetBIOS over TCP/IP is turned on?
>>> On my PC, yes. On the DCs? Don't know.
>>>> What does sites and services look like?
>>> Oodles of sites, can't really tell that there's one setup for the other
>>> domain. What should I be looking for here?
>> Whatever subnet that machine that doesn't work is sitting in should
>> be in a subnet defined in Sites and Services, which should specify
>> which DC it should be looking at. Can you run dcdiag and try to see if
>> there are any problems there.
>>>> Can you run wireshark on one of the machines that's not working and
>>>> see whether it's trying to connect out to a DC that's perhaps not in
>>>> the policy?
>>> that would definitely be out of the question. I can run a port query from
>>> PCs and member servers.
>> Give that IP address to the firewall admins on both sides and ask for
>> drops. Also ask the networking guys if they have routed *all* the IP
>> address space in use between the two orgs. Firewall might be open on
>> both sides, but without the routes there, you're going to lose out.
>>>> On the machine that you are running ADUC on, can you login there to
>>>> the other domain?
>>> I'll see if they can create an account for me to test with.
>>> They're currently allowing perhaps 7 DCs on each domain to contact one
>>> another. The FW guys say that there's no port restrictions, they're just
>>> allowing IPs to connect to one another.
>>> One enterprise group controls our DCs and FWs, another enterprise controls
>>> the other DCs; FWs on the other domain are controlled locally. Everyone says
>>> that their part is configured correctly (of course). Seems like there should
>>> be a way to set up a bridgehead or two on each domain, and then just allow
>>> the bridgeheads to talk through the firewalls. One enterprise AD guy
>>> believes that we need to configure the firewalls with ACLs for all of the
>>> DCs (hundreds) on both domains (so hundreds X2); I'm hoping there's a more
>>> succinct way.
>> In my experience, he's right. It shouldn't work that way, but you see
>> strange oddities sometimes (Timeouts) without it.
>> I just did a POC for a trust relationship setup the other day.
>> Also, just to state the obvious. Make sure that you are trying to add
>> members of another domain to a domain local group. Otherwise it won't
>> work.
>>> thanks.
>>>> On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>>>>> Alright, one for the AD Gods/Goddesses
>>>>> Got a trust between two different AD forests. From my PC I can browse the
>>>>> other domains and select/add objects. From ADUC, I can't even see the
>>>>> other domains (see the attached pic).
>>>>> Ideas?
>>>>> What's driving this issue is from a server in another site (still in my
>>>>> domain) one can't see the other domains at all in order to add users (as I
>>>>> can from my PC). So between these two matters I'm guessing that our trust
>>>>> isn't quite right, but I don't have access to DCs nor the firewalls so I'm
>>>>> troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
>>>>> Notes version of setting up trusts between AD domains through firewalls for
>>>>> domains with a *lot* of DCs I'd gladly read it and drink a German bier in
>>>>> their honor.
>>>> ************************************************
>>>> For Archives, RSS, to Unsubscribe, Subscribe or
>>>> set Digest or Vacation mode use the below link:
>>>> //www.freelists.org/list/thin
>>>> ************************************************
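Added example, not part of the thread: a check a client-side admin in Steve's position (no access to DCs or firewalls) can run to test the port list at the top of Berny's reply. It probes TCP 88 and 464 on a set of DCs from a PC or member server, records the source port the OS chose for each connection (which is what the firewall matches as src-port), and reports the local ephemeral port range, since Berny's rules need both the 1024-5000 range for Windows 2003 and the 49152-65535 range for Vista/2008 and later. UDP 88/464 are not probed. The DC names are placeholders; the script assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Probes the Kerberos TCP ports Berny
# lists (88, 464) toward a set of DCs and reports the local dynamic port
# range. DC names below are placeholders; UDP is not tested here.
param(
    [string[]]$DomainControllers = @('dc1.other.example', 'dc2.other.example'),
    [int[]]$TcpPorts = @(88, 464),
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN/ACK nor RST within the timeout: silent drop or no route.
            return 'timeout (filtered or no route)'
        }
        $client.EndConnect($ar)
        # The local port is what the firewall sees as src-port.
        $src = ([System.Net.IPEndPoint]$client.Client.LocalEndPoint).Port
        return "open (src port $src)"
    } catch {
        # Covers name resolution failure (the DNS problem in the thread),
        # connection refused and host unreachable.
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        return "failed: $($e.Message)"
    } finally {
        $client.Close()
    }
}

function Get-DynamicPortRange {
    # Vista/2008 and later: netsh reports the dynamic range (default 49152-65535).
    $out = & netsh int ipv4 show dynamicport tcp 2>$null
    if ($LASTEXITCODE -eq 0 -and ($out -match 'Start Port')) {
        return (($out | Where-Object { $_ -match ':' }) -join '; ')
    }
    # XP/2003: ephemeral ports run from 1025 to MaxUserPort (default 5000).
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $mup = (Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue).MaxUserPort
    if (-not $mup) { $mup = 5000 }
    return "legacy 1025-$mup (MaxUserPort)"
}

Write-Host "Local dynamic port range: $(Get-DynamicPortRange)"
foreach ($dc in $DomainControllers) {
    foreach ($p in $TcpPorts) {
        New-Object PSObject -Property @{
            Target = $dc
            Port   = "tcp/$p"
            Result = (Test-TcpPort -Target $dc -Port $p -TimeoutMs $TimeoutMs)
        }
    }
}
# Which DC the client actually locates for the remote domain (and so which IP
# the firewall admins on both sides need) is decided by the DC locator, driven
# by the Sites and Services subnet the client sits in. Run from the client:
#   nltest /dsgetdc:other.example /force
```

A "timeout" on 88 or 464 toward a DC that nltest returns is the case Berny describes: the rule may exist on one firewall but not the other, or the route is missing. An "open" result whose src port is outside the range the firewall admin wrote into the rule is the Windows 2003 vs Vista/2008 ephemeral range mismatch.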