| Author |
Message |
J Duff
Guest
|
 Posted:
Sat Oct 22, 2005 12:50 am Post subject:
joining a domain through firewall |
|
|
We have two layers in our DMZ. I want to join a server to a domain from one
layer of the dmz to the other layer. I keep getting the error that the
domain could not be reached. I can connect a share from one machine to
another but I can not join the domain. Any suggestions? |
|
| Back to top |
|
 |
Neteng
Guest
|
| Posted:
Sat Oct 22, 2005 12:50 am Post subject:
Re: joining a domain through firewall |
|
|
You really shouldn't have your DMZ servers in your domain, but if really
want to, you'll need to open the appropriate ports on the firewall (search
MS/Google for the ports)
"J Duff" <JDuff@discussions.microsoft.com> wrote in message
news:03D4AF94-EFFB-4A0D-BE5E-306E78749129@microsoft.com...
| Quote: | We have two layers in our DMZ. I want to join a server to a domain from
one
layer of the dmz to the other layer. I keep getting the error that the
domain could not be reached. I can connect a share from one machine to
another but I can not join the domain. Any suggestions? |
|
|
| Back to top |
|
|
Miha Pihler [MVP]
Guest
|
| Posted:
Sat Oct 22, 2005 12:50 pm Post subject:
Re: joining a domain through firewall |
|
|
I would agree here with other poster that this is not something you should
do unless you have environment built for this.
Ports that client will need to talk to domain controllers in LAN (or in
other segments) are more or less these:
RPC endpoint mapper 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
RPC dynamic assignment 1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP) 389/tcp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
Domain Name Service (DNS) 53/tcp1, 53/udp
Windows Internet Naming Service (WINS) resolution (if required) 1512/tcp,
1512/udp
WINS replication (if required) 42/tcp, 42/udp
and ICMP protocol.
--
Mike
Microsoft MVP - Windows Security
"J Duff" <JDuff@discussions.microsoft.com> wrote in message
news:03D4AF94-EFFB-4A0D-BE5E-306E78749129@microsoft.com...
| Quote: | We have two layers in our DMZ. I want to join a server to a domain from
one
layer of the dmz to the other layer. I keep getting the error that the
domain could not be reached. I can connect a share from one machine to
another but I can not join the domain. Any suggestions? |
|
|
| Back to top |
|
|
Ace Fekay [MVP]
Guest
|
| Posted:
Sat Oct 22, 2005 4:50 pm Post subject:
Re: joining a domain through firewall |
|
|
In news:03D4AF94-EFFB-4A0D-BE5E-306E78749129@microsoft.com,
J Duff <JDuff@discussions.microsoft.com> made this post, which I then
commented about below:
| Quote: | We have two layers in our DMZ. I want to join a server to a domain
from one layer of the dmz to the other layer. I keep getting the
error that the domain could not be reached. I can connect a share
from one machine to another but I can not join the domain. Any
suggestions?
|
In addition to the other posts, You can't forget about the epherical ports
that are dynamically created when establishing a session (UDP >1023). Here's
more specific info:
179442 - How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/?id=179442
Download details Active Directory in Networks Segmented by Firewalls:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=c2ef3846-43f0-4caf-9767-a9166368434e
Active Directory Replication over Firewalls:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsot Certified Trainer
Infinite Diversities in Infinite Combinations.
================================= |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in