Join domain over vpn, what firewall ports should be opened?

I have a remote office location which I need to join to our main domain. I actually joined the PC to the domain, but when I try to log in to that domain it says "The system cannot log you in because domain "mydomain" not available." On my firewall I allowed these ports:
AD replication, DNS, File Replication Service, Global Catalog LDAP, Kerberos (TCP/UDP), LDAP (TCP/UDP), NTP. And I still cannot log in with the AD account. What am I missing here?
DNS records can be tricky at times unless you know the chronology of a DNS Query:

Both clients and servers can cache or store DNS records in certain areas. If you had cached or stored entries on the clients or server, then you could be missing a Host A record and still operate. Below is the chronology of a DNS query. The DNS service itself is easy. Troubleshooting a DNS problem is easy too if you understand the below info:

The client sends out a DNS query:
The client has a couple of records that it will try to resolve the query by itself:
1) The first thing it looks at is a persistent host. (These are configured in the registry.)
2) The second place a client looks for is a cached entry. (To clear it, go to the command prompt of the client and type ipconfig /flushdns.)
3) Then if your client doesn't have the cached entry, it will look at the client's C:\i386\Host file for resolution. (You can look at and edit the host file with WordPad. Check and see that there are no entries, except localhost, in that file. Manually configured host files can mess up DNS resolution.)

After the client can't determine its own DNS query it will look at the preferred DNS server. (To determine the preferred DNS server, it will be the first one on the list in an ipconfig /all of the client.)
1) The first place the server looks for DNS records is its own DNS cache. (You can flush the cache by again going to the command prompt and typing ipconfig /flushdns.)
2) Then the server will look at its own C:\i386\host file.
3) Then the DNS server will have a list of Host A records. (For internal queries, it looks and sounds like you have a list of Host A records.)
4) If the DNS server can't find the Host A, it will make an attempt to contact an outside server. There are two types of contacts. One is a recursive and the other is an iterative query. There are also two types of lists to contact the outside server. One is called forwarders and the other is called root hints.
---brief explanation of each:
---Recursive lookup: A recursive lookup is handled by the server. It will go out to a distant server and try to resolve DNS queries that it can't do on its own for the client. In other words, if the DNS server can't find an internal address, it will go out to other servers and ask them to look for it. If a resolution is provided, the resolution will be passed down to the client from the server. It is recommended to turn off recursive lookups for security reasons and performance reasons.
---Iteration: Iteration is done when the server can't resolve the query and tells the client, "I can't do it, ask another DNS server." The resolution comes from the remote server, not the local server. So, this is basically passing the buck.
---Forwarders: Forwarders are manually configured DNS servers that your server will forward queries to if your server can't make the resolution. (Most folks configure the ISP's DNS server as the forwarders.)
---Root Hints: Root Hints are a list of public DNS servers that your server forwards DNS queries to if your server can't resolve the DNS query.

My guess is you had a saved DNS record in the C:\i386\host file or a cached DNS record. In either case, you will be able to track it down with this information much easier if you have DNS problems.

There are a couple of things I recommend you configure for the health of the LAN:
1) I would go to the clients' and servers' NIC TCP/IP configuration and the router's list of DNS servers to make sure your DNS servers are the preferred DNS server. The only places on the LAN that should have outside DNS servers are the forwarders (that you configure) or root hints (that are preconfigured).
2) Then, for security, disable DNS recursion.
3) For DHCP, also list your DNS servers in the DHCP configuration.
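To walk the resolution chain described above on a Windows client, and then check the DC locator SRV record that a domain logon depends on, here is an added PowerShell example (not code from the thread); `$Name` and `$Domain` are assumed values for the DC and the domain.

```powershell
# Added example, not from the original thread. Checks each stage of client-side
# name resolution for one name, then the SRV record a client uses to find a DC.
# $Name and $Domain are assumed values; replace them with your own.
param(
    [string]$Name   = 'dc1.mydomain.local',
    [string]$Domain = 'mydomain.local'
)

# 1) hosts file: a manual entry here wins over the cache and the DNS server.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHits = Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match "\b$([regex]::Escape($Name))\b" }
if ($hostsHits) { "hosts file overrides ${Name}:"; $hostsHits }
else           { "hosts file: no entry for $Name" }

# 2) client resolver cache: a stale entry survives until ipconfig /flushdns.
$cached = Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue
if ($cached) { "cached:"; $cached | Format-Table Entry, Data, TimeToLive -AutoSize }
else         { "cache: no entry for $Name" }

# 3) preferred DNS server as the client sees it (first address in the list).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 4) ask the configured DNS server, skipping the hosts file and NetBIOS/LLMNR.
Resolve-DnsName -Name $Name -NoHostsFile -DnsOnly -ErrorAction SilentlyContinue |
    Format-Table Name, Type, IPAddress -AutoSize

# 5) DC locator record: if the client's DNS server cannot answer this,
#    the client has no way to find a domain controller for logon.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                       -NoHostsFile -DnsOnly -ErrorAction SilentlyContinue
if ($srv) { $srv | Where-Object Type -eq 'SRV' | Format-Table NameTarget, Port, Priority -AutoSize }
else      { "no DC SRV record for $Domain from the configured DNS server" }
```

If step 5 fails while step 4 succeeds, the client is pointed at a DNS server that does not hold the AD zone, which matches the outcome later in this thread.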
When looking for the right ports, I like this article:
To answer your question:

The Netlogon service requires RPC. RPC runs on port 135.

It also requires NetBIOS/WINS port 137:
- NetBIOS Datagram Service
- NetBIOS Name Resolution
- NetBIOS Session Service
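As an added check (not part of the answer above), this PowerShell script probes, from a machine in the remote office, the TCP ports named in this thread against the DC; `$Dc` is an assumed value. Test-NetConnection only tests TCP, so the UDP ports are listed for the firewall rule review but cannot be probed this way.

```powershell
# Added example, not from the original thread. $Dc is an assumed value.
param([string]$Dc = 'dc1.mydomain.local')

# TCP ports behind the services the thread lists (well-known port numbers).
$tcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (Netlogon, AD replication)'
    139  = 'NetBIOS session service'
    389  = 'LDAP'
    445  = 'SMB (Netlogon named pipes, SYSVOL)'
    464  = 'Kerberos password change'
    3268 = 'Global Catalog LDAP'
}

# UDP-only or UDP-also services: Test-NetConnection cannot probe these.
$udpPorts = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    123 = 'NTP'
    137 = 'NetBIOS name service (WINS)'
    138 = 'NetBIOS datagram service (browser)'
    389 = 'LDAP ping (DC locator)'
}

$results = foreach ($p in $tcpPorts.Keys) {
    $t = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $p
        Service = $tcpPorts[$p]
        TcpOpen = $t.TcpTestSucceeded
    }
}
"TCP reachability of $Dc from this host:"
$results | Format-Table -AutoSize

"UDP ports to verify in the firewall rule (not testable here):"
$udpPorts.GetEnumerator() | Format-Table Name, Value -AutoSize

# Caveat: after the endpoint mapper on 135 answers, RPC services (Netlogon,
# AD replication) use a dynamic high port the DC hands out, so a rule that
# opens only 135 is not enough for RPC traffic across the VPN.
```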

NukerysAuthor Commented:
Still no luck. I added the ports mentioned, but can't log in. I can access the domain controller's shared directory with the domain user/password, but cannot log in with that account.
Ok, so it's not a Netlogon problem.

My guess is the browser service.

NetBIOS port 137 and UDP ports 138 and 139.
To go across a VPN, the browser service needs WINS. NetBIOS broadcasts will not go through a VPN or across NAT.
This article explains the Browser service and you will have to use what I call the WINS/WAN configuration of the Browser service.

NOTE: Don't let the fact that this article is a NT4 article scare you. There is only one small change. NT4 uses the "IsDomainMasterBrowser" registry key while 2003 shortened that up to "IsDomainMaster".
Oops, you are stuck at a logon prompt. That's not the master browser service. You will have problems with the master browser service after logging in. So, keep the above handy.

This may be a DNS records problem. Follow the procedures on the below link:
NukerysAuthor Commented:
Yes, it is a DNS problem. I forgot to set DNS from the main DNS controller; it was set to local DNS :) And the question is, why is everything working normally, without the problems you described earlier?
You know what:

It may have looked like a DNS error, but I really think it was a Netlogon error. I am thinking it is a Netlogon error. Monitor this post and you will be able to see what your problem was. I think it took the restart of the NETLOGON service to send out the NetBIOS broadcast saying, "I am here and I am the domain master".

Nevertheless, it is a good thing to get your DNS records straight with the server.
NukerysAuthor Commented:
Thanks for your answers, I will investigate this and hopefully will find the problem :)
For now, you are up and running right?
NukerysAuthor Commented:
Yes, for now everything is working. So can I close this post? I don't know how things get done here.
There are two buttons under each question. One will say assign multiple solutions, the other will say something like accept this as a solution.

Awarding multiple solutions allows you to split points between experts that helped you or to say that these two or more solutions provided you with the answers you needed.

Accepting one solution defines that as the one answer that helped you and will assign all points to that posting.