Solved

Join domain over vpn, what firewall ports should be opened?

Posted on 2008-06-16
12
1,711 Views
Last Modified: 2008-11-11
I have a remote office location which I need to join to our main domain. I actually joined the PC to the domain, but when I try to log in to that domain it says "The system cannot log you in because domain "mydomain" not available." On my firewall I allowed these ports:
AD replication, DNS, File Replication Service, Global Catalog LDAP, Kerberos (TCP/UDP), LDAP (TCP/UDP), NTP. And I still cannot log in with the AD account. What am I missing here?
Question by:Nukerys
12 Comments
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21791806
When looking for the right ports, I like this article:

http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21791825
To answer your question:

The netlogon service requires RPC. RPC runs on port 135.

It also requires NetBIOS/WINS port 137.

Service                    Protocol   Port
NetBIOS Datagram Service   UDP        138
NetBIOS Name Resolution    UDP        137
NetBIOS Session Service    TCP        139
SMB                        TCP        445

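As an added example (not from the thread), a Python check to run from the remote office against the domain controller: it walks the port list the question and the comment above name and reports which TCP ports actually complete a handshake through the VPN rule set. The DC address is a command-line argument; UDP ports are only listed, since a connect cannot verify them.

```python
import socket

# Ports named in the question and in the comment above (protocol, port, purpose).
# Well-known values assumed; AD replication and FRS also use dynamic RPC ports,
# which a fixed list cannot cover.
AD_PORTS = [
    ("tcp", 53, "DNS"), ("udp", 53, "DNS"),
    ("tcp", 88, "Kerberos"), ("udp", 88, "Kerberos"),
    ("udp", 123, "NTP"),
    ("tcp", 135, "RPC endpoint mapper (Netlogon)"),
    ("udp", 137, "NetBIOS name service"),
    ("udp", 138, "NetBIOS datagram service"),
    ("tcp", 139, "NetBIOS session service"),
    ("tcp", 389, "LDAP"), ("udp", 389, "LDAP"),
    ("tcp", 445, "SMB"),
    ("tcp", 3268, "Global Catalog LDAP"),
]


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, connect=tcp_open):
    """Classify each required port as reachable, blocked, or unverified.
    A plain connect cannot prove a UDP path is open, so UDP ports are listed
    for manual follow-up (e.g. in the firewall log) rather than guessed at."""
    out = {"reachable": [], "blocked": [], "unverified_udp": []}
    for proto, port, purpose in AD_PORTS:
        label = f"{proto}/{port} {purpose}"
        if proto == "udp":
            out["unverified_udp"].append(label)
        elif connect(host, port):
            out["reachable"].append(label)
        else:
            out["blocked"].append(label)
    return out


if __name__ == "__main__":
    import sys  # usage: python audit_ports.py <domain-controller-address>
    for kind, ports in audit(sys.argv[1]).items():
        print(kind, *ports, sep="\n  ")
```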
 
LVL 1

Author Comment

by:Nukerys
ID: 21791929
Still no luck. I added the ports mentioned, but I can't log in. I can access the domain controller's shared directory with the domain user/password but cannot log in with that account.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21792002
Ok, so it's not a Netlogon problem.

My guess is the browser service.

Netbios ports 137 and UDP ports 138 and 139.
To go across a VPN, the browser service needs WINS. Netbios broadcasts will not go through a VPN or across NAT.
This article explains the Browser service and you will have to use what I call the WINS/WAN configuration of the Browser service.

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

NOTE: Don't let the fact that this article is a NT4 article scare you. There is only one small change. NT4 uses the "IsDomainMasterBrowser" registry key while 2003 shortened that up to "IsDomainMaster".
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21792161
Oops, you are stuck at a logon prompt. That's not the master browser service. You will have problems with the master browser service after logging in. So, keep the above handy.

This may be a DNS records problem. Follow the procedures on the below link:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23356031.html
 
LVL 1

Author Comment

by:Nukerys
ID: 21792617
Yes, it is a DNS problem. I forgot to set DNS to the main DNS controller; it was set to local DNS :)   And the question is, why is everything working normally, without the problems you described earlier?
 
LVL 38

Accepted Solution

by: ChiefIT (earned 500 total points)
ID: 21792826
DNS records can be tricky at times unless you know the chronology of a DNS query:

Both clients and servers can cache or store DNS records in certain areas. If you had cached or stored entries on the clients or server, then you could be missing a Host A record and still operate. Below is the chronology of a DNS query. The DNS service itself is easy. Troubleshooting a DNS problem is easy too if you understand the below info:

The client sends out a DNS query:
The client has a couple of records that it will try to resolve the query by itself:
1) The first thing it looks at is a persistent host. (These are configured in the registry.)
2) The second place a client looks is a cached entry. (To determine if this is the case, go to the command prompt of the client and type ipconfig /flushdns.)
3) Then, if your client doesn't have the cached entry, it will look at the client's C:\i386\Host file for resolution. (You can look at and edit the host file with WordPad. Check and see that there are no entries, except 1.0.0.127 local host, in that file. Manually configured host files can mess up DNS resolution.)

After the client can't determine its own DNS query it will look at the preferred DNS server. (To determine the preferred DNS server, it will be the first one on the list in an ipconfig /all of the client.)
1) The first place the server looks for DNS records is its own DNS cache. (You can flush the cache by again going to the command prompt and typing ipconfig /flushdns.)
2) Then the server will look at its own C:\i386\host file.
3) Then, the DNS server will have a list of Host A records. (For internal queries, it looks and sounds like you have a list of Host A records.)
4) If the DNS server can't find the Host A, it will make an attempt to contact an outside server. There are two types of contacts. One is a recursive and the other is an iteration query. There are also two types of lists to contact the outside server. One is called forwarders and the other is called root hints.
---Brief explanation of each:
---Recursive lookup: A recursive lookup is handled by the server. It will go out to a distant server and try to resolve DNS queries that it can't resolve on its own for the client. In other words, if the DNS server can't find an internal address, it will go out to other servers and ask them to look for it. If a resolution is provided, the resolution will be passed down to the client from the server. It is recommended to turn off recursive lookups for security reasons and performance reasons.
---Iteration: Iteration is done when the server can't resolve the query and tells the client, "I can't do it, ask another DNS server." The resolution comes from the remote server, not the local server. So, this is basically passing the buck.
---Forwarders: Forwarders are manually configured DNS servers that your server will forward queries to if your server can't make the resolution. (Most folks configure the ISP's DNS server as the forwarders.)
---Root hints: Root hints are a list of public DNS servers that your server forwards DNS queries to if your server can't resolve the DNS query.

My guess is you had a saved DNS record in the C:\i386\host file or a cached DNS record. In either case, you will be able to track it down much more easily with this information if you have DNS problems.

There are a couple of things I recommend you configure for the health of the LAN:
1) I would go to the clients' and servers' NIC TCP/IP configuration and the router's list of DNS servers to make sure your DNS servers are the preferred DNS server. The only places on the LAN that should have outside DNS servers are in forwarders (that you configure) or root hints (that are preconfigured).
2) Then, for security, disable DNS recursion.
3) For DHCP, also list your DNS servers in the DHCP configuration.
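To make the lookup order above concrete, here is an added example (not from the thread) in Python that walks a name through the client cache, the hosts file and then the DNS server, and flags hosts-file entries that silently override DNS records, which is the kind of stale entry the answer suspects. The hosts-file contents, names and addresses are constructed; the script takes the file contents as a string (on current Windows the file is %SystemRoot%\System32\drivers\etc\hosts).

```python
import ipaddress

# Constructed sample hosts file: the normal loopback line plus a stale entry
# for the domain controller left over from an earlier address change.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    dc1.mydomain.local   dc1    # old address, now stale
"""
# Constructed answer the preferred DNS server gives for the same name.
DNS_RECORDS = {"dc1.mydomain.local": "10.0.0.10"}


def parse_hosts(text):
    """(name, ip) pairs from hosts-file text; comments, blanks and bad IPs are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, skipped
        pairs.extend((n.lower(), ip) for n in names)
    return pairs


def resolve(name, cache, hosts_text, dns):
    """Walk the client-side order the answer gives (persistent registry entries
    omitted): local cache, then hosts file, then the preferred DNS server.
    Returns (ip, source) so you can see which layer answered."""
    key = name.lower()
    if key in cache:
        return cache[key], "cache"
    for n, ip in parse_hosts(hosts_text):
        if n == key:
            return ip, "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "unresolved"


def shadowed_entries(hosts_text, dns):
    """Non-loopback hosts-file entries whose address differs from the DNS answer
    (None when DNS has no record). Each one silently wins over DNS."""
    return [(n, ip, dns.get(n)) for n, ip in parse_hosts(hosts_text)
            if not ipaddress.ip_address(ip).is_loopback and dns.get(n) != ip]
```

With the sample data, resolve() answers the DC name from the hosts file with the stale address even though DNS holds the correct one, which is exactly the logon failure the thread describes.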
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21792949
You know what:

It may have looked like a DNS error, but I really think it was a Netlogon error. I am thinking it is a Netlogon error. Monitor this post and you will be able to see what your problem was. I think it took the restart of the NETLOGON service to send out the NetBIOS broadcast saying, "I am here and I am the domain master".

Nevertheless, it is a good thing to get your DNS records straight with the server.  

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23486675.html
 
LVL 1

Author Comment

by:Nukerys
ID: 21793143
Thanks for your answers, i will investigate this and hopefully will find the problem :)
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21801299
For now, you are up and running right?
 
LVL 1

Author Comment

by:Nukerys
ID: 21801344
Yes, for now everything is working. So I can close this post? I don't know how things get done here.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21806766
There are two buttons under each question. One will say assign multiple solutions, the other will say something like accept this as a solution.

Awarding multiple solutions allows you to split points between experts that helped you or to say that these two or more solutions provided you with the answers you needed.

Accepting one solution defines that as the one answer that helped you and will assign all points to that posting.
