Solved

W2K3 firewall blocking domain trust need help with ports

Posted on 2008-10-16
6
1,000 Views
Last Modified: 2010-04-21
I've read all the postings here for help and all of the microsoft KBs and other forums.  My situation is I have a 2000 Domain and a new 2003 domain.  Different forests each running it's own DNS.  Both Domains are on the same network.  I have setup the dns forward lookup zones on each and verified each is working according to other posts here.  What I have a problem with is when I disable the windows firewall on the 2003 server everything works fine, no problems and fast, when I turn the firewall on, the trust disconnects and I get RPC server unavailable errors.  I have setup exceptions in the firewall according to MS recommendations and other suggestions from here.  None work.  Has anyone found the "magic" ports to open?  I would prefer to leave the firewall on.
0
Comment
Question by:Codeonesysadmin
  • 3
  • 2
6 Comments
 
LVL 8

Expert Comment

by:sstone55423
Comment Utility
In many environments the WIndows 2003 firewall is disabled.  This is usually because they have a good quality firewall in place at the perimter.
If you choose to keep it enabled, yes you need to allow thorugh the ports for Active Directory authentication.
 TCP ports: 135,139,445

UDP ports: 135,137,138,445
You should not need RPC, port 88, but keep it in mind in case there are issues.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Just wanted to make sure you saw these articles:

http://support.microsoft.com/kb/555381
one thing this doesn't mention is ICMP: (for Ping and tracert)
http://nic.phys.ethz.ch/readme/164

I always liked this article for key microsoft ports:
http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx
0
 

Author Comment

by:Codeonesysadmin
Comment Utility
Thanks guys for the support.  ChiefIT, I had used all 3 of those documents already in my previous attempts.  Particularly the first 2.  I have done precisely what they explain and to no avail.  SStone, all those ports are already open in my configuration.  We are being forced for now to leave the firewall off.  It's not a huge risk as we are behind a WatchGuard firewall and things seem pretty secure.  I was just hoping that someone may have run into this issue with the 2k3 firewall and domain trusts.  I'll leave the question for a few more days while I do other research and await any further responces.  Thanks again for the help!
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 38

Accepted Solution

by:
ChiefIT earned 250 total points
Comment Utility
        123:udp:*:enabled:NTP
         3268:tcp:*:enabled:Global Catalog LDAP
         389:tcp:*:enabled:LDAP
         389:udp:*:enabled:LDAP
         53:tcp:*:enabled:DNS
         53:udp:*:enabled:DNS
         53211:tcp:*:enabled:AD Replication (Note: use the port number selected in 1.b.i above)
         53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in 1.b.ii above)
         88:tcp:*:enabled:Kerberos
         88:udp:*:enabled:Kerberos

Let's see what we are missing:
+++++Remote Procedure Call
Application protocol Protocol Port
RPC
 TCP
 135
 
RPC over HTTP
 TCP
 593
 
+++++++Maybe Mail:
System Service Name SMTPSVC

Application protocol Protocol Port
SMTP
 TCP
 25
 
SMTP
 UDP
 25
 
+++++System Service Name CertSvc

Application protocol Protocol Port
RPC
 TCP
 135
 
Randomly allocated high TCP ports
 TCP
 RANDOM
 
_____

It looks like you are missing the port 135 for RPC service and CA service as exceptions. Sometimes random port can be defined in registry to be a fixed port number for this very reason. I hope this helps.  


0
 

Author Comment

by:Codeonesysadmin
Comment Utility
Thanks for the help.  In the end, we turned off the firewall.  I tried setting the RPC random port to a specific, but that too didn't work for us.  As everything works great with the firewall off and we do have a secure network with hardware, I guess the risk just isn't there.  Anyway, Thanks for the great info!
0
 

Author Closing Comment

by:Codeonesysadmin
Comment Utility
Thanks for the specifics and documents to support the question!
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Lockdown of laptops 10 37
SolarWind and DNS Server 12 35
importing users to Security group 2 30
Powershell - check csv format 4 30
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now