Solved

W2K3 firewall blocking domain trust need help with ports

Posted on 2008-10-16
6
1,008 Views
Last Modified: 2010-04-21
I've read all the postings here for help and all of the microsoft KBs and other forums.  My situation is I have a 2000 Domain and a new 2003 domain.  Different forests each running it's own DNS.  Both Domains are on the same network.  I have setup the dns forward lookup zones on each and verified each is working according to other posts here.  What I have a problem with is when I disable the windows firewall on the 2003 server everything works fine, no problems and fast, when I turn the firewall on, the trust disconnects and I get RPC server unavailable errors.  I have setup exceptions in the firewall according to MS recommendations and other suggestions from here.  None work.  Has anyone found the "magic" ports to open?  I would prefer to leave the firewall on.
0
Comment
Question by:Codeonesysadmin
  • 3
  • 2
6 Comments
 
LVL 8

Expert Comment

by:sstone55423
ID: 22736612
In many environments the WIndows 2003 firewall is disabled.  This is usually because they have a good quality firewall in place at the perimter.
If you choose to keep it enabled, yes you need to allow thorugh the ports for Active Directory authentication.
 TCP ports: 135,139,445

UDP ports: 135,137,138,445
You should not need RPC, port 88, but keep it in mind in case there are issues.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22741940
Just wanted to make sure you saw these articles:

http://support.microsoft.com/kb/555381
one thing this doesn't mention is ICMP: (for Ping and tracert)
http://nic.phys.ethz.ch/readme/164

I always liked this article for key microsoft ports:
http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx
0
 

Author Comment

by:Codeonesysadmin
ID: 22743390
Thanks guys for the support.  ChiefIT, I had used all 3 of those documents already in my previous attempts.  Particularly the first 2.  I have done precisely what they explain and to no avail.  SStone, all those ports are already open in my configuration.  We are being forced for now to leave the firewall off.  It's not a huge risk as we are behind a WatchGuard firewall and things seem pretty secure.  I was just hoping that someone may have run into this issue with the 2k3 firewall and domain trusts.  I'll leave the question for a few more days while I do other research and await any further responces.  Thanks again for the help!
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 38

Accepted Solution

by:
ChiefIT earned 250 total points
ID: 22747192
        123:udp:*:enabled:NTP
         3268:tcp:*:enabled:Global Catalog LDAP
         389:tcp:*:enabled:LDAP
         389:udp:*:enabled:LDAP
         53:tcp:*:enabled:DNS
         53:udp:*:enabled:DNS
         53211:tcp:*:enabled:AD Replication (Note: use the port number selected in 1.b.i above)
         53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in 1.b.ii above)
         88:tcp:*:enabled:Kerberos
         88:udp:*:enabled:Kerberos

Let's see what we are missing:
+++++Remote Procedure Call
Application protocol Protocol Port
RPC
 TCP
 135
 
RPC over HTTP
 TCP
 593
 
+++++++Maybe Mail:
System Service Name SMTPSVC

Application protocol Protocol Port
SMTP
 TCP
 25
 
SMTP
 UDP
 25
 
+++++System Service Name CertSvc

Application protocol Protocol Port
RPC
 TCP
 135
 
Randomly allocated high TCP ports
 TCP
 RANDOM
 
_____

It looks like you are missing the port 135 for RPC service and CA service as exceptions. Sometimes random port can be defined in registry to be a fixed port number for this very reason. I hope this helps.  


0
 

Author Comment

by:Codeonesysadmin
ID: 22832387
Thanks for the help.  In the end, we turned off the firewall.  I tried setting the RPC random port to a specific, but that too didn't work for us.  As everything works great with the firewall off and we do have a secure network with hardware, I guess the risk just isn't there.  Anyway, Thanks for the great info!
0
 

Author Closing Comment

by:Codeonesysadmin
ID: 31506991
Thanks for the specifics and documents to support the question!
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question