Solved

W2K3 firewall blocking domain trust need help with ports

Posted on 2008-10-16
1,016 Views
Last Modified: 2010-04-21
I've read all the postings here for help and all of the Microsoft KBs and other forums. My situation is I have a 2000 domain and a new 2003 domain, different forests, each running its own DNS. Both domains are on the same network. I have set up the DNS forward lookup zones on each and verified each is working according to other posts here. What I have a problem with is: when I disable the Windows firewall on the 2003 server, everything works fine, no problems and fast; when I turn the firewall on, the trust disconnects and I get "RPC server unavailable" errors. I have set up exceptions in the firewall according to MS recommendations and other suggestions from here. None work. Has anyone found the "magic" ports to open? I would prefer to leave the firewall on.
Question by:Codeonesysadmin
6 Comments
LVL 8

Expert Comment

by:sstone55423
ID: 22736612
In many environments the Windows 2003 firewall is disabled. This is usually because they have a good quality firewall in place at the perimeter.
If you choose to keep it enabled, yes, you need to allow through the ports for Active Directory authentication.
TCP ports: 135,139,445

UDP ports: 135,137,138,445
You should not need RPC, port 88, but keep it in mind in case there are issues.
LVL 39

Expert Comment

by:ChiefIT
ID: 22741940
Just wanted to make sure you saw these articles:

http://support.microsoft.com/kb/555381
One thing this doesn't mention is ICMP (for ping and tracert):
http://nic.phys.ethz.ch/readme/164

I always liked this article for key microsoft ports:
http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx
Author Comment

by:Codeonesysadmin
ID: 22743390
Thanks guys for the support. ChiefIT, I had used all 3 of those documents already in my previous attempts, particularly the first 2. I have done precisely what they explain and to no avail. SStone, all those ports are already open in my configuration. We are being forced for now to leave the firewall off. It's not a huge risk as we are behind a WatchGuard firewall and things seem pretty secure. I was just hoping that someone may have run into this issue with the 2k3 firewall and domain trusts. I'll leave the question for a few more days while I do other research and await any further responses. Thanks again for the help!
LVL 39

Accepted Solution

by: ChiefIT (earned 750 total points)
ID: 22747192
123:udp:*:enabled:NTP
3268:tcp:*:enabled:Global Catalog LDAP
389:tcp:*:enabled:LDAP
389:udp:*:enabled:LDAP
53:tcp:*:enabled:DNS
53:udp:*:enabled:DNS
53211:tcp:*:enabled:AD Replication (Note: use the port number selected in 1.b.i above)
53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in 1.b.ii above)
88:tcp:*:enabled:Kerberos
88:udp:*:enabled:Kerberos

Let's see what we are missing:

+++++ Remote Procedure Call
Application protocol               Protocol   Port
RPC                                TCP        135
RPC over HTTP                      TCP        593

+++++ Maybe Mail (System Service Name: SMTPSVC)
Application protocol               Protocol   Port
SMTP                               TCP        25
SMTP                               UDP        25

+++++ System Service Name: CertSvc
Application protocol               Protocol   Port
RPC                                TCP        135
Randomly allocated high TCP ports  TCP        RANDOM
_____

It looks like you are missing port 135 for the RPC service and the CA service as exceptions. Sometimes the random port can be defined in the registry as a fixed port number for this very reason. I hope this helps.


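The "let's see what we are missing" check from the accepted solution, done programmatically, as an added example that is not part of the original thread. It assumes the exception list is in the port:protocol:scope:mode:name form shown in the answer (the format of the Windows Firewall "Define port exceptions" policy), takes the required ports from this thread plus the answer's sample fixed replication ports 53211/53212 (which must match whatever the DC's registry is actually set to), and emits the Server 2003 netsh firewall command for each gap.

```python
import re

# Constructed sample in the port:protocol:scope:mode:name form of the Windows
# Firewall "Define port exceptions" policy; it mirrors the accepted answer's
# list, which has no 135/139/445 entries.
SAMPLE_EXCEPTIONS = """
123:udp:*:enabled:NTP
3268:tcp:*:enabled:Global Catalog LDAP
389:tcp:*:enabled:LDAP
389:udp:*:enabled:LDAP
53:tcp:*:enabled:DNS
53:udp:*:enabled:DNS
53211:tcp:*:enabled:AD Replication
53212:tcp:*:enabled:File Replication Service
88:tcp:*:enabled:Kerberos
88:udp:*:enabled:Kerberos
"""
# (protocol, port) -> name for the trust traffic named in this thread. 53211 and
# 53212 are the answer's sample fixed RPC ports (assumed to match the DC's
# NTDS/NTFRS registry values); change them to your own settings.
REQUIRED = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos", ("tcp", 135): "RPC endpoint mapper",
    ("udp", 135): "RPC endpoint mapper", ("udp", 137): "NetBIOS name",
    ("udp", 138): "NetBIOS datagram", ("tcp", 139): "NetBIOS session",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 445): "SMB",
    ("udp", 445): "SMB", ("tcp", 3268): "Global Catalog",
    ("tcp", 53211): "AD replication (fixed RPC port)",
    ("tcp", 53212): "FRS (fixed RPC port)",
}
ENTRY = re.compile(r"^(\d{1,5}):(tcp|udp):([^:]*):(enabled|disabled):(.*)$", re.I)

def parse_exceptions(text):
    """Return the set of (protocol, port) pairs whose exception is enabled."""
    opened = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group(4).lower() == "enabled":   # disabled entries don't count
            opened.add((m.group(2).lower(), int(m.group(1))))
    return opened

def missing_exceptions(text):
    """Required (protocol, port, name) entries the policy does not open."""
    opened = parse_exceptions(text)
    return [(p, port, name) for (p, port), name in sorted(REQUIRED.items())
            if (p, port) not in opened]

def netsh_commands(missing):
    """One Server 2003 'netsh firewall' command per gap. scope=ALL matches the
    '*' scope of the sample; scope=CUSTOM addresses=<partner DC> is tighter."""
    return ['netsh firewall add portopening protocol=%s port=%d name="%s" '
            'mode=ENABLE scope=ALL' % (p.upper(), port, name)
            for p, port, name in missing]
```

Run against the sample it reports the seven 135/137/138/139/445 gaps the answer points at; paste the generated commands into a cmd prompt on the 2003 DC, or feed the entries back into the "Define port exceptions" policy.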
Author Comment

by:Codeonesysadmin
ID: 22832387
Thanks for the help. In the end, we turned off the firewall. I tried setting the RPC random port to a specific port, but that too didn't work for us. As everything works great with the firewall off and we do have a secure network with hardware, I guess the risk just isn't there. Anyway, thanks for the great info!
Author Closing Comment

by:Codeonesysadmin
ID: 31506991
Thanks for the specifics and documents to support the question!