Solved

Should I and how do I, run Active Directory into my DMZ?

Posted on 2009-07-01
5
1,844 Views
Last Modified: 2012-05-07
Hi,

My level of knowledge on Firewalls and Active Directory is pretty basic and I would appreciate some expert advice please.

I am trying to allow my windows 2003 & 2000 servers in my DMZ to connect to the 2003 Domain Controller in the LAN but I am getting errors with regards to the secure connection failing and there being no logon servers available:

Event ID: 5719
This computer was not able to set up a secure session with a domain controller in domain <DOMAIN> due to the following:
There are currently no logon servers available to service the logon request.  

Event ID: 1053
Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Firstly, is it good practice to allow Active Directory through into the DMZ?

I have opened up the following ports on the Firewall (Fortigate 60) as per KB 179442 (http://support.microsoft.com/kb/179442)

Client Port(s)      Server Port      Service
137/UDP      137/UDP      NetBIOS Name
138/UDP      138/UDP      NetBIOS Netlogon and Browsing
1024-65535/TCP      139/TCP      NetBIOS Session
1024-65535/TCP      42/TCP      WINS Replication

Client Port(s)      Server Port      Service
1024-65535/TCP      135/TCP      RPC
1024-65535/TCP      1024-65535/TCP      LSA RPC Services (*)
1024-65535/TCP/UDP      389/TCP/UDP      LDAP
1024-65535/TCP      636/TCP      LDAP SSL
1024-65535/TCP      3268/TCP      LDAP GC
1024-65535/TCP      3269/TCP      LDAP GC SSL
53,1024-65535/TCP/UDP      53/TCP/UDP      DNS
1024-65535/TCP/UDP      88/TCP/UDP      Kerberos
1024-65535/TCP      445/TCP      SMB


As a test I set my Firewall to allow all through from the DMZ to the LAN and then ran a

dia sni pa dmz host 192.168.4.100' (the dmz servers IP address)

while performing an nltest /sc_reset:<DOMAIN NAME> and it passes with a success

All of the ports listed in the sniff were covered in my ports I have opened on the Firewall and I have attached this image to this question. So far so good.

Going back to the Firewall and switching off the allow all and re-running the nltest /sc_reset fails with:

1311 0x51f ERROR_NO_LOGIN_SERVERS

and this is where I am stumped, as far as I can see I have the correct ports listed.

any advice appreciated,


thanks.
ports-to-allow-secure-domain-tru.JPG
0
Comment
Question by:Hedley Phillips
  • 2
  • 2
5 Comments
 
LVL 10

Accepted Solution

by:
Kieran_Burns earned 500 total points
Comment Utility
The whole point of a DMZ is that it is essentially untrusted (okay SEMI trusted) and you should not allow domain traffic into it.
Saying that I can see straight off that you have missed DNS from the list of allowed ports and AD will not work without it.
What you should be doing is seeing why you need authentication traffic through the firewall and design a solution that does not require it.
0
 
LVL 14

Author Comment

by:Hedley Phillips
Comment Utility
Kieran,

thanks for your reply.

DNS is listed there, 3rd from bottom on the 2nd list.

If domain traffic shouldn't be allowed in the DMZ then I will be happy with that and will lock all these ports back down again. I just thought that it was required and should work.

To be honest, I was looking at all the open ports and ranges and my DMZ was starting to look like a Swiss cheese with all those holes.
0
 
LVL 10

Expert Comment

by:Kieran_Burns
Comment Utility
Whup! Yep you're right. Sorry :-)
I'm really really against allowing anything beyond the absolute basics through to a DMZ and certaibly not domain traffic. all it would take is a DMZ Server to be compromised and you've got a door into your (supposedly) secure Domain.
We had an issue where a Web Server needed domain authentication and rather than move the Server into the internal network and publish it through ISA, some bright spark thought it would be good to allow AD through to it. Suffice to say this caused nightmares AND was slated by the external Auditors
0
 
LVL 27

Expert Comment

by:bluntTony
Comment Utility
I would definitely agree with Kieran that having a domain machine in a DMZ sort of negates the point of having the DMZ in the first place and leaves a gaping security hole. What are you trying to achieve?
 
0
 
LVL 14

Author Closing Comment

by:Hedley Phillips
Comment Utility
Thanks for your help. We have followed your advice and not placed any domain members in the DMZ
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now