Hedley Phillips
asked on
Should I, and how do I, run Active Directory into my DMZ?
Hi,
My level of knowledge on Firewalls and Active Directory is pretty basic and I would appreciate some expert advice please.
I am trying to allow my Windows 2003 & 2000 servers in my DMZ to connect to the 2003 Domain Controller in the LAN, but I am getting errors regarding the secure connection failing and there being no logon servers available:
Event ID: 5719
This computer was not able to set up a secure session with a domain controller in domain <DOMAIN> due to the following:
There are currently no logon servers available to service the logon request.
Event ID: 1053
Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted.) Group Policy processing aborted.
Firstly, is it good practice to allow Active Directory through into the DMZ?
I have opened up the following ports on the Firewall (Fortigate 60) as per KB 179442 (http://support.microsoft.com/kb/179442)
Client Port(s)          Server Port     Service
137/UDP                 137/UDP         NetBIOS Name
138/UDP                 138/UDP         NetBIOS Netlogon and Browsing
1024-65535/TCP          139/TCP         NetBIOS Session
1024-65535/TCP          42/TCP          WINS Replication

Client Port(s)          Server Port     Service
1024-65535/TCP          135/TCP         RPC
1024-65535/TCP          1024-65535/TCP  LSA RPC Services (*)
1024-65535/TCP/UDP      389/TCP/UDP     LDAP
1024-65535/TCP          636/TCP         LDAP SSL
1024-65535/TCP          3268/TCP        LDAP GC
1024-65535/TCP          3269/TCP        LDAP GC SSL
53,1024-65535/TCP/UDP   53/TCP/UDP      DNS
1024-65535/TCP/UDP      88/TCP/UDP      Kerberos
1024-65535/TCP          445/TCP         SMB
As a test I set my Firewall to allow all through from the DMZ to the LAN and then ran
dia sni pa dmz 'host 192.168.4.100' (the DMZ server's IP address)
while performing an nltest /sc_reset:<DOMAIN NAME>, and it passed successfully.
All of the ports listed in the sniff were covered in my ports I have opened on the Firewall and I have attached this image to this question. So far so good.
Going back to the Firewall and switching off the allow all and re-running the nltest /sc_reset fails with:
1311 0x51f ERROR_NO_LOGON_SERVERS
And this is where I am stumped: as far as I can see, I have the correct ports listed.
Any advice appreciated,
thanks.
ports-to-allow-secure-domain-tru.JPG
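The manual check described in the question (walk every flow in the sniff and see whether one of the opened ports covers it) can be scripted. The block below is an added example, not part of the original question and not a Fortigate or Microsoft tool: it transcribes the allow list from the port table above (server-side ports and protocols only, for the DMZ-to-LAN direction the question is about), parses a few constructed lines laid out like `diagnose sniffer packet` output, reports the flows that no rule covers, and counts how many server-side ports the rule set actually opens. The DC address 192.168.1.10, the sniffer line layout and the sample flows are assumptions; the real capture is in the attached image and is not reproduced here.

```python
"""Compare sniffed DMZ->LAN flows against the allow list from the question.

Added example, not from the original question and not a Fortigate tool.
ALLOW is transcribed from the port table in the question (server-side
ports and protocols only). SAMPLE_SNIFF is constructed to look like
'diagnose sniffer packet' output; its addresses, ports and layout are
assumptions, not the asker's real capture.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    service: str
    proto: str        # "tcp" or "udp"
    low: int          # inclusive server-side port range
    high: int

    def covers(self, proto, port):
        return proto == self.proto and self.low <= port <= self.high


def _rule(service, proto, spec):
    """Build a Rule from a port spec such as '389' or '1024-65535'."""
    low, _, high = spec.partition("-")
    return Rule(service, proto, int(low), int(high or low))


# One Rule per (row, protocol) of the table in the question.
ALLOW = [
    _rule("NetBIOS Name", "udp", "137"),
    _rule("NetBIOS Netlogon and Browsing", "udp", "138"),
    _rule("NetBIOS Session", "tcp", "139"),
    _rule("WINS Replication", "tcp", "42"),
    _rule("RPC", "tcp", "135"),
    _rule("LSA RPC Services", "tcp", "1024-65535"),
    _rule("LDAP", "tcp", "389"), _rule("LDAP", "udp", "389"),
    _rule("LDAP SSL", "tcp", "636"),
    _rule("LDAP GC", "tcp", "3268"),
    _rule("LDAP GC SSL", "tcp", "3269"),
    _rule("DNS", "tcp", "53"), _rule("DNS", "udp", "53"),
    _rule("Kerberos", "tcp", "88"), _rule("Kerberos", "udp", "88"),
    _rule("SMB", "tcp", "445"),
]

# Constructed sample: "<time> <intf> in <src>.<sport> -> <dst>.<dport>: <info>".
# 192.168.4.100 is the DMZ host from the question; 192.168.1.10 is an assumed DC.
SAMPLE_SNIFF = """\
1.001 dmz in 192.168.4.100.1044 -> 192.168.1.10.53: udp 40
1.002 dmz in 192.168.4.100.1045 -> 192.168.1.10.389: syn 100
1.003 dmz in 192.168.4.100.1046 -> 192.168.1.10.88: syn 200
1.004 dmz in 192.168.4.100.1047 -> 192.168.1.10.135: syn 300
1.005 dmz in 192.168.4.100.1048 -> 192.168.1.10.1026: syn 400
1.006 dmz in 192.168.4.100.1049 -> 192.168.1.10.445: syn 500
1.007 dmz in 192.168.4.100 -> 192.168.1.10: icmp: echo request
1.008 dmz in 192.168.4.100.1050 -> 192.168.1.10.123: udp 48
"""

_LINE = re.compile(
    r"^\S+\s+\S+\s+(?:in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<info>.*)$"
)


def parse_flows(text):
    """Return the set of (dst, proto, server_port) seen; port is None for non-TCP/UDP."""
    flows = set()
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                      # unparseable line: skip, never count it as covered
        info = m["info"]
        if m["dport"] is None:
            flows.add((m["dst"], info.split(":")[0].strip(), None))
        else:
            proto = "udp" if info.startswith("udp") else "tcp"
            flows.add((m["dst"], proto, int(m["dport"])))
    return flows


def uncovered(flows):
    """Flows no rule permits, sorted; a deny-by-default policy will drop exactly these."""
    missing = [f for f in flows
               if f[2] is None or not any(r.covers(f[1], f[2]) for r in ALLOW)]
    return sorted(missing, key=lambda f: (f[0], f[1], -1 if f[2] is None else f[2]))


def exposed_port_count(proto):
    """Number of distinct server-side ports the allow list opens for a protocol."""
    ports = set()
    for r in ALLOW:
        if r.proto == proto:
            ports.update(range(r.low, r.high + 1))
    return len(ports)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_SNIFF)
    for dst, proto, port in uncovered(flows):
        print(f"not covered: {dst} {proto} {'' if port is None else port}")
    for proto in ("tcp", "udp"):
        print(f"{proto}: {exposed_port_count(proto)} of 65535 server ports allowed")
```

Run as-is it flags the two constructed flows the table has no row for (123/UDP and ICMP) and reports that the TCP rules open 64,520 of 65,535 server-side ports, which is what the 1024-65535 "LSA RPC Services" row amounts to once the fixed ports are added; the UDP side opens 5. Replace SAMPLE_SNIFF with a real capture taken while the allow-all policy is in place to get the same comparison the question did by hand.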
Whup! Yep, you're right. Sorry :-)
I'm really, really against allowing anything beyond the absolute basics through to a DMZ, and certainly not domain traffic. All it would take is a DMZ server to be compromised and you've got a door into your (supposedly) secure domain.
We had an issue where a web server needed domain authentication and, rather than move the server into the internal network and publish it through ISA, some bright spark thought it would be good to allow AD through to it. Suffice it to say this caused nightmares AND was slated by the external auditors.
I would definitely agree with Kieran that having a domain machine in a DMZ sort of negates the point of having the DMZ in the first place and leaves a gaping security hole. What are you trying to achieve?
ASKER
Thanks for your help. We have followed your advice and not placed any domain members in the DMZ.
ASKER
Thanks for your reply.
DNS is listed there, third from the bottom of the second list.
If domain traffic shouldn't be allowed in the DMZ then I will be happy with that and will lock all these ports back down again. I just thought that it was required and should work.
To be honest, I was looking at all the open ports and ranges, and my DMZ was starting to look like Swiss cheese with all those holes.