
Communication Ports between DCs in different domains of the same forest.

Hello,

I am building a new forest with one root domain and 5 child domains, all 2008 R2.  Because of the security requirements every domain will be on a different network separated by the firewall.  I need to come up with ports that will need to be opened between domain controllers in different domains.

This article outlines communication ports between DCs.  
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

The thing that concerns me is the dynamic port range of 49152 to 65535. I know that the security group is really not going to want to open that large a port range. I know that you can restrict that range to a smaller number. I have done that previously for our smaller test domain. However, I am not sure if I want that for our main production forest.

1. Do all those ports listed in the article also apply to communication between domain controllers of different domains in the same forest? Particularly that dynamic port range.

2. Do I need to open any firewall ports between different child domains, or will it be enough to open ports between the root domain and each child domain?

3. Would it be a good idea to set up IPSec transport mode between domain controllers of different domains? That way I will only have to open ports for one protocol, as opposed to all those many ports including the large port range. Are there any drawbacks to this method?

4. Are there really any drawbacks to limiting the dynamic port range to, let's say, 20 ports, or 50 ports, or 100 ports?

Thanks,
Alex
Asked by Alexey91

2 Solutions
Adam Brown (Sr Solutions Architect) commented:
1. The Dynamic port range is for RPC access. For the most part, RPC is necessary for Domain Replication. Replication doesn't occur between domains, and it isn't necessary to open RPC for communication over a trust. The following ports are required for communication over a domain trust:
389 For LDAP (Or 663 for LDAPS)
445 for SMB
88 for Kerberos
and 135 for netlogon

2. You only need to open ports for communication between domains that have direct trusts. Parent/child trusts are transitive and will go from child to root to child by default.

3. IPSec is a great thing to use for communication through firewalls. I haven't configured it before, and it's a little tricky to work with, but there aren't really any drawbacks to using it besides the added complexity.

4. The drawbacks to limiting the port range are that you can eventually run out of ports for RPC communication. It's possible to drop the range to a point where heavy RPC traffic can use up all the available ports, at which point replication will start failing.

Mike Kline commented:
+1 to all of acbrown's comments.

Especially #3: test IPSEC first in a lab and make sure you understand how it works. Also, is it only going to be IPSEC for DC-to-DC communication, or also between admin workstations and DCs (I have seen that too)?

I'm personally not a huge fan of doing this, because then down the road someone forgets the registry entry on a DC and issues arise, etc., and I personally don't see it as a huge security risk.

thanks

Mike

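An added example, written for this thread and not taken from either answer or from Microsoft, showing how the points above translate into configuration on a 2008 R2 DC: inspecting and narrowing the RPC dynamic range from question #4 (both the netsh way and the per-DC registry entry Mike mentions), adding inbound rules for the static trust ports Adam lists, and a quick check of how much of the narrowed range is actually in use. It assumes an elevated prompt on the DC; the range size, rule names and remote subnet are placeholders.

```powershell
# Added example: narrow the RPC dynamic port range on a DC and allow the
# trust ports named in the thread. Run elevated. Values are assumptions.

# 1. Show the current ephemeral range (2008 R2 default is 49152-65535).
netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp

# 2. Narrow the OS-wide ephemeral range. Every outbound connection the DC
#    opens draws from this pool, so keep it far above a few dozen ports.
#    1024 is an assumed size for illustration, not advice from the thread.
$start = 49152
$count = 1024
$end   = $start + $count - 1
netsh int ipv4 set dynamicport tcp start=$start num=$count
netsh int ipv4 set dynamicport udp start=$start num=$count

# 3. Alternative (choose one): pin only endpoint-mapper assigned RPC ports
#    via the registry. This is the per-DC entry that is easy to forget later.
#    Takes effect after a reboot.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
New-Item -Path $rpcKey -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString `
    -Value @("$start-$end") -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null

# 4. Inbound rules for the static trust ports from the thread, scoped to the
#    other domain's DC subnet (placeholder CIDR). 2008 R2 has no NetSecurity
#    cmdlets, so netsh advfirewall is used. Include the dynamic-range rule
#    only if RPC really is needed across this link (see the answers above).
$remoteDcs = '10.20.0.0/24'
$rules = @(
  @{Name='DC-Trust-Kerberos-88-tcp'; Proto='tcp'; Port='88'},
  @{Name='DC-Trust-Kerberos-88-udp'; Proto='udp'; Port='88'},
  @{Name='DC-Trust-LDAP-389';        Proto='tcp'; Port='389'},
  @{Name='DC-Trust-SMB-445';         Proto='tcp'; Port='445'},
  @{Name='DC-Trust-RPC-EPM-135';     Proto='tcp'; Port='135'},
  @{Name='DC-Trust-RPC-Dynamic';     Proto='tcp'; Port="$start-$end"}
)
foreach ($r in $rules) {
  netsh advfirewall firewall add rule name=$($r.Name) dir=in action=allow `
      protocol=$($r.Proto) localport=$($r.Port) remoteip=$remoteDcs
}

# 5. Count distinct local ports in use inside the narrowed range. If this
#    climbs toward $count, the range is too small (Adam's failure mode).
$inUse = (netstat -ano | Select-String ':(\d+)\s' |
  ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
  Where-Object { $_ -ge $start -and $_ -le $end } | Sort-Object -Unique).Count
"$inUse of $count dynamic ports currently in use"
```

Run step 5 on its own during a busy replication window before committing to a range size; it is the quickest way to see whether a proposed limit leaves headroom.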