RODC Ports

cheto06
So I created an RODC on the DMZ; however, I am now trying to lock down the firewall rules and only open the required ports.
The MSFT KB: http://support.microsoft.com/kb/179442/ says to open these (client ports, server port, service):
Client ports               Server port            Service
49152-65535/UDP            123/UDP                W32Time
49152-65535/TCP            135/TCP                RPC-EPMAP
49152-65535/TCP            138/UDP                Netbios
49152-65535/TCP            49152-65535/TCP        RPC
49152-65535/TCP/UDP        389/TCP/UDP            LDAP
49152-65535/TCP            636/TCP                LDAP SSL
49152-65535/TCP            3268/TCP               LDAP GC
49152-65535/TCP            3269/TCP               LDAP GC SSL
53, 49152-65535/TCP/UDP    53/TCP/UDP             DNS
49152-65535/TCP            135, 49152-65535/TCP   RPC DNS
49152-65535/TCP/UDP        88/TCP/UDP             Kerberos
49152-65535/TCP/UDP        445/NP-TCP/NP-UDP      SAM/LSA

However, on my firewall (NetScreen SSG5) all I can find are these (DNS, ICMP-ANY, LDAP, SMB, SMTP). When I lock down to these ports I can no longer log on to my RODC.

Any thoughts?
Author

Commented:
I saw this list before; my issue is that for some reason they don't appear in the firewall.

Author

Commented:
I have opened all the ports on this link (except TCP/UDP dynamic).
Still can't log on to my RODC. "There are currently no logon servers available to service the logon request" error message.

Commented:
Is the DNS working fine? If not, work on it...

Commented:
Make sure your DNS configuration is correct; in short: use *only* Hyperspace and Jupiter as DNS servers on *all* domain members (including the DCs), configure Forwarders on your DCs.
Make sure your domain's DNS zone is configured to allow dynamic updates.
Once you've checked this, open a command prompt and enter "ipconfig /registerdns", then stop and re-start the netlogon service. Check if the SRV records are present (see link below).
Are your AD zones AD integrated, or do you have a primary/secondary zone setup?
Check these articles for details:

10 DNS Errors That Will Kill Your Network
http://mcpmag.com/features/article.asp?EditorialsID=413

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?kbid=241515

SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/?kbid=239897

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/?kbid=314861

HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/?kbid=323380

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
http://support.microsoft.com/?kbid=816567
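As an added check (not part of any post in this thread), the following PowerShell script, run on the RODC in the DMZ, first resolves the SRV records the DC locator needs (the "no logon servers available" symptom above) and then probes the TCP ports from the KB 179442 table against the writable DC. The domain and DC names are placeholders to replace.

```powershell
# Added example, not from the thread. Assumptions: $Domain is the AD DNS domain,
# $WritableDc is the hub DC the RODC replicates from; both are placeholders.
$Domain     = 'contoso.com'
$WritableDc = 'dc01.contoso.com'

# Step 1: DNS. These SRV records are what the locator queries; if they fail,
# logon fails regardless of which firewall ports are open.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        $targets = ($records | ForEach-Object { $_.NameTarget }) -join ', '
        "{0,-40} OK -> {1}" -f $name, $targets
    } catch {
        "{0,-40} FAIL ({1})" -f $name, $_.Exception.Message
    }
}

# Step 2: fixed TCP ports from the KB table. UDP entries (53, 88, 123, 138, 389)
# cannot be probed with Test-NetConnection; confirm those from the firewall log.
$tcpPorts = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC-EPMAP'; 389 = 'LDAP'; 445 = 'SAM/LSA (SMB)'
    636 = 'LDAP SSL'; 3268 = 'LDAP GC'; 3269 = 'LDAP GC SSL'
}
foreach ($port in $tcpPorts.Keys) {
    $result = Test-NetConnection -ComputerName $WritableDc -Port $port `
                                 -WarningAction SilentlyContinue
    $state = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    "{0,-16} {1,5}/TCP {2}" -f $tcpPorts[$port], $port, $state
}

# Step 3: the RPC dynamic range 49152-65535/TCP is the part the NetScreen service
# objects do not cover. A block there shows up as replication/FRS errors rather
# than as a failed logon, so it needs its own firewall rule instead of "ANY".
```

A FAIL in step 1 points at the DNS client settings or zone updates discussed in the comment above; a BLOCKED in step 2 points at the firewall policy.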

Author

Commented:
If I open TCP/UDP ANY it works fine. However, now I am getting these errors in the FRS Event Log (Windows 2008 Server):

The File Replication Service is having trouble enabling replication from dc01.contoso.com to dco2 for \windows\sysvol\domain using the DNS name dc01.contoso.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.

1) FRS can not correctly resolve the DNS dc01.contoso.com from this computer
2) FRS is not running on dc01.contoso.com
3) The topology information in AD Domain Services for this replica has not yet replicated to all the DCs
This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.

I am able to resolve the RODC from my RWDC and vice versa. The FRS service is running.
Distinguished Expert 2018

Commented:
Depending on your firewall, because your RODC is in the DMZ and, presumably, your DC source is on an internal network, opening firewall ports may not be enough. You may have to set up static routes (depending on your subnet masks and routing being used, whether NAT is being used between the DMZ and the internal network segments, etc.) to ensure that traffic both inbound and outbound is properly flowing. It is a tricky thing, and is probably NOT a server misconfiguration, but is entirely an issue with your router/firewall.

My gut instinct is that, due to the fact that fixing this requires some real knowledge of both the device being used as well as a more thorough understanding of your underlying network topology, you will probably not get this solved via EE. You'd be better served calling in a local trusted advisor...someone who can physically see the network and better understand its layout, although technically this could be done remotely if your network documentation is thorough...and someone who is very experienced with the exact make and model of device you are trying to configure. Otherwise this will probably drag on via EE for a very long time and you won't be satisfied with the results.

-Cliff
Commented:
So I went back to the firewall and opened "ANY".

Description:
The File Replication Service is having trouble enabling replication from DE004 to AS001 for c:\windows\sysvol\domain using the DNS name DE004.atidanmumbai.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name DE004.atidanmumbai.com from this computer.
 [2] FRS is not running on DE004.atidanmumbai.com.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Distinguished Expert 2018
Commented:
Like I said, sometimes opening ports, especially on separate network segments, is not enough. You actually have to create routes so these machines know how to find each other.

With that said, I also have to mention that it is very rare to put an RODC in a DMZ network segment. The whole point of the DMZ is a security boundary and putting a copy of your AD out there and opening the dynamic ports that an RODC will need is self defeating. While I am not sure what the end-game of such a topology is, in such cases where external authentication is required (Exchange Edge service, SharePoint extranet, etc) AD-LDS is usually the better option, supports one-way syncing of a subset of data, and is designed for such topologies so the dynamic port issues are also mitigated.

Something to consider if you are struggling to come up with the resources to resolve your current implementation strategy issues.

-Cliff
Most Valuable Expert 2011
Commented:
Bottom line here is putting a DC outside the firewall (the RO part is irrelevant because the traffic is the same) creates a meaningless "Swiss cheese" firewall and the DMZ becomes nothing more than an additional LAN segment on the wrong side of the firewall with only enough ACL blocks still remaining to just make an annoyance.

Author

Commented:
So if it's not a recommended solution why do people use it?
Most Valuable Expert 2011

Commented:
That's why the IT as an industry is in such a mess,...why pretty much every client I dealt with while working part time for a consultant had their systems in such a mess.  Too many people (way too many) just seem to refuse to do things the right way,...maybe it is lack of knowledge or training,...maybe it is the refusal to spend the money it takes to do the job correctly,....maybe both at the same time,...I don't know.  But then other people look around,...it looks like "...everybody's doing it...",...so they do it too and the whole thing of "bad practices" grows and spreads out of control.

Things like Building Codes and licenses required to do the work help to reduce this with things like building electrical systems, plumbing systems, etc,...but IT doesn't have such regulations.  But in my opinion,..it should.
Most Valuable Expert 2011

Commented:
In my previous post I was responding to the author's final comment of "So if it's not a recommended solution why do people use it?"
