cheto06 asked:

RODC Ports

So I created an RODC on the DMZ; however, I am now trying to lock down the firewall rules and only open the required ports.
The MSFT KB: http://support.microsoft.com/kb/179442/ says to open these,
Client port(s)	Server port	Service
49152 -65535/UDP	123/UDP	W32Time
49152 -65535/TCP	135/TCP	RPC-EPMAP
49152 -65535/TCP	138/UDP	Netbios
49152 -65535/TCP	49152 -65535/TCP	RPC
49152 -65535/TCP/UDP	389/TCP/UDP	LDAP
49152 -65535/TCP	636/TCP	LDAP SSL
49152 -65535/TCP	3268/TCP	LDAP GC
49152 -65535/TCP	3269/TCP	LDAP GC SSL
53, 49152 -65535/TCP/UDP	53/TCP/UDP	DNS
49152 -65535/TCP	135, 49152 -65535/TCP	RPC DNS
49152 -65535/TCP/UDP	88/TCP/UDP	Kerberos
49152 -65535/TCP/UDP	445/NP-TCP/NP-UDP	SAM/LSA

However, on my firewall (NetScreen SSG5) all I can find are these (DNS, ICMP-ANY, LDAP, SMB, SMTP). When I lock down to these ports I can no longer log on to my RODC.

Any thoughts?
Tags: Software Firewalls, Hardware Firewalls, Active Directory

Last Comment: pwindell, 8/22/2022 - Mon
Sajid Shaik M

cheto06

ASKER
I saw this list before; my issue is that for some reason they don't appear in the firewall.
cheto06

ASKER
I have opened all the ports on this link (except TCP/UDP dynamic).
Still can't log on to my RODC: "There are currently no logon servers available to service the logon request" error message.
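As an added example (not from the thread, the KB, or the NetScreen product), here is a Python check that parses the KB 179442 port table exactly as pasted in the question into explicit (port range, protocol) flows and reports which required server ports a candidate firewall policy leaves uncovered. FIRST_POLICY is a constructed stand-in for the built-in DNS/LDAP/SMB service objects the asker found, not the real rule set; run against a policy that allows every static port but not the 49152-65535 range, the same function leaves only the RPC and RPC DNS rows uncovered, which is the "except TCP/UDP dynamic" case from the later post.

```python
# Port table as pasted from KB 179442 in the question: tab-separated
# client port(s), server port(s), service. Copied from the page's rows.
KB_PORT_TABLE = """\
49152 -65535/UDP\t123/UDP\tW32Time
49152 -65535/TCP\t135/TCP\tRPC-EPMAP
49152 -65535/TCP\t138/UDP\tNetbios
49152 -65535/TCP\t49152 -65535/TCP\tRPC
49152 -65535/TCP/UDP\t389/TCP/UDP\tLDAP
49152 -65535/TCP\t636/TCP\tLDAP SSL
49152 -65535/TCP\t3268/TCP\tLDAP GC
49152 -65535/TCP\t3269/TCP\tLDAP GC SSL
53, 49152 -65535/TCP/UDP\t53/TCP/UDP\tDNS
49152 -65535/TCP\t135, 49152 -65535/TCP\tRPC DNS
49152 -65535/TCP/UDP\t88/TCP/UDP\tKerberos
49152 -65535/TCP/UDP\t445/NP-TCP/NP-UDP\tSAM/LSA
"""

def parse_port_spec(spec):
    """'53, 49152 -65535/TCP/UDP' -> {(53, 53, 'TCP'), (53, 53, 'UDP'), (49152, 65535, 'TCP'), (49152, 65535, 'UDP')}."""
    ports_part, _, protos_part = spec.partition("/")
    # NP-TCP / NP-UDP (named pipes over SMB) are plain TCP/UDP on the wire.
    protos = {p.replace("NP-", "") for p in protos_part.split("/")}
    ranges = set()
    for item in ports_part.split(","):
        lo, _, hi = item.replace(" ", "").partition("-")
        ranges.add((int(lo), int(hi or lo)))
    return {(lo, hi, proto) for lo, hi in ranges for proto in protos}

def parse_table(text):
    rows = []
    for line in text.strip().splitlines():
        client, server, service = line.split("\t")
        rows.append({"service": service, "client": parse_port_spec(client),
                     "server": parse_port_spec(server)})
    return rows

def uncovered_flows(required, allowed):
    """(service, lo, hi, proto) for each required server range not inside any allowed (lo, hi, proto) rule."""
    missing = []
    for row in required:
        for lo, hi, proto in sorted(row["server"]):
            if not any(alo <= lo and hi <= ahi and p == proto for alo, ahi, p in allowed):
                missing.append((row["service"], lo, hi, proto))
    return missing

# Constructed stand-in for the asker's first policy: built-in DNS, LDAP and
# SMB service objects only, with no dynamic (49152-65535) range allowed.
FIRST_POLICY = {(53, 53, "TCP"), (53, 53, "UDP"), (389, 389, "TCP"),
                (389, 389, "UDP"), (139, 139, "TCP"), (445, 445, "TCP")}
```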
Sajid Shaik M

Is the DNS working fine? If not, work on it...
Sajid Shaik M

Make sure your DNS configuration is correct; in short: use *only* Hyperspace and Jupiter as DNS servers on *all* domain members (including the DCs), configure Forwarders on your DCs.
Make sure your domain's DNS zone is configured to allow dynamic updates.
Once you've checked this, open a command prompt and enter "ipconfig /registerdns", then stop and re-start the netlogon service. Check if the SRV records are present (see link below).
Are your AD zones AD integrated, or do you have a primary/secondary zone setup?
Check these articles for details:

10 DNS Errors That Will Kill Your Network
http://mcpmag.com/features/article.asp?EditorialsID=413

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?kbid=241515

SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/?kbid=239897

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/?kbid=314861

HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/?kbid=323380

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
http://support.microsoft.com/?kbid=816567
cheto06

ASKER
If I open TCP/UDP ANY it works fine. However, now I am getting these errors in the FRS Event Log (Windows 2008 Server):

The File Replication Service is having trouble enabling replication from dc01.contoso.com to dco2 for \windows\sysvol\domain using the DNS name dc01.contoso.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.

1) FRS can not correctly resolve the DNS dc01.contoso.com from this computer
2) FRS is not running on dc01.contoso.com
3) The topology information in AD Domain Services for this replica has not yet replicated to all the DCs.
This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.

I am able to resolve the RODC from my RWDC and vice versa. The FRS service is running.
Cliff Galiher

Depending on your firewall, because your RODC is in the DMZ and, presumably, your DC source is on an internal network, opening firewall ports may not be enough. You may have to set up static routes (depending on your subnet masks and routing being used, whether NAT is being used between the DMZ and the internal network segments, etc) to ensure that traffic both inbound and outbound are properly flowing. It is a tricky thing, and is probably NOT a server misconfiguration, but is entirely an issue with your router/firewall.

My gut instinct is that, due to the fact that fixing this requires some real knowledge of both the device being used as well as a more thorough understanding of your underlying network topology, you will probably not get this solved via EE. You'd be better served calling in a local trusted advisor...someone who can physically see the network and better understand its layout, although technically this could be done remotely if your network documentation is thorough...and someone who is very experienced with the exact make and model of device you are trying to configure. Otherwise this will probably drag on via EE for a very long time and you won't be satisfied with the results.

-Cliff
ASKER CERTIFIED SOLUTION
cheto06
SOLUTION
SOLUTION
cheto06

ASKER
So if it's not a recommended solution why do people use it?
pwindell

That's why the IT as an industry is in such a mess,...why pretty much every client I dealt with while working part time for a consultant had their systems in such a mess.  Too many people (way too many) just seem to refuse to do things the right way,...maybe it is lack of knowledge or training,...maybe it is the refusal to spend the money it takes to do the job correctly,....maybe both at the same time,...I don't know.  But then other people look around,...it looks like "...everybody's doing it...",...so they do it too and the whole thing of "bad practices" grows and spreads out of control.

Things like Building Codes and licenses required to do the work help to reduce this with things like building electrical systems, plumbing systems, etc,...but IT doesn't have such regulations.  But in my opinion,..it should.
pwindell

In my previous post I was responding to the author's final comment of "So if it's not a recommended solution why do people use it?"