Solved

changing active ports

Posted on 2013-01-31
Last Modified: 2013-05-02
I need to change the ports that Active Directory uses because of firewall hardening. Would that be changed in ADSIEdit or is there another way to statically change them?
Question by:jfholloway
14 Comments
 
LVL 16

Accepted Solution

by:
choward16980 earned 1000 total points
ID: 38840340
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38840341
So you want to restrict the RPC ports and that is done via the registry on the DCs

http://support.microsoft.com/kb/224196

http://blogs.technet.com/b/luistog/archive/2012/05/08/restricting-ad-replication-traffic-between-dcs-to-only-a-few-ports.aspx

Test in a lab first on a few DCs so you get a feel for it first.

Thanks

Mike
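As an added example (not part of the thread or of Microsoft's KB article), the registry change Mike describes, done from an elevated PowerShell prompt on a DC. It pins the AD DS (NTDS) and Netlogon RPC endpoints to fixed ports and narrows the RPC dynamic range, so the firewall between DCs only needs TCP 135 (endpoint mapper) plus the pinned ports and the small range, rather than everything above 1024. The port numbers 38901/38902/38903 and the range 49152-49407 are assumptions; substitute whatever your firewall team has signed off on.

```powershell
# Added example, not code from the thread. Run elevated on each DC, in a lab first.
# Port numbers and the dynamic range below are assumptions, not recommended values.

$NtdsPort     = 38901   # AD DS (NTDS) RPC replication endpoint
$NetlogonPort = 38902   # Netlogon RPC endpoint
$FrsPort      = 38903   # FRS; only relevant while SYSVOL still replicates with FRS
$DynStart     = 49152   # first port of the RPC dynamic range
$DynCount     = 256     # size of the dynamic range (netsh requires at least 255)

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$frsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'

# KB 224196: static port for the directory service RPC interface
Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord

# KB 224196: static port for the Netlogon RPC interface
Set-ItemProperty -Path $nlKey -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord

# FRS static port; skip when the NTFRS service is not present (DFSR-based SYSVOL)
if (Test-Path $frsKey) {
    Set-ItemProperty -Path $frsKey -Name 'RPC TCP/IP Port Assignment' -Value $FrsPort -Type DWord
}

# Narrow the dynamic range used by every other RPC interface that still
# negotiates its port through the endpoint mapper on TCP 135.
netsh int ipv4 set dynamicport tcp start=$DynStart num=$DynCount | Out-Null

# Read back what was written so the change can be recorded in the firewall request
Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port'
Get-ItemProperty -Path $nlKey   -Name 'DCTcpipPort'
netsh int ipv4 show dynamicport tcp

Write-Host 'Restart the DC for the static RPC ports to take effect.'
```

The static ports only cover the RPC interfaces; LDAP (389/636), Global Catalog (3268/3269), Kerberos (88/464), DNS (53), SMB (445) and TCP 135 still have to be allowed between DCs and from clients, and DCs on both sides of the firewall need the same treatment since replication is initiated in both directions.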
 
LVL 16

Expert Comment

by:choward16980
ID: 38840344
You cannot change the LDAP port.

Author Comment

by:jfholloway
ID: 38840414
Thanks everyone. Is there a way to scan to see what firewall ports are open?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38840425
You can use a tool like portqry to test ports; telnet is another method. There are other ways, those are just two.

Thanks

Mike
 
LVL 70

Expert Comment

by:KCTS
ID: 38840434
Active Directory (LDAP) uses port 389 (or 636 over SSL); it's NOT a good idea to change it. I can't see how you will achieve much in the way of hardening your server by tinkering with LDAP ports.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38840459
Not LDAP ports but RPC (high ports).  I've seen this done at several places where they didn't want to open everything above 1024
 

Author Comment

by:jfholloway
ID: 38840463
Thanks again. In the article link you gave me it doesn't say how to change to a port range instead of just one port. Is there a way to do that as well? Also, can I use the same port, say 137, to also run RPC through?
 
LVL 23

Expert Comment

by:Radhakrishnan R
ID: 38840612
Hi,

I would suggest you not change the AD or its related ports, as this causes issues. Why don't you open the ports on your firewall (or add an exception) instead of changing the default ones?

Currently open ports can be viewed by running the netstat -ano command. Also, the list of default AD ports can be found at this link: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Hope this helps
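As an added example (not from either poster), the two checks suggested above in PowerShell: Mike's portqry/telnet test, done here as a TCP connect with a timeout against the well-known AD ports plus any static RPC ports you configured, and Radhakrishnan's netstat -ano, done as a listing of listening sockets with the owning PID resolved to a process name. The DC name dc01.corp.example and the static ports 38901/38902 are assumptions.

```powershell
# Added example, not code from the thread. The DC name and the two static RPC
# ports are assumptions; the other port numbers are the AD defaults.

$Dc = 'dc01.corp.example'
$AdPorts = @{
    53    = 'DNS'
    88    = 'Kerberos'
    135   = 'RPC endpoint mapper'
    389   = 'LDAP'
    445   = 'SMB'
    464   = 'Kerberos password change'
    636   = 'LDAPS'
    3268  = 'Global Catalog'
    3269  = 'Global Catalog over SSL'
    38901 = 'NTDS static RPC port (assumed)'
    38902 = 'Netlogon static RPC port (assumed)'
}

# TCP connect test with a timeout, so a silently dropped packet reports as
# closed after $TimeoutMs instead of hanging the way telnet does.
function Test-AdPort {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # dropped
        $client.EndConnect($async)                                              # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# (1) Remote reachability: run from a machine on the far side of the firewall
foreach ($port in ($AdPorts.Keys | Sort-Object)) {
    [pscustomobject]@{
        Port    = $port
        Service = $AdPorts[$port]
        Open    = Test-AdPort -ComputerName $Dc -Port $port
    }
}

# (2) Local listeners: run on the DC itself; same data as netstat -ano,
#     with the PID turned into a process name (Windows Server 2012 and later)
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort
```

A connect test only proves TCP reachability; Kerberos, DNS and NTP also use UDP, which this does not exercise, and a port that answers on the DC but shows closed from the client is the firewall's doing, which is exactly the evidence to bring to the security group.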
 

Author Comment

by:jfholloway
ID: 38840666
I would like to do it from the firewall but, our network/corporate security group won't bend. They say they won't allow the "extreme" number of ports that AD needs or the ports that they deem are high security risk ports so, I have to redirect to specific ports they have signed off on.
 
LVL 23

Expert Comment

by:Radhakrishnan R
ID: 38840759
Hi,

As you know, AD is integrated with several ports, and you are trying to change the AD architecture, which is not recommended.
Some AD ports don't work if you change them, and some ports should not be changed (i.e. LDAP, 389).

However, if you are only concerned about replication, then the replication port can be changed: http://support.microsoft.com/?id=224196

Personally, I would say speak to your security group and make them understand that changing the AD ports is not possible and is not advisable.

"Good Luck"
 

Author Comment

by:jfholloway
ID: 38840861
Thanks everyone for the help!
 
LVL 16

Expert Comment

by:choward16980
ID: 38841672
In a case where no one will bend, do a VPN.  Two ports, and you can emulate what ever you want overhead.  No port restriction required.  Just avoid setting up an IPSec policy as it may cause issues with your VPN appliance.
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 38842819
They can be blocked at the corporate firewall but allowed within the LAN and blocked from the WAN; not a problem.