Aaron_Gruber

asked on 

Unable to see domain resources on server

I recently moved a server in to our DMZ and I am now unable to see domain resources (when trying to add users to local groups) and the server is unable to resolve SIDs. I am pretty certain this is a port issue but do not know which ports to open in to the domain. Currently, I have 80, 443, 389, 636, 1025, and 135 open.
Active Directory, Windows Server 2008, Cisco

DesktopNinja

Currently, Microsoft does not support using active directory over the internet (across NAT).  This is because the server is not able to initiate communications with computers on a network that it cannot route to.  That being said, this is probably what's happening:

1) You moved your server to the DMZ without changing the domainname.com (not www.domainname.com, just domainname.com) root entry to specify the external IP.

AND/OR

2) You didn't open enough ports in your firewall if routing is enabled between the two subnets.  See here: http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Let us know if this worked for you!
piattnd

What type of server did you move to the DMZ?  What type of blocked events do you see on the firewall coming from your server in the DMZ?  What ports and what were you doing at the time of the request?
Sandesh Dubey

What is the role of the server in the DMZ: is it a DC or a member server?

Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
Aaron_Gruber

ASKER

DesktopNinja wrote (2013-08-28 at 14:46:46, ID 39447149):
> Currently, Microsoft does not support using active directory over the internet (across NAT). This is because the server is not able to initiate communications with computers on a network that it cannot route to. That being said, this is probably what's happening:

The server is not communicating over the internet; it is on the edge of our network between our outside and inside firewalls.

piattnd wrote (2013-08-28 at 15:38:05, ID 39447266):
> What type of server did you move to the DMZ? What type of blocked events do you see on the firewall coming from your server in the DMZ? What ports and what were you doing at the time of the request?

The server is just an application/web server but needs to be able to resolve AD usernames. The server is a Windows Server 2008 R2 (virtual machine). I have not had my network admin do a packet capture on the firewall yet. Was hoping for a quick "You need this port" answer.

> What ports and what were you doing at the time of the request?

I have no idea what you are asking.

Sandeshdubey wrote (2013-08-28 at 21:12:03, ID 39447768):
> What is the role of the server in the DMZ: is it a DC or a member server?

Member server.
piattnd

> The server is just an application/web server but needs to be able to resolve AD usernames. The server is a Windows Server 2008 R2 (virtual machine). I have not had my network admin do a packet capture on the firewall yet. Was hoping for a quick "You need this port" answer.

According to your original post, you've already opened the ports on the firewall that are needed for LDAP communication, therefore I think it's necessary to move onto the next step which is to identify why traffic would still be blocked.

The first part of doing so is to identify whether the traffic is being sent over the ports you expect (that depends on the method you're using to communicate back to AD) and that the port traffic isn't being blocked (possible rule with your ACL).

All of us experts would love to give a quick answer of "open port ####", as it's quick points for us, but your question is not that simple.
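Added example (not from any of the posts above, and not piattnd's accepted solution): a port probe that does the first step piattnd describes, checking whether each port a domain member needs is actually reachable on a DC from the DMZ server, using the port list from the Microsoft reference DesktopNinja and Sandesh Dubey linked. It distinguishes a firewall drop (no reply at all, "Filtered") from a port that is allowed through but has nothing listening (RST, "Closed"), which is the difference between a firewall problem and a server problem. Two things worth knowing while reading the results: SID lookups from a member server go to a DC over the LSARPC named pipe, which rides SMB on TCP 445 (or RPC via 135 plus a dynamic port), and on Windows Server 2008 and later the default dynamic RPC range is 49152-65535, not the older 1025-5000 range. The DC hostname is an assumption; `nltest /dclist:<domain>` lists the real ones. The script is PowerShell 2.0 compatible so it runs on Server 2008 R2, and it covers TCP only.

```powershell
# Added example, not from the thread. Probes the TCP ports a domain member
# needs to reach a domain controller. Result per port:
#   Open     - SYN/ACK received, service reachable
#   Closed   - RST received, firewall lets the port through but nothing listens
#   Filtered - no answer within the timeout, almost always a firewall drop
# PowerShell 2.0 compatible (Server 2008 R2); UDP (DNS, Kerberos) not covered.
param([string]$DomainController = "dc01.corp.example")   # assumed name

# DNS comes first: if the DC name does not resolve, nothing else matters.
try {
    $address = [System.Net.Dns]::GetHostAddresses($DomainController)[0]
} catch {
    throw "Cannot resolve $DomainController from here; fix DNS (port 53) before testing anything else."
}

# Member-server -> DC ports from the Microsoft AD port reference (TechNet
# dd772723). 49160 is a sample from the Server 2008+ dynamic RPC range
# 49152-65535; "Closed" there still proves the range passes the firewall.
$ports = @(
    @{ Port = 53;    Service = "DNS (DC locator, SRV lookups)" },
    @{ Port = 88;    Service = "Kerberos" },
    @{ Port = 135;   Service = "RPC endpoint mapper" },
    @{ Port = 389;   Service = "LDAP" },
    @{ Port = 445;   Service = "SMB (LSARPC/SAMR pipes: SID lookups, Group Policy)" },
    @{ Port = 464;   Service = "Kerberos password change" },
    @{ Port = 636;   Service = "LDAPS" },
    @{ Port = 3268;  Service = "Global Catalog LDAP" },
    @{ Port = 3269;  Service = "Global Catalog LDAPS" },
    @{ Port = 49160; Service = "Sample of dynamic RPC range 49152-65535" }
)

function Test-TcpPort {
    param([System.Net.IPAddress]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return "Filtered"           # neither SYN/ACK nor RST came back
        }
        $client.EndConnect($async)      # throws when the DC answered with RST
        return "Open"
    } catch {
        return "Closed"
    } finally {
        $client.Close()
    }
}

$results = foreach ($entry in $ports) {
    New-Object PSObject -Property @{
        Port    = $entry.Port
        Service = $entry.Service
        Result  = (Test-TcpPort -Address $address -Port $entry.Port)
    }
}
$results | Select-Object Port, Service, Result | Format-Table -AutoSize
```

Run it on the DMZ server itself, not from the inside network, since the firewall rule under test is the one between the DMZ and the inside. A "Filtered" on 445 or on the dynamic-range sample, with everything the question lists showing "Open", is the pattern that matches "can telnet to the DC on all my open ports but still cannot resolve SIDs". One caveat: some firewalls are configured to reply with RST instead of silently dropping, in which case a "Closed" is not proof the path is open; the firewall log settles that.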
Aaron_Gruber

ASKER

I am able to successfully telnet to a domain controller using all of the ports I listed. Not sure if that helps. My network admin is doing a packet capture on the firewall now.
Kaffiend

You need port 636 ("secure" LDAP)

You could use port 389, but that would be kind of sloppy from a security standpoint.

You probably need the network/firewall team's involvement in this one.  They need to make sure traffic on port 636 can flow from and to both ends.  You might also need port 53 so your DMZ member server knows the IP addresses of DCs for making LDAP queries.
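Added example (not from Kaffiend's post or anyone else's): the SID resolution the question is about, done two ways from the DMZ member server, so the port each path depends on is visible. The first way is what the Local Users and Groups console does: the SID is handed to the local LSA, which forwards domain SIDs to a DC over the LSARPC interface (SMB, TCP 445, or RPC over 135 plus a dynamic port). The second way is an LDAPS query on TCP 636 for the object's `objectSid`, which is the port Kaffiend recommends and needs nothing beyond 636 and DNS for the query itself. The DC name and the SID are assumptions; the bind uses the calling account's Windows credentials.

```powershell
# Added example, not from the thread. Resolves a domain SID to an account
# name via (1) the LSA path the OS uses and (2) an LDAPS search on TCP 636.
# Both the DC name and the SID are placeholders; substitute real values.
param(
    [string]$DomainController = "dc01.corp.example",                   # assumed
    [string]$Sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"    # assumed
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# (1) LSA path. This is what "add a domain user to a local group" relies on.
# Fails with IdentityNotMappedException when TCP 445 (or 135 + dynamic RPC)
# to a DC is blocked, even if LDAP ports are open.
function Resolve-SidViaLsa([string]$SidString) {
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($SidString)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "LSA lookup failed: $($_.Exception.Message)"
    }
}

# (2) LDAPS path. Needs TCP 636 to the DC plus DNS; the bind is Negotiate,
# which tries Kerberos (needs port 88 to a DC) and falls back to NTLM.
function Resolve-SidViaLdaps([string]$Server, [string]$SidString) {
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $bytes  = New-Object byte[] ($sidObj.BinaryLength)
    $sidObj.GetBinaryForm($bytes, 0)
    # Binary values in an LDAP filter are written as \xx hex-escaped octets.
    $escaped = ($bytes | ForEach-Object { "\" + $_.ToString("x2") }) -join ""

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    # No certificate-validation override here on purpose: the DC's certificate
    # must chain to a CA this server trusts, or LDAPS does not protect against
    # a spoofed DC in the DMZ.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    # Take the domain naming context from the RootDSE instead of hard-coding it.
    $rootRequest = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "", "(objectClass=*)",
        [System.DirectoryServices.Protocols.SearchScope]::Base, @("defaultNamingContext"))
    $rootDse = $conn.SendRequest($rootRequest)
    $base = $rootDse.Entries[0].Attributes["defaultNamingContext"][0]

    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $base, "(objectSid=$escaped)",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, @("sAMAccountName"))
    $response = $conn.SendRequest($request)
    if ($response.Entries.Count -eq 0) { return $null }
    return $response.Entries[0].Attributes["sAMAccountName"][0]
}

Resolve-SidViaLsa $Sid
Resolve-SidViaLdaps $DomainController $Sid
```

If the LDAPS lookup returns the account name while the LSA lookup fails, the LDAP ports are fine and the missing piece is the SMB/RPC path to a DC; an application can resolve names itself over 636, but the Local Users and Groups console and the object picker will keep failing until LSA can reach a DC.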
Aaron_Gruber

ASKER

Kaffiend wrote (2013-08-29 at 07:51:32, ID 39449209):
> You need port 636 ("secure" LDAP)
>
> You could use port 389, but that would be kind of sloppy from a security standpoint.
>
> You probably need the network/firewall team's involvement in this one. They need to make sure traffic on port 636 can flow from and to both ends. You might also need port 53 so your DMZ member server knows the IP addresses of DCs for making LDAP queries.

Currently, I have 80, 443, 389, 636, 1025, and 135 open as well as DNS ports.
ASKER CERTIFIED SOLUTION
piattnd

Feroz Ahmed

Hi,

You can add DNS entries in the TCP/IP advanced settings; this will solve the issue. If the issue is not resolved, you can disjoin the server from the domain and add it to the domain again; this will solve the issue.