Unable to see domain resources on server

I recently moved a server into our DMZ and I am now unable to see domain resources (when trying to add users to local groups) and the server is unable to resolve SIDs. I am pretty certain this is a port issue but do not know which ports to open into the domain. Currently, I have 80, 443, 389, 636, 1025, and 135 open.
Aaron_Gruber asked:

DesktopNinja commented:
Currently, Microsoft does not support using Active Directory over the internet (across NAT). This is because the server is not able to initiate communications with computers on a network that it cannot route to. That being said, this is probably what's happening:

1) You moved your server to the DMZ without changing the domainname.com (not www.domainname.com, just domainname.com) root entry to specify the external IP.

AND/OR

2) You didn't open enough ports in your firewall if routing is enabled between the two subnets.  See here: http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Let us know if this worked for you!
0
piattnd commented:
What type of server did you move to the DMZ?  What type of blocked events do you see on the firewall coming from your server in the DMZ?  What ports and what were you doing at the time of the request?
0
Sandeshdubey (Senior Server Engineer) commented:
What is the role of the server in the DMZ? Is it a DC or a member server?

Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
0
Aaron_Gruber (Author) commented:

Expert Comment by DesktopNinja, posted on 2013-08-28 at 14:46:46, ID: 39447149
Currently, Microsoft does not support using Active Directory over the internet (across NAT). This is because the server is not able to initiate communications with computers on a network that it cannot route to. That being said, this is probably what's happening:

The server is not communicating over the internet; it is on the edge of our network between our outside and inside firewalls.

Expert Comment by piattnd, posted on 2013-08-28 at 15:38:05, ID: 39447266
What type of server did you move to the DMZ? What type of blocked events do you see on the firewall coming from your server in the DMZ? What ports and what were you doing at the time of the request?

The server is just an application/web server but needs to be able to resolve AD usernames. The server is a Windows Server 2008 R2 (virtual machine). I have not had my network admin do a packet capture on the firewall yet. Was hoping for a quick "You need this port" answer.

What ports and what were you doing at the time of the request?

I have no idea what you are asking.

Expert Comment by Sandeshdubey, posted on 2013-08-28 at 21:12:03, ID: 39447768
What is the role of the server in the DMZ? Is it a DC or a member server?

Member server.
0
piattnd commented:

The server is just an application/web server but needs to be able to resolve AD usernames. The server is a Windows Server 2008 R2 (virtual machine). I have not had my network admin do a packet capture on the firewall yet. Was hoping for a quick "You need this port" answer.

According to your original post, you've already opened the ports on the firewall that are needed for LDAP communication; therefore I think it's necessary to move on to the next step, which is to identify why traffic would still be blocked.

The first part of doing so is to identify whether the traffic is being sent over the ports you expect (that depends on the method you're using to communicate back to AD) and that the port traffic isn't being blocked (possible rule with your ACL).

All of us experts would love to give a quick answer of "open port ####", as it's quick points for us, but your question is not that simple.
0
Aaron_Gruber (Author) commented:
I am able to successfully telnet to a domain controller using all of the ports I listed. Not sure if that helps. My network admin is doing a packet capture on the firewall now.
0
Kaffiend commented:
You need port 636 ("secure" LDAP)

You could use port 389, but that would be kind of sloppy from a security standpoint.

You probably need the network/firewall team's involvement in this one.  They need to make sure traffic on port 636 can flow from and to both ends.  You might also need port 53 so your DMZ member server knows the IP addresses of DCs for making LDAP queries.
0
Aaron_Gruber (Author) commented:

Expert Comment by Kaffiend, posted on 2013-08-29 at 07:51:32, ID: 39449209
You need port 636 ("secure" LDAP)

You could use port 389, but that would be kind of sloppy from a security standpoint.

You probably need the network/firewall team's involvement in this one. They need to make sure traffic on port 636 can flow from and to both ends. You might also need port 53 so your DMZ member server knows the IP addresses of DCs for making LDAP queries.

Currently, I have 80, 443, 389, 636, 1025, and 135 open as well as DNS ports.
0
piattnd commented:
636 has already been opened, according to the original post.  I'm assuming port 53 isn't the issue, because I assume the telnet tests were all done via computer name, not IP address.  If that is not the case, test your name lookup, as it could be that name lookup is the entire issue.
0
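Picking up piattnd's two suggestions above (confirm which ports the traffic actually needs, and test name lookup), here is an added example to run on the DMZ member server; it is not code from the thread or from any of the participants. It locates DCs from the domain's SRV record, TCP-connects to each on the fixed ports a domain member needs, and then does a name-to-SID-to-name round trip, which is the lookup that fails when SIDs show up unresolved. The DC names and the test account are placeholders. The port list and the point that SID lookups travel over RPC/SMB (135, 445 and the dynamic RPC range) rather than LDAP come from Microsoft's documented requirements, not from the thread. Written for PowerShell 2.0 so it works on Windows Server 2008 R2, where Test-NetConnection and Resolve-DnsName are not available.

```powershell
# Added example, not code from the thread. Run on the DMZ member server.
# DC names and the test account are placeholders; the port list is Microsoft's
# documented set for a domain member, summarized here rather than taken from the thread.
param(
    [string[]]$DomainControllers = @(),         # leave empty to discover DCs via DNS SRV
    [string]$TestAccount = "EXAMPLE\jdoe",      # placeholder: any real domain account
    [string]$DnsDomain = $env:USERDNSDOMAIN,    # DNS name of the joined domain
    [int]$TimeoutMs = 2000
)

# Fixed ports a member server needs to reach on its DCs, with what each carries.
# Name/SID resolution and "add domain user to local group" use RPC: port 135 plus a
# port in the dynamic range (49152-65535 on Server 2008 and later), or SMB on 445.
$fixedPorts = @{
    53   = "DNS: SRV records that locate DCs"
    88   = "Kerberos authentication"
    135  = "RPC endpoint mapper (LSA name/SID lookups start here)"
    389  = "LDAP"
    445  = "SMB / named pipes (LSARPC, Netlogon, Group Policy)"
    464  = "Kerberos password change"
    636  = "LDAP over SSL"
    3268 = "Global Catalog LDAP"
    3269 = "Global Catalog LDAP over SSL"
}

function Get-DcHostsFromSrv {
    # Find DCs the way a member does: the _ldap._tcp.dc._msdcs SRV record.
    # nslookup is used because Resolve-DnsName does not exist on Server 2008 R2.
    param([string]$Domain)
    $output = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
    $found = @()
    foreach ($line in $output) {
        if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $found += $matches[1] }
    }
    return $found
}

function Test-TcpPort {
    # TCP connect with a timeout; TcpClient is available on PowerShell 2.0.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused or reset
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-SidResolution {
    # Name -> SID -> name through LSA. This is the lookup that fails when a DMZ
    # member shows unresolved SIDs, and it depends on RPC/SMB, not on LDAP alone.
    param([string]$AccountName)
    try {
        $account = New-Object System.Security.Principal.NTAccount($AccountName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $back = $sid.Translate([System.Security.Principal.NTAccount])
        Write-Host ("Resolved {0} -> {1} -> {2}" -f $AccountName, $sid.Value, $back.Value)
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "LSA could not map the name: check 135/445 and the dynamic RPC range to a DC, and that the account name is correct."
        return $false
    } catch {
        Write-Warning ("Lookup failed: {0}" -f $_.Exception.Message)
        return $false
    }
}

if ($DomainControllers.Count -eq 0) {
    $DomainControllers = @(Get-DcHostsFromSrv -Domain $DnsDomain)
    if ($DomainControllers.Count -eq 0) {
        Write-Warning "No DC SRV records returned for $DnsDomain; check DNS (port 53) before anything else."
        return
    }
}

$results = @()
foreach ($dc in $DomainControllers) {
    foreach ($port in ($fixedPorts.Keys | Sort-Object)) {
        $results += New-Object PSObject -Property @{
            DomainController = $dc
            Port             = $port
            Open             = (Test-TcpPort -ComputerName $dc -Port $port -TimeoutMs $TimeoutMs)
            Purpose          = $fixedPorts[$port]
        }
    }
}
$results | Sort-Object DomainController, Port | Format-Table DomainController, Port, Open, Purpose -AutoSize

Test-SidResolution -AccountName $TestAccount | Out-Null
```

If every fixed port shows Open but the SID round trip still fails, the remaining suspect is the dynamic RPC range, which a single-port probe cannot confirm; that is where the firewall packet capture mentioned in the thread earns its keep.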

Feroz Ahmed (Senior Network Engineer) commented:
Hi,

You can add DNS entries in the TCP/IP advanced settings; this will solve the issue. If the issue is not resolved, you can disjoin the server from the domain and add it to the domain again; this will solve the issue.
0