Aaron_Gruber asked:

Unable to see domain resources on server

I recently moved a server in to our DMZ and I am now unable to see domain resources (when trying to add users to local groups) and the server is unable to resolve SIDs. I am pretty certain this is a port issue but do not know which ports to open in to the domain. Currently, I have 80, 443, 389, 636, 1025, and 135 open.
Tags: Active Directory, Windows Server 2008, Cisco

Last comment: Feroz Ahmed, 8/22/2022 (Mon)
DesktopNinja

Currently, Microsoft does not support using active directory over the internet (across NAT).  This is because the server is not able to initiate communications with computers on a network that it cannot route to.  That being said, this is probably what's happening:

1) You moved your server to the DMZ without changing the domainname.com (not www.domainname.com, just domainname.com) root entry to specify the external IP.

AND/OR

2) You didn't open enough ports in your firewall if routing is enabled between the two subnets.  See here: http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Let us know if this worked for you!
piattnd

What type of server did you move to the DMZ?  What type of blocked events do you see on the firewall coming from your server in the DMZ?  What ports and what were you doing at the time of the request?
Sandesh Dubey

What is the role of the server in the DMZ? Is it a DC or a member server?

Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
ASKER
Aaron_Gruber

> Expert Comment by DesktopNinja, posted on 2013-08-28 at 14:46:46 (ID: 39447149):
> Currently, Microsoft does not support using active directory over the internet (across NAT). This is because the server is not able to initiate communications with computers on a network that it cannot route to. That being said, this is probably what's happening:

The server is not communicating over the internet; it is on the edge of our network between our outside and inside firewalls.
> Expert Comment by piattnd, posted on 2013-08-28 at 15:38:05 (ID: 39447266):
> What type of server did you move to the DMZ? What type of blocked events do you see on the firewall coming from your server in the DMZ? What ports and what were you doing at the time of the request?

The server is just an application/web server but needs to be able to resolve AD usernames. The server is a Windows Server 2008 R2 (virtual machine). I have not had my network admin do a packet capture on the firewall yet. Was hoping for a quick "You need this port" answer.

> What ports and what were you doing at the time of the request?

I have no idea what you are asking.
> Expert Comment by Sandeshdubey, posted on 2013-08-28 at 21:12:03 (ID: 39447768):
> What is the role of the server in the DMZ? Is it a DC or a member server?

Member server.
piattnd

> The server is just an application/web server but needs to be able to resolve AD usernames. The server is a Windows Server 2008 R2 (virtual machine). I have not had my network admin do a packet capture on the firewall yet. Was hoping for a quick "You need this port" answer.

According to your original post, you've already opened the ports on the firewall that are needed for LDAP communication, therefore I think it's necessary to move onto the next step which is to identify why traffic would still be blocked.

The first part of doing so is to identify whether the traffic is being sent over the ports you expect (that depends on the method you're using to communicate back to AD) and that the port traffic isn't being blocked (possible rule with your ACL).

All of us experts would love to give a quick answer of "open port ####", as it's quick points for us, but your question is not that simple.
ASKER
Aaron_Gruber

I am able to successfully telnet to a domain controller using all of the ports I listed. Not sure if that helps. My network admin is doing a packet capture on the firewall now.
Kaffiend

You need port 636 ("secure" LDAP)

You could use port 389, but that would be kind of sloppy from a security standpoint.

You probably need the network/firewall team's involvement in this one.  They need to make sure traffic on port 636 can flow from and to both ends.  You might also need port 53 so your DMZ member server knows the IP addresses of DCs for making LDAP queries.
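A diagnostic script added here as an example (not from any poster in this thread or from Microsoft's article) that follows piattnd's suggestion to check whether traffic actually reaches a DC on the expected ports and Kaffiend's note on 636/389/53: it probes the TCP ports a domain member needs against a DC and then attempts the SID-to-name translation the asker reports failing. The DC name and the SID are placeholders to replace; the port list is the standard member-to-DC set from Microsoft's port reference, which adds 445 and the RPC dynamic range to the ports named so far.

```powershell
# Added example (not from the thread): probe the TCP ports a domain member needs to reach a DC,
# then attempt the SID-to-name translation the asker reports failing. PowerShell 2.0 / 2008 R2 safe.
param(
    [string]$DomainController = 'dc01.corp.example',                       # placeholder DC name/IP
    [string]$SidToTest = 'S-1-5-21-1111111111-2222222222-3333333333-512'  # placeholder domain SID
)

# TCP ports a member server uses against a DC (per Microsoft's AD port reference). UDP (DNS 53,
# Kerberos 88, LDAP ping 389) and the RPC dynamic range (49152-65535 on 2008 R2) are not probed.
$ports = @(
    @{ Port = 53;   Use = 'DNS (locate DCs via SRV records)' },
    @{ Port = 88;   Use = 'Kerberos authentication' },
    @{ Port = 135;  Use = 'RPC endpoint mapper (first step of any RPC call)' },
    @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 445;  Use = 'SMB (named-pipe RPC: LSARPC, SAMR, Netlogon secure channel)' },
    @{ Port = 464;  Use = 'Kerberos password change' },
    @{ Port = 636;  Use = 'LDAP over TLS' },
    @{ Port = 3268; Use = 'Global Catalog LDAP' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets shows as a timeout; a refusal comes back quickly.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout (likely filtered)' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return "refused/error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

foreach ($p in $ports) {
    $result = Test-TcpPort -ComputerName $DomainController -Port $p.Port
    "{0,5}/tcp  {1,-30} {2}" -f $p.Port, $result, $p.Use
}

# SID lookups go to the DC over LSA RPC (SMB 445, or 135 plus a dynamic port), not LDAP,
# so they can fail even when 389 and 636 are open.
try {
    $account = (New-Object System.Security.Principal.SecurityIdentifier $SidToTest).Translate([System.Security.Principal.NTAccount])
    "SID $SidToTest resolved to $($account.Value)"
} catch {
    "SID $SidToTest could not be resolved: $($_.Exception.Message)"
}
```

Run it from the DMZ member server; a port reported as "timeout" is the one to raise with the firewall team, and a resolved SID confirms the LSA RPC path (not just LDAP) is reachable.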
ASKER
Aaron_Gruber

> Expert Comment by Kaffiend, posted on 2013-08-29 at 07:51:32 (ID: 39449209):
> You need port 636 ("secure" LDAP)
>
> You could use port 389, but that would be kind of sloppy from a security standpoint.
>
> You probably need the network/firewall team's involvement in this one. They need to make sure traffic on port 636 can flow from and to both ends. You might also need port 53 so your DMZ member server knows the IP addresses of DCs for making LDAP queries.

Currently, I have 80, 443, 389, 636, 1025, and 135 open as well as DNS ports.
ASKER CERTIFIED SOLUTION
piattnd

Feroz Ahmed

Hi,

You can add DNS entries in the TCP/IP advanced settings; this will solve the issue. If the issue is not resolved, you can disjoin from the domain and join the domain again; this will solve the issue.