is domain controller = AD server = DNS server ?

I need to permit firewall rules to domain controllers for MS AAG.
Is domain controller = AD server = DNS server? How do I find out
the domain controller from my SQL server, which has joined the domain?


Below are the rules I'm trying to get permitted:

The following is the list of services and their ports used for Active Directory communication for SQL Server AlwaysOn:

- UDP port 88 for Kerberos authentication
- UDP and TCP port 135 for domain controller-to-domain controller and client-to-domain controller operations
- TCP port 139 and UDP port 138 for File Replication Service between domain controllers
- UDP port 389 for LDAP to handle normal queries from client computers to the domain controllers
- TCP and UDP port 445 for File Replication Service
- TCP and UDP port 464 for Kerberos password change
- TCP ports 3268 and 3269 for Global Catalog from client to domain controller
- TCP and UDP port 53 for DNS from client to domain controller and domain controller to domain controller
sunhux asked:

skullnobrains commented:
Domain controller = AD server: yes.

By default, a DC will also act as a DNS server for the domain it handles, but this can be changed.
You can easily determine this from the output of "ipconfig /all" on a client machine.

You can determine which machine hosts your AD by running a DNS query of type RR for _ldap._tcp.dc._msdcs.Active_Directory_domain_name
Mike Kline commented:
Do you have more than one domain controller that the SQL server might communicate with? If so, you will want to open the ports between all of them.

DC-to-DC communication also requires the dynamic RPC ports (aka "high ports"); more on that here:

http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx

Thanks

Mike
Sandeshdubey (Senior Server Engineer) commented:
What is the OS version of the SQL server? If it is Windows 2003 Server, you can download the Windows Support Tools and run the netdom query dc command to check the number of DCs. If it is Windows 2008, there is no need to install the tool: open cmd and run the netdom command. You can also run ipconfig /all and check the DNS server IP address. Run the set l command to know from which DC it authenticated.

By default there is no firewall policy applied, but if it is the SBS version then there is a default firewall GPO. You need to modify or create the policy as per requirement. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.

To perform a GPO check and modification you need to contact the AD admin.

sunhux (author) commented:
I'm on Win2012 DC & Win2008 R2 Std.

> a DNS query of type RR for _ldap._tcp.dc._msdcs.Active_Directory_domain_name
What's the exact command to do the above? If it's nslookup, I can't get the
command right:

D:\>nslookup
Default Server:  app.optus.com.au
Address:  192.168.1.254

> type RR
*** Can't find address for server RR: Non-existent domain
>
skullnobrains commented:
The syntax should be "set type=rr" and not "type rr",
or you can directly use "nslookup -type=rr ...".

I do not have a Windows box around, but nslookup has a decent built-in help.
sunhux (author) commented:
That syntax doesn't work on our Win2008 R2 (Std or Ent):


> set type=rr
unknown query type: rr
> type rr
*** Can't find address for server rr: Non-existent domain
> set type ?
Unrecognized command: set type ?
> ?
Commands:   (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands
set OPTION      - set an option
    all                 - print options, current server and host
    [no]debug           - print debugging information
    [no]d2              - print exhaustive debugging information
    [no]defname         - append domain name to each query
    [no]recurse         - ask for recursive answer to query
    [no]search          - use domain search list
    [no]vc              - always use a virtual circuit
    domain=NAME         - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME           - set root server to NAME
    retry=X             - set number of retries to X
    timeout=X           - set initial time-out interval to X seconds
    type=X              - set query type (ex. A,AAAA,A+AAAA,ANY,CNAME,MX,NS,PTR,
SOA,SRV)
    querytype=X         - same as type
skullnobrains commented:
Try using q=SRV.
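The lookup the thread converges on, as an added example that is not part of any post above: resolve the _ldap._tcp.dc._msdcs SRV record for the domain the machine joined, then probe the TCP ports from the question's list against every DC it returns. It assumes PowerShell 3.0+ on Windows 8 / Server 2012 or later (Resolve-DnsName and Test-NetConnection are not present on Server 2008 R2).

```powershell
# Added example, not from the thread: find the domain controllers for the
# joined domain via DNS and check the TCP ports listed in the question.
# Assumes PowerShell 3.0+ (Server 2012 or later) for Resolve-DnsName and
# Test-NetConnection; on 2008 R2 use "nslookup -type=SRV ..." instead.

# Domain taken from the computer's own membership; override if needed.
$Domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain

# Every DC registers this SRV record. Equivalent interactive command:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.$Domain
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop

# Resolve-DnsName also returns the A records from the additional section,
# so keep only the SRV answers and de-duplicate the target hostnames.
$dcs = $srv |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget |
    Sort-Object -Unique

# TCP ports from the question's list. Kerberos (88) also runs over TCP in
# practice. UDP ports (88, 138, 389) cannot be probed with a TCP connect.
$tcpPorts = 53, 88, 135, 139, 389, 445, 464, 3268, 3269

foreach ($dc in $dcs) {
    foreach ($port in $tcpPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $port
            TcpOpen          = $r.TcpTestSucceeded
        }
    }
}
```

A row with TcpOpen = False for a DC you expect to reach points at the firewall rule for that port; the dynamic RPC high ports Mike mentions are not covered by this list and still need their own rule.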