Is domain controller = AD server = DNS server?

Posted on 2013-10-06
Medium Priority
Last Modified: 2013-10-26
I need to permit firewall rules to domain controllers for MS AAG.
Is domain controller = AD server = DNS server?  How do I find out
the domain controller from my SQL server that has joined the domain?

Below are the rules I'm trying to get permitted:

The following is the list of services and their ports used for Active Directory communication for SQL Server AlwaysOn:

- UDP port 88 for Kerberos authentication
- UDP and TCP port 135 for domain controller-to-domain controller and client-to-domain controller operations.
- TCP port 139 and UDP port 138 for File Replication Service between domain controllers.
- UDP port 389 for LDAP to handle normal queries from client computers to the domain controllers.
- TCP and UDP port 445 for File Replication Service
- TCP and UDP port 464 for Kerberos Password Change
- TCP port 3268 and 3269 for Global Catalog from client to domain controller.
- TCP and UDP port 53 for DNS from client to domain controller and domain controller to domain controller.
Question by: sunhux
LVL 27

Assisted Solution

skullnobrains earned 1000 total points
ID: 39550834
domain controller = AD server : yes

by default, a DC will also act as a DNS server for the domain it handles but this can be changed.
you can easily determine this from the output of "ipconfig /all" on a client machine.

you can determine which machine hosts your AD by running a dns query of type RR for _ldap._tcp.dc._msdcs.Active_Directory_domain_name
LVL 57

Accepted Solution

Mike Kline earned 500 total points
ID: 39550868
Do you have more than one domain controller that the SQL server might communicate with?  If so, you will want to open the ports between all of them.

DC to DC communication also requires the dynamic RPC ports (aka "high ports"), more on that



LVL 24

Assisted Solution

Sandeshdubey earned 500 total points
ID: 39553918
What is the OS version of the SQL server? If it is Windows Server 2003, you can download the Windows Support Tools and run the netdom query dc command to check the number of DCs. If it is Windows 2008, there is no need to install the tool; open cmd and run the netdom command. You can also run ipconfig /all and check the DNS server IP address. Run the set l command to know from which DC it authenticated.

By default there is no firewall policy applied, but if it is the SBS version then there is a default firewall GPO. You need to modify or create the policy as per requirement. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.

To perform GPO check and modification you need to contact AD admin for the same.

Author Comment

ID: 39555360
I'm on Win2012 DC & Win2008 R2 Std.

>a dns query of type RR for _ldap._tcp.dc._msdcs.Active_Directory_domain_name
What's the exact command to do the above?  If it's nslookup, I can't get the
command right:

Default Server:  app.optus.com.au

> type RR
*** Can't find address for server RR: Non-existent domain
LVL 27

Expert Comment

ID: 39558635
The syntax should be "set type=rr" and not "type rr",
or you can directly use "nslookup -type=rr ...".

I do not have a Windows box around, but nslookup has a decent built-in help.

Author Comment

ID: 39570824
That syntax doesn't work on our Win2008 R2 (Std or Ent):

> set type=rr
unknown query type: rr
> type rr
*** Can't find address for server rr: Non-existent domain
> set type ?
Unrecognized command: set type ?
> ?
Commands:   (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands
set OPTION      - set an option
    all                 - print options, current server and host
    [no]debug           - print debugging information
    [no]d2              - print exhaustive debugging information
    [no]defname         - append domain name to each query
    [no]recurse         - ask for recursive answer to query
    [no]search          - use domain search list
    [no]vc              - always use a virtual circuit
    domain=NAME         - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME           - set root server to NAME
    retry=X             - set number of retries to X
    timeout=X           - set initial time-out interval to X seconds
    type=X              - set query type (ex. A,AAAA,A+AAAA,ANY,CNAME,MX,NS,PTR,
    querytype=X         - same as type
LVL 27

Assisted Solution

skullnobrains earned 1000 total points
ID: 39571951
try using q=SRV
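To tie the thread together: the record type to ask for is SRV (interactively "set q=SRV" or "set type=SRV", or "nslookup -type=SRV" on the command line), and the name to query is the _ldap._tcp.dc._msdcs.<domain> locator record that skullnobrains named. The script below is an added example, not code from any poster here. It builds that query name, parses the output Windows nslookup prints for an SRV lookup into a host-to-IP map, and turns the question's port list into one reviewable allow rule per domain controller. The nslookup output, the domain corp.example.com, the DC names and all IP addresses are constructed for the example; it goes slightly beyond the question's list by also including TCP 389, since the SRV record being resolved is _ldap._tcp on port 389. The dynamic RPC "high ports" that Mike Kline mentions are not generated here and must be added separately.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what "nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com"
# prints on Windows for a hypothetical domain with two DCs. Not captured from a real host.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:  dc01.corp.example.com
Address:  10.0.0.10

_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp.example.com
_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.corp.example.com
dc01.corp.example.com   internet address = 10.0.0.10
dc02.corp.example.com   internet address = 10.0.0.11
"""

# Ports from the question's list, plus TCP 389 (the SRV record resolved above
# is _ldap._tcp on port 389).  Tuples are (protocol, port, purpose).
AD_PORTS: List[Tuple[str, int, str]] = [
    ("udp", 88, "Kerberos authentication"),
    ("udp", 135, "RPC endpoint mapper"),
    ("tcp", 135, "RPC endpoint mapper"),
    ("udp", 138, "File Replication Service"),
    ("tcp", 139, "File Replication Service"),
    ("udp", 389, "LDAP"),
    ("tcp", 389, "LDAP"),
    ("udp", 445, "File Replication Service"),
    ("tcp", 445, "File Replication Service"),
    ("udp", 464, "Kerberos password change"),
    ("tcp", 464, "Kerberos password change"),
    ("tcp", 3268, "Global Catalog"),
    ("tcp", 3269, "Global Catalog over SSL"),
    ("udp", 53, "DNS"),
    ("tcp", 53, "DNS"),
]

SRV_HOST_RE = re.compile(r"^\s*svr hostname\s*=\s*(\S+)", re.MULTILINE)
ADDR_RE = re.compile(r"^\s*(\S+)\s+internet address\s*=\s*(\S+)", re.MULTILINE)


def dc_locator_name(domain: str) -> str:
    """The DNS name whose SRV records list every DC of an AD domain."""
    return f"_ldap._tcp.dc._msdcs.{domain.strip('.').lower()}"


def nslookup_command(domain: str) -> str:
    """The non-interactive nslookup invocation for that record (-type=SRV, not RR)."""
    return f"nslookup -type=SRV {dc_locator_name(domain)}"


def parse_srv_output(text: str) -> Dict[str, str]:
    """Map each DC hostname from the SRV answers to the IP nslookup printed for it.

    A DC whose address did not appear in the output maps to ''.  An error
    response such as '*** Can't find ...' contains no SRV answers and yields {}.
    """
    hosts = [h.rstrip(".").lower() for h in SRV_HOST_RE.findall(text)]
    addrs = {h.rstrip(".").lower(): ip for h, ip in ADDR_RE.findall(text)}
    return {h: addrs.get(h, "") for h in hosts}   # dict preserves SRV order, drops duplicates


def firewall_rules(sql_host_ip: str, dcs: Dict[str, str]) -> List[str]:
    """One allow rule per (DC, protocol, port) from the SQL server to each DC.

    Output is plain text for a firewall admin to review, not a vendor syntax.
    Falls back to the hostname when nslookup returned no address for a DC.
    """
    rules = []
    for host, ip in dcs.items():
        dst = ip or host
        for proto, port, why in AD_PORTS:
            rules.append(f"allow {proto} from {sql_host_ip} to {dst} port {port}  # {host}: {why}")
    return rules


if __name__ == "__main__":
    print(nslookup_command("corp.example.com"))
    found = parse_srv_output(SAMPLE_NSLOOKUP_OUTPUT)
    print("domain controllers:", found)
    for rule in firewall_rules("10.0.5.20", found):   # 10.0.5.20 = hypothetical SQL server
        print(rule)
```

Run the real nslookup on the SQL server itself rather than a workstation, so the answer comes from the DNS server that box actually uses (the one ipconfig /all shows); if the DCs it lists differ from what the firewall team expects, that is the gap to close before opening ports.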
