Solved

Joining a DMZ server to the domain

Posted on 2014-04-25
Last Modified: 2014-05-26
I have built a web and proxy server, configured with an IP range 192.168.x.x (DMZ IP Subnet) that is currently being used as our DMZ environment.

Our normal internal network operates on the 172.x.x.x network.

I can't join the new server to the domain which is configured with a static 192.168.x.x DMZ address and I have manually created a DNS Host Record on the DC which has replicated across all DCs, and rebooted the server twice.

I also can't ping the DCs on the 172.x addresses from the new server on the 192.x address.

Should I now be looking at configuring the firewall to allow cross-subnet and environment comms?
Question by:CTCRM
4 Comments
 
LVL 25

Accepted Solution

by:Zephyr ICT (earned 300 total points)
If you want your DMZ server to join the domain you'll have to open firewall ports between DMZ and your Domain Controller.

Following ports are needed for AD communication:
LDAP TCP-in - 389
LDAP UDP in - 389
LDAP for Global Catalog TCP in - 3268
NetBIOS name Resolution UDP in - 138
SAM/LSA TCP in - 445
SAM/LSA UDP in - 445
Secure LDAP TCP in - 636
Secure LDAP for Global Catalog TCP in - 3269
W32Time NTP UDP in - 123
RPC - RPC Dynamic
RPC Endpoint Mapper
DNS - TCP and UDP 53
Kerberos V5 UDP in - 88
NetBIOS Datagram UDP in - 137

More info: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
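The port list above is the set of firewall rules to open; a practical next step is to confirm from the DMZ server, before retrying the join, which of them actually reach a domain controller. The following is an added example (not code from Zephyr ICT's answer or from the linked Microsoft article) that probes each TCP port in the list with a plain handshake. `DC_HOST` is a placeholder for the DC's internal 172.x address; port 135 for the RPC Endpoint Mapper is assumed from the standard port, since the answer names the service without a number; the UDP-only services (Kerberos 88, NTP 123, NetBIOS, and the UDP variants of DNS, LDAP and 445) and the dynamic RPC range cannot be confirmed by a TCP connect and are left out.

```python
import socket
from typing import Dict, List, Tuple

# TCP ports from the accepted answer above, as (service, port) pairs. Port 135 is the
# standard RPC Endpoint Mapper port (assumed; the answer gives no number for it).
# UDP-only services and the dynamic RPC range are not listed: a TCP handshake
# cannot confirm them.
AD_TCP_PORTS: List[Tuple[str, int]] = [
    ("LDAP", 389),
    ("LDAP Global Catalog", 3268),
    ("SAM/LSA (SMB)", 445),
    ("Secure LDAP", 636),
    ("Secure LDAP Global Catalog", 3269),
    ("DNS", 53),
    ("RPC Endpoint Mapper", 135),
]

# Placeholder for the domain controller's internal (172.x.x.x) address or name.
DC_HOST = "dc01.corp.example"


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout.

    False means the firewall drops or rejects the connection, or nothing listens
    there; the check does not distinguish between the two.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str, ports: List[Tuple[str, int]] = AD_TCP_PORTS,
                   timeout: float = 2.0) -> Dict[str, bool]:
    """Probe every (service, port) pair and map 'service/port' to reachability."""
    return {f"{name}/{port}": tcp_port_open(host, port, timeout) for name, port in ports}


def missing_ports(results: Dict[str, bool]) -> List[str]:
    """List the entries that were not reachable, i.e. the rules still to be opened."""
    return sorted(key for key, ok in results.items() if not ok)


def local_demo() -> Dict[str, bool]:
    """Exercise the checker offline against a constructed local listener (standing in
    for a DC port the firewall allows) and a port known to be closed (a blocked one).
    Returns the results keyed by the fixed labels 'open' and 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Bind and immediately release a second ephemeral port so nothing listens on it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        results = check_dc_ports("127.0.0.1",
                                 [("open", open_port), ("closed", closed_port)],
                                 timeout=1.0)
    finally:
        listener.close()
    return {key.split("/")[0]: ok for key, ok in results.items()}


if __name__ == "__main__":
    report = check_dc_ports(DC_HOST)
    for entry, ok in report.items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {entry}")
    print("still to open:", missing_ports(report) or "none")
```

Run it on the DMZ host with `DC_HOST` set to a DC; every entry reported as BLOCKED is a rule the DMZ-to-LAN firewall still needs (or a DC that is not listening on it). `local_demo()` shows the same logic working without any network access. Ping failing, as in the question, usually means ICMP is filtered too and says nothing about these ports, so test them individually rather than inferring from ping.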
LVL 37

Expert Comment

by:Bing CISM / CISSP
What's the point for you to put a domain member server, which is supposed to be sitting on your internal LAN, into the DMZ zone?

similarly, what's the point for you to allow a DMZ server, which is supposed to be internet facing (not intranet facing), to join your internal domain?

Better let us know the background info and business requirement rather than the above technical requirement, as we can commonly find a better and safer way to do the same thing.
LVL 2

Author Comment

by:CTCRM
OK Guys, here's some more information.

I am configuring AD FS IFD services to allow external domain users to access our internal CRM environment and with that in mind I have done the following.

Built an internal AD FS server on the internal LAN
Built an external AD FS Proxy server in the DMZ to act as a proxy between the external users and our internal AD FS server
Built a Front End Web server in the DMZ to redirect authenticated external users to the internal CRM environment.

I didn't know whether both or either of the AD FS and/or the Front End CRM Web server should be members of the domain. If not, and it does make sense that they shouldn't be if they're located on my DMZ, I just wasn't sure, as they will need to communicate with the internal ADFS server and also the CRM SQL DB.
LVL 2

Author Closing Comment

by:CTCRM
I have configured the above using some but not all of the ports outlined.