Solved

Joining a DMZ server to the domain

Posted on 2014-04-25
4
1,694 Views
Last Modified: 2014-05-26
I have built a web and proxy server, configured with an IP range 192.168.x.x (DMZ IP Subnet) that is currently being used as our DMZ environment.

Our normal internal network operates on the 172.x.x.x network.

I can't join the new server to the domain which is configured with a static 192.168.x.x DMZ address and I have manually created a DNS Host Record on the DC which has replicated across all DCs, and rebooted the server twice.

I also can't ping the DCs on the 172.x addresses from the new server on the 192.x address.

Should I now be looking at configuring the firewall to allow cross-subnet and cross-environment comms?
0
Question by:CTCRM
4 Comments
 
LVL 25

Accepted Solution

by:
Zephyr ICT earned 300 total points
ID: 40022756
If you want your DMZ server to join the domain you'll have to open firewall ports between DMZ and your Domain Controller.

Following ports are needed for AD communication:
LDAP TCP-in - 389
LDAP UDP in - 389
LDAP for Global Catalog TCP in - 3268
NetBIOS name Resolution UDP in - 138
SAM/LSA TCP in - 445
SAM/LSA UDP in - 445
Secure LDAP TCP in -  636
Secure LDAP for Global Catalog TCP in - 3269
W32Time NTP UDP in - 123
RPC - RPC Dynamic
RPC Endpoint Mapper
DNS - TCP and UDP 53
Kerberos V5 UDP in - 88
Netbios Datagram UDP in - 137

More info: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
0
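A practical way to verify the firewall rules the accepted answer calls for is to probe the ports from the DMZ host before attempting the join. The script below is an added example, not code from the thread or from Microsoft; it assumes it runs on the DMZ server (Windows Server 2012 R2 or later, for Test-NetConnection and Resolve-DnsName) and that the domain name and the internal DNS server address are placeholders you replace. The port numbers come from the accepted answer; TCP 135 is added because the answer names the RPC endpoint mapper without its port.

```powershell
# Added example: check from the DMZ server that the firewall allows the AD
# ports listed in the accepted answer. Not part of the original thread.
# Assumptions: $Domain and $DnsServer are placeholders; run on the DMZ host.

param(
    [string]$Domain    = 'corp.example',   # placeholder AD DNS name
    [string]$DnsServer = '172.16.0.10'     # placeholder internal DC/DNS address
)

# TCP ports from the accepted answer, plus 135 (RPC endpoint mapper).
$TcpPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB (SAM/LSA)' },
    @{ Port = 636;  Name = 'Secure LDAP' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Secure Global Catalog' }
)

# Step 1: DNS. Domain join locates a DC through the _ldap SRV record, so a
# successful lookup proves both that port 53 is open and that the DNS server
# the DMZ host uses actually knows the domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                       -Server $DnsServer -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
"Domain controllers advertised via SRV: $($dcs -join ', ')"

# Step 2: TCP reachability of each listed port on each DC.
$results = foreach ($dc in $dcs) {
    foreach ($p in $TcpPorts) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Port `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc
            Port    = $p.Port
            Service = $p.Name
            Open    = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# Step 3: UDP-only services (NTP 123, NetBIOS 137/138) cannot be probed with
# a TCP connect. Time sync is the one that breaks Kerberos if blocked, so ask
# w32tm to sample the first DC's clock instead.
w32tm /stripchart /computer:$($dcs[0]) /samples:3 /dataonly

# Summarise what the firewall still blocks.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning 'Blocked ports; add DMZ-to-DC firewall rules for these before joining:'
    $blocked | Format-Table -AutoSize
} else {
    'All listed TCP ports reachable on every DC.'
}
```

Run it from an elevated PowerShell prompt on the DMZ server. Opening only the ports that show as blocked, and only from the DMZ host's address to the DC addresses, keeps the rule set as narrow as the join actually needs.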
 
LVL 37

Expert Comment

by:bbao
ID: 40024593
What's the point for you to put a domain member server, which is supposed to be sitting on your internal LAN, into the DMZ zone?

Similarly, what's the point for you to allow a DMZ server, which is supposed to be internet facing (not intranet facing), to join your internal domain?

Better let us know the background info and business requirement rather than the above technical requirement, as we can commonly find a better and safer way to do the same thing.
0
 
LVL 2

Author Comment

by:CTCRM
ID: 40026764
OK Guys, here's some more information.

I am configuring AD FS IFD services to allow external domain users to access our internal CRM environment and with that in mind I have done the following.

Built an internal AD FS server on the internal LAN
Built an external AD FS Proxy server in the DMZ to act as a proxy between the external users and our internal AD FS server
Built a Front End Web server in the DMZ to redirect authenticated external users to the internal CRM environment.

I didn't know whether both or either of the AD FS and/or the Front End CRM Web server should be members of the domain. If not (and it does make sense that they don't if they're located in my DMZ), I just wasn't sure, as they will need to communicate with the internal ADFS server and also the CRM SQL DB.
0
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 40090868
I have configured the above using some but not all of the ports outlined.
0
