• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2746
  • Last Modified:

Joining a DMZ server to the domain

I have built a web and proxy server, configured with an IP range 192.168.x.x (DMZ IP Subnet) that is currently being used as our DMZ environment.

Our normal internal network operates on the 172.x.x.x network.

I can't join the new server to the domain which is configured with a static 192.168.x.x DMZ address and I have manually created a DNS Host Record on the DC which has replicated across all DCs, and rebooted the server twice.

I also can't ping the DCs on the 172.x addresses from the new server on the 192.x address.

Should I now be looking at configuring the firewall to all cross subnet and environment comms?
0
CTCRM
Asked:
CTCRM
  • 2
1 Solution
 
Zephyr ICTCloud ArchitectCommented:
If you want your DMZ server to join the domain you'll have to open firewall ports between DMZ and your Domain Controller.

Following ports are needed for AD communication:
LDAP TCP-in - 389
LDAP UDP in - 389
LDAP for Global Catalog TCP in - 3268
NetBIOS name Resolution UDP in - 138
SAM/LSA TCP in - 445
SAM/LSA UDP in - 445
Secure LDAP TCP in -  636
Secure LDAP for Global Catalog TCP in - 3269
W32Time NTP UDP in - 123
RPC - RPC Dynamic
RPC Endpoint Mapper
DNS - TCP and UDP 53
Kerberos V5 UDP in - 88
Netbios Datagram UDP in - 137

More info: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
0
 
bbaoIT ConsultantCommented:
what's point for you to put a domain member server, which is supposed to be sitting on your internal LAN, into the DMZ zone?

similarly, what's the point for you to allow a DMZ server, which is supposed to be internet facing (not intranet facing), to join your internal domain?

better let us know the background info and business requirement rather than the abive technical requirement, as we can commonly find a better and safer way to do the same thing.
0
 
CTCRMInfrastructure EngineerAuthor Commented:
OK Guys, here's some more information.

I am configuring AD FS IFD services to allow external domain users to access our internal CRM environment and with that in mind I have done the following.

Built an internal AD FS server on the internal LAN
Built an external AD FS Proxy server in the DMZ to act as a proxy between the external users and our internal AD FS server
Built a Front End Web server in the DMZ to redirect authenticated external users to the internal CRM environment.

I didn't know whether both or either of the AD FS and/or the Front End CRM Web server should be members on the domain. If not and it does make sense that they don't if they're located in on my DMZ, just wasn't sure as they will need to communicate with the internal ADFS server and also CRM SQL DB.
0
 
CTCRMInfrastructure EngineerAuthor Commented:
I have configured the above using some but not all of the ports outlined.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now