Solved

Joining a DMZ server to the domain

Posted on 2014-04-25
Medium Priority
2,342 Views
Last Modified: 2014-05-26
I have built a web and proxy server, configured with an IP range 192.168.x.x (DMZ IP Subnet) that is currently being used as our DMZ environment.

Our normal internal network operates on the 172.x.x.x network.

I can't join the new server to the domain which is configured with a static 192.168.x.x DMZ address and I have manually created a DNS Host Record on the DC which has replicated across all DCs, and rebooted the server twice.

I also can't ping the DCs on the 172.x addresses from the new server on the 192.x address.

Should I now be looking at configuring the firewall to allow cross-subnet and cross-environment comms?
Question by:CTCRM
4 Comments
 
LVL 25

Accepted Solution

by:
Zephyr ICT earned 900 total points
ID: 40022756
If you want your DMZ server to join the domain you'll have to open firewall ports between DMZ and your Domain Controller.

The following ports are needed for AD communication:
LDAP: TCP 389 in
LDAP: UDP 389 in
LDAP for Global Catalog: TCP 3268 in
NetBIOS name resolution: UDP 138 in
SAM/LSA: TCP 445 in
SAM/LSA: UDP 445 in
Secure LDAP: TCP 636 in
Secure LDAP for Global Catalog: TCP 3269 in
W32Time (NTP): UDP 123 in
RPC: RPC dynamic range
RPC endpoint mapper
DNS: TCP and UDP 53
Kerberos V5: UDP 88 in
NetBIOS datagram: UDP 137 in

More info: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
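Before attempting the join, it is worth confirming from the DMZ server itself that each of those ports is actually reachable once the firewall rules are in; "cannot ping the DCs" and a failed join give almost no detail about which rule is missing. The following is an added example, not code from the thread: a PowerShell check script to run on the DMZ server. The domain name corp.example.com and the DC name dc01.corp.example.com are assumed placeholders. It needs Windows Server 2012 / Windows 8 or later for Test-NetConnection and Resolve-DnsName. It tests TCP 88 and TCP 464 as well as the UDP Kerberos port listed above, because Kerberos tickets carrying many group SIDs exceed the UDP datagram size and fall back to TCP.

```powershell
# Added example, not from the original thread: connectivity checks to run on the
# DMZ server before attempting the domain join, once the firewall rules are in.
# Assumed names (not in the original post): domain corp.example.com, DC dc01.
# Requires Windows Server 2012 / Windows 8 or later (Test-NetConnection,
# Resolve-DnsName).
$Domain = 'corp.example.com'
$Dc     = 'dc01.corp.example.com'

# TCP ports a domain join and member logon need, with what breaks when each
# is blocked. Plain hashtable with integer keys (an [ordered] dictionary would
# treat an integer index as a position, not a key).
$TcpPorts = @{
    53   = 'DNS (responses over 512 bytes, e.g. large SRV answers, use TCP)'
    88   = 'Kerberos (large tickets fall back from UDP to TCP)'
    135  = 'RPC endpoint mapper (Netlogon, SAMR, DRS replication calls)'
    389  = 'LDAP'
    445  = 'SMB: SYSVOL policy download, Netlogon named pipe'
    464  = 'Kerberos password change (used when the machine account password is set)'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAPS'
}

function Test-AdPorts {
    param([string]$Server, [hashtable]$Ports)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Purpose = $Ports[$port]
            Open    = $r.TcpTestSucceeded
        }
    }
}

# 1. Name resolution. The join locates a DC through these SRV records, so if the
#    DMZ server's NIC does not point at an internal DNS server, or port 53 is
#    filtered, the join fails before any LDAP or Kerberos traffic is sent.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV records for $Domain; check the DNS servers in the NIC config and port 53."
} else {
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority | Format-Table -AutoSize
}

# 2. TCP reachability of each required port on the DC.
$results = Test-AdPorts -Server $Dc -Ports $TcpPorts
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked TCP ports: " + ($blocked.Port -join ', ') + ". The join will fail.")
}

# 3. Kerberos rejects authentication beyond 5 minutes of clock skew by default.
#    This compares clocks over NTP (UDP 123), which the TCP tests cannot cover.
w32tm /stripchart /computer:$Dc /samples:3 /dataonly

# 4. Let the DC locator report what it finds. An error here reproduces the
#    failure the join wizard would hit, with a more specific error code.
nltest /dsgetdc:$Domain /force
```

Two caveats on reading the output. Test-NetConnection only probes TCP, so the UDP entries in the list above (53, 88, 123, 137, 138 and 389, the last being the CLDAP "ping" the DC locator uses) are exercised only indirectly by steps 1, 3 and 4. The RPC dynamic range cannot be probed port by port either: on Server 2008 and later it defaults to 49152-65535, and a rule that opens only 135 produces a join that gets through the endpoint mapper and then fails with "The RPC server is unavailable". Finally, as the next comment points out, every one of these rules is a hole from the DMZ into the internal network; scope them to the one DMZ host and the specific DC addresses rather than subnet to subnet.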
LVL 37

Expert Comment

by:bbao
ID: 40024593
What's the point of putting a domain member server, which is supposed to be sitting on your internal LAN, into the DMZ zone?

Similarly, what's the point of allowing a DMZ server, which is supposed to be internet-facing (not intranet-facing), to join your internal domain?

Better to let us know the background info and business requirement rather than the above technical requirement, as we can commonly find a better and safer way to do the same thing.
LVL 2

Author Comment

by:CTCRM
ID: 40026764
OK Guys, here's some more information.

I am configuring AD FS IFD services to allow external domain users to access our internal CRM environment, and with that in mind I have done the following.

Built an internal AD FS server on the internal LAN
Built an external AD FS Proxy server in the DMZ to act as a proxy between the external users and our internal AD FS server
Built a front-end web server in the DMZ to redirect authenticated external users to the internal CRM environment.

I didn't know whether both or either of the AD FS Proxy and/or the front-end CRM web server should be members of the domain. If not (and it does make sense that they aren't, if they're located in my DMZ), I just wasn't sure, as they will need to communicate with the internal AD FS server and also the CRM SQL DB.
LVL 2

Author Closing Comment

by:CTCRM
ID: 40090868
I have configured the above using some but not all of the ports outlined.
