Solved

Joining a DMZ server to the domain

Posted on 2014-04-25
4
2,155 Views
Last Modified: 2014-05-26
I have built a web and proxy server, configured with an IP range 192.168.x.x (DMZ IP Subnet) that is currently being used as our DMZ environment.

Our normal internal network operates on the 172.x.x.x network.

I can't join the new server to the domain which is configured with a static 192.168.x.x DMZ address and I have manually created a DNS Host Record on the DC which has replicated across all DCs, and rebooted the server twice.

I also can't ping the DCs on the 172.x addresses from the new server on the 192.x address.

Should I now be looking at configuring the firewall to all cross subnet and environment comms?
0
Comment
Question by:CTCRM
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 25

Accepted Solution

by:
Zephyr ICT earned 300 total points
ID: 40022756
If you want your DMZ server to join the domain you'll have to open firewall ports between DMZ and your Domain Controller.

Following ports are needed for AD communication:
LDAP TCP-in - 389
LDAP UDP in - 389
LDAP for Global Catalog TCP in - 3268
NetBIOS name Resolution UDP in - 138
SAM/LSA TCP in - 445
SAM/LSA UDP in - 445
Secure LDAP TCP in -  636
Secure LDAP for Global Catalog TCP in - 3269
W32Time NTP UDP in - 123
RPC - RPC Dynamic
RPC Endpoint Mapper
DNS - TCP and UDP 53
Kerberos V5 UDP in - 88
Netbios Datagram UDP in - 137

More info: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
0
 
LVL 37

Expert Comment

by:bbao
ID: 40024593
what's point for you to put a domain member server, which is supposed to be sitting on your internal LAN, into the DMZ zone?

similarly, what's the point for you to allow a DMZ server, which is supposed to be internet facing (not intranet facing), to join your internal domain?

better let us know the background info and business requirement rather than the abive technical requirement, as we can commonly find a better and safer way to do the same thing.
0
 
LVL 2

Author Comment

by:CTCRM
ID: 40026764
OK Guys, here's some more information.

I am configuring AD FS IFD services to allow external domain users to access our internal CRM environment and with that in mind I have done the following.

Built an internal AD FS server on the internal LAN
Built an external AD FS Proxy server in the DMZ to act as a proxy between the external users and our internal AD FS server
Built a Front End Web server in the DMZ to redirect authenticated external users to the internal CRM environment.

I didn't know whether both or either of the AD FS and/or the Front End CRM Web server should be members on the domain. If not and it does make sense that they don't if they're located in on my DMZ, just wasn't sure as they will need to communicate with the internal ADFS server and also CRM SQL DB.
0
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 40090868
I have configured the above using some but not all of the ports outlined.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nslookup is a command line driven utility supplied as part of most Windows operating systems that can reveal information related to domain names and the Internet Protocol (IP) addresses associated with them. In simple terms, it is a tool that can …
A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question