Solved

Active Directory Replication Through Firewall Question

Posted on 2014-10-13
5
274 Views
Last Modified: 2014-10-19
Our company has a few Windows Server 2012 R2 Domain Controller and need to do AD replication through our corporate Firewall as DCs are separate by the firewall.  I will follow the link from MS

http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

for firewall ports opening.

My question is when I put in the firewall rules shall I put the Source Domain Controller ports to ANY (i.e. Source Port) and the Destination Domain Controller ports (i.e. Destination Ports) to the ports described on the about link ?

Also, I suppose if I have two DCs, I need to put two firewall rules, one for allow replication from the first DC to the second one and another rule to allow replication from second DC to the first one ?

For Example :

Local Address      Local Port       Remote Address     Remote Port
DC1 IP                    Any                 DC2 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....
DC2 IP                    Any                 DC1 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....



Appreciate your kind advice in advance.

Patrick
0
Comment
Question by:patricktam
5 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
Comment Utility
Looks good to me

you could make it wide open

Local Address      Local Port       Remote Address     Remote Port   Protocol
on DC1
DC1 IP                    Any                 DC2 IP                      Any                      UDP
DC1 IP                   Any                 DC2 IP                      Any                      TCP
On DC2
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
0
 

Author Comment

by:patricktam
Comment Utility
We are going to conduct security audit soon so only the neccessary ports are allowed to be open.
0
 
LVL 25

Expert Comment

by:DrDave242
Comment Utility
Is implementing IPSec a possibility? It's a nontrivial task, but it would allow you to open far fewer ports for replication between DCs. (You'll note in that link you posted that "TCP Dynamic" refers to a block of 16,384 ports.)
0
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
Comment Utility
Microsoft describes ports to open quite well.
0
 

Author Closing Comment

by:patricktam
Comment Utility
Thank you for your advice
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now