Solved

Active Directory Replication Through Firewall Question

Posted on 2014-10-13
5
296 Views
Last Modified: 2014-10-19
Our company has a few Windows Server 2012 R2 Domain Controller and need to do AD replication through our corporate Firewall as DCs are separate by the firewall.  I will follow the link from MS

http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx 

for firewall ports opening.

My question is when I put in the firewall rules shall I put the Source Domain Controller ports to ANY (i.e. Source Port) and the Destination Domain Controller ports (i.e. Destination Ports) to the ports described on the about link ?

Also, I suppose if I have two DCs, I need to put two firewall rules, one for allow replication from the first DC to the second one and another rule to allow replication from second DC to the first one ?

For Example :

Local Address      Local Port       Remote Address     Remote Port
DC1 IP                    Any                 DC2 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....
DC2 IP                    Any                 DC1 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....



Appreciate your kind advice in advance.

Patrick
0
Comment
Question by:patricktam
5 Comments
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40378900
Looks good to me

you could make it wide open

Local Address      Local Port       Remote Address     Remote Port   Protocol
on DC1
DC1 IP                    Any                 DC2 IP                      Any                      UDP
DC1 IP                   Any                 DC2 IP                      Any                      TCP
On DC2
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
0
 

Author Comment

by:patricktam
ID: 40378980
We are going to conduct security audit soon so only the neccessary ports are allowed to be open.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 40380303
Is implementing IPSec a possibility? It's a nontrivial task, but it would allow you to open far fewer ports for replication between DCs. (You'll note in that link you posted that "TCP Dynamic" refers to a block of 16,384 ports.)
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 40381024
Microsoft describes ports to open quite well.
0
 

Author Closing Comment

by:patricktam
ID: 40391023
Thank you for your advice
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question