Solved

Active Directory Replication Through Firewall Question

Posted on 2014-10-13
5
303 Views
Last Modified: 2014-10-19
Our company has a few Windows Server 2012 R2 Domain Controller and need to do AD replication through our corporate Firewall as DCs are separate by the firewall.  I will follow the link from MS

http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx 

for firewall ports opening.

My question is when I put in the firewall rules shall I put the Source Domain Controller ports to ANY (i.e. Source Port) and the Destination Domain Controller ports (i.e. Destination Ports) to the ports described on the about link ?

Also, I suppose if I have two DCs, I need to put two firewall rules, one for allow replication from the first DC to the second one and another rule to allow replication from second DC to the first one ?

For Example :

Local Address      Local Port       Remote Address     Remote Port
DC1 IP                    Any                 DC2 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....
DC2 IP                    Any                 DC1 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....



Appreciate your kind advice in advance.

Patrick
0
Comment
Question by:patricktam
5 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40378900
Looks good to me

you could make it wide open

Local Address      Local Port       Remote Address     Remote Port   Protocol
on DC1
DC1 IP                    Any                 DC2 IP                      Any                      UDP
DC1 IP                   Any                 DC2 IP                      Any                      TCP
On DC2
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
0
 

Author Comment

by:patricktam
ID: 40378980
We are going to conduct security audit soon so only the neccessary ports are allowed to be open.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 40380303
Is implementing IPSec a possibility? It's a nontrivial task, but it would allow you to open far fewer ports for replication between DCs. (You'll note in that link you posted that "TCP Dynamic" refers to a block of 16,384 ports.)
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 40381024
Microsoft describes ports to open quite well.
0
 

Author Closing Comment

by:patricktam
ID: 40391023
Thank you for your advice
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question