?
Solved

Active Directory Replication Through Firewall Question

Posted on 2014-10-13
5
Medium Priority
?
345 Views
Last Modified: 2014-10-19
Our company has a few Windows Server 2012 R2 Domain Controller and need to do AD replication through our corporate Firewall as DCs are separate by the firewall.  I will follow the link from MS

http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx 

for firewall ports opening.

My question is when I put in the firewall rules shall I put the Source Domain Controller ports to ANY (i.e. Source Port) and the Destination Domain Controller ports (i.e. Destination Ports) to the ports described on the about link ?

Also, I suppose if I have two DCs, I need to put two firewall rules, one for allow replication from the first DC to the second one and another rule to allow replication from second DC to the first one ?

For Example :

Local Address      Local Port       Remote Address     Remote Port
DC1 IP                    Any                 DC2 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....
DC2 IP                    Any                 DC1 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....



Appreciate your kind advice in advance.

Patrick
0
Comment
Question by:patricktam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40378900
Looks good to me

you could make it wide open

Local Address      Local Port       Remote Address     Remote Port   Protocol
on DC1
DC1 IP                    Any                 DC2 IP                      Any                      UDP
DC1 IP                   Any                 DC2 IP                      Any                      TCP
On DC2
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
0
 

Author Comment

by:patricktam
ID: 40378980
We are going to conduct security audit soon so only the neccessary ports are allowed to be open.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 40380303
Is implementing IPSec a possibility? It's a nontrivial task, but it would allow you to open far fewer ports for replication between DCs. (You'll note in that link you posted that "TCP Dynamic" refers to a block of 16,384 ports.)
0
 
LVL 62

Accepted Solution

by:
gheist earned 1500 total points
ID: 40381024
Microsoft describes ports to open quite well.
0
 

Author Closing Comment

by:patricktam
ID: 40391023
Thank you for your advice
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
A hard and fast method for reducing Active Directory Administrators members.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question