Solved

Active Directory Replication Through Firewall Question

Posted on 2014-10-13
5
285 Views
Last Modified: 2014-10-19
Our company has a few Windows Server 2012 R2 Domain Controller and need to do AD replication through our corporate Firewall as DCs are separate by the firewall.  I will follow the link from MS

http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx 

for firewall ports opening.

My question is when I put in the firewall rules shall I put the Source Domain Controller ports to ANY (i.e. Source Port) and the Destination Domain Controller ports (i.e. Destination Ports) to the ports described on the about link ?

Also, I suppose if I have two DCs, I need to put two firewall rules, one for allow replication from the first DC to the second one and another rule to allow replication from second DC to the first one ?

For Example :

Local Address      Local Port       Remote Address     Remote Port
DC1 IP                    Any                 DC2 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....
DC2 IP                    Any                 DC1 IP                      TCP 389, 88, 9389, 135, 445 ....      UDP 389, 445, 88 .....



Appreciate your kind advice in advance.

Patrick
0
Comment
Question by:patricktam
5 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40378900
Looks good to me

you could make it wide open

Local Address      Local Port       Remote Address     Remote Port   Protocol
on DC1
DC1 IP                    Any                 DC2 IP                      Any                      UDP
DC1 IP                   Any                 DC2 IP                      Any                      TCP
On DC2
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
DC2 IP                    Any                 DC1 IP                      ANY                    UDP
0
 

Author Comment

by:patricktam
ID: 40378980
We are going to conduct security audit soon so only the neccessary ports are allowed to be open.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 40380303
Is implementing IPSec a possibility? It's a nontrivial task, but it would allow you to open far fewer ports for replication between DCs. (You'll note in that link you posted that "TCP Dynamic" refers to a block of 16,384 ports.)
0
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 40381024
Microsoft describes ports to open quite well.
0
 

Author Closing Comment

by:patricktam
ID: 40391023
Thank you for your advice
0

Featured Post

New! My Passport Wireless Pro Wi-Fi Mobile Storage

Portable wireless storage to offload, edit, and stream anywhere.

High-capacity, wireless mobile storage designed to accompany professional photographers and videographers in the field to easily offload, edit and stream captured photos and high-definition videos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now