homelabguy
asked on
What ports are needed to connect to a domain controller
I have a domain controller behind a firewall and I want to join machines in a DMZ to it. I found this article https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx but for group policy it just says "UDP Dynamic".
Do I really need to open EVERY UDP port to it through the DMZ? Any way I can limit that range or no?
Environment notes:
DC and clients are Server 2012R2.
Firewall between DC and DMZ is pfSense
The link below outlines all of the ports required for Active Directory communication.
https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
However, I would highly NOT RECOMMEND putting a DC in a DMZ. I would not even put a RODC in a DMZ. This poses a security risk. If you are trying to do some sort of Federation/Authentication then implementing something like ADFS (federated services) would be more suitable, if this is what you are trying to achieve.
I just wanted to be upfront with you.
Will.
You can't do what you want. But joining a server in a DMZ to a domain behind the DMZ firewall would pretty much make the DMZ useless anyways. Not much (or any) benefit to such a configuration, so no changes to the product have been made to enable such a scenario.
ASKER
@Shadowless127 No workstations in the DMZ. By "client" I meant other Server 2012 machines that will be exposed to other locations. The DMZ is what is accessible to other physical locations in a cluster of site-to-site VPN links. So a Windows File Server or IIS server would go in the DMZ. Clients are in the LAN. "DMZ" is really a poor name for servers shared with other locations. There is still another firewall between "DMZ" and the internet.
Mostly I want to know if in that link I posted "UDP Dynamic" for Group Policy is a certain range of UDP ports or all UDP ports.
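The asker's follow-up is about whether "UDP Dynamic" means a fixed range or every UDP port. The dynamic ports in that table are the RPC ephemeral range of the domain controller, which on Windows Server 2008 and later defaults to 49152-65535 unless an administrator has changed it. The script below is an added example, not code from the thread or from Microsoft: the first function, run on the DC, reads the dynamic range it is actually configured with via netsh; the second, run on the DMZ member before joining, probes the well-known AD TCP ports from the TechNet table so a firewall gap shows up as a failed port rather than a cryptic join error. The DC name "dc01.corp.example" is a placeholder, and Test-NetConnection only checks TCP, so the UDP ports are listed for the firewall rule but not probed.

```powershell
# Added example, not from the thread. Requires Windows 8.1 / Server 2012 R2
# or later (Test-NetConnection). "dc01.corp.example" is a placeholder.

function Get-DynamicPortRange {
    # Run this ON THE DOMAIN CONTROLLER: it is the DC's ephemeral range that
    # RPC-based services (including Group Policy's RPC traffic) listen on.
    param([ValidateSet('tcp','udp')][string]$Protocol = 'udp')

    # netsh prints lines such as "Start Port : 49152" / "Number of Ports : 16384"
    $out   = netsh int ipv4 show dynamicport $Protocol
    $start = [int]($out | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value
    $count = [int]($out | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value

    [pscustomobject]@{
        Protocol = $Protocol.ToUpper()
        Start    = $start
        End      = $start + $count - 1   # e.g. 49152 + 16384 - 1 = 65535 on defaults
    }
}

function Test-AdPortReachability {
    # Run this ON THE DMZ MEMBER that is about to be joined.
    param([string]$DomainController = 'dc01.corp.example')

    # Well-known AD ports from the TechNet port-requirements table.
    # UDP entries are for the firewall rule only; Test-NetConnection is TCP.
    $AdPorts = @(
        @{ Port = 53;   Proto = 'TCP/UDP'; Service = 'DNS' },
        @{ Port = 88;   Proto = 'TCP/UDP'; Service = 'Kerberos' },
        @{ Port = 123;  Proto = 'UDP';     Service = 'W32Time (NTP)' },
        @{ Port = 135;  Proto = 'TCP';     Service = 'RPC endpoint mapper' },
        @{ Port = 389;  Proto = 'TCP/UDP'; Service = 'LDAP / CLDAP' },
        @{ Port = 445;  Proto = 'TCP';     Service = 'SMB (SYSVOL/NETLOGON for Group Policy)' },
        @{ Port = 464;  Proto = 'TCP/UDP'; Service = 'Kerberos password change' },
        @{ Port = 636;  Proto = 'TCP';     Service = 'LDAPS' },
        @{ Port = 3268; Proto = 'TCP';     Service = 'Global Catalog' },
        @{ Port = 3269; Proto = 'TCP';     Service = 'Global Catalog over TLS' }
    )

    foreach ($entry in $AdPorts) {
        if ($entry.Proto -notmatch 'TCP') {
            # Cannot probe UDP with Test-NetConnection; report it as "rule only".
            [pscustomobject]@{ Port = $entry.Port; Proto = $entry.Proto
                               Service = $entry.Service; Reachable = 'n/a (UDP)' }
            continue
        }
        $r = Test-NetConnection -ComputerName $DomainController -Port $entry.Port `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $entry.Port; Proto = $entry.Proto
                           Service = $entry.Service; Reachable = $r.TcpTestSucceeded }
    }
}

# Usage:
#   On the DC:          Get-DynamicPortRange -Protocol udp ; Get-DynamicPortRange -Protocol tcp
#   On the DMZ member:  Test-AdPortReachability -DomainController 'dc01.corp.example' | Format-Table
```

The pfSense rule for the "Dynamic" rows is then the Start-End range that Get-DynamicPortRange reports, towards the DC only, rather than all 65535 UDP ports. Shrinking that range further is a change on the DC side (the ephemeral range, or the NTDS static-port setting Microsoft documents separately), and it has to be done before the firewall rule is narrowed, otherwise Group Policy and other RPC-based traffic fails silently.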
ASKER CERTIFIED SOLUTION
If accessing a Domain over the internet, I would recommend implementing a VPN solution for clients accessing your network. Then the network and DC would be secure and limited to just your users.
SOLUTION
ASKER
Thanks for the info!
You can't change the ports AD uses.