Lev Kaytsner

asked on

AD DC in Azure Communications failing with AD DC On Premise

I am working on a project to create SSO for Office 365, so I built a VM in Azure and upgraded it to a DC from my on-premises AD (2008 R2 level).
I have opened the following ports on my firewall and in Azure:

• UDP Port 88 for Kerberos authentication
• UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations
• TCP Port 139 and UDP 138 for File Replication Service between domain controllers
• UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers
• TCP and UDP Port 445 for File Replication Service
• TCP and UDP Port 464 for Kerberos password change
• TCP Port 3268 and 3269 for Global Catalog from client to domain controller
• TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller

I only get hits on UDP ports in my ASA firewall, and I was able to promote this VM to a DC and synchronize it, so it works halfway.
Now I need to install ADFS on it, and that's where the problem comes in. Configuration fails, and when I go to the Event Viewer I see a lot of DNS and domain sync errors.

One of the problems I discovered is that the Azure DC cannot communicate with my PDC even though I have opened ports in my firewall between the Azure IP and my on-prem DC IP. I do have an IPsec VPN tunnel, but the server subnet (public) is not covered in it.

I need some thoughts and advice here.
Thanks,
Lev
Jian An Lim

https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
Please revisit all the ports.

I notice that you don't have the high ports 49152-65535/TCP/UDP.
UDP 137, 123
tcp/udp 88
tcp 389
are also missing, in addition to the high RPC ports.
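To make the port review in this thread repeatable, here is an added example (not code from the thread's participants or from Microsoft) that audits a firewall allow-list against the DC-to-DC ports discussed above. The `REQUIRED` table is compiled from the asker's list plus the ports Jian flags as missing; the KB article linked above remains the authoritative reference and should be checked for the Windows version in use. `ASKER_ALLOWED` and `JIAN_ADDITIONS` are transcriptions constructed from the posts, and `tcp_reachable` is an assumed helper for a live check of TCP ports only.

```python
"""Audit a firewall allow-list against the ports domain controllers need.

Added example for this thread; the REQUIRED table is assembled from the
asker's port list plus the additions in Jian An Lim's reply. Microsoft's
KB 179442 (linked in the thread) is the authoritative list.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    proto: str        # "tcp" or "udp"
    lo: int           # first port of the range
    hi: int           # last port of the range (== lo for a single port)
    purpose: str = ""

    def covers(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.lo <= port <= self.hi

    def __str__(self) -> str:
        ports = f"{self.lo}" if self.lo == self.hi else f"{self.lo}-{self.hi}"
        return f"{self.proto}/{ports}" + (f" ({self.purpose})" if self.purpose else "")


def parse_rule(spec: str, purpose: str = "") -> PortRule:
    """Parse 'tcp/88' or 'udp/49152-65535' into a PortRule."""
    proto, sep, ports = spec.strip().lower().partition("/")
    if not sep or proto not in ("tcp", "udp"):
        raise ValueError(f"bad rule {spec!r}: expected tcp/<port> or udp/<lo>-<hi>")
    lo_s, _, hi_s = ports.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range in {spec!r}")
    return PortRule(proto, lo, hi, purpose)


# Ports a DC needs to reach another DC, as discussed in the thread.
REQUIRED = [parse_rule(s, p) for s, p in [
    ("tcp/53", "DNS"), ("udp/53", "DNS"),
    ("tcp/88", "Kerberos"), ("udp/88", "Kerberos"),
    ("udp/123", "NTP / W32Time"),
    ("tcp/135", "RPC endpoint mapper"), ("udp/135", "RPC endpoint mapper"),
    ("udp/137", "NetBIOS name service"),
    ("udp/138", "NetBIOS datagram"),
    ("tcp/139", "NetBIOS session"),
    ("tcp/389", "LDAP"), ("udp/389", "LDAP"),
    ("tcp/445", "SMB / FRS"), ("udp/445", "SMB / FRS"),
    ("tcp/464", "Kerberos password change"), ("udp/464", "Kerberos password change"),
    ("tcp/3268", "Global Catalog"), ("tcp/3269", "Global Catalog over SSL"),
    ("tcp/49152-65535", "RPC dynamic ports"), ("udp/49152-65535", "RPC dynamic ports"),
]]

# The asker's original allow-list, transcribed from the question (constructed).
ASKER_ALLOWED = [
    "udp/88", "tcp/135", "udp/135", "tcp/139", "udp/138", "udp/389",
    "tcp/445", "udp/445", "tcp/464", "udp/464", "tcp/3268", "tcp/3269",
    "tcp/53", "udp/53",
]

# What Jian An Lim's reply says is missing (constructed from that reply).
JIAN_ADDITIONS = ["tcp/49152-65535", "udp/49152-65535", "udp/137", "udp/123",
                  "tcp/88", "udp/88", "tcp/389"]


def _collapse(ports):
    """Turn an ascending list of ports into contiguous (lo, hi) ranges."""
    ranges = []
    for p in ports:
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return [(lo, hi) for lo, hi in ranges]


def missing_rules(allowed):
    """Return the required ports (as PortRules) not covered by the allow-list.

    A range counts as covered only if every port in it is allowed, so an
    allow rule such as tcp/49152-50000 still reports tcp/50001-65535 as a gap.
    """
    allow = [parse_rule(s) for s in allowed]
    gaps = []
    for req in REQUIRED:
        uncovered = [p for p in range(req.lo, req.hi + 1)
                     if not any(r.covers(req.proto, p) for r in allow)]
        for lo, hi in _collapse(uncovered):
            gaps.append(PortRule(req.proto, lo, hi, req.purpose))
    return gaps


def tcp_reachable(host, port, timeout=2.0):
    """Live check: can a TCP handshake to host:port complete? TCP only; a
    connect test says nothing about UDP services such as NTP or DNS over UDP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print("Gaps in the asker's original allow-list:")
    for rule in missing_rules(ASKER_ALLOWED):
        print("  ", rule)
    print("Gaps after Jian's additions:",
          missing_rules(ASKER_ALLOWED + JIAN_ADDITIONS) or "none")
```

Running the module against the asker's list reports exactly the six gaps Jian names (TCP 88, UDP 123, UDP 137, TCP 389 and the TCP/UDP dynamic RPC range); after his additions the audit is clean. The per-port coverage check matters for the dynamic range, where a partially opened range is a common way for replication and ADFS setup to fail intermittently.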
Lev Kaytsner (ASKER)
Thank you. I added all these ports and I am able to communicate now. Interestingly enough, I don't think it's going through my VPN tunnel.
It only works if the public IP address is enabled to come through my on-prem firewall.
SOLUTION
Mahesh

This solution is only available to members of Experts Exchange.
Thank you. That's how I see it, but the fact that I had to open ports in my firewall tells me that this particular traffic is not going over the VPN tunnel and also because I had to enable public IP address on the server tells me that this data travels over public internet. I need to figure out routing in my Azure tenant to understand the flow.
ASKER CERTIFIED SOLUTION

This solution is only available to members of Experts Exchange.
Thanks, I got it to work. My Azure IPsec VPN tunnel works with my on-prem infrastructure. I had to transfer the PDC/RID role to a DC in the subnet that is attached to the VPN tunnel, and now my Azure DC is syncing with my on-prem DC. So, I am good to go.

Thank you for your help,
Lev
The points should be split between Jian and me, as he identified the missed ports first.
Whatever your closing comment mentions, the tunnel ideally should connect to the PDC server and the other ADC servers in the central site.
As long as you are able to connect to all DCs in the central location from the Azure DCs, you need not transfer FSMO roles.