unable to join AD domain from DMZ

  • unable to join AD domain from DMZ

    Hi,
    We are running a Windows 2003 AD domain and would now like to allow user account authentication from the DMZ to the 2003 AD internal network. However, when we try to join the AD domain from the server in the DMZ, we get the error message "The RPC Server is unavailable". I worked with the network guy and, for testing purposes, he allowed any traffic between the DMZ and the internal network, and no traffic was being denied. So we moved forward to the next troubleshooting step, setting up Ethereal and capturing traffic from the server in the DMZ while trying to join the AD domain. We found one error in the Ethereal capture log, shown here: "384 136.20396 153.178.23.22 192.35.46.81 SAMR GetUserPwInfo response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED". This only happened between the DMZ and our internal network. I am able to join the AD domain with any client if it is in the internal network. I also ran netstat on the server in the DMZ. I can see that LDAP and netbios-ssn were established, but EPMAP failed to establish. I googled it and EPMAP is doing NetBIOS on port 135, but I confirmed with the network guy that this was being allowed and no denies were shown in the syslog. One more thing I would also like to mention is that the DMZ is in a different subnet, as you see in the above error ("192.35.x.x"), than the internal network ("153.178.x.x"). Would that cause any problem when the DMZ and the internal network are in two different subnets when trying to join the domain? Any suggestion would be very much appreciated.
    PS. I was able to ping or use \\server to access the domain controller or a share from the server in the DMZ. I also checked the Event Viewer but found no error.
    Thanks.
    Mugen

  • #2
    Re: unable to join AD domain from DMZ

    These are the ports that need to be open in your firewall.

    Service Name                 UDP     TCP
    RPC Endpoint Mapper                  135
    AD Replicator Service                1024 and above (Dynamic Port)
    LDAP                         389     389
    LDAP (SSL)                           636 (Secure Sockets Layer [SSL])
    LDAP (Global Catalog)                3268 (Global Catalog)
    LDAP (Global Catalog SSL)            3269 (Global Catalog SSL)
    Kerberos                     88      88
    SMB over IP                  445     445
    DNS                          53      53

    NOTE: If NetBIOS is enabled, the standard NetBIOS ports could also be used. A logon by a client running Windows 2000 or later does not require NetBIOS though.
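    The script below is an added example, not something posted in this thread: run from the DMZ server, it tries a TCP connect to each port in the table above and reports OPEN, TIMEOUT (what a firewall drop usually looks like) or REFUSED (the host answered but nothing is listening). The DC name is a placeholder you must replace; only the TCP column is probed, because a UDP probe cannot distinguish "open" from "filtered".

```powershell
# Added example (not from the thread): test TCP reachability from a DMZ host
# to a domain controller for each port in the table above.
# $DcName is an assumption; replace it with the DC the DMZ server should join.
$DcName = 'dc01.corp.example'

# Service/port pairs taken from the TCP column of the table above.
$AdPorts = @(
    @{ Service = 'RPC Endpoint Mapper';       Port = 135  },
    @{ Service = 'LDAP';                      Port = 389  },
    @{ Service = 'LDAP (SSL)';                Port = 636  },
    @{ Service = 'LDAP (Global Catalog)';     Port = 3268 },
    @{ Service = 'LDAP (Global Catalog SSL)'; Port = 3269 },
    @{ Service = 'Kerberos';                  Port = 88   },
    @{ Service = 'SMB over IP';               Port = 445  },
    @{ Service = 'DNS';                       Port = 53   }
)

function Test-TcpPort {
    # Returns 'OPEN', 'TIMEOUT' (no SYN/ACK within the timeout, typically a
    # firewall drop) or 'REFUSED' (host reachable, connection rejected).
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT'
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'OPEN'
    } catch {
        return 'REFUSED'
    } finally {
        $client.Close()
    }
}

# Probe every port and print one row per service.
$results = foreach ($entry in $AdPorts) {
    New-Object PSObject -Property @{
        Service = $entry.Service
        Port    = $entry.Port
        State   = Test-TcpPort -ComputerName $DcName -Port $entry.Port
    }
}
$results | Format-Table Service, Port, State -AutoSize
```

    Two caveats when reading the output. First, TCP 135 showing OPEN is necessary but not sufficient: the endpoint mapper only tells the client which dynamic port (1024 and above, per the table) the real RPC call should go to, so the firewall must pass that range as well; Microsoft documents pinning the DC's dynamic RPC range through the HKLM\SOFTWARE\Microsoft\Rpc\Internet registry key (values Ports, PortsInternetAvailable and UseInternetPorts), which lets you open a small, fixed range instead of everything above 1024. Second, an Ethereal line such as the SAMR response with STATUS_ACCESS_DENIED in the original post is a reply from the DC, so at least that exchange did get through the firewall; a port that is silently dropped shows up as a connection that never completes, not as an access-denied response.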



    • #3
      Re: unable to join AD domain from DMZ

      An interesting article, which might give some additional info on whether or not you should place a Domain Member in the DMZ.

      From our Exchange Guru Sembee:

      http://www.sembee.co.uk/archive/2006/02/23/7.aspx
      [Powershell]
      Start-DayDream
      Set-Location Malibu Beach
      Get-Drink
      Lay-Back
      Start-Sleep
      ....
      Wake-Up!
      Resume-Service
      Write-Warning
      [/Powershell]

      BLOG: Therealshrimp.blogspot.com
