us_matrix, Member, December 8, 2008 at 6:39 pm, #137508
We are running a Windows 2003 AD domain and would now like to allow user account authentication from the DMZ to the 2003 AD internal network. However, when we try to join the AD domain from the server in the DMZ, we get the error message "The RPC Server is unavailable". I worked with the network guy and, for testing purposes, he allowed any traffic between the DMZ and the internal network, and no traffic was being denied. So we moved forward to the next troubleshooting step, set up Ethereal and captured traffic from the server in the DMZ when trying to join the AD domain. We found one error in the Ethereal capture log, shown here: "384 136.20396 22.214.171.124 126.96.36.199 SAMR GetUserPwInfo response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED". This only happened between the DMZ and our internal network. I am able to join the AD domain with any client if it is in the internal network. I also performed netstat from the server in the DMZ. I can see that LDAP and netbios-ssn were established, but EPMAP failed to establish. I googled it and EPMAP is doing NetBIOS on port 135, but I confirmed with the network guy that this was being allowed and no denies were shown in the syslog. One more thing I would also like to mention is that the DMZ is in a different subnet, as you see in the above error "192.35.x.x", than the internal network "153.178.x.x". Would that be causing any problem when the DMZ and the internal network are in two different subnets when trying to join the domain? Any suggestion would be very appreciated.
PS. I was able to ping or use \\server to access the domain controller or a share from the server in the DMZ. I also checked the event viewer but no error was found.
Akila, Member, December 9, 2008 at 11:40 pm, #314981
Re: unable to join AD domain from DMZ
Those are the ports that need to be open in your firewall.
Service | Port
RPC Endpoint Mapper |
AD Replicator Service | 1024 and above (Dynamic Port)
 | 636 (Secure Sockets Layer [SSL])
LDAP (Global Catalog) | 3268 (Global Catalog)
LDAP (Global Catalog SSL) | 3269 (Global Catalog SSL)
SMB over IP |
NOTE: If NetBIOS is enabled, the standard NetBIOS ports could also be used. A logon by a client running Windows 2000 or later does not require NetBIOS though.
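A small reachability check for the fixed ports in this list, added here as an example and not code from either poster. It tells "filtered" (SYN silently dropped by something in the path, the likely cause when EPMAP never establishes) apart from "closed" (host answers with a reset) and "open". The port numbers 135 (endpoint mapper, named in the original post) and 445 (SMB over IP) are assumed from general Windows knowledge, and the DC host name is a placeholder; the dynamic RPC range is only reported because it cannot be probed port by port.

```python
import socket
from typing import Callable, Dict, Optional

# Service -> TCP port, from the list above plus two values the list omits:
# 135 for the RPC Endpoint Mapper (EPMAP) and 445 for SMB over IP (assumed).
AD_PORTS: Dict[str, int] = {
    "RPC Endpoint Mapper (EPMAP)": 135,
    "LDAP SSL": 636,
    "LDAP (Global Catalog)": 3268,
    "LDAP (Global Catalog SSL)": 3269,
    "SMB over IP": 445,
}


def classify(err: Optional[BaseException]) -> str:
    """Map the outcome of one TCP connect to what it usually means at the firewall."""
    if err is None:
        return "open"       # handshake completed: port permitted and a service listens
    if isinstance(err, ConnectionRefusedError):
        return "closed"     # RST came back: traffic reached the host, nothing listens
    if isinstance(err, (socket.timeout, TimeoutError)):
        return "filtered"   # no reply at all: a device in the path dropped the SYN
    return "error"          # DNS failure, unreachable network, etc.


def try_connect(host: str, port: int, timeout: float = 3.0) -> Optional[BaseException]:
    """Attempt one TCP connect; return the exception raised, or None on success."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as e:
        return e


def check_dc_ports(host: str, ports: Dict[str, int] = AD_PORTS,
                   connect: Callable[[str, int], Optional[BaseException]] = try_connect
                   ) -> Dict[str, str]:
    """Probe every fixed AD port on host; connect is injectable so the logic runs offline."""
    return {name: classify(connect(host, port)) for name, port in ports.items()}


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"  # placeholder name
    for name, state in check_dc_ports(dc).items():
        print(f"{state:9} {AD_PORTS[name]:5} {name}")
    print("also required: dynamic RPC range (1024 and above) from the DMZ host to the DC")
```

Run it from the DMZ host against the domain controller; a "filtered" result on 135 with "open" on 389/445 matches the netstat picture in the original post.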