unable to join AD domain from DMZ


This topic contains 2 replies, has 3 voices, and was last updated by  Akila 9 years, 11 months ago.


  • us_matrix

    We are running a Windows 2003 AD Domain and now would like to allow user account authentication from the DMZ to the 2003 AD internal network. However, when we try to join the AD domain from the server in the DMZ, we get an error message "The RPC Server is unavailable". I worked with the network guy and, for testing purposes, he allowed any traffic between the DMZ and the internal network, and no traffic was being denied. So we moved forward to the next troubleshooting step, set up Ethereal, and captured traffic from the server in the DMZ when it tried to join the AD domain. We found one error in the Ethereal capture log, shown here: "384 136.20396 SAMR GetUserPwInfo response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED". This only happened between the DMZ and our internal network. I am able to join the AD domain with any client if it is on the internal network. I also performed netstat on the server in the DMZ. I can see that LDAP and Netbios-ssn were established, but EPMAP failed to establish. I googled it and EPMAP is doing netbios on port 135, but I confirmed with the network guy that this was being allowed and no denies were shown in the syslog. One more thing I would also like to mention is that the DMZ is on a different subnet, as you see in the above error "192.35.x.x", than the internal network "153.178.x.x". Would that be causing any problem when the DMZ and the internal network are on two different subnets when trying to join the domain? Any suggestion would be very much appreciated.
    PS. I was able to ping or \\server to access the domain controller or a share from the server in the DMZ. I also checked the event viewer but no error was found.


    Re: unable to join AD domain from DMZ

    Those are the ports that need to be open in your firewall.

    Service Name                 Port
    RPC Endpoint Mapper
    AD Replicator Service        1024 and above (Dynamic Port)
    LDAP (SSL)                   636 (Secure Sockets Layer [SSL])
    LDAP (Global Catalog)        3268 (Global Catalog)
    LDAP (Global Catalog SSL)    3269 (Global Catalog SSL)
    SMB over IP

    NOTE: If NetBIOS is enabled, the standard NetBIOS ports could also be used. A logon by a client running Windows 2000 or later does not require NetBIOS though.
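    As an added example (not from this thread), a small Python check a DMZ host can run against its DC to see which of the fixed ports in the list above complete a TCP handshake, and to read the result in terms of the endpoint-mapper (port 135) failure the original post saw. It assumes 389 and 445 for the LDAP and SMB-over-IP rows, which the list leaves blank, and the DC name is a placeholder.

```python
import socket

# Fixed TCP ports a domain member needs on a DC. 636/3268/3269 are from the
# reply above and 135 is the endpoint mapper named in the original post;
# 389 (LDAP) and 445 (SMB over IP) are the standard ports for those rows
# (assumed here, the list leaves them blank).
REQUIRED_PORTS = {
    135: "RPC Endpoint Mapper",
    389: "LDAP",
    445: "SMB over IP",
    636: "LDAP (SSL)",
    3268: "LDAP (Global Catalog)",
    3269: "LDAP (Global Catalog SSL)",
}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dc(host, connect=tcp_reachable):
    """Map each required port to whether it is reachable from this host.
    `connect` is injectable so the logic can be exercised without a network."""
    return {port: connect(host, port) for port in REQUIRED_PORTS}


def diagnose(results):
    """Turn probe results into findings. A blocked 135 explains 'The RPC
    server is unavailable': the join must query the endpoint mapper before
    it can reach SAMR/Netlogon on a dynamic port (1024 and above)."""
    findings = []
    for port, ok in sorted(results.items()):
        if not ok:
            findings.append("blocked: %d (%s)" % (port, REQUIRED_PORTS[port]))
    if results.get(135):
        findings.append("135 open: also confirm the firewall passes the dynamic "
                        "RPC range (1024 and above) the endpoint mapper hands back; "
                        "a blind connect cannot verify it, check the rules or a capture")
    else:
        findings.append("135 blocked: the join cannot bind to RPC; expect "
                        "'The RPC server is unavailable'")
    return findings


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc.example.internal"  # placeholder
    for line in diagnose(probe_dc(dc)):
        print(line)
```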


    Re: unable to join AD domain from DMZ

    An interesting article, which might give some additional info on whether or not you should place a Domain Member in the DMZ.

    From our Exchange Guru Sembee:

