unable to join AD domain from DMZ


This topic contains 2 replies, has 3 voices, and was last updated by  Akila 9 years, 11 months ago.


  • us_matrix
    Member
    #137508

    Hi,
    We are running a Windows 2003 AD domain and would now like to allow user account authentication from the DMZ to the 2003 AD internal network. However, when we try to join the AD domain from the server in the DMZ, we get the error message "The RPC Server is unavailable". I worked with the network guy and, for testing purposes, he allowed any traffic between the DMZ and the internal network, and no traffic was being denied. So we moved forward to the next troubleshooting step, setting up Ethereal and capturing traffic from the server in the DMZ while trying to join the AD domain. We found one error in the Ethereal capture log, shown here: "384 136.20396 153.178.23.22 192.35.46.81 SAMR GetUserPwInfo response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED". This only happened between the DMZ and our internal network. I am able to join the AD domain with any client if it is in the internal network. I also performed a netstat from the server in the DMZ. I can see that LDAP and NetBIOS-ssn were established, but EPMAP failed to establish. I googled it and EPMAP is doing NetBIOS on port 135, but I confirmed with the network guy that it was being allowed and no denies were shown in the syslog. One more thing I would also like to mention is that the DMZ is in a different subnet, as you see in the above error ("192.35.x.x"), than the internal network ("153.178.x.x"). Would that be causing any problem when the DMZ and the internal network are in two different subnets when trying to join the domain? Any suggestion would be very much appreciated.
    PS. I was able to ping or use \\server to access the domain controller or a share from the server in the DMZ. I also checked the Event Viewer but found no errors.
    Thanks.
    Mugen


    Akila
    Member
    #314981

    Re: unable to join AD domain from DMZ

    Those are the ports that need to be open in your firewall.

    Service Name                 UDP    TCP
    RPC Endpoint Mapper                 135
    AD Replicator Service               1024 and above (dynamic port)
    LDAP                         389    389
    LDAP (SSL)                          636 (Secure Sockets Layer [SSL])
    LDAP (Global Catalog)               3268 (Global Catalog)
    LDAP (Global Catalog SSL)           3269 (Global Catalog SSL)
    Kerberos                     88     88
    SMB over IP                  445    445
    DNS                          53     53

    NOTE: If NetBIOS is enabled, the standard NetBIOS ports could also be used. A logon by a client running Windows 2000 or later does not require NetBIOS though.
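An added reachability probe for the fixed TCP ports listed in the reply above (example code written for this page, not from the thread or Microsoft): run it on the DMZ host against the domain controller to see which handshakes fail and which join symptom that maps to. The DC name "dc01.example.internal" is a placeholder; the RPC dynamic range is explained in the comments rather than probed.

```python
import socket
import sys

# Service -> TCP port, taken from the port table in the reply above. The RPC
# dynamic range (TCP 1024 and above) is absent on purpose: the client learns
# that port from the Endpoint Mapper on TCP 135, so a fixed probe cannot cover it.
REQUIRED_TCP_PORTS = {
    "RPC Endpoint Mapper": 135,
    "Kerberos": 88,
    "LDAP": 389,
    "LDAP (SSL)": 636,
    "LDAP (Global Catalog)": 3268,
    "LDAP (Global Catalog SSL)": 3269,
    "SMB over IP": 445,
    "DNS": 53,
}

def tcp_connect(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_dc_ports(host, connect=tcp_connect):
    """Probe every fixed port in the table; connect is injectable for testing."""
    return {name: connect(host, port) for name, port in REQUIRED_TCP_PORTS.items()}

def blocked_services(results):
    return sorted(name for name, ok in results.items() if not ok)

def diagnose(results):
    """Map the probe outcome onto the symptom a domain join would show."""
    blocked = blocked_services(results)
    if not blocked:
        return ("all fixed ports reachable; if the join still fails, check the "
                "RPC dynamic range (TCP 1024+) and the domain's DNS SRV records")
    if "RPC Endpoint Mapper" in blocked:
        return "TCP 135 unreachable: expect 'The RPC server is unavailable'"
    return "blocked: " + ", ".join(blocked)

if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"  # placeholder name
    results = check_dc_ports(dc)
    for name, ok in results.items():
        print(f"{'open  ' if ok else 'CLOSED'} {REQUIRED_TCP_PORTS[name]:5d}  {name}")
    print(diagnose(results))
```

A successful handshake on 135 only proves the filter lets the Endpoint Mapper through; the follow-up connection to the port it hands back still needs the 1024-and-above range open.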


    Killerbe
    Member
    #305974

    Re: unable to join AD domain from DMZ

    An interesting article, which might give some additional info on whether or not you should place a domain member in the DMZ.

    From our Exchange Guru Sembee:

    http://www.sembee.co.uk/archive/2006/02/23/7.aspx
