Re: Windows firewall for domain controllers



When a user on a client computer attempts to connect to a share on another computer, that computer (the one with the share) will attempt to authenticate the user by contacting the domain controller. If this authentication attempt fails, access to the share will be denied. So, if the Windows Firewall on the Domain Controllers is blocking the authentication requests, you will get the symptoms your users report.

As Jeremy stated, you must ensure that the firewall settings listed in KB article 555381 are indeed applied to all of the Domain Controllers.

It is quite possible that the Firewall Policy you configured for the Domain (intended for member servers and workstations) has different settings for the Standard Profile than for the Domain Profile in the Windows Firewall part of the GPO. This would be normal - more restrictive firewall settings for when the computer (e.g. laptop) is not connected to the corporate network.

Domain Controllers normally use the Windows Firewall's Standard Profile, NOT the Domain Profile, so make sure these settings are in both the Domain Profile and Standard Profile portion of Administrative Templates, Network, Network Connection.

Verify the settings on the domain controller(s) using Control Panel, Windows Firewall or the command

netsh firewall show state

Also, if there are multiple domain controllers, you must configure the Active Directory and File Replication services to use the same specific port on every domain controller in the forest (section 1 in the Resolutions part of the KB article), then restart every domain controller.

I've been using this firewall configuration on my (small) domain successfully since Windows Server 2003 SP1 (the domain has since been upgraded to Windows Server 2003 R2 SP2).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
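The point above about the Domain Profile versus the Standard Profile is easy to check mechanically. The following Python script (an added example, not part of the original thread) parses GPO port-exception strings in the KB 555381 format (port:protocol:scope:status:name) and reports every port that is open in the Domain Profile but missing or disabled in the Standard Profile, which is the profile a domain controller actually uses. The Standard Profile list below is a constructed, deliberately incomplete sample.

```python
"""Compare Windows Firewall 'Define port exceptions' entries between profiles.

Entry format (as listed in KB 555381): port:protocol:scope:status:name
Example:                                 123:udp:*:enabled:NTP
"""
from typing import Iterable, List, NamedTuple, Tuple


class PortException(NamedTuple):
    port: int
    protocol: str   # "tcp" or "udp"
    scope: str      # "*" for any address, or a subnet/address list
    enabled: bool
    name: str


def parse_exception(entry: str) -> PortException:
    """Parse one GPO port-exception string; reject malformed entries."""
    parts = entry.strip().split(":", 4)       # name may itself contain ':'
    if len(parts) != 5:
        raise ValueError(f"malformed port exception: {entry!r}")
    port, proto, scope, status, name = parts
    proto, status = proto.lower(), status.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol in {entry!r}")
    if status not in ("enabled", "disabled"):
        raise ValueError(f"unknown status in {entry!r}")
    return PortException(int(port), proto, scope, status == "enabled", name)


def active_ports(entries: Iterable[str]) -> set:
    """(port, protocol) pairs that are actually open: enabled entries only."""
    return {(e.port, e.protocol) for e in map(parse_exception, entries) if e.enabled}


def missing_from_standard(domain: Iterable[str], standard: Iterable[str]) -> List[Tuple[int, str]]:
    """Ports open in the Domain Profile but not in the Standard Profile.

    A DC applies the Standard Profile, so every pair returned here is a
    service the DC firewall will block even though the Domain Profile allows it.
    """
    return sorted(active_ports(domain) - active_ports(standard))


# Domain Profile: the exception list from KB 555381 as quoted in the thread.
DOMAIN_PROFILE = [
    "123:udp:*:enabled:NTP", "3268:tcp:*:enabled:Global Catalog LDAP",
    "389:tcp:*:enabled:LDAP", "389:udp:*:enabled:LDAP",
    "53:tcp:*:enabled:DNS", "53:udp:*:enabled:DNS",
    "53211:tcp:*:enabled:AD Replication", "53212:tcp:*:enabled:File Replication Service",
    "88:tcp:*:enabled:Kerberos", "88:udp:*:enabled:Kerberos",
]
# Standard Profile: constructed sample that was never updated (hypothetical).
STANDARD_PROFILE = [
    "123:udp:*:enabled:NTP", "53:tcp:*:enabled:DNS", "53:udp:*:enabled:DNS",
    "88:tcp:*:disabled:Kerberos",   # present but disabled: still blocked
]

if __name__ == "__main__":
    for port, proto in missing_from_standard(DOMAIN_PROFILE, STANDARD_PROFILE):
        print(f"{port}/{proto} open in Domain Profile but not in Standard Profile")
```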



"Sandra L Miller" <slm@xxxxxxxxxxxxxx> wrote in message news:4644DAB7.8090208@xxxxxxxxxxxxxxxxx
Once, long ago, I read that you should not turn on Windows firewall
on domain controllers. So we had 'Protect all network connections'
enabled for our entire domain, with it disabled in the Default Domain
Controllers Policy. Everything was working fine.

Recently, I found a white paper from MS titled "How to configure
Windows Server 2003 SP1 firewall for a Domain Controller"
(http://support.microsoft.com/kb/555381). It said to set:

Windows Firewall: Protect all network connections - Enabled
Windows Firewall: Allow remote exception - Enabled
Windows Firewall: Allow file and printer sharing exception - Enabled
Windows Firewall: Define port exceptions - Enabled
123:udp:*:enabled:NTP
3268:tcp:*:enabled:Global Catalog LDAP
389:tcp:*:enabled:LDAP
389:udp:*:enabled:LDAP
53:tcp:*:enabled:DNS
53:udp:*:enabled:DNS
53211:tcp:*:enabled:AD Replication
53212:tcp:*:enabled:File Replication Service
88:tcp:*:enabled:Kerberos
88:udp:*:enabled:Kerberos

I followed the instructions in the paper to turn on the firewall
on our two domain controllers. Almost immediately, users started
reporting that they could not access shares on other machines (not
on the domain controllers themselves). I also discovered that I
could no longer Remote Desktop to the domain controllers.

I assumed that the firewall policy we had in place for the entire
domain would apply to the DCs and these new settings would be added
to the DCs (in other words, the settings that were 'Not configured'
in the DC Policy would be the same as for the entire domain). Is
that not true?

Why would turning on the firewall on the domain controllers cause
a share on one workstation to be inaccessible to another workstation?
Is there another port that must be added to the list of port exceptions?
And why would I no longer be able to Remote Desktop to the DCs when
'Allow Remote Desktop exception' is Enabled in a policy applied to
the entire domain, and Undefined in the DC policy?

Thanks,
Sandy

--
Sandra L Miller
Windows System Administrator
Department of Computer Science
University of Arizona

"The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of Arizona."



