Firewall ports for AD domains in 2 different forests--SMS indirect

From: Richard (Richard_at_discussions.microsoft.com)
Date: 02/28/05


Date: Mon, 28 Feb 2005 11:49:10 -0800

I would like to get input on which firewall ports are needed to be opened for
the below in relation to Active Directory only before I have our Headquarters
Firewall Team open the ports on the routers:

Question at bottom and response from SMS Newsgroup below.

"Since someone brought up the supported word, I will tackle that first.
Prior to SP1, splitting up 1 SMS site over multiple forests was
unsupported. Since SP1, your clients can be in a different forest, but
all site systems have to be installed in the same forest.

What you actually want to do is authenticate to a different domain
through a firewall.
So you will need access to DNS,
Global Catalog TCP 3268
Global Catalog SSL TCP 3269
LDAP TCP/UDP 389
LDAP SSL TCP/UDP 636
Kerberos TCP/UDP 88

I think that should be about it, I am pretty sure there has to be a KB
article about this, but I can't seem to locate it.

If all else fails you could go and ask the guys in the active directory
newsgroups.

Kim Oppalfens
Proud father of Lennart Oppalfens
Since 05/11/2004 08.53 GMT+1"

In article <BFC86512-96EA-40C3-ADF1-63F4DF24351E@microsoft.com>,
Richard@discussions.microsoft.com says...
> We have our office in Florida, which is running SMS 2003 SP1 in an AD
> environment. We want to be able to use the Client Push Installation Wizard
> to push Advanced clients to a separate AD domain in Georgia (another office
> which wants to join our SMS site). This domain is in another forest.
>
> I saw http://support.microsoft.com/default.aspx?kbid=826852 , but which are
> the ports that are needed only for discovery and to push the SMS agents to
> Georgia using the Push Install Wizard? We also want to be able to especially
> do inventory.
>
> How do I configure SMS so it can see the Georgia AD domain? In the
> Discovery methods, it asks to "Specify an Active Directory location in which
> to search for the container". If SMS can't see the domain, how do I do this?
> Will opening up the ports on the firewall allow SMS to see the Georgia
> domain?
>
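Once the firewall team has opened the ports named in the reply, a quick way to confirm them from the SMS site server is the script below. It is an added example, not part of the original thread; the DC and domain names are placeholders, and it needs Test-NetConnection and Resolve-DnsName (Windows 8 / Server 2012 or later). The UDP side of 88/389/636 cannot be probed with a TCP connect and still has to be checked in the firewall rule itself.

```powershell
# Added example (not from the original post): verify the AD ports listed in the
# reply are reachable toward a DC in the other forest, and that DNS can locate
# that forest's DCs. Host and domain names below are placeholders.
param(
    [string]$RemoteDc     = 'dc01.georgia.example.local',  # placeholder DC
    [string]$RemoteDomain = 'georgia.example.local'        # placeholder domain
)

# TCP ports from the reply. UDP 88/389/636 cannot be tested with a TCP connect.
$AdTcpPorts = [ordered]@{
    'DNS'                = 53
    'Kerberos'           = 88
    'LDAP'               = 389
    'LDAP SSL'           = 636
    'Global Catalog'     = 3268
    'Global Catalog SSL' = 3269
}

function Test-AdTcpPorts {
    param([string]$ComputerName, [System.Collections.IDictionary]$Ports)
    foreach ($entry in $Ports.GetEnumerator()) {
        # -InformationLevel Quiet makes Test-NetConnection return plain $true/$false.
        $ok = Test-NetConnection -ComputerName $ComputerName -Port $entry.Value `
              -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Service = $entry.Key; Port = $entry.Value; Reachable = [bool]$ok }
    }
}

# Clients locate DCs through these SRV records; discovery fails if they don't resolve.
function Test-AdDcLocatorRecords {
    param([string]$Domain)
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs') {
        $name = "$svc.$Domain"
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{ Record = $name; Resolves = $true; Targets = ($srv.NameTarget -join ', ') }
        } catch {
            [pscustomobject]@{ Record = $name; Resolves = $false; Targets = '' }
        }
    }
}

Test-AdTcpPorts -ComputerName $RemoteDc -Ports $AdTcpPorts | Format-Table -AutoSize
Test-AdDcLocatorRecords -Domain $RemoteDomain | Format-Table -AutoSize
```

Run it from the SMS site server itself, since that is the host the firewall rules must permit; a port that shows Reachable = False after the change points at a rule or routing problem rather than at SMS.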