Re: AD what tcp/ip port or registry settings?



I don't think you can configure it to work on 5 ports. Every example I have
seen shows setting the value to a single port number.

Assuming that you applied the TCP/IP port value to all DC/GCs and rebooted
them, I'm still swaying toward a hang-up on the member clients not being
able to process GPOs or user profile. I'm swaying this way because I'm
seeing the same thing in our site where logons take 30-90 seconds*. Are
there any warnings/errors in the event logs on the client to indicate that a
domain controller could not be found?

Have you tried turning on user environment logging to get a feel for where
the hang up is during logon?
http://support.microsoft.com/default.aspx?scid=kb;en-us;221833&sd=RMVP

The only other things I can think of that might be a problem are Kerberos
authentication or the site doing some type of RPC filtering.

By default, Kerberos is done over UDP. There is a possibility that the
firewall doesn't like Kerberos over UDP and you would have a better shot of
forcing all Kerberos activity to TCP by using the steps mentioned in
http://support.microsoft.com/default.aspx?scid=kb;en-us;244474&sd=RMVP

For RPC filtering, there is a functional change in SP1 for Windows 2003.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;899148&sd=RMVP
for additional information.

/neo

* While we had no devices that are configured to block ICMP, we found that
ICMP did not work over our Frame over ATM links. (e.g. we could issue ICMP
up to 1702; since Windows requires a size of 2048, the member clients would
incur a logon delay.)

"MarcusB" <marcusb@xxxxxxxxx> wrote in message
news:uOpzZbCaFHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
> Yes, ICMP is allowed. We use iptables firewalls. DNS is also allowed and is
> on both DCs, which are also behind the firewall.
> I think that it has to do with RPC, which is communicating on one port
> only, as I described. How do I configure it to work on five ports instead,
> for example?
>
> MarcusB
>
>
> neo [mvp outlook] wrote:
>> By the way, the size of the ICMP (ping) packet is 2048. Figured this
>> might be worth mentioning as some firewall vendors (e.g. Checkpoint)
>> object to ICMP packets over a given size and/or you might have other
>> devices setup to drop ICMP.
>>
>> I'm also assuming that the client workstations point to a DNS server that
>> contains the required SRV entries for the domain. (e.g. Clients and
>> servers point to the same DNS servers)
>>
>> "neo [mvp outlook]" <neo@xxxxxxxxxxxxxxx> wrote in message
>> news:eBANBs1ZFHA.3572@xxxxxxxxxxxxxxxxxxxxxxx
>>
>>>Is ICMP allowed across the firewall? (ICMP is needed in order to have
>>>GPOs be processed.)
>>>
>>>"MarcusB" <marcusb@xxxxxxxxx> wrote in message
>>>news:OInKwP1ZFHA.3096@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>>>We have our domain controllers behind the firewall. To be able to work
>>>>we opened a lot of ports. All are in the list below. We also changed the
>>>>registry to make RPC use one port:
>>>>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
>>>>"TCP/IP Port"=dword:0000c000
>>>>
>>>>OPENED PORTS ON THE FIREWALL separating clients and servers. Servers and
>>>>clients are in the same building but separated by a firewall.
>>>>
>>>>Service                               Port/protocol
>>>>RPC endpoint mapper                   135/tcp, 135/udp
>>>>NetBIOS name service                  137/tcp, 137/udp
>>>>NetBIOS datagram service              138/udp
>>>>NetBIOS session service               139/tcp
>>>>RPC static port for AD replication    49152/tcp
>>>>SMB over IP (Microsoft-DS)            445/tcp, 445/udp
>>>>LDAP                                  389/tcp
>>>>LDAP over SSL                         636/tcp
>>>>Global catalog LDAP                   3268/tcp
>>>>Global catalog LDAP over SSL          3269/tcp
>>>>Kerberos                              88/tcp, 88/udp
>>>>DNS                                   53/tcp, 53/udp
>>>>WINS resolution (if required)         1512/tcp, 1512/udp
>>>>WINS replication (if required)        42/tcp, 42/udp
>>>>Network time protocol (NTP)           123/udp
>>>>
>>>>Everything is working, but it takes a long time to log in. If I go
>>>>with a laptop directly behind the firewall it takes 2-5 seconds to log in.
>>>>If we are behind the firewall it takes 30 seconds or longer.
>>>>How do I solve this problem?
>>>>
>>>>
>>>>MarcusB
>>>
>>>
>>
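A client-side consistency and reachability check written for this thread (an added example, not code from either poster): it confirms that the NTDS "TCP/IP Port" dword in the quoted .reg line matches the firewall rule for the static replication port, then TCP-connects to each listed TCP port from a client behind the firewall. The DC hostname dc1.example.local is a placeholder.

```python
"""Check the quoted NTDS static-port registry value against the firewall
port list, then probe each TCP port from the client side."""
import socket

# Constructed from the port table in the thread (TCP entries only).
DC_PORTS = {
    "RPC endpoint mapper": 135,
    "NetBIOS session service": 139,
    "RPC static port for AD replication": 49152,
    "SMB over IP (Microsoft-DS)": 445,
    "LDAP": 389,
    "LDAP over SSL": 636,
    "Global catalog LDAP": 3268,
    "Global catalog LDAP over SSL": 3269,
    "Kerberos": 88,
    "DNS": 53,
}

# The .reg line from the thread; REG_DWORD values are written as 8 hex digits.
NTDS_REG_LINE = '"TCP/IP Port"=dword:0000c000'


def parse_reg_dword(line: str) -> int:
    """Return the integer value of a .reg 'name=dword:XXXXXXXX' line."""
    _, _, value = line.partition("=dword:")
    if len(value) != 8:
        raise ValueError(f"not a dword value: {line!r}")
    return int(value, 16)


def static_port_is_opened(reg_line: str, ports: dict) -> bool:
    """True when the NTDS static port equals the firewall rule for AD replication."""
    return parse_reg_dword(reg_line) == ports["RPC static port for AD replication"]


def probe_tcp(host: str, ports: dict, timeout: float = 2.0) -> dict:
    """TCP-connect to each port from the client; returns {service: reachable}."""
    results = {}
    for name, port in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[name] = True
        except OSError:  # refused, filtered (timeout) or unresolvable host
            results[name] = False
    return results


if __name__ == "__main__":
    print("static port matches firewall rule:", static_port_is_opened(NTDS_REG_LINE, DC_PORTS))
    for name, ok in probe_tcp("dc1.example.local", DC_PORTS).items():  # placeholder DC name
        print(f"{'open   ' if ok else 'BLOCKED'} {DC_PORTS[name]:>5}/tcp  {name}")
```

A port reported BLOCKED that is listed as open on the firewall points at a rule or routing problem; note this only covers TCP, so the UDP Kerberos and ICMP paths discussed above need a separate check.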
