Re: Windows Firewall Port requirements on Server 2003 SP1 DC



In news:B5AEF2FE-7983-45D2-8E3D-8EB01ED8EE5E@xxxxxxxxxxxxx,
Mehul <Mehul@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then
commented about below:
> Hi,
> I am interested in knowing which ports should be enabled on the Domain
> Controller which is on Server 2003 SP1 EE with Windows Firewall
> turned ON. This is to ensure that replication happens successfully
> between the domain controllers.
>
> This KB article:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;179442 lists
> the ports required to be configured on firewall to establish domain
> trust. After allowing these ports, I noticed that there are
> KCC event Id 1311, 1312 and 1865 error logs in the Directory Service
> Folder of Eventviewer on the DC.
>
> When I manually try to replicate between two DCs in the site using
> command 'repadmin /replicate <dc 1> <dc 2> <NC>', it gives me the
> following error:
>
> DsReplicaSync() failed with status 1753 (0x6d9):
> 'No more endpoints available from the endpoint mapper'
>
> Has anyone been able to successfully configure Windows Firewall on
> the DC so that all DC to DC communication happens successfully?
>
> I also noticed that as soon as I turn the Firewall OFF on the DC, the
> above command works successfully.
>
> Any pointers to troubleshoot the issue would be very much appreciated.
>
> Thanks,
> --Mehul

You may not have allowed UDP >1023, which opens UDP wide open from 1024 and
above, but is required by DCs and Windows clients.

Normally, we'll leave the firewall service disabled on a DC and rely on an
entrance point device that uses stateful packet inspection to protect the
network. Firewalled DCs can become problematic.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
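Added example (not from either poster in this thread): a PowerShell check an admin can run from a Windows 8 / Server 2012 or later host to confirm which of the fixed ports a DC needs are reachable on its replication partner, plus the Microsoft-documented alternative to opening the whole >1023 range: pinning AD replication RPC to one port via the NTDS "TCP/IP Port" registry value (KB 224196) and opening only 135 plus that port with the Server 2003 SP1 netsh firewall syntax. Host names and the port number 50000 are placeholders; error 1753 in the question maps to TCP 135 (endpoint mapper) or the dynamic RPC port it hands out being blocked.

```powershell
# Added example, not code from the original thread. Assumes a Windows host with
# Test-NetConnection (Windows 8 / Server 2012 or later) and network reach to the
# partner DC. Host names and the pinned port are placeholders chosen here.

# Fixed TCP ports a DC must be able to reach on its replication partner.
$DcFixedTcpPorts = @(
    [pscustomobject]@{ Port = 135;  Service = 'RPC endpoint mapper (error 1753 points here)' }
    [pscustomobject]@{ Port = 389;  Service = 'LDAP' }
    [pscustomobject]@{ Port = 636;  Service = 'LDAP over SSL' }
    [pscustomobject]@{ Port = 3268; Service = 'Global Catalog LDAP' }
    [pscustomobject]@{ Port = 88;   Service = 'Kerberos' }
    [pscustomobject]@{ Port = 445;  Service = 'SMB (SYSVOL, Group Policy)' }
    [pscustomobject]@{ Port = 53;   Service = 'DNS' }
)

# Probe each fixed port, plus any pinned replication port, with a TCP connect.
# Replication RPC itself has no fixed port unless pinned: the endpoint mapper on
# 135 returns a port from the dynamic range (1025-5000 on Server 2003, assumed
# here), which is why the reply says >1023 has to be allowed.
function Test-DcPartnerPorts {
    param(
        [Parameter(Mandatory)] [string] $PartnerDc,
        [int[]] $ExtraTcpPorts = @()          # e.g. the pinned replication port
    )
    $ports = @($DcFixedTcpPorts)
    foreach ($p in $ExtraTcpPorts) {
        $ports += [pscustomobject]@{ Port = $p; Service = 'AD replication RPC (pinned)' }
    }
    foreach ($entry in $ports) {
        $r = Test-NetConnection -ComputerName $PartnerDc -Port $entry.Port `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            Partner = $PartnerDc
            Port    = $entry.Port
            Service = $entry.Service
            Open    = [bool]$r.TcpTestSucceeded
        }
    }
}

# Pin AD replication RPC to a single port (KB 224196) so the firewall only needs
# TCP 135 plus that port instead of the whole dynamic range. Run locally on each
# DC as an administrator; the DC must be restarted for the value to take effect.
# 50000 is an arbitrary example value, not a Microsoft default.
function Set-DcReplicationPort {
    param([ValidateRange(1024, 65535)] [int] $Port = 50000)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    New-ItemProperty -Path $key -Name 'TCP/IP Port' -PropertyType DWord `
                     -Value $Port -Force | Out-Null
    # Server 2003 SP1 Windows Firewall syntax (2008+ uses "netsh advfirewall").
    netsh firewall add portopening protocol=TCP port=135   name="RPC endpoint mapper" mode=ENABLE
    netsh firewall add portopening protocol=TCP port=$Port name="AD replication RPC" mode=ENABLE
    Write-Output "Replication RPC pinned to TCP $Port; restart this DC to apply."
}

# Example usage from an admin workstation (placeholder partner name):
# Test-DcPartnerPorts -PartnerDc 'dc2.corp.example' -ExtraTcpPorts 50000 | Format-Table -AutoSize
```

A row with Port 135 and Open = False reproduces the symptom in the question: the endpoint mapper itself is unreachable, so DsReplicaSync never learns which dynamic port to use. If 135 is open but the pinned or dynamic port is not, the same 1753 appears one step later; pinning the port keeps the firewall rule set small and auditable, which is the usual compromise when a DC cannot rely solely on the perimeter device the reply recommends.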

