Re: Windows Firewall on Domain Controllers
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Fri, 28 Jul 2006 19:14:07 +0100
Hi
* Server 2003 defaults to Windows Firewall active.
* Domain Controller doesn't work with firewally active unless it is
manually
confgured for all the AD ports and you do some voodoo with RPC ports.
Don't use firewall on a DC, use a diferent machine, if you can don't join
the FW to the domain unless you have a good FW solution like ISA 2004 in a
back to back configuration.
Assuming the above points are correct on my part, what is the best
practice
for administering the firewall on domain controllers (I have about 30 of
them
scattered all over the country)?
Again you shouldn't use a FW on a DC is a bad practice and represents
security issues. Configuring FW on a DC depends on what you need to do with
it, Applications,DNS,DHCP,Wins,SMB,Replication,etc.
Here's some ports to take:
By default, Active Directory replication over RPC (Remote Procedure Calls)
takes place dynamically over an available port via the RPC Endpoint Mapper
(RPCSS) using port 135;
Application protocol Protocol Ports
Global Catalog Server TCP 3269
Global Catalog Server TCP 3268
LDAP Server TCP 389
LDAP Server UDP 389
LDAP SSL TCP 636
LDAP SSL UDP 636
IPsec ISAKMP UDP 500
NAT-T UDP 4500
RPC TCP 135
RPC randomly allocated high TCP ports TCP 1024 - 65536
832017 Service overview and network port requirements for the Windows
Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017
224196 Restricting Active Directory replication traffic to a specific port
http://support.microsoft.com/default.aspx?scid=kb;EN-US;224196
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Ron" <rhardin@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:301A5C97-58EC-426D-B43E-4891BB4E10C0@xxxxxxxxxxxxxxxx
Need input on recommended best practices. Here's what I've figured out:
* Server 2003 defaults to Windows Firewall active.
* Domain Controller doesn't work with firewally active unless it is
manually
confgured for all the AD ports and you do some voodoo with RPC ports.
* Making a 2003 Server a Domain Controller doesn't automatically configure
the firewall
* Turning off the firewall only fixes the problem temporarily because some
Windows Updates automatically turn it back on (without telling you).
Assuming the above points are correct on my part, what is the best
practice
for administering the firewall on domain controllers (I have about 30 of
them
scattered all over the country)?
--
Ron Hardin, CHTP
Director of Technology
Davidson Hotel Company
.
- Follow-Ups:
- Prev by Date: Re: GP and logon script
- Next by Date: Re: Schema errors when trying to update for 2003 R2
- Previous by thread: Re: GP and logon script
- Next by thread: Re: Windows Firewall on Domain Controllers
- Index(es):
Relevant Pages
|
