Re: Windows Firewall on Domain Controllers
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Fri, 28 Jul 2006 20:22:23 +0100
Are you talking about Windows 2003 or Windows XP?
By default, Windows 2003 doesn't activate any FW.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Ron" <rhardin@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:68FBE639-4A0C-4982-8F26-C09CC106F976@xxxxxxxxxxxxxxxx
Jorge, thanks for responding. Quick follow-up: you say "don't run a FW on a
DC", and that was my approach from the beginning. But as I stated, updates
from Microsoft keep turning the Windows Firewall back on. So how does one
turn it off so it stays off?
--
Ron
"Jorge Silva" wrote:
Hi
* Server 2003 defaults to Windows Firewall active.
* Domain Controller doesn't work with firewall active unless it is manually
configured for all the AD ports and you do some voodoo with RPC ports.
Don't use firewall on a DC, use a different machine, if you can don't join
the FW to the domain unless you have a good FW solution like ISA 2004 in a
back to back configuration.
Assuming the above points are correct on my part, what is the best practice
for administering the firewall on domain controllers (I have about 30 of them
scattered all over the country)?
Again, you shouldn't use a FW on a DC; it is a bad practice and represents
security issues. Configuring FW on a DC depends on what you need to do with
it: Applications, DNS, DHCP, WINS, SMB, Replication, etc.
Here's some ports to take:
By default, Active Directory replication over RPC (Remote Procedure Calls)
takes place dynamically over an available port via the RPC Endpoint Mapper
(RPCSS) using port 135;

Application protocol                    Protocol  Ports
Global Catalog Server                   TCP       3269
Global Catalog Server                   TCP       3268
LDAP Server                             TCP       389
LDAP Server                             UDP       389
LDAP SSL                                TCP       636
LDAP SSL                                UDP       636
IPsec ISAKMP                            UDP       500
NAT-T                                   UDP       4500
RPC                                     TCP       135
RPC randomly allocated high TCP ports   TCP       1024 - 65536

832017 Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017
224196 Restricting Active Directory replication traffic to a specific port
http://support.microsoft.com/default.aspx?scid=kb;EN-US;224196
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Ron" <rhardin@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:301A5C97-58EC-426D-B43E-4891BB4E10C0@xxxxxxxxxxxxxxxx
Need input on recommended best practices. Here's what I've figured out:
* Server 2003 defaults to Windows Firewall active.
* Domain Controller doesn't work with firewall active unless it is manually
configured for all the AD ports and you do some voodoo with RPC ports.
* Making a 2003 Server a Domain Controller doesn't automatically configure
the firewall
* Turning off the firewall only fixes the problem temporarily because some
Windows Updates automatically turn it back on (without telling you).
Assuming the above points are correct on my part, what is the best practice
for administering the firewall on domain controllers (I have about 30 of them
scattered all over the country)?
--
Ron Hardin, CHTP
Director of Technology
Davidson Hotel Company
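If a firewall does have to stay on a DC, the port table Jorge quotes can be expressed as explicit allow rules plus a pinned replication port, and then audited on a schedule instead of being switched off and silently switched back on. This is an added PowerShell example, not code from the thread; it assumes Windows Server 2012 or later with the NetSecurity cmdlets (the 2003-era hosts in the thread would use `netsh firewall` instead), a replication port value chosen per KB 224196, and rule names of my own.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 or later with the
# NetSecurity module (New-NetFirewallRule); the 2003-era hosts in the thread would use
# "netsh firewall add portopening" instead. Run elevated on the DC.
# Port list taken from Jorge's table; the fixed replication port is an assumed value
# chosen per KB 224196 and must be the same on every DC.

$ReplicationPort = 49152   # assumed; any free port, identical on all DCs

$AdPorts = @(
    @{ Name = 'Global Catalog SSL';   Protocol = 'TCP'; Port = 3269 },
    @{ Name = 'Global Catalog';       Protocol = 'TCP'; Port = 3268 },
    @{ Name = 'LDAP';                 Protocol = 'TCP'; Port = 389  },
    @{ Name = 'LDAP (UDP)';           Protocol = 'UDP'; Port = 389  },
    @{ Name = 'LDAP SSL';             Protocol = 'TCP'; Port = 636  },
    @{ Name = 'LDAP SSL (UDP)';       Protocol = 'UDP'; Port = 636  },
    @{ Name = 'IPsec ISAKMP';         Protocol = 'UDP'; Port = 500  },
    @{ Name = 'NAT-T';                Protocol = 'UDP'; Port = 4500 },
    @{ Name = 'RPC Endpoint Mapper';  Protocol = 'TCP'; Port = 135  },
    @{ Name = 'Replication (fixed)';  Protocol = 'TCP'; Port = $ReplicationPort }
)

# Pin replication to one port (KB 224196: REG_DWORD "TCP/IP Port" under the NTDS
# Parameters key) so the rule set does not have to open the whole 1024-65535 range.
# Takes effect after the NTDS service (or the DC) restarts.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $ReplicationPort -Type DWord

foreach ($p in $AdPorts) {
    $ruleName = "DC - $($p.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Protocol $p.Protocol -LocalPort $p.Port -Profile Domain | Out-Null
    }
}

# Audit: one row per required port saying whether an enabled inbound allow rule covers
# it, then the per-profile state (the thread's complaint was updates silently re-enabling
# the firewall, so this is the check to schedule rather than a one-off disable).
function Test-DcFirewallRules {
    foreach ($p in $AdPorts) {
        $covered = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
            Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq $p.Protocol -and "$($_.LocalPort)" -eq "$($p.Port)" }
        [pscustomobject]@{ Port = "$($p.Protocol)/$($p.Port)"; Allowed = [bool]$covered }
    }
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

Test-DcFirewallRules
```

The audit function is the part worth running from a scheduled task across the 30 DCs, since it reports both a missing allow rule and a profile that an update has flipped back to Enabled.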