Re: Help Understanding LDAP Variants



"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eK3Ovy0LHHA.320@xxxxxxxxxxxxxxxxxxxxxxx
The GC ports are used A LOT by normal Windows operations - it is how
Windows finds things in the directory. For instance START | SEARCH |
PRINTERS, COMPUTERS, OR PEOPLE will hit the GC.

Thanks for that.


If you don't have certs on the DCs the ports are effectively dead. Apps
will connect to the port and send a SSLV2 Hello and then get bounced by
the DS service when it realizes it doesn't have a cert. Nothing else on
the DC should be able to use those ports as LSASS will grab them right
off.

Great to know as well.


Obviously if you really want to know if you can block a port, the best
way is to do a long term trace on the machine for the ports in question
and look at what is coming through. Untold numbers of issues have been
caused by people just throwing up traffic filters and then having no
clue how it will impact them and then when weird things occur don't make
the connection with the changes they made. From that you can probably
see that I am not a proponent of firewalling between DCs and anything.

Yes, but in our case we examine the firewall logs frequently, and run dcdiag
/v on each of two domain controllers in a domain that uses the firewalls,
and we have studied the problem of putting a domain controller behind a
firewall in a lab environment for a long time now.

I do understand that the craziness of the current era of computing is that
operating systems are starting to *look* like they are easy to use and
configure, when in fact they are still hideously complex, and non-standard
configurations are non-trivial. At the same time the people who sometimes
get charged with running these things don't know what to look at to diagnose
issues, and don't understand computer and network architecture issues well.
So of course the support groups never want to recommend any configuration
that puts a domain controller behind a firewall, because that will mean
another 14 hours on the phone getting all the pieces to work.

--
Will
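The "long term trace on the machine for the ports in question" that Joe recommends can be done with a simple sampling loop on the DC itself. The script below is an added example, not code from either poster; it assumes Windows Server 2012 or later (for Get-NetTCPConnection), a writable log path (the C:\Temp path is a placeholder), and the standard LDAP/LDAPS/GC/GC-SSL port set of 389, 636, 3268 and 3269. It records which remote hosts hold established connections to those ports, and which local process owns them, then summarises the result per port.

```powershell
# Added example: sample established connections to the LDAP/GC ports on a DC
# over a long period, so you can see who actually uses them before filtering.
# Assumes Windows Server 2012+ (Get-NetTCPConnection); $LogPath is a placeholder.
param(
    [int[]]$Ports = @(389, 636, 3268, 3269),          # LDAP, LDAPS, GC, GC-SSL
    [string]$LogPath = "C:\Temp\dc-port-trace.csv",   # assumption: any writable path
    [int]$IntervalSeconds = 60,
    [int]$DurationHours = 24
)

$end = (Get-Date).AddHours($DurationHours)
while ((Get-Date) -lt $end) {
    $now = Get-Date -Format o
    Get-NetTCPConnection -LocalPort $Ports -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Timestamp     = $now
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                OwningProcess = $_.OwningProcess
                ProcessName   = $proc.ProcessName    # on a DC this should be lsass
            }
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    Start-Sleep -Seconds $IntervalSeconds
}

# Summarise afterwards: how often each port was seen in use and by which hosts.
Import-Csv $LogPath |
    Group-Object LocalPort |
    ForEach-Object {
        [pscustomobject]@{
            LocalPort   = $_.Name
            Samples     = $_.Count
            RemoteHosts = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ','
        }
    } | Format-Table -AutoSize
```

Two caveats when reading the output. A sampling loop only catches connections that are open at the moment of the sample, so short-lived GC lookups (the START | SEARCH case above, or a quick bind from a member server) can be missed; if the summary looks suspiciously empty, lower the interval or use a packet-level capture (netsh trace or pktmon) instead. And if the DC has no certificate, 636 and 3269 will show no established sessions at all, which matches the "effectively dead" behaviour Joe describes rather than proving nothing tries to reach them; the failed SSL hellos only show up in a packet capture.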

