Re: Unable to join AD domain from DMZ network




I would suggest you temporarily move the box internally and verify that it will work. Even though your network dude said he is allowing all traffic through, I'm guessing he wasn't allowing high ports. RPC needs a high port to work unless you lock it down to a specific port.

I have an article on DC replication and port usage which can give you a general idea on what is happening. You should review it and maybe it will give you some new ideas to try.

http://www.pbbergs.com/windows/articles.htm
Select Firewall ports needed for replication

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
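The check Paul is describing, written out as an added example (this is not code from the thread or from Paul's article): from the DMZ host, confirm that each fixed TCP port a domain join depends on is reachable on the DC, then prove that the RPC dynamic range is actually passable by making a DCOM call, which asks the endpoint mapper on 135 for a high port and then connects to it. `$Dc`, `$PinnedRpcPorts` and the credential prompt are assumptions you replace with your own values.

```powershell
# Added example, not from the thread: verify from a DMZ host that the TCP ports a
# domain join needs are reachable on a DC, then exercise the RPC dynamic range
# with a DCOM round-trip (EPMAP on 135 followed by a dynamically assigned port).
# $Dc and $PinnedRpcPorts are assumptions; replace them with your own values.

$Dc = '192.0.2.10'          # assumed DC address (documentation range, not the thread's)
$PinnedRpcPorts = @()       # e.g. @(50000, 50001) once NTDS/Netlogon RPC is pinned on the DC

$FixedPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper (EPMAP)' },
    @{ Port = 139;  Name = 'NetBIOS session' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAP over SSL' },
    @{ Port = 3268; Name = 'Global Catalog' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A silent drop by the firewall shows up as a timeout rather than a refusal.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Fixed ports: a BLOCKED line here names the exact port to take to the network team.
foreach ($p in $FixedPorts) {
    $ok = Test-TcpPort -ComputerName $Dc -Port $p.Port
    '{0,-32} {1,5}  {2}' -f $p.Name, $p.Port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. Pinned RPC ports: only meaningful if you locked replication/Netlogon RPC down on the DC.
foreach ($port in $PinnedRpcPorts) {
    $ok = Test-TcpPort -ComputerName $Dc -Port $port
    '{0,-32} {1,5}  {2}' -f 'pinned RPC port', $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 3. Dynamic range: a WMI/DCOM call first asks EPMAP (135) for a high port and then
#    connects to it. If 135 showed 'open' above but this fails with "The RPC server is
#    unavailable", the firewall is dropping the high ports even though 135 is allowed.
$cred = Get-Credential -Message "Domain account with rights on $Dc"
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Dc -Credential $cred -ErrorAction Stop
    "Dynamic RPC range OK: reached $($os.CSName) over DCOM"
} catch {
    "Dynamic RPC range FAILED: $($_.Exception.Message)"
}
```

On Windows 2003 the default dynamic range is TCP 1025-5000 (49152-65535 from Windows 2008 on), which is what the firewall must permit in addition to 135 if nothing is pinned. If you would rather not open that whole range from the DMZ, pin the two RPC services on the DC to fixed ports by setting the DWORD values `TCP/IP Port` under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters` and `DCTcpipPort` under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`, restart the DC, put those ports in `$PinnedRpcPorts`, and have only 135 plus those two opened.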


"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:5C1A0E67-B3E9-40C6-A709-F365B0800BF2@xxxxxxxxxxxxxxxx
Hi,

We are running a Windows 2003 AD Domain and would now like to allow user account
authentication from the DMZ to the 2003 AD internal network. However, when we try to
join the AD domain from the server in the DMZ, we get the error message "The RPC
Server is unavailable". I worked with the network guy and, for testing
purposes, he allowed any traffic between the DMZ and the internal network, and no
traffic was being denied. So we moved forward to the next troubleshooting step,
setting up Ethereal and capturing traffic from the server in the DMZ when we
tried to join the AD domain. We found one error in the Ethereal capture log, shown
here: "384 136.20396 153.178.23.22 192.35.46.81 SAMR GetUserPwInfo
response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED". This only
happened between the DMZ and our internal network. I am able to join the AD domain
with any client if it is in the internal network. I also ran Netstat
on the server in the DMZ. I can see that LDAP and Netbios-ssn were established, but
EPMAP failed to establish. I googled it and EPMAP is doing netbios on
port 135, but I confirmed with the network guy that it was being allowed and no
denies were shown in the syslog. One more thing I would also like to mention is that the
DMZ is in a different subnet, as you see in the above error ("192.35.x.x"), than
the internal network ("153.178.x.x"). Would that cause any problem when the
DMZ and the internal network are in two different subnets when trying to join the domain?
Any suggestion would be very much appreciated.

PS. I was able to ping, or use \\server to access the domain controller or a share, from
the server in the DMZ. I also checked the Event Viewer but found no errors.

Thanks.
Mugen



