Re: Unable to join AD domain from DMZ network



To me that points to something outside the machine (firewall most likely the culprit).

I would move it inside to test; I'm betting it works if moved inside.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.


"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:8C11BD54-AA3E-4DC2-A148-07166FD8022A@xxxxxxxxxxxxxxxx
I did not move it inside, but I tried my other laptop running XP from the DMZ
and am still getting the exact same problem. I turned off the firewall on all
client machines.


"Paul Bergson" wrote:

So did you try moving it inside and testing to see if you could join it? Do
you have the firewall on on the server itself?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.


"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5F56B404-A951-45CD-A132-A8A60C2AC1C2@xxxxxxxxxxxxxxxx
> Hi Paul,
>
> Thanks for your advice. We already found a document about the ports that need
> to be opened in the firewall. And I don't think the firewall is blocking
> anything, because nothing is being denied when we checked the syslog. We used
> Ethereal to capture the traffic between the server in the DMZ and the DC on
> the internal network. Both are talking, as we saw in the capture log, but
> somehow the DC does not allow the machine to join the domain. Another thing I
> found out from Active Directory Users and Computers was that the server from
> the DMZ registered a computer account, but it is in disabled status. The
> server from the DMZ is talking to the DC and trying to join the domain, and
> it has a computer account there with disabled status.
>
> Thanks.
>
> "Paul Bergson" wrote:
>
>> I would suggest you temporarily move the box internally and verify that it
>> will work. Even though your network dude said he is allowing all traffic
>> through, I'm guessing he wasn't allowing high ports. RPC needs a high port
>> to work unless you lock it down to a specific port.
>>
>> I have an article on DC replication and port usage which can give you a
>> general idea of what is happening. You should review it, and maybe it will
>> give you some new ideas to try.
>>
>> http://www.pbbergs.com/windows/articles.htm
>> Select "Firewall ports needed for replication"
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup. This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>> "Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:5C1A0E67-B3E9-40C6-A709-F365B0800BF2@xxxxxxxxxxxxxxxx
>> > Hi,
>> >
>> > We are running a Windows 2003 AD domain and would now like to allow user
>> > account authentication from the DMZ to the 2003 AD internal network.
>> > However, when we try to join the AD domain from the server in the DMZ, we
>> > get the error message "The RPC Server is unavailable". I worked with the
>> > network guy and, for testing purposes, he allowed any traffic between the
>> > DMZ and the internal network, and no traffic was being denied. So we moved
>> > forward to the next troubleshooting step, setting up Ethereal and
>> > capturing traffic from the server in the DMZ when we tried to join the AD
>> > domain. We found one error in the Ethereal capture log, shown here:
>> > "384 136.20396 153.178.23.22 192.35.46.81 SAMR GetUserPwInfo response,
>> > STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED". This only happened
>> > between the DMZ and our internal network. I am able to join the AD domain
>> > with any client if it is on the internal network. I also performed netstat
>> > from the server in the DMZ. I can see that LDAP and netbios-ssn were
>> > established, but EPMAP failed to establish. I googled it, and EPMAP is
>> > doing netbios on port 135, but I confirmed with the network guy that this
>> > was being allowed and no deny was shown in the syslog. One more thing I
>> > would also like to mention is that the DMZ is on a different subnet, as
>> > you see in the above error ("192.35.x.x"), than the internal network
>> > ("153.178.x.x"). Would that be causing any problem when the DMZ and the
>> > internal network are on two different subnets when trying to join the
>> > domain? Any suggestion would be very much appreciated.
>> >
>> > PS. I was able to ping or use \\server to access the domain controller or
>> > a share from the server in the DMZ. I also checked the event viewer, but
>> > no error was found.
>> >
>> > Thanks.
>> > Mugen
>>
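Added example, not code from this thread or from Paul Bergson's article: a PowerShell check, run from the host in the DMZ, that covers the fixed TCP ports a domain join uses and then probes a few ports spread across the RPC dynamic range that the endpoint mapper on 135 hands out. The DC name, the 2 s timeout and the dynamic range bounds (1025-5000 on Windows Server 2003, 49152-65535 on 2008 and later, both the documented defaults) are assumptions. The useful signal is the difference between "refused" (an RST came back, so the DC is reachable and nothing listens on that port) and "timeout" (no answer at all, so something between the hosts is dropping the packets), which is exactly the high-port question Paul raises.

```powershell
# Added example, not code from the thread. Run from the server in the DMZ.
# Assumed: the DC name in the example call, the 2 s timeout, and the default
# dynamic RPC ranges (1025-5000 on Windows Server 2003, 49152-65535 on 2008+).

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'timeout'        # neither SYN/ACK nor RST: packets are being dropped
        }
        $client.EndConnect($ar)     # throws on an RST
        return 'open'
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'refused'        # RST came back: host reachable, nothing listening
        }
        return "error: $($ex.Message)"   # e.g. name resolution failure
    }
    finally {
        $client.Close()
    }
}

function Test-DomainJoinPorts {
    param(
        [Parameter(Mandatory)][string]$Dc,
        [switch]$Legacy2003Range    # DC is Windows Server 2003: dynamic range 1025-5000
    )
    # Fixed ports a domain join talks to on the DC.
    $fixed = @(
        @{ Port = 53;  Service = 'DNS' },
        @{ Port = 88;  Service = 'Kerberos' },
        @{ Port = 135; Service = 'RPC endpoint mapper (EPMAP)' },
        @{ Port = 389; Service = 'LDAP' },
        @{ Port = 445; Service = 'SMB' },
        @{ Port = 464; Service = 'Kerberos password change' }
    )
    foreach ($p in $fixed) {
        [pscustomobject]@{
            Port    = $p.Port
            Service = $p.Service
            Result  = Test-TcpPort -ComputerName $Dc -Port $p.Port
        }
    }

    # The endpoint mapper only tells the client which high port to connect to
    # next, so the firewall has to pass the whole range. Nothing listens on most
    # of it; the answer to look for is 'refused' (range passes the firewall)
    # versus 'timeout' (range is filtered). 'open' just means an RPC service
    # happens to be bound to that sample port.
    if ($Legacy2003Range) { $lo = 1025; $hi = 5000 } else { $lo = 49152; $hi = 65535 }
    $samples = 0..4 | ForEach-Object { $lo + [int](($hi - $lo) * $_ / 4) }
    foreach ($port in $samples) {
        [pscustomobject]@{
            Port    = $port
            Service = "RPC dynamic range sample ($lo-$hi)"
            Result  = Test-TcpPort -ComputerName $Dc -Port $port
        }
    }
}

# Example run against an assumed DC name; drop -Legacy2003Range for a 2008+ DC.
Test-DomainJoinPorts -Dc 'dc01.corp.example' -Legacy2003Range | Format-Table -AutoSize
```

Two caveats when reading the output. A firewall configured to reject rather than drop will answer with its own RST, so "refused" on the dynamic samples then proves nothing; a packet capture on the DC side, as Mugen already did, settles it. And if opening the whole range is not acceptable, the "lock it down to a specific port" option Paul mentions is the documented registry approach: the REG_DWORD value `TCP/IP Port` under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters` pins the directory service RPC port and `DCTcpipPort` under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters` pins the Netlogon RPC port, after which the firewall needs 135 plus those fixed ports instead of the range.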

