Re: Unable to join AD domain from DMZ network
- From: Mugen <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 10 Dec 2008 11:18:01 -0800
It fixed. It was the RDC Dynamic high port blocking the traffic. Thanks
everyone!
"Paul Bergson" wrote:
Just had another thought what about your routes? Do you have those defined.
properly so the external machine can get internally or is this handled via
the network goons?
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8C11BD54-AA3E-4DC2-A148-07166FD8022A@xxxxxxxxxxxxxxxx
I did not move to inside but I tried my other laptop running XP from the
DMZ
and still getting the exact same problem. I turned off firewall on all
client machine.
"Paul Bergson" wrote:
so did you try moving inside and testing to see if you could join it? Do
you have on the firewall on the server itself?
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5F56B404-A951-45CD-A132-A8A60C2AC1C2@xxxxxxxxxxxxxxxx
Hi Paul,
Thanks for your advice. We already found a document about ports need to
be
opened in firewall. And I don't think the firewall is blocking anything
becausee nothing is being denied when we checked the syslog. We use
Ethernal
the captured traffic between the server in DMZ to the DC from internal
network. Both are talking as we saw in the capture log but somehow the
DC
not
allow the machine to join domain. Another thing I found out from Active
Directory users and computers was , the server from the DMZ registered
the
computer account but is in disabled status. The server from the DMZ is
talking to the DC and trying to join the domain and have computer
account
there with disabled status.
Thanks.
"Paul Bergson" wrote:
I would suggest you temp move the box internally and verify that it
will
work, even though your network dude said he is allowing all traffic
through
I'm guessing he wasn't allowing high ports. RPC needs a high port to
work
unless you lock it down to a specific port.
I have an article on DC replication and port usage which can give you
a
general idea on what is happening. You should review it and maybe it
will
give you some new ideas to try.
http://www.pbbergs.com/windows/articles.htm
Select Firewall ports needed for replication
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This
posting is provided "AS IS" with no warranties, and confers no rights.
"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5C1A0E67-B3E9-40C6-A709-F365B0800BF2@xxxxxxxxxxxxxxxx
Hi,
We are running Windows 2003 AD Domain and now like to allow user
account
authentication from DMZ to 2003 AD internal network. However, when
we
try
to
join AD domain from the server in DMZ. We got an error message 'The
RPC
Server is unavailable". I worked with the network guy and for
testing
purpose, he allowed any traffic between DMZ to the internal network
and
no
traffic was being denied. So, we moved forwared to next
troublshooting
step
for setting up Ethernal and captured traffic from the server in DMZ
when
tried to join AD domain. We found one error in the Ethernal capture
log
shown
here "384 136.20396 153.178.23.22 192.35.46.81 SAMR
GetUserPwInfo
response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED". This
was
only
happend between the DMZ to our internal network. I am able to join
AD
domain
with any clients if it is in internal network. And also, I
performed
Netstat
from the server in DMZ. I can see that LDAP, Netbios-ssn was
established
but
EPMAP was failted to established. I googled it and EPMAP is doing
netbios
in
port 135 but I confirmed with the network guy that was being allowed
and
no
denied shown in sys log. One more thing i also like to mention is
that
the
DMZ is in different subnet as you see in the above error
"192.35.x.x"
than
the internal network "153.178.x.x". Would that be causing any
problem
when
DMZ and the internal are in two different subnet when trying to join
domain?
Any suggestion would be very appreciated?
PS. I was able to ping or \\server to access domain controller or
share
from
the server in DMZ. I also checked the event viewer but no error
found.
Thanks.
Mugen
- References:
- Unable to join AD domain from DMZ network
- From: Mugen
- Re: Unable to join AD domain from DMZ network
- From: Paul Bergson
- Re: Unable to join AD domain from DMZ network
- From: Mugen
- Re: Unable to join AD domain from DMZ network
- From: Paul Bergson
- Re: Unable to join AD domain from DMZ network
- From: Mugen
- Re: Unable to join AD domain from DMZ network
- From: Paul Bergson
- Unable to join AD domain from DMZ network
- Prev by Date: Re: A g;lobal catalog cannot be located to retrieve the icons from the member list
- Next by Date: AD replication error on new DC
- Previous by thread: Re: Unable to join AD domain from DMZ network
- Next by thread: ntfrs errors
- Index(es):
Relevant Pages
|
Loading
