Re: Access to user properties




"Eugen" <meugen@xxxxxxxxx> wrote in message news:ADC27215-6E82-4477-8674-9CEEBBFC9519@xxxxxxxxxxxxxxxx
Hi,
So there is conditional forwarding between forests and each forest is
based on a different subnet. These subnets are separated by a firewall, with TCP
389 opened.
Many thanks for your answer,


I see. The firewall is probably blocking your efforts. Active Directory communication requires about 29 ports to be allowed through, including the ephemeral response ports (UDP 1024-5000). You will need to discuss this with your network group to make these ports available. Actually, the better solution is to create a VPN tunnel between your office and the partner office and allow ALL ports open (block nothing).

Here is more info on firewall ports required for AD.
======================================================================================================
======================================================================================================
Active Directory Firewall ports

Active Directory Replication over Firewalls (Jan 31, 2006). Active Directory relies on remote procedure call (RPC)
http://technet.microsoft.com/en-us/library/bb727063.aspx

How to configure a firewall for domains and trusts
http://support.microsoft.com/?id=179442

Configuring an Intranet Firewall (Apr 14, 2006). Protocol ports required for the intranet firewall.
Ports required for Active Directory communication and Kerberos ...
http://technet.microsoft.com/en-us/library/bb125069.aspx

Active Directory and Firewall Ports. I found it hard to find a definitive list on the internet for what ports needed opening for Active Directory to replicate between firewalls. ...
http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx

Default ephemeral ports are 1024-5000, but can be changed. In Vista and Windows 2008, the default start port is 49152, and the default end port is 65535.

Quoted from link below: "To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000."

I know the one is MaxUserPort, but not sure of the low end. I would test and monitor trying "LowUserPort" or "MinUserPort." But whether you know the low end key or not, you can set it with the netsh command. See this for more info:
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/?kbid=929851

Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
http://support.microsoft.com/default.aspx/kb/899148

---

Checkpoint Firewall and AD Communications and Replication

Checkpoint firewalls have a known issue if you are running R55 or older. You will need to
make a registry entry to allow traffic to flow between the 2 sites via the VPN. The preferred solution is to upgrade the Checkpoint firewall.

More info:
Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
http://support.microsoft.com/default.aspx/kb/899148

For Windows 2003 R2 and non-R2 remote domain controllers we added the Server2003NegotiateDisable entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
======================================================================================================
======================================================================================================


Ace
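The reply above says that TCP 389 alone is not enough for a trust across a firewall and that the ephemeral RPC range must also be allowed. The following PowerShell script is an added example and is not part of the original thread or of any Microsoft tool: it probes the well-known trust/replication ports from KB 179442 against the partner forest's domain controller, then shows the local dynamic port range the firewall team will need to allow. The hostname dc1.partner.example, the 2-second timeout and the port list are assumptions to adjust; only TCP ports are probed, so UDP (DNS, Kerberos, NTP) and the ephemeral range itself are not verified end to end.

```powershell
# Added example, not from the original post or from Microsoft.
# Probe the TCP ports a forest trust and DC-to-DC replication need
# (list taken from KB 179442), then show this host's ephemeral range.
param(
    # Assumed partner DC name; replace with the real remote DC.
    [string]$PartnerDc = 'dc1.partner.example',
    [int]$TimeoutMs    = 2000
)

# Ports that must be open from this forest to the partner DC.
$RequiredPorts = @(
    @{ Port = 53;   Name = 'DNS (conditional forwarder)' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB (Netlogon, SYSVOL)' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAP over SSL' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Global Catalog over SSL' }
)

# TCP connect with a timeout; a filtered port looks like a timeout,
# a closed port like an immediate refusal, both reported as $false.
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$Timeout = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) {
            return $false            # no SYN/ACK within the timeout: filtered
        }
        $client.EndConnect($async)   # throws on RST (closed) or DNS failure
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $RequiredPorts) {
    [pscustomobject]@{
        Port = $p.Port
        Name = $p.Name
        Open = Test-TcpPort -TargetHost $PartnerDc -Port $p.Port -Timeout $TimeoutMs
    }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked or unreachable: " + (($blocked | ForEach-Object { $_.Port }) -join ', '))
}

# The dynamic (ephemeral) range this host uses for RPC replies; it must be
# allowed in both directions. Default is 49152-65535 on Vista/2008 and later,
# 1025-5000 (raised via MaxUserPort) on 2003 and earlier. The netsh
# 'dynamicport' context exists only on Vista/2008 and later.
netsh int ipv4 show dynamicport tcp

# On Windows 2003 the high end of the old range lives in MaxUserPort, if set.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name MaxUserPort -ErrorAction SilentlyContinue

# To pin the range to a window the firewall team can allow (run as Administrator),
# e.g. 49152-65535, which is 16384 ports:
#   netsh int ipv4 set dynamicport tcp start=49152 num=16384
```

Run it from a domain controller or member in one forest against a DC in the other; a result where 389 is open but 135, 445 and the rest are filtered matches the symptom in the thread. If 135 is open but trust creation still fails, the ephemeral range that the endpoint mapper hands out is the next thing to have the firewall group confirm.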





