Domain controller firewall

I have recently deployed a domain controller (Active Directory) in a small office. I suspected that the firewall configuration/exceptions would be updated auto-magically… it should just work, it's nothing hard to automate… but no. Anyway, the instructions said to go there for firewall configuration instructions, so I went and read:

Windows Firewall: Domain controller
Updated: March 02, 2005

You must turn off Windows Firewall to use this server role.

Was this information helpful? No, it was NOT! Anyway, Google was as helpful as ever; it found this: http://support.microsoft.com/default.aspx?scid=kb;en-us;555381&sd=rss&spid=3198

a. Windows Firewall: Protect all network connections – Enabled

b. Windows Firewall: Allow remote administration exception – Enabled (opens ports 135 and 445, both required by domain controllers)

c. Windows Firewall: Allow file and printer sharing exception – Enabled

d. Windows Firewall: Define port exceptions – Enabled. Each entry has the form port:protocol:scope:status:name. In the list below the scope * means incoming requests from any IP address are accepted; other scope values are possible (see the text on the Setting tab in Group Policy Editor for details), and localsubnet may be the right choice in some environments. The strings below are exactly what needs to be in the list of port exceptions:
123:udp:*:enabled:NTP
3268:tcp:*:enabled:Global Catalog LDAP
389:tcp:*:enabled:LDAP
389:udp:*:enabled:LDAP
53:tcp:*:enabled:DNS
53:udp:*:enabled:DNS
53211:tcp:*:enabled:AD Replication (Note: use the port number selected in step 1.b.i of the KB article)
53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in step 1.b.ii of the KB article)
88:tcp:*:enabled:Kerberos
88:udp:*:enabled:Kerberos

I sometimes wonder how Microsoft documentation can say one thing in one place and something else in another…

…anyway, that's not all 🙁 because you will get a strange RPC connection error message when you try to add a computer to the domain (or an already-added computer will search for a domain list forever). After investigating the firewall log I opened TCP port 1025 and it seems to work OK… for now ;).
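The port-exception list above is a hand-maintained table, and the TCP 1025 workaround is a symptom of the same gap: on Windows Server 2003, Netlogon, NTDS replication and FRS each register an RPC endpoint on a dynamic port (1024 and up) unless the port is pinned in the registry, which is what the KB's steps 1.b.i and 1.b.ii do for the 53211/53212 values. A pinned port stays in the exception list; 1025 is just whatever the endpoint mapper handed out on this boot and can change on the next one. The PowerShell below is an added example, not the original post's or KB 555381's own script: it parses the Group Policy strings (rejecting malformed entries such as a misspelled protocol instead of passing them on), emits the equivalent legacy netsh firewall add portopening commands, and pins the three RPC ports. The 53213 value for Netlogon's DCTcpipPort is an arbitrary assumption of this example, as is restricting the rules to the domain profile; run it as a local administrator on the DC and reboot after pinning.

```powershell
# Added example, not the original post's or KB 555381's own script.
# Parses the Group Policy port-exception strings (port:proto:scope:status:name),
# turns each into a legacy "netsh firewall add portopening" command (Windows
# Server 2003 / XP SP2 syntax), and pins the RPC ports so the static list is complete.
# Assumptions: 53211/53212 are the replication ports from the KB text; 53213 for
# Netlogon is an arbitrary choice here; the DC runs in the domain firewall profile.

$PortExceptions = @(
    '123:udp:*:enabled:NTP',
    '3268:tcp:*:enabled:Global Catalog LDAP',
    '389:tcp:*:enabled:LDAP',
    '389:udp:*:enabled:LDAP',
    '53:tcp:*:enabled:DNS',
    '53:udp:*:enabled:DNS',
    '53211:tcp:*:enabled:AD Replication',
    '53212:tcp:*:enabled:File Replication Service',
    '53213:tcp:*:enabled:Netlogon RPC',   # assumption: matches $RpcPortPins below
    '88:tcp:*:enabled:Kerberos',
    '88:udp:*:enabled:Kerberos'
)

# Fixed RPC ports. Without these, NTDS/FRS/Netlogon get a dynamic port (1025+ on
# Server 2003) that no static exception covers: the "strange RPC error" on domain join.
$RpcPortPins = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Port = 53211 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Port = 53212 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Port = 53213 }  # assumed value
)

function ConvertTo-NetshCommand {
    param([Parameter(Mandatory=$true)][string]$Entry)

    $parts = $Entry.Split(':')
    if ($parts.Count -ne 5) { throw "Malformed port exception '$Entry' (expected port:proto:scope:status:name)" }
    $port, $proto, $scope, $status, $name = $parts

    if ($port -notmatch '^\d+$' -or [int]$port -lt 1 -or [int]$port -gt 65535) { throw "Bad port in '$Entry'" }

    $proto = $proto.ToUpper()
    if (@('TCP', 'UDP') -notcontains $proto) { throw "Unknown protocol '$proto' in '$Entry' (check for typos like 'upd')" }

    $mode = switch ($status.ToLower()) {
        'enabled'  { 'ENABLE' }
        'disabled' { 'DISABLE' }
        default    { throw "Bad status '$status' in '$Entry'" }
    }

    # '*' = any source; 'localsubnet' = SUBNET; anything else is a custom address
    # list in Group Policy syntax (e.g. 10.0.0.0/24,localsubnet), passed through as-is.
    $scopeArg = switch ($scope.ToLower()) {
        '*'           { 'scope=ALL' }
        'localsubnet' { 'scope=SUBNET' }
        default       { "scope=CUSTOM addresses=$scope" }
    }

    "netsh firewall add portopening protocol=$proto port=$port name=`"$name`" mode=$mode $scopeArg profile=DOMAIN"
}

function Set-FixedRpcPorts {
    # Writes the REG_DWORD values that pin each service's RPC port.
    # The pins take effect when the services restart; a reboot is simplest.
    foreach ($pin in $RpcPortPins) {
        if (-not (Test-Path $pin.Path)) { New-Item -Path $pin.Path -Force | Out-Null }
        Set-ItemProperty -Path $pin.Path -Name $pin.Name -Value $pin.Port -Type DWord
    }
}

# Dry run: print the netsh commands so they can be reviewed before anything changes.
$commands = $PortExceptions | ForEach-Object { ConvertTo-NetshCommand $_ }
$commands

# Apply on the DC once the output above looks right:
# Set-FixedRpcPorts
# $commands | ForEach-Object { Invoke-Expression $_ }
```

Keep the dry run separate from the apply step: the command strings are the thing to review (scope, profile, which ports are open to * rather than localsubnet) before they touch the firewall, and a parse error on one entry aborts the whole run rather than leaving half the list applied. After pinning, the firewall log should show no more hits on 1025 or other ephemeral ports for domain joins; if it still does, the unpinned service is the one to look at next.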

One Comment

  1. Pingback: It should just work! » Blog Archive » Logging into a W2K3 domain taking forever?
