* rules to allow a machine to join a windows domain
@ 2005-05-03 18:07 Kirk
2005-05-03 22:24 ` Jason Opperisano
0 siblings, 1 reply; 5+ messages in thread
From: Kirk @ 2005-05-03 18:07 UTC (permalink / raw)
To: netfilter
Hello everyone,
I need to start moving three Windows servers behind a firewall. Could
someone tell me what ports I need to open so that the servers can join
a Windows domain?
I already allow access to DNS (udp 53, tcp 53) and WINS (tcp 137)
servers but the test server still can't join the domain. The error I
get is "a domain controller could not be contacted".
I should point out that I'm able to connect to websites from the test
server and I can connect to the web server I installed for testing
incoming connections. Also, I'm able to join the domain when I take
the machine off the firewall.
Any hints will be appreciated.
Thanks,
-K
* RE: rules to allow a machine to join a windows domain
@ 2005-05-03 18:28 Fabiano
2005-05-03 20:37 ` Kirk
0 siblings, 1 reply; 5+ messages in thread
From: Fabiano @ 2005-05-03 18:28 UTC (permalink / raw)
To: Kirk, netfilter
Hi Kirk,
Windows 2000 AD authentication uses LDAP, so you need to open other ports too, like LDAP: 389 UDP/TCP and 3268 TCP, Kerberos: 88 UDP/TCP, and maybe others, like 135 TCP (RPC service).
What version of Windows are you using?
* Re: rules to allow a machine to join a windows domain
2005-05-03 18:28 Fabiano
@ 2005-05-03 20:37 ` Kirk
0 siblings, 0 replies; 5+ messages in thread
From: Kirk @ 2005-05-03 20:37 UTC (permalink / raw)
To: Fabiano, netfilter
Thanks Fabiano. I'll try it.
We have the following servers.
Windows 2000 -DC
Windows 3000 server -DC's backup
NT4
* RE: rules to allow a machine to join a windows domain
@ 2005-05-03 20:59 Fabiano
0 siblings, 0 replies; 5+ messages in thread
From: Fabiano @ 2005-05-03 20:59 UTC (permalink / raw)
To: Kirk, netfilter
Well man, if you are using ADC, you will need to open these ports: 53 (T/U), 88 (T/U), 135 (TCP), 139 (TCP), 389 (T/U), 445 (TCP) and 691 (TCP), and maybe one high port to configure RPC Service to use as outgoing port.
It's very interesting to use Ethereal to monitor and check what ports are in effective use.
Ok.Hgs.
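The port list in the 20:59 message, written as netfilter rules scoped to the domain controllers only (an added example, not part of the thread or any poster's own ruleset). The function name `gen_rules`, the 192.0.2.x addresses and RPC port 5000 are constructed placeholders; the script prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example: emit (not apply) iptables FORWARD rules for one member
# server behind the firewall. Port numbers are those listed in the message
# above; addresses and the RPC port are constructed sample values.

TCP_PORTS="53,88,135,139,389,445,691"   # every port in the list, over TCP
UDP_PORTS="53,88,389"                   # the entries marked (T/U)

# gen_rules MEMBER_IP RPC_PORT DC_IP...
# Prints one iptables command per line; review, then pipe to sh as root.
gen_rules() {
    member=$1; rpc_port=$2
    [ $# -ge 3 ] || { echo "usage: gen_rules MEMBER RPC_PORT DC..." >&2; return 1; }
    shift 2
    case $rpc_port in
        ''|*[!0-9]*) echo "bad RPC port: $rpc_port" >&2; return 1 ;;
    esac
    # The single fixed RPC port must be a high port, as the message suggests.
    if [ "$rpc_port" -lt 1024 ] || [ "$rpc_port" -gt 65535 ]; then
        echo "RPC port must be in 1024-65535" >&2; return 1
    fi

    # Return traffic for connections admitted by the NEW rules below.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for dc in "$@"; do
        # Only member -> DC, only the listed ports (multiport takes up to 15).
        echo "iptables -A FORWARD -s $member -d $dc -p tcp -m multiport --dports $TCP_PORTS,$rpc_port -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -A FORWARD -s $member -d $dc -p udp -m multiport --dports $UDP_PORTS -m conntrack --ctstate NEW -j ACCEPT"
        # Anything else aimed at the DC is logged before it is dropped, so a
        # port that is still missing shows up in the kernel log.
        echo "iptables -A FORWARD -s $member -d $dc -j LOG --log-prefix \"domjoin-drop: \""
        echo "iptables -A FORWARD -s $member -d $dc -j DROP"
    done
}

# Constructed sample: one member server, two domain controllers.
gen_rules 192.0.2.10 5000 192.0.2.20 192.0.2.21
```

The LOG rule complements the packet-capture suggestion above: dropped member-to-DC packets appear with the `domjoin-drop:` prefix, including protocol and destination port.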