04-15-2009 08:34 AM - edited 02-21-2020 03:24 AM
I am attempting to get AD to cooperate from a parent domain on the outside of the ASA to a child domain on the inside of the ASA.
So far, when I first set up the child domain, all is well (assuming because the inside server is initiating the chatter), but after a little while (not sure of the time frame) AD stops syncing and I get errors on the servers about it.
04-16-2009 05:57 AM
This is just off the top of my head, but you'll need LDAP, DNS, and Kerberos opened up. If you want file browsing, you'll have to open RPC (all ports >1024) and 137-139 & 445. You have a couple of other options, though. You can use an IPsec tunnel between the two servers and/or RPC over HTTPS.
Hope that helps.
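As an added example (not any poster's config), here is how the port list above translates into an inbound ACL on the outside interface of the inner ASA, so the parent-domain DCs can open AD sessions toward the child-domain DCs instead of relying only on sessions the inside DCs start. The addresses and object names are placeholders; adjust them to the real DC addresses.

```cisco
! Added example, not from this thread. All addresses are placeholders.
! Parent (Domain1) DCs are on ASA2's outside; child (Domain1.1) DCs on its inside.
object-group network PARENT-DCS
 network-object host 10.1.0.11
 network-object host 10.1.0.12
 network-object host 10.1.0.13
object-group network CHILD-DCS
 network-object host 10.2.0.11
 network-object host 10.2.0.12
! TCP services one DC must be able to open toward another:
! 53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 139 NetBIOS session,
! 389 LDAP, 445 SMB (SYSVOL/file browsing), 3268 Global Catalog,
! 1024-65535 dynamic RPC range used by replication (the ">1024" above)
object-group service AD-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 139
 port-object eq 389
 port-object eq 445
 port-object eq 3268
 port-object range 1024 65535
! UDP services: DNS, Kerberos, NetBIOS name/datagram, LDAP ping
object-group service AD-UDP udp
 port-object eq 53
 port-object eq 88
 port-object range 137 138
 port-object eq 389
! Only the parent DCs may open these ports, and only to the child DCs;
! everything else coming in on outside is dropped and logged.
access-list OUTSIDE_IN extended permit tcp object-group PARENT-DCS object-group CHILD-DCS object-group AD-TCP
access-list OUTSIDE_IN extended permit udp object-group PARENT-DCS object-group CHILD-DCS object-group AD-UDP
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

This assumes no NAT between the two sets of DCs (with NAT, the parent DCs would resolve the child DCs' registered names to addresses they cannot reach). Because the ASA is stateful, replies to sessions the inside DCs open are already allowed; the ACL covers the sessions the parent DCs must open themselves, which is the direction that fails once replication is no longer initiated only from the inside.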
04-16-2009 06:33 AM
I will try to illustrate my setup here.
Internet----ASA1--Domain1
|
|
ASA2--Domain1.1
I'll post my configs from both ASAs later today.
04-16-2009 11:47 AM
I would recommend using an IPSEC tunnel for this if possible.
The following link shows a list of required ports:
http://technet.microsoft.com/en-us/library/bb727063.aspx
HTH
Steve
04-16-2009 11:49 AM
Nice link Steve, thanks.
04-16-2009 11:50 AM
I have attempted this, but all I get when I ping is negotiating IP security.
I think this should be working but I'm obviously missing something.
04-16-2009 11:53 AM
If you are able to, please post your configs for us to review.
Thanks
Steve
04-20-2009 08:38 AM
Here are my 2 configs.
Outside is the ASA connected to the Internet; inside is the ASA on the inside interface of the outside ASA.
There are 3 AD servers on the inside interface of the outside ASA, and there are 2 AD servers on the inside interface of the inside ASA. All 5 of these servers need to speak AD to each other.