Just installed a firewall between our main campus and satelite campus. Now my windows dc's cannot talk to eachother. Does anyone know what I need to do to pass windows active directory replications through?
By default, AD uses ports 1025 or 1026 for logon and AD replication. You may want to open these up on the firewall for these hosts.
I opened the ports 1025 and 1026 for both udp and tcp. Still having an issue with the DC's talking and replicating across this wan. Any suggestions?
You really would need to post error messages, but your problem is somewhat MS specific.
Currently, is only one DC behind a firewall? Is there a plan to get both DC behind firewalls?
Not sure exactly what you are asking. I am using a range of private ip's behind the firewall, but believe it is a PAT (port) translation. Will this work?
The dc is at the end of a WAN link and the DC at that end. Do you know if Cisco has any docs related to Cisco firewalls and Windows? I wasn't able to find any.
Last time I checked they only had a document for NT 4.0 not 2000. I got my two domain talking by opening DNS tcp/udp, port 445 tcp, and upd port 389. Also are you building a two way trust or just want to add a membe server to a domain.
Just a member domain. I opened up all the ports you meantion. Still will not see eachother or replicate. I have read that RPC may be an issue, it that it uses port 135, but responds to the cleint request with a random port number. I have modified the registry per a microsoft doc. Cannot reboot the computer until later today to see if successful or not.
Can you look this article in microsoft : Q224196
y default, Active Directory replication over RPC (Remote Procedure Calls) takes
place dynamically over an available port via the RPC Endpoint Mapper (RPCSS)
using port 135; the same as Microsoft Exchange. As with Microsoft Exchange, the
administrator may override this functionality and specify the port that all
replication traffic passes through, thereby locking the port down.
NOTE: Note that this article does not imply that replication can occur through a
firewall. For example, there are a number of ports that must be opened (for
kerberos, and so on) to make it work. If you need to do so, use Virtual Private
WARNING: Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that
problems resulting from the incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it. If
you are running Windows NT or Windows 2000, you should also update your
Emergency Repair Disk (ERD).
When connecting to an RPC endpoint, assuming the client does not know the
complete binding, which is the case with DS Replication, the RPC run-time on the
client contacts the RPC endpoint mapper (RPCSS) on the server at a well-known
port (135), and obtains the port to connect to for the service supporting
desired RPC interface.
The service registers the endpoint when it starts, and has the choice of a
dynamically assigned port or a specific port.
If you configure Active Directory to run at "port x," per the below entry, this
becomes the port that gets registered with the endpoint mapper.
Using Registry Editor, modify the following value on each domain controller where
the restricted port is to be used:
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)
Administrators should confirm that if any intermediate network devices or
software is used to filter packets between domain controllers, that
communication over the specified port is enabled.