Greetings folks,

Okay, after reviewing the attached firewall configuration KB 280132, it
appears there are two ports that MSFT AD clients use for authentication:
1025-26. Just for FYI.

One port for the Active Directory logon and directory replication interface
(universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb
and e3514235-4b06-11d1-ab04-00c04fc2dcd2). This is typically assigned port
1025 or 1026 during startup. This value is not set in the DSProxy or System
attendant (MAD) source code. Therefore, you must map the port in the
registry on any domain controllers that the Exchange 2000 computer must
contact through the firewall to process logons, and then open the port on
the firewall. 

To map the port in the registry: 
a. Start Registry Editor (Regedt32.exe). 
b. Locate the following key in the registry: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
c. On the Edit menu, click Add Value, and then add the following registry
value: 
Value Name: TCP/IP Port 
Data Type: REG_DWORD
Radix: Decimal
Value: greater than 1024 
d. Quit Registry Editor.
Make sure that the slash in "TCP/IP" is a forward slash, and that the value
that you assign is greater than 1024, in decimal format. That number is the
extra port that you have to open (TCP, UDP) on the firewall. Setting this
registry value on every domain controller inside the firewall does not
affect performance, and covers any logon request redirects that occur as a
result of servers that are down, roles that change, or bandwidth
requirements.

NOTES: 
For the server inside the firewall to communicate back through the firewall
to the external server, you also must have ports 1024 through 65535
configured for outbound communications. Computers that initiate the
communication through the firewall use a client-side port that is
dynamically assigned and cannot be configured.
Windows 2000 takes the form of a sequence of TCP/IP ping requests to the
destination server when Windows 2000 Server-based computers log on to the
domain through the firewall. Windows 2000 does this to determine whether a
client computer is gaining access to a domain controller over a slow link to
apply Group Policy or to download a roaming user profile.

Todd Myrick
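One way to audit (and, with -Fix, set) the "TCP/IP Port" value that the KB steps above describe, on a current Windows Server domain controller. This is an added example and is not part of KB 280132 or this thread; the -DesiredPort and -Fix parameter names are assumed, and Get-NetTCPConnection needs Windows Server 2012 or later.

```powershell
# Added example (not from KB 280132 or the thread): audit or set the static
# NTDS RPC port on a domain controller. Run from an elevated prompt.
# -DesiredPort is an assumed, locally chosen value; pick one greater than 1024
# that is free on every DC and is opened (TCP and UDP) on the firewall.
param(
    [int]$DesiredPort = 0,   # 0 = audit only; > 1024 = value to set with -Fix
    [switch]$Fix
)

$Key  = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'TCP/IP Port'   # forward slash, exactly as the KB spells it

# Read the current value, if any ($null when the value does not exist).
$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name

if ($null -eq $current) {
    Write-Warning "$Name is not set: NTDS will pick a dynamic RPC port (1025/1026 typical)."
} elseif ($current -le 1024) {
    Write-Warning "$Name = $current is not greater than 1024, which the KB requires."
} else {
    Write-Host "$Name = $current (static NTDS RPC port)"
    # Confirm the DC is actually listening there; the value only takes effect
    # after the directory service (in practice, the DC) has been restarted.
    $listening = Get-NetTCPConnection -State Listen -LocalPort $current -ErrorAction SilentlyContinue
    if ($listening) { Write-Host "TCP port $current is listening." }
    else { Write-Warning "TCP port $current is not listening yet; a restart may be pending." }
}

if ($Fix -and $DesiredPort -gt 1024) {
    # REG_DWORD in decimal, matching the Data Type / Radix in the KB steps.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $DesiredPort -Force | Out-Null
    Write-Host "Set $Name to $DesiredPort; restart the DC for it to take effect."
} elseif ($Fix) {
    Write-Warning "-DesiredPort must be greater than 1024."
}
```

Run it once per domain controller inside the firewall, since the KB says every DC needs the value so that logon redirects to another DC still pass the firewall.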

________________________________________
From: Myrick, Todd (NIH/CIT) 
Sent: Tuesday, April 06, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining computer to a domain... And Kpassword port 446.

Excellent Source...

This is what I wanted... 

Thanks...

Todd

________________________________________
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 06, 2004 9:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining computer to a domain... And Kpassword port
446.

This might help

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

Santhosh

________________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Monday, April 05, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Joining computer to a domain... And Kpassword port 446.

Greetings all...

I just had someone stop by my office asking what ports need to be open to
allow a machine to join a domain.  It appears these security "experts" feel
that they need to limit the communication both inbound... and outbound.
 (Don't get me started on the outbound part...)

They said that when they tried to join the computer to the domain that it
wouldn't work.  But when they turn off the outbound rule set in the high
order range, "Communication" worked.  I have several papers on firewall
configuration for AD.  But I have not found a reference that discusses what
ports are necessary to allow a machine to be "joined" to a domain.

My assumption is that it would require all the base ports... 88, 123, 54,
389, 445, but does it require any dynamic ports?  I will probably run a
packet sniffer later this week to check this out myself, but if anyone can
quickly comment, it would be appreciated.

Also,

Reading the latest Microsoft Whitepaper on Kerberos Troubleshooting, I
noticed that they listed port 446 for password resets for Kerberos V5.
In the Microsoft Firewall White Papers for AD, this port is never
mentioned.  So my question is, is it required for Microsoft Kerberos
clients, or if you are using a mixture of clients?

Thanks,

Todd  
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/