Yep, that much I knew, but thanks for clarifying here. A registry entry will allow you to use a narrow range for high ports: http://support.microsoft.com/kb/154596

Dave

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, December 01, 2010 1:14 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server) in DMZ to 2K3 DC in LAN

> RPC normally uses random ports above 1024 for specific RPC communications

Since OP was talking about 2008 R2, it's noteworthy that in 2K8 & above the RPC range (AKA RPC randomly allocated high TCP ports) is 49152-65535, not 1024-65535.

From: VIPCS [mailto:vi...@stny.rr.com]
Sent: Monday, November 29, 2010 7:57 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server) in DMZ to 2K3 DC in LAN

Sidestepping the follow-on questions of whether a domain is appropriate in the first place, port 445 seems to be missing (it is used for some RPC functions), and possibly ports 137-139 (for NetBIOS). You should do a netstat -a -b -n to see what ports are open on the internal AD server, and also check the firewall logs to see what ports are being blocked when you try to authenticate (if you have not already). RPC normally uses random ports above 1024 for specific RPC communications between client/server applications, but there are registry changes that can restrict the range of ports used.

Sincerely,
Jeffrey and Mary Jane Harris
VIPCS

________________________________
From: David Lum [mailto:david....@nwea.org]
Sent: Monday, November 29, 2010 1:09 PM
To: NT System Admin Issues
Subject: 2008 R2 RDS (was Terminal Server) in DMZ to 2K3 DC in LAN

I have a 2008 R2 server in a DMZ and I need it to authenticate with our AD, but it tells me "domain is not available". Per this article: http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx I have the following firewall rules from the DMZ server --> inbound. RADIUS is not used.

TCP/UDP 53 (DNS) --> DC's
TCP 88 (Kerberos) --> DC's
TCP 135 (RPC) --> DC's
TCP/UDP 389 (LDAP) --> DC's, RDS servers
TCP/UDP 443 (SSL) --> DC's, RDS servers
TCP/UDP 24158 (WMI) --> RDS servers * (I set this port to be fixed on the RDS servers)
TCP 3389 (RDP) --> LAN
TCP 5504 --> RDS Broker

Do I also need to have TCP > 1024 opened up? I can't log into this system via a domain account.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
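As an added example (not from any message in this thread, and not Microsoft's code), the following PowerShell script does the check the replies above recommend from the defender's side: it tests TCP reachability from the DMZ RDS host to a DC for the fixed ports in the rule list plus 445, so a blocked port shows up without guessing, and it reads the RPC port restriction from the KB 154596 registry key when run on the DC itself. The DC name `dc01.example.internal` is a placeholder; the function names `Test-TcpPort` and `Get-RpcPortRestriction` are this example's own. It uses `System.Net.Sockets.TcpClient` rather than `Test-NetConnection` so that it also runs on the PowerShell 2.0 shipped with 2008 R2.

```powershell
# Added example, not part of the thread. Run on the DMZ RDS server to test reachability
# of a DC on the fixed ports discussed in the thread. $Dc is a placeholder: replace it.
param(
    [string]$Dc = 'dc01.example.internal',   # placeholder DC name/IP, replace before use
    [int]$TimeoutMs = 2000
)

# Fixed TCP ports from the original rule list, plus 445, which the reply says was missing.
# The dynamic RPC range (random ports above 1024 on 2003; 49152-65535 on 2008 and later)
# cannot be probed this way, because nothing listens there until an RPC server binds a port.
$ports = @{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    443 = 'SSL/HTTPS'
    445 = 'SMB (not in the original rule list)'
}

function Test-TcpPort {
    # Returns $true when a TCP handshake completes within the timeout, $false otherwise.
    param([string]$Target, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }  # timed out (filtered)
        $client.EndConnect($ar)   # throws if the connection was actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RpcPortRestriction {
    # Run this on the DC. Reports the RPC port restriction from KB 154596 if one is configured:
    # HKLM\SOFTWARE\Microsoft\Rpc\Internet with Ports (REG_MULTI_SZ), PortsInternetAvailable and
    # UseInternetPorts (both REG_SZ "Y"). Returns $null when the key is absent (default range in use).
    $rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $rpcKey)) { return $null }
    $cfg = Get-ItemProperty -Path $rpcKey
    New-Object PSObject -Property @{
        Ports                  = @($cfg.Ports)
        PortsInternetAvailable = $cfg.PortsInternetAvailable
        UseInternetPorts       = $cfg.UseInternetPorts
    }
}

"Testing TCP reachability to $Dc (timeout ${TimeoutMs} ms)"
foreach ($p in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -Target $Dc -Port $p -Timeout $TimeoutMs) { 'open' } else { 'BLOCKED/closed' }
    "{0,5}/tcp  {1,-38} {2}" -f $p, $ports[$p], $state
}

$restriction = Get-RpcPortRestriction
if ($restriction -eq $null) {
    "No RPC\Internet key on this host: the default dynamic RPC range applies."
} else {
    "RPC dynamic ports restricted to: " + ($restriction.Ports -join ', ') +
    " (UseInternetPorts=" + $restriction.UseInternetPorts + ")"
}
```

A port reported as BLOCKED/closed after a timeout is usually the firewall dropping it (no RST comes back), whereas an immediate refusal means the packet reached the DC but nothing is listening there. Once the fixed ports pass, the remaining thing to verify is that the firewall permits whatever dynamic RPC range the DC actually uses, either its default range or the narrowed one `Get-RpcPortRestriction` reports when run on the DC.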