RE: [ActiveDir] Joining computer to a domain... And Kpassword port 446.

2004-04-08 Thread Myrick, Todd (NIH/CIT)
Greetings folks,

Okay, after reviewing the attached firewall configuration KB 280132, it
appears there are two ports that MSFT AD Clients use for authentication:
1025-26. Just FYI.

One port for the Active Directory logon and directory replication interface
(universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb
and e3514235-4b06-11d1-ab04-00c04fc2dcd2). This is typically assigned port
1025 or 1026 during startup. This value is not set in the DSProxy or System
attendant (MAD) source code. Therefore, you must map the port in the
registry on any domain controllers that the Exchange 2000 computer must
contact through the firewall to process logons, and then open the port on
the firewall. 

To map the port in the registry: 
a. Start Registry Editor (Regedt32.exe). 
b. Locate the following key in the registry: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
c. On the Edit menu, click Add Value, and then add the following registry
value: 
Value Name: TCP/IP Port 
Data Type: REG_DWORD
Radix: Decimal
Value: greater than 1024 
d. Quit Registry Editor.
Make sure that the slash in TCP/IP is a forward slash, and that the value
that you assign is greater than 1024, in decimal format. That number is the
extra port that you have to open (TCP, UDP) on the firewall. Setting this
registry value on every domain controller inside the firewall does not
affect performance, and covers any logon request redirects that occur as a
result of servers that are down, roles that change, or bandwidth
requirements.

NOTES: 
For the server inside the firewall to communicate back through the firewall
to the external server, you also must have ports 1024 through 65535
configured for outbound communications. Computers that initiate the
communication through the firewall use a client-side port that is
dynamically assigned and cannot be configured.
Windows 2000 takes the form of a sequence of TCP/IP ping requests to the
destination server when Windows 2000 Server-based computers log on to the
domain through the firewall. Windows 2000 does this to determine whether a
client computer is gaining access to a domain controller over a slow link to
apply Group Policy or to download a roaming user profile.

Todd Myrick


From: Myrick, Todd (NIH/CIT) 
Sent: Tuesday, April 06, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining computer to a domain... And Kpassword port 446.

Excellent Source...

This is what I wanted... 

Thanks...

Todd


From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 06, 2004 9:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining computer to a domain... And Kpassword port 446.

This might help

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

Santhosh


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Monday, April 05, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Joining computer to a domain... And Kpassword port 446.

Greetings all...

I just had someone stop by my office asking what ports need to be open to
allow a machine to join a domain.  It appears these security experts feel
that they need to limit the communication both inbound... and outbound.
 (Don't get me started on the outbound part...)

They said that when they tried to join the computer to the domain, it
wouldn't work.  But when they turned off the outbound rule set in the high
order range, communication worked.  I have several papers on firewall
configuration for AD.  But I have not found a reference that discusses what
ports are necessary to allow a machine to be joined to a domain.

My assumption is that it would require all the base ports... 88, 123, 54,
389, 445, but does it require any dynamic ports?  I will probably run a
packet sniffer later this week to check this out myself, but if anyone can
quickly comment, it would be appreciated.

Also,

Reading the latest Microsoft Whitepaper on Kerberos Troubleshooting, I
noticed that they listed port 446, for password resets for Kerberos V5. 
According to the Microsoft Firewall White Papers for AD, this port is never
mentioned.  So my question is, is it required for Microsoft Kerberos
clients, or if you are using a mixture of clients?

Thanks,

Todd  
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
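The registry mapping described in Todd's message (pinning the NTDS RPC interface to a fixed "TCP/IP Port" above 1024 so the firewall can be opened for it) is shown below as an added PowerShell example; it is not code from the thread or from the KB article. The port number 50000 is an assumption chosen for illustration, and the post-restart check assumes a modern Windows Server where Get-NetTCPConnection exists.

```powershell
# Added example, not from the thread: pin the NTDS RPC endpoint to a fixed port
# as KB 280132 describes, then verify the value and (after a restart) the listener.
# Run elevated on each domain controller inside the firewall.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'TCP/IP Port'   # forward slash, exactly as the KB requires
$Port = 50000           # assumption: a free port > 1024 agreed with the firewall team

function Set-NtdsFixedPort {
    param([int]$Port)

    # The KB requires a decimal value greater than 1024.
    if ($Port -le 1024 -or $Port -gt 65535) {
        throw "Port must be in 1025..65535 (got $Port)"
    }

    # Refuse to collide with a port some other service already listens on.
    $inUse = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object LocalPort -eq $Port
    if ($inUse) {
        throw "Port $Port is already in use by PID $($inUse.OwningProcess)"
    }

    # REG_DWORD, decimal radix: -PropertyType DWord stores it exactly that way.
    New-ItemProperty -Path $Key -Name $Name -Value $Port -PropertyType DWord -Force |
        Out-Null

    # Verify type and value rather than trusting the write.
    $item = Get-Item -Path $Key
    $kind = $item.GetValueKind($Name)
    $val  = $item.GetValue($Name)
    if ($kind -ne 'DWord' -or $val -ne $Port) {
        throw "Verification failed: $Name is $val of type $kind"
    }
    "NTDS $Name = $val ($kind). Restart the DC, then open TCP/UDP $val on the firewall."
}

function Test-NtdsFixedPort {
    param([int]$Port)

    # After the restart, lsass.exe (which hosts NTDS) should own the listener.
    $conn = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $conn) { return "Nothing is listening on $Port yet (DC not restarted?)" }
    $proc = Get-Process -Id $conn.OwningProcess
    if ($proc.ProcessName -ne 'lsass') {
        return "Port $Port is held by $($proc.ProcessName), not lsass; check the value"
    }
    "OK: lsass is listening on $Port"
}

Set-NtdsFixedPort -Port $Port
```

Run Set-NtdsFixedPort before the restart and Test-NtdsFixedPort after it; the value only takes effect once the directory service has restarted.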
