12-02-2011 07:54 AM - edited 03-11-2019 02:58 PM
We need to deploy a RODC in a perimeter network and allow replication via IPsec through our ASA from the DC. Was wondering if anyone here has done this and if so could you share with me what worked and didn't work. We are using several Microsoft documents to do this deployment but none of the documents can agree on what ports are needed to be opened on the ASA to allow this traffic through, and from which direction.
Any help or advice would be greatly appreciated. Thank you.
Jim
12-09-2011 01:32 AM
Hi,
I have been doing this exercise during this week.
I have used this document:
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx - Required communication ports
And also, required communication on 135-139 (UDP and TCP) and 80 (TCP) toward the CA.
Everything seems to be working with this setup ok.
It all has been done on one ASA (from DMZ to trusted server network).
But if you use IPSec, I suppose that IPsec is created from ASA (not from Windows server), so port requirements should be same.
Please rate if this helps.
Pavel
12-08-2011 02:01 PM
RODC as in Read-Only Domain Controller?
I see so many deployment guides on Google as well. The best thing to do is watch the logs on the ASA, look for denied packets (the access-list deny messages), and selectively open the ports that are being blocked.
http://forums.techarena.in/active-directory/1303925.htm
Enable logging on the ASA:
conf t
logging on
logging buffered 7
exit
show logging | include x.x.x.x
(where x.x.x.x is the IP address of the RODC; level 7 is debugging, so lower it again once you have what you need)
-Kureli
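To make Kureli's "watch the denies, then open only what is blocked" approach repeatable, here is an added example (not code from the thread or from Cisco) that parses ASA deny messages (%ASA-4-106023 and %ASA-6-106100) for a given RODC address, counts which destination protocol/port pairs were blocked, and prints candidate ACL lines. The sample log lines, the addresses 10.10.20.5 (RODC) and 10.0.0.10 (DC), the interface names and the ACL name dmz_in are all constructed for illustration. Ports at or above 49152 are folded into the Windows Server 2008 dynamic RPC range, which is what AD replication uses after the endpoint-mapper lookup on tcp/135; that is the one port-range assumption baked in.

```python
import re
from collections import Counter

# Windows Server 2008+ allocates dynamic RPC endpoints from 49152-65535;
# AD replication lands on one of these after the EPM lookup on tcp/135.
DYNAMIC_RPC_START = 49152

# %ASA-4-106023: Deny tcp src dmz:10.10.20.5/49321 dst inside:10.0.0.10/389 by access-group "dmz_in" [0x0, 0x0]
RE_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)
# %ASA-6-106100: access-list dmz_in denied tcp dmz/10.10.20.5(49330) -> inside/10.0.0.10(135) hit-cnt 1 ...
RE_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) '
    r'(?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> '
    r'(?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)'
)

# Constructed sample output of "show logging" (not real data); the 3389
# line from another DMZ host and the 302013 "Built" line are noise to skip.
SAMPLE_LOG = """\
Dec 08 2011 14:01:02 fw01 %ASA-4-106023: Deny tcp src dmz:10.10.20.5/49321 dst inside:10.0.0.10/389 by access-group "dmz_in" [0x0, 0x0]
Dec 08 2011 14:01:02 fw01 %ASA-4-106023: Deny tcp src dmz:10.10.20.5/49322 dst inside:10.0.0.10/389 by access-group "dmz_in" [0x0, 0x0]
Dec 08 2011 14:01:03 fw01 %ASA-4-106023: Deny udp src dmz:10.10.20.5/51000 dst inside:10.0.0.10/88 by access-group "dmz_in" [0x0, 0x0]
Dec 08 2011 14:01:05 fw01 %ASA-6-106100: access-list dmz_in denied tcp dmz/10.10.20.5(49330) -> inside/10.0.0.10(135) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Dec 08 2011 14:01:05 fw01 %ASA-6-106100: access-list dmz_in denied tcp dmz/10.10.20.5(49331) -> inside/10.0.0.10(49155) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
Dec 08 2011 14:01:06 fw01 %ASA-4-106023: Deny tcp src dmz:10.10.20.99/40000 dst inside:10.0.0.10/3389 by access-group "dmz_in" [0x0, 0x0]
Dec 08 2011 14:01:07 fw01 %ASA-6-302013: Built inbound TCP connection 1234 for dmz:10.10.20.5/49340 (10.10.20.5/49340) to inside:10.0.0.10/636 (10.0.0.10/636)
"""


def parse_denies(log_text, rodc_ip):
    """Return one dict per deny message where the RODC is source or destination."""
    denies = []
    for line in log_text.splitlines():
        m = RE_106023.search(line) or RE_106100.search(line)
        if not m or rodc_ip not in (m["src"], m["dst"]):
            continue
        denies.append({
            "proto": m["proto"].lower(), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "acl": m["acl"],
        })
    return denies


def summarize(denies):
    """Count denies per (proto, src, dst, dport) so one noisy flow is not mistaken for many."""
    return Counter((d["proto"], d["src"], d["dst"], d["dport"]) for d in denies)


def port_clause(dport):
    # Collapse dynamic RPC endpoints into the range; "eq 49155" would only
    # work until the DC hands out a different endpoint.
    if dport >= DYNAMIC_RPC_START:
        return f"range {DYNAMIC_RPC_START} 65535"
    return f"eq {dport}"


def suggest_acl(summary, acl_name):
    """Emit host-to-host ACE candidates (with a remark) for review, not for blind paste."""
    merged = Counter()
    for (proto, src, dst, dport), n in summary.items():
        merged[(proto, src, dst, port_clause(dport))] += n
    lines = []
    for (proto, src, dst, clause), n in sorted(merged.items()):
        lines.append(f"access-list {acl_name} remark RODC {src} -> DC {dst} {proto} {clause} ({n} denies logged)")
        lines.append(f"access-list {acl_name} extended permit {proto} host {src} host {dst} {clause}")
    return lines


if __name__ == "__main__":
    for line in suggest_acl(summarize(parse_denies(SAMPLE_LOG, "10.10.20.5")), "dmz_in"):
        print(line)
```

Feed it the output of `show logging | include <RODC address>` or a syslog capture, then review each candidate against the Microsoft port list before applying it: a deny that shows up once may be a probe rather than a replication dependency, and the dynamic-range line is deliberately broad, so consider pinning the replication RPC port on the DC if you want to avoid opening 49152-65535.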
12-14-2011 02:53 AM
Good work Kureli, deserves a high 5!! James, please rate the query and mark it as answered. Regards, Ankur Thukral, Community Manager: Security and VPN
12-14-2011 03:39 AM
Will do, thank you.