ACL for Join Domain Windows 2003

adul (Level 1)

My PIX has 3 interfaces. I want my web server in the DMZ to join a domain with a Windows 2003 Server in the Inside zone. Does anyone have an ACL for joining a domain? I have already read these articles, but they did not work: "Configuring PIX to Allow Remote Access to Shared Folders on NT Domain" and "Windows Networking Design Implementation Guide".

7 Replies

patrick.cannon (Level 1)

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Open the appropriate ports so the web server can see the domain controller.

khanhlq (Level 1)

Hello Adul,

Did you resolve this problem?

Can you show me how to do this?

Thanks

Khanh

UDP 53

UDP 389

TCP 445

TCP 135

TCP 139

you can try :)

Thanks Adul,

I know these ports. I opened all ports (permit ip any any) and static NATed the DNS server in the inside zone to the DMZ zone, but it still failed. Currently I have to make a tunnel between the 2 points. It is working well, but I am still trying to find another way to sync them (so the server in the DMZ can join the DNS server in the inside zone).

Do you have any ideas?

Here are the ports I allow for logging into a Win2000/2003 domain controller across a PIX (there shouldn't be any additional ports required for joining a domain):

tcp/udp 53 - for DNS (you will only need tcp 53 for zone transfers)

tcp/udp 88 - for Kerberos

tcp/udp 389 - for LDAP

tcp 135 - for DCOM (epmap)

tcp 445 - for MS Directory Services

tcp 3268 - for Global Catalog

tcp 5000-5020 - I configure each server to use this range of ports for RPC

You can do it with less than these, but it will take more configuration on each server. You generally don't want these ports exposed to the internet. Let me know if you'd like the object-groups and acls I used to deploy this.

Cheers,

Eric

Hi Eric,

I know these ports, but what I mean is that NAT should be the problem when joining the workstation to the DNS server in the Inside zone, because I permitted all traffic from inside to DMZ and to the DNS server.

Diagram:

DNS server---PIX----Outside
              |
             DMZ
              |
         Workstation

The DNS server is mapped to the DMZ and fully permitted by the ACL.

I think that the NATed packet carries wrong information to the workstation, so the workstation shows an error message like "wrong DNS or DNS address is not correct...". That is the reason why I made a tunnel between the DNS server and the workstation to be transparent, and then it can join the domain successfully.

Do you think so?

Regards

Khanh
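The following is an added example, not configuration posted by Eric, Khanh or anyone else in this thread. It puts Eric's port list into PIX 6.x object-groups and a DMZ inbound ACL, and adds the identity static that the DMZ-to-inside direction needs. All addresses, interface names and object-group names are assumptions: the domain controller is 10.1.1.5 on the inside interface, the web server is 10.1.2.10 on the dmz interface, and the PIX runs 6.2 or later (object-groups were introduced in 6.2).

```cisco
! Added example (not from the original post). Assumed addresses:
!   DC/DNS server on inside: 10.1.1.5
!   Web server on dmz:       10.1.2.10
!
! TCP ports from Eric's list. 5000-5020 is the RPC range the DC
! is assumed to have been restricted to (see usage note).
object-group service ad-tcp tcp
  port-object eq 53
  port-object eq 88
  port-object eq 135
  port-object eq 389
  port-object eq 445
  port-object eq 3268
  port-object range 5000 5020
! UDP ports from Eric's list (DNS, Kerberos, LDAP/CLDAP).
object-group service ad-udp udp
  port-object eq 53
  port-object eq 88
  port-object eq 389
!
! Identity translation: the DC is reachable from the dmz under its
! real inside address, so the addresses in DNS answers and LDAP
! referrals match what the web server can actually reach.
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255
!
! Inbound ACL on the dmz interface: only the web server, only the
! DC, only the AD ports. Everything else from the dmz is dropped.
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 object-group ad-tcp
access-list dmz_in permit udp host 10.1.2.10 host 10.1.1.5 object-group ad-udp
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

Two points from the thread drive this shape. First, the `static` is an identity mapping on purpose: if the DC were translated to a different DMZ address, the DNS A and SRV records the DC hands out would still carry its inside address, which the web server cannot reach, and the join fails with a DNS-style error of the kind Khanh describes; the identity static avoids that without any DNS rewriting. Second, the `range 5000 5020` line only works if the DC has been told to allocate RPC endpoints from that range, which is what Eric means by configuring each server; on Windows 2000/2003 that is the HKLM\SOFTWARE\Microsoft\Rpc\Internet registry key (Ports, PortsInternetAvailable, UseInternetPorts) described in Microsoft KB 154596. Without that step the endpoint mapper on TCP 135 will hand out a dynamic port above 1024 that the ACL blocks, which is the concern raised in the last reply below.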

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

I'm not sure, but RPC may use varying ports > 1024; you can check this article.