Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
702
Views
0
Helpful
9
Replies

Windows DC's cannot talk now...

admin_2
Level 3
Level 3

‎06-06-2003 11:30 AM - edited ‎03-09-2019 03:34 AM

Hell-o,

Just installed a firewall between our main campus and satelite campus. Now my windows dc's cannot talk to eachother. Does anyone know what I need to do to pass windows active directory replications through?

TIA,

Gary

Labels:
0 Helpful
9 Replies 9

ywadhavk
Cisco Employee
Cisco Employee

‎06-06-2003 12:47 PM

Hi Gary,

By default, AD uses ports 1025 or 1026 for logon and AD replication. You may want to open these up on the firewall for these hosts.

Thanks,

yatin

0 Helpful

Not applicable
In response to ywadhavk

‎06-07-2003 03:47 PM

Hello Yatin,

I opened the ports 1025 and 1026 for both udp and tcp. Still having an issue with the DC's talking and replicating across this wan. Any suggestions?

TIA,

Gary

0 Helpful

mostiguy
Level 6
Level 6
In response to

‎06-09-2003 05:30 AM

You really would need to post error messages, but your problem is somewhat MS specific.

Currently, is only one DC behind a firewall? Is there a plan to get both DC behind firewalls?

0 Helpful

mtumarinson
Level 1
Level 1
In response to mostiguy

‎06-09-2003 06:31 AM

Are you using any kind of NAT because kerberos authentication will not work.

0 Helpful

Not applicable
In response to mtumarinson

‎06-10-2003 09:02 AM

Not sure exactly what you are asking. I am using a range of private ip's behind the firewall, but believe it is a PAT (port) translation. Will this work?

0 Helpful

Not applicable
In response to mostiguy

‎06-09-2003 08:12 AM

The dc is at the end of a WAN link and the DC at that end. Do you know if Cisco has any docs related to Cisco firewalls and Windows? I wasn't able to find any.

Gary

0 Helpful

mtumarinson
Level 1
Level 1
In response to

‎06-09-2003 11:07 AM

Last time I checked they only had a document for NT 4.0 not 2000. I got my two domain talking by opening DNS tcp/udp, port 445 tcp, and upd port 389. Also are you building a two way trust or just want to add a membe server to a domain.

0 Helpful

Not applicable
In response to mtumarinson

‎06-10-2003 09:01 AM

Just a member domain. I opened up all the ports you meantion. Still will not see eachother or replicate. I have read that RPC may be an issue, it that it uses port 135, but responds to the cleint request with a random port number. I have modified the registry per a microsoft doc. Cannot reboot the computer until later today to see if successful or not.

0 Helpful

tcavdar
Level 1
Level 1
In response to

‎06-11-2003 09:36 PM

Can you look this article in microsoft : Q224196

y default, Active Directory replication over RPC (Remote Procedure Calls) takes

place dynamically over an available port via the RPC Endpoint Mapper (RPCSS)

using port 135; the same as Microsoft Exchange. As with Microsoft Exchange, the

administrator may override this functionality and specify the port that all

replication traffic passes through, thereby locking the port down.

NOTE: Note that this article does not imply that replication can occur through a

firewall. For example, there are a number of ports that must be opened (for

kerberos, and so on) to make it work. If you need to do so, use Virtual Private

Networking.

MORE INFORMATION

================

WARNING: Using Registry Editor incorrectly can cause serious problems that may

require you to reinstall your operating system. Microsoft cannot guarantee that

problems resulting from the incorrect use of Registry Editor can be solved. Use

Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and

Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete

Information in the Registry" and "Edit Registry Data" Help topics in

Regedt32.exe. Note that you should back up the registry before you edit it. If

you are running Windows NT or Windows 2000, you should also update your

Emergency Repair Disk (ERD).

When connecting to an RPC endpoint, assuming the client does not know the

complete binding, which is the case with DS Replication, the RPC run-time on the

client contacts the RPC endpoint mapper (RPCSS) on the server at a well-known

port (135), and obtains the port to connect to for the service supporting

desired RPC interface.

The service registers the endpoint when it starts, and has the choice of a

dynamically assigned port or a specific port.

If you configure Active Directory to run at "port x," per the below entry, this

becomes the port that gets registered with the endpoint mapper.

Using Registry Editor, modify the following value on each domain controller where

the restricted port is to be used:

Registry key:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\NTDS\Parameters

Registry Value: TCP/IP Port

Value Type: REG_DWORD

Value Data: (available port)

Administrators should confirm that if any intermediate network devices or

software is used to filter packets between domain controllers, that

communication over the specified port is enabled.

0 Helpful
Customers Also Viewed These Support Documents