Pheng Yang
Scenario:
I am setting up a Windows 2000 AD domain controller inside a firewall. On
the other side is the DMZ, and I want my machines in the DMZ to be able to
authenticate against the AD controller within the LAN area of the firewall.
What are the ports that are needed to allow this to work so that new
machines in the DMZ can join the domain within the LAN?
Currently, I have the following ports open from the DMZ to the LAN per the
Microsoft knowledge base article 179442:
UDP ports:
53 - DNS
88 - Kerberos
137 - NetBIOS Name
138 - NetBIOS Netlogon and Browsing
389 - LDAP
TCP ports:
42 - WINS replication
53 - DNS
88 - Kerberos
135 - RPC end point mapper
139 - NetBIOS Session
389 - LDAP
445 - SMB
636 - LDAPS
3268 - Global catalog
3269 - Secure global catalog
5000 - 5020 - RPC static ports as suggested in Microsoft knowledge base article 154596
I guess the problem I have right now is that even with the ports described
by the Microsoft knowledge base articles open, the machines I have in the DMZ
are not able to join the domain. It gives me the following error when I
attempt to join a machine in the DMZ to the domain:
The following error occurred validating the name "<domain name>".
This condition may be caused by a DNS lookup problem. For information
about troubleshooting common DNS lookup problems, please see the following
Microsoft Web site:
http://go.microsoft.com/fwlink/?LinkId=5171
The specified domain either does not exist or could not be contacted.
I know that DNS is resolving correctly, because I can perform an NSLOOKUP
successfully, and I can ping the internal AD domain controller machine by
name.
Any help would be appreciated.
Thanks in advance,
Pheng Yang
Systems Engineer
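A successful NSLOOKUP of the domain controller's host name does not show whether the DNS records a joining client actually uses are reachable from the DMZ. The following is an added example (not part of the original post and not a Microsoft tool) that sends, with only the Python standard library, the SRV query a Windows client issues to locate a domain controller, _ldap._tcp.dc._msdcs.<domain>, over UDP 53 to the DNS server named in the DMZ host's configuration, and decodes the answers; the domain name and DNS server address are placeholders you supply.

```python
import socket
import struct

def encode_name(name):
    # Wire-format DNS name: length-prefixed labels, terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_srv_query(name, txid=0x1234):
    # Header: id, flags (RD set), qdcount=1; question: name, type SRV (33), class IN.
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 33, 1)

def read_name(pkt, off):
    # Decode a possibly compressed name; return (name, offset just past it in the packet).
    labels, end = [], None
    while True:
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_srv_answers(pkt):
    # Return [(priority, weight, port, target)] for each SRV record in the answer section.
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off, records = 12, []
    for _ in range(qdcount):  # skip the echoed question(s): name + type + class
        off = read_name(pkt, off)[1] + 4
    for _ in range(ancount):
        _, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 33:
            pri, weight, port = struct.unpack(">HHH", pkt[off:off + 6])
            records.append((pri, weight, port, read_name(pkt, off + 6)[0]))
        off += rdlen
    return records

def locate_dcs(domain, dns_server, timeout=3.0):
    # Query the record a joining client uses to find a DC: _ldap._tcp.dc._msdcs.<domain>.
    # domain and dns_server are placeholders supplied by the caller (assumption, not from the post).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}"), (dns_server, 53))
        return parse_srv_answers(s.recvfrom(4096)[0])
```

An empty list or a timeout from the DMZ means the client cannot find a DC through DNS regardless of which other ports are open; when records do come back, each returned target and port (and the TCP ports listed above) can be tried with socket.create_connection((target, port), timeout=2) to confirm the firewall passes them.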