GPMC open ports to PDCe?

    Question

  • I have a single domain forest with multiple firewalls between domain controllers and network segments, with multiple versions of Windows Server, with at least one of each of 2003, 2008, 2008R2 and 2012.

    The domain is running on Windows Server 2008 in Windows Server 2003 mode.

    I have firewall rules in place that allow domain controller to domain controller replication, authentication and access - these are all working.

    One of the network tiers is a 'management tier' with a number of servers running in it. This tier has two domain controllers in it, which are up to date and working correctly, with no errors.

    I have installed the GPMC on a Windows 2012 server in this tier, and can manage group policies. What I cannot do is manage 'Windows Firewall with Advanced Security' and 'Advanced Audit Policy Configuration' - I get errors when I try to open these nodes within GPMC.

    Windows Firewall with Advanced Security fails with: an error occurred while trying to open the policy, The specified domain either does not exist or could not be contacted. Code 0c54B

    Advanced Audit Policy Configuration fails with: A severe error occurred which has caused Advanced Audit Configuration to unload. Following messages can help debug this error: The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B).

    And my question: Does GPMC need to be able to communicate with the PDCe directly itself? Or is it sufficient to only communicate with a local Domain Controller? If GPMC needs to talk to the PDCe directly, what ports does it use?

    


    • Edited by KeithDW Tuesday, August 27, 2013 4:06 PM
    Tuesday, August 27, 2013 3:57 PM

Answers

All replies

  • Hi ,

    Thank you for posting your issue in the forum.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support


    Wednesday, August 28, 2013 8:55 AM
  • By default, GPMC only talks to the PDCe. You can specify a different DC by right-clicking on the "domain" node in GPMC. But that doesn't help in all aspects - some GP elements spuriously still talk to the PDCe (that's the error you seem to encounter).

    Which Ports? The usual ones - 88, 389, 3268, 445, 135 and dynamic RPC should do the trick.


    Martin


    Thursday, August 29, 2013 10:44 AM
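
One way to check the fixed ports listed in the reply above from the GPMC host against the PDC emulator, as an added example that is not part of the original thread. `Test-TcpPort`, `$Target` and `$TimeoutMs` are names chosen here; the script uses `TcpClient` because `Test-NetConnection` does not ship with Windows Server 2012.

```powershell
# Added example (not from the thread): probe the fixed TCP ports a GPMC host
# needs toward the PDC emulator and distinguish "dropped" from "refused".
param(
    # Assumed parameter: defaults to the PDC emulator of the current domain,
    # read from whichever DC the host can already reach.
    [string]$Target = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name,
    [int]$TimeoutMs = 2000
)

# Ports as listed in the reply. Dynamic RPC ports are handed out by the
# endpoint mapper on 135, so they cannot be covered by a fixed list; compare
# the firewall rule with the RPC port range configured on the target instead.
$ports = @(
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL)' },
    @{ Port = 3268; Service = 'Global catalog (listens only if target is a GC)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout usually means a firewall drops the SYN.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (filtered?)'
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'Open'
    } catch {
        return 'Refused or error'    # RST from target/firewall, or name lookup failed
    } finally {
        $client.Close()
    }
}

$ports | ForEach-Object {
    [pscustomobject]@{
        Target  = $Target
        Port    = $_.Port
        Service = $_.Service
        Result  = Test-TcpPort -ComputerName $Target -Port $_.Port -TimeoutMs $TimeoutMs
    }
} | Format-Table -AutoSize
```

Running it once against the local DC and once against the PDCe shows which rules differ between the two paths.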
  • Hi KeithDW,

    If you want to use GPMC, please open the ports as mentioned in the article.

    Configure Firewall Port Requirements for Group Policy

    http://technet.microsoft.com/en-us/library/jj572986.aspx

    Regards,

    Mike


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, August 29, 2013 12:15 PM
  • Hi KeithDW,

    Any update?

    Regards,

    Mike



    Saturday, August 31, 2013 2:45 AM