Firewall ports for RODCs in a DMZ - A DEFINITIVE LIST
-
Tuesday, June 28, 2011 4:09 PM
Hi
I have been looking for a definitive list of ports required on a firewall between writable DCs and RODCs.
From two sources I have slightly conflicting information, but have compiled the two lists as follows: (sources are the MS document from April 2008 entitled "Active Directory Domain Services in the Perimeter Network (Windows Server 2008)" and http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx)
Here is the list:
==================================
DC --> RODC
===========
TCP 135 EPM
TCP Static 53248 FrsRpc [1]
TCP 389 LDAP

RODC --> DC
===========
TCP 49152-65535 LSASS [2]
TCP 57344 DRSUAPI, LsaRpc, NetLogonR [3]
TCP Static 53248 FrsRpc [1]
TCP 135 EPM
TCP 389 LDAP
TCP 3268 GC, LDAP
TCP 445 DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP 53 DNS
TCP 88 Kerberos
UDP 123 NTP
UDP 389 C-LDAP
UDP 53 DNS
TCP 5722 DFS-R
TCP and UDP 464 Kerberos Change/Set Password

From the key above, I have the following questions:
- [1] Are these needed? - we use DFS-R only, so I guess any NTFRS rules are not required
- [2] Is this dynamic range needed? - one source says yes, the other no
- [3] As this is within the dynamic range, is it a static-set port?
On a wider issue, if the dynamic ports are required and we wish to lock these down to one port, as the dynamic ports are those initiated FROM the RODCs, can I make the changes to define the dynamic ports ONLY on the RODCs, or do I need to do it on all DCs within the forest?
Thanks!
All Replies
-
Tuesday, June 28, 2011 8:37 PM
You won't need all the normal ports in that list, such as even GC access, but you do need to allow access from the RODC to the RWDC. Of course you'll need to allow other ports for users/apps to have access back to HQ or other sites, such as if you're using Exchange/Outlook, etc., which will then involve the GC port, TCP 3268, and the ephemeral port ranges. Here's more:
Designing RODCs in the Perimeter Network (firewall ports, too)
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196
Good discussion on RODC firewall ports:
http://forums.techarena.in/active-directory/1303925.htm
Port            Type of traffic
TCP 135         RPC, EPM
TCP static 53248  FRsRpc
TCP 389         LDAP
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
- Proposed As Answer by Arthur_Li (Microsoft Contingent Staff, Moderator), Wednesday, June 29, 2011 1:37 AM
-
Wednesday, June 29, 2011 7:59 AM
Hi Ace,
Thanks for the reply, but it doesn't really answer my questions to be honest. The first article you link is actually in my question as one of the sources of my confusion. The other articles are ones I have read, with the second one telling me about a process I know about.
My questions are:
1a. Given that one list (the article we both refer to) refers to a dynamic port range FROM the RODCs TO the WDCs while the other document I refer to does not, is it actually needed?
1b. If yes, can I use the process in link 2 (Ace's reply) ONLY on the RODCs given that the traffic will originate from them, or do I need to apply this change to all WDCs in the entire forest also?
2a. Are the NTFRS ports needed given we use entirely DFS-R?
2b. If yes, given it is written as "TCP Static 53248 - FrsRpc" and the port is within the 2008 dynamic range, does this mean it always uses this port or the article assumes the process in link 2 (Ace's reply) has been followed?
Thanks!
-
Wednesday, June 29, 2011 9:13 AM (Moderator)
For your first question, you need to follow 1b: you can restrict the dynamic ports. As far as I know, when you have completely switched to DFSR, the FRS service is not used, nor is NTFRS. You can lock down the dynamic ports to a single port.
Restricting AD replication ports in windows 2008
Regards
Awinish Vishwakarma | CHECK MY BLOG
Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.
- Proposed As Answer by Ace Fekay [MCT], MVP, Wednesday, June 29, 2011 4:26 PM
- Marked As Answer by ChadInStoke Thursday, June 30, 2011 8:13 AM
-
Wednesday, June 29, 2011 2:21 PM
Hi Awinish,
Thanks for that! Things are a little clearer now!
We have a root domain and three child domains in our forest, over a well-connected geo site.
I have left all DCs for 3 of the domains in one site, and created ChildX-WDC and ChildX-RODC sites, and placed the writable DCs for domain ChildX into the first site, and the RODCs for domain ChildX (in the DMZ) into the second site.
The links are:
- Default-First-Site-Name --> ChildX-WDC
- Child-WDC --> Child-RODC
I will specify / lock-down AD and SYSVOL (DFS-R) replication ports on all ChildX DCs (writable and RO) only. I will leave all other forest DCs to use dynamic ports.
I think / hope this covers everything! Anything I have missed, please let me know!
Thanks.
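An added example, not from the thread or the Microsoft articles it links, for checking the plan above from a ChildX RODC: it reads the KB224196 static-port registry values locally, assuming they were set identically on every ChildX DC as planned (so the local values are also the RWDC's), then probes each fixed TCP port from the RODC -> DC list towards a placeholder RWDC hostname. It assumes Test-NetConnection is available (Windows Server 2012 R2 / PowerShell 4 or later, newer than this 2011 thread).

```powershell
# Added example, not from the thread or the linked Microsoft articles.
# Run on a ChildX RODC. $Rwdc is a placeholder; replace it with your writable DC.
# Assumes the KB224196 static-port values (if any) were set identically on every
# ChildX DC, as in the plan above, so the local values are also the RWDC's.
$Rwdc = 'rwdc01.childx.example'

# 1. Static RPC ports from KB224196. If neither value is set, AD replication and
#    Netlogon RPC still use the dynamic range, so TCP 49152-65535 must stay open.
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
$ntdsPort     = $ntds.'TCP/IP Port'        # DRSUAPI / AD replication
$netlogonPort = $netlogon.'DCTcpipPort'    # Netlogon (NetLogonR)
if ($ntdsPort)     { "AD replication pinned to TCP $ntdsPort" }    else { 'AD replication uses the dynamic RPC range (49152-65535)' }
if ($netlogonPort) { "Netlogon RPC pinned to TCP $netlogonPort" } else { 'Netlogon RPC uses the dynamic RPC range (49152-65535)' }

# 2. Fixed TCP ports from the RODC -> DC list in the question. NTFRS (TCP 53248) is
#    left out because SYSVOL is replicated by DFS-R; TCP 3268 (GC) is only needed
#    if DMZ applications query the global catalog, per Ace's reply.
$tcpPorts = @(
    @{ Port = 135;  Svc = 'RPC endpoint mapper' },
    @{ Port = 389;  Svc = 'LDAP' },
    @{ Port = 445;  Svc = 'SMB / NetLogonR / SamR / LsaRpc' },
    @{ Port = 53;   Svc = 'DNS' },
    @{ Port = 88;   Svc = 'Kerberos' },
    @{ Port = 464;  Svc = 'Kerberos change/set password' },
    @{ Port = 5722; Svc = 'DFS-R (SYSVOL)' }
)
if ($ntdsPort)     { $tcpPorts += @{ Port = $ntdsPort;     Svc = 'DRSUAPI (static)' } }
if ($netlogonPort) { $tcpPorts += @{ Port = $netlogonPort; Svc = 'NetLogonR (static)' } }

# 3. Probe each TCP port from this RODC towards the RWDC and print one line per port.
foreach ($p in $tcpPorts) {
    $r = Test-NetConnection -ComputerName $Rwdc -Port $p.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    '{0,-7} TCP {1,-6} {2}' -f $state, $p.Port, $p.Svc
}
# UDP 53 / 123 / 389 / 464 cannot be verified with a TCP connect; confirm them in the
# firewall policy or with a packet capture between the RODC and the RWDC.
```

A BLOCKED result for a static DRSUAPI or NetLogonR port means the firewall rule does not match the registry value, which is exactly the mismatch question 2b is about.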
-
Thursday, June 30, 2011 5:06 AM (Moderator)
The above plan looks good to me, but as a caution I would recommend keeping an eye on the traffic between the RODC and RWDC using Netmon/Wireshark/Ethereal, just to be on the safe side.
Understanding “Read Only Domain Controller” authentication
Regards
Awinish Vishwakarma | CHECK MY BLOG
Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.