Replication through Windows Firewall, Server 2003
-
Thursday, June 21, 2012 7:18 PM
hello ,
I see a lot of technical stuff up here... but does anyone have a quick listing of the ports or other exceptions that are needed to keep replication going when the Windows Firewall is up?
thanks
All Replies
-
Thursday, June 21, 2012 7:29 PM
Hi,
You will find information about replication traffic through a firewall here:
http://support.microsoft.com/kb/555381
Regards, Thomas Paetzold. Visit my blog on: http://sus42.wordpress.com
- Proposed As Answer by Arthur_Li, Microsoft Contingent Staff, Moderator, Friday, June 22, 2012 4:50 AM
-
Thursday, June 21, 2012 8:01 PM
Hello,
Which kind of replication are you talking about? For Active Directory, the minimum is http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
For other services and network ports see http://support.microsoft.com/kb/832017
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Proposed As Answer by Arthur_Li, Microsoft Contingent Staff, Moderator, Friday, June 22, 2012 4:50 AM
-
Thursday, June 21, 2012 8:08 PM
Yes, Active Directory.
Thanks, Mr Weber
-
Friday, June 22, 2012 2:12 PM
Meinolf,
I have added all the ports listed in the document your first link points to. Some of them, when adding, explained they could not be added, possibly since they were already in there.
I added these and then enabled the firewall on the (backup) domain controller (Server 2003 R2 SP2). I had 2 problems originally when turning the FW on:
replication would stop, explaining "no end points from mapper", and DHCP clients would no longer get requested DHCP leases.
After adding all the listed ports... DHCP server is working fine but replication is having problems.
When I run replmon, my primary DC is listed first and this server (DC #2) is listed 2nd. The first entry states the mapper error but the rest (config/schema/DNS zones/Forest DNS zones) are all OK.
The second "section" for this DC#2: all 5 items have the BANG on them (yellow circle with exclamation point) and there is no "stuff" displayed at all if you click on one of them.
-
Friday, June 22, 2012 3:18 PM
Also, when I have the FW up (and then I get the endpoint mapper errors)
I also run dcdiag and all tests pass (even one called replication).
I also do have the FW logs but can't begin to analyse those :(
-
Monday, June 25, 2012 6:39 AM
Hello,
please upload the following files for a better overview:
ipconfig /all >c:\ipconfig.txt [all DCs]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
As the output will become large, DON'T post them into the thread; please use Windows SkyDrive (with open access!) http://explore.live.com/windows-live-skydrive and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Monday, June 25, 2012 5:32 PM
Here's the URL:
https://skydrive.live.com/#cid=BD95D9F727CB8E30&id=BD95D9F727CB8E30%21120
ipconfig1 = main DC
ipconfig2 = backup DC. This is the one that, if I put the firewall on, replication fails (I have the FW off on DC1, intending to learn from this issue with DC2 before I turn the FW on DC1 back on).
Thanks, let me know if you need me to do more stuff.
-
Monday, June 25, 2012 6:04 PM
Hello,
As you use HP teaming, please assure that the configuration is made for failover and NOT for load balancing, as this is NOT supported by Microsoft.
What machines are the forwarders 192.168.1.21, 192.168.1.22 and 192.168.100.2? Are they domain DNS servers? Normally you should use either the root hints or the ISP's DNS server as forwarders.
Is your domain a child domain, and are the used forwarders from the root domain?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Monday, June 25, 2012 6:20 PM
I am going to dissolve the team... there is no real value to it at this point, and once again I have found little support out there for the configuration...
The forwarders... they are DNS servers in other domains I connect to (trusts stuff).
-
Tuesday, June 26, 2012 5:37 PM
OK, the HP adapter team has been dissolved on Server #1.
I turned the firewall back on on server #2.
Still get the "no end points" error.
I am off to do more "no end point" research.
-
Tuesday, June 26, 2012 5:38 PM
This may be why so many folks don't turn the FW on on their servers...
-
Friday, June 29, 2012 11:19 AM
Meinolf,
Did you get my link to my SkyDrive folder?
-
Friday, June 29, 2012 4:31 PM
Hello,
We and lots of others have no problems with enabled firewalls on the DCs; they replicate fine, so please assure the connectivity. PortQry should help you or your firewall guys to verify: http://www.microsoft.com/en-us/download/details.aspx?id=17148
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Monday, July 02, 2012 7:34 AM (Moderator)
Hi,
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Arthur Li
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li
TechNet Community Support
-
Monday, July 02, 2012 11:09 AM
Well, I do not know where to go from here... I still have the problem.
When the firewall is on (on my backup domain controller) AD will not replicate:
"there are no more end points from the end point mapper"
I was able to get my DHCP service to operate correctly when I turn the FW on by adding port exceptions to the FW... and while I was at it, I also added a ton of other exceptions that are listed in that "setting firewalls up on Domain controllers" document... but AD will still not replicate when the FW is on.
-
Tuesday, July 03, 2012 1:04 PM
OK, I ran PQ from the DC to the backup DC
with firewall ON:
IP address resolved to ml350g5bpm
querying...
TCP port 389 (ldap service): FILTERED
UDP port 389 (unknown service): LISTENING or FILTERED
Using ephemeral source port
Sending LDAP query to UDP port 389...LDAP query to port 389 failed
Server did not respond to LDAP query
portqry.exe -n 192.168.50.48 -e 389 -p BOTH exits with return code 0x00000001.
-
Tuesday, July 03, 2012 5:00 PM
Hi,
any updates? If your question is answered, it would be nice if you mark it accordingly, because this may help others who have got the same or a similar question.
Thanks a lot in advance
Kind regards
Thomas
Regards, Thomas Paetzold. Visit my blog on: http://sus42.wordpress.com
-
Tuesday, July 03, 2012 5:16 PM
No change... still have the problem... I know to mark answers.
-
Thursday, July 05, 2012 4:58 PM
Hi Meinolf,
Not sure if I have narrowed anything down to a level where troubleshooting can begin.
In replmon I did the generate report (with the firewall on DC#2 up) and when I got to the stanza that listed the no endpoint error, it listed Transport = Intra-site RPC.
So I was reading up on AD replication (the amount of detail on just about any aspect of Windows Servers is amazing, ya know, like what is KCC and what does it do, and what is ISTG and so on). For someone like me that is tasked to "do it all" (build servers, run cabling, load servers and do all that same stuff at the workstation level, run a help desk for end user application support, and also be a perimeter guy running SonicWall appliances and also Exchange mgr), I can't seem to dive all the way into any one discipline to the point of gaining more than a cursory understanding of all these details.
Anyhow, I then ran PortQry on port 135 for both TCP and UDP. TCP all looks good...
but from each server there look like UDP problems, each with the epmap service.
OK, so I have the FW on DC #2 up. When I query UDP 135 from here to my #1 DC (no FW) I get
UDP PORT 135 NOT LISTENING
When I reverse this and query UDP 135 from my #1 DC to #2 (whose FW is up) I get
UDP port 135 (epmap service): LISTENING or FILTERED
Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:RPC Endpoint Mapper did not respond
UDP port 135 is FILTERED
Anything here to go on??
thanks
-
Thursday, July 05, 2012 5:20 PM
Well, I am shooting in the dark... I disabled the firewall, so now as usual replication works.
While the FW on DC#2 was down I ran PortQry from both ends again and now they both say UDP port 135 NOT LISTENING, but like I say, replication works.
If I was to stay on this lead... it would imply that if UDP 135 is not listening then all will work... but if the FW is up on DC #2 then UDP 135 is tagged as "Listening or filtered" and then the replication fails.
-
Wednesday, July 11, 2012 8:08 AM
Hi Daniel,
Here is my analysis about the issue:
1. Only TCP 135 (RPC protocol) should be listening. No protocol uses UDP 135, so UDP 135 should not be listening. It is normal that UDP 135 is not listening. It doesn't mean that UDP 135 not listening leads the AD replication to succeed.
2. When the status is FILTERED, it means the packets are blocked by the Windows Firewall or any other firewall. It seems that both TCP and UDP 389 are blocked by the Windows Firewall based on your information. Please add rules in Windows Firewall to ensure that TCP 389 and UDP 389 are allowed.
Best Regards
Scott Xie
-
Wednesday, July 11, 2012 7:34 PM
I have both TCP and UDP port 389 on the FW exception list (on DC #2).
If (from DC #2) I query UDP port 389 (with FW on), leaving the default 127.0.0.1 host in there, I get "not listening".
If I put the IP address of DC#2 in (not using local loopback 127.0.0.1) then I get LISTENING.
TCP port queries give me the LDAP paragraph... I assume that port is listening/working OK.
If I go to DC #1 (primary DC and replication partner) and query UDP 389 on DC#2 it says "listening".
Whaddaya think about that?
-
Wednesday, July 11, 2012 7:52 PM
I get the same PortQry results on UDP port 389 whether the FW is on or off...
No matter what, I can't replicate when the FW is on: no more endpoints.
-
Friday, July 13, 2012 7:56 AM
Hi,
It seems the replication issue is not caused by port 389. To further troubleshoot the issue, I suggest that you enable the firewall log on the server. From the firewall log we can check if a firewall rule blocks the concerning network traffic:
a. On the concerning server, click "Start"->"Run", type "gpedit.msc", press Enter.
b. In the "Local Group Policy Editor" window, in the left panel, navigate to: "Computer Configuration/Windows Settings/Security Settings".
c. Expand "Windows Firewall with Advanced Security", click "Windows Firewall with Advanced Security – Local Group Policy Object".
d. In the right panel, click "Windows Firewall Properties".
e. In the newly opened window, on the "Domain Profile" tab, in the "Logging" section, click "Customize".
f. In the "Customize Logging Settings for the Domain Profile" window, uncheck the two "Not configured" checkboxes. Set "Log dropped packets" to "Yes". Click "OK".
g. Use step e - step f to enable "Log dropped packets" on the "Private Profile" and "Public Profile" tabs. Click "OK".
Best Regards
Scott Xie
-
Friday, July 13, 2012 1:31 PM
The FW on DC#2 is set to log... I am not sure if I would still need to do the GP procedure you outlined or if the existing pfirewall.log file is good enough.
I have uploaded that file to my quickdoc folder on SkyDrive:
https://skydrive.live.com/?cid=BD95D9F727CB8E30&id=BD95D9F727CB8E30%21120
Let me know if this is OK.
Thanks for sticking with me on this issue.
-
Monday, July 16, 2012 7:39 AM
Hi Daniel,
You are welcome. Yes, the pfirewall.log file is enough. I have checked the file you uploaded. I find there are many dropped packets whose port is TCP 1025. Please refer to the following link:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;179442
Since your DC is windows server 2003, the following dynamic ports need to be opened:
Client Port(s) Server Port(s)
1024-65535/TCP 1024-65535/TCP
Please ensure these dynamic ports have been opened.
Best Regards
Scott Xie
- Marked As Answer by DanielDeCoursey, Monday, July 16, 2012 11:12 AM
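The kind of pfirewall.log triage described in the post above (grouping DROP entries by destination port and spotting the ones in the RPC dynamic range), written out as an added Python example; it is not code from the thread or from Microsoft, the sample log lines are constructed, and the 1024-65535 range is the Server 2003 figure quoted from KB 179442 in the post:

```python
# Added example (not from the thread): summarise dropped packets in a Windows
# Firewall pfirewall.log, grouping DROP lines by protocol and destination port
# and flagging hits in the RPC dynamic range (1024-65535 on Server 2003, per
# the KB 179442 figure quoted in the thread).
from collections import Counter

RPC_DYNAMIC = range(1024, 65536)   # Server 2003 RPC dynamic port range (KB 179442)

# Constructed sample log in the W3C format Windows Firewall writes. The column
# names come from the "#Fields:" header, so a real log parses the same way.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2012-07-13 09:00:01 OPEN TCP 192.168.50.10 192.168.50.48 1076 389 - - - - - - - -
2012-07-13 09:00:02 DROP TCP 192.168.50.10 192.168.50.48 1077 1025 48 S 3161942016 0 65535 - - -
2012-07-13 09:00:02 DROP TCP 192.168.50.10 192.168.50.48 1078 1025 48 S 3161942017 0 65535 - - -
2012-07-13 09:00:05 DROP UDP 192.168.50.77 192.168.50.48 68 67 328 - - - - - - -
2012-07-13 09:00:06 OPEN TCP 192.168.50.10 192.168.50.48 1079 135 - - - - - - - -
"""

def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) < len(fields):
            continue   # no header yet or truncated entry: skip rather than guess
        yield dict(zip(fields, values))

def dropped_by_port(text):
    """Count DROP entries per (protocol, destination port)."""
    counts = Counter()
    for entry in parse_firewall_log(text):
        if entry["action"] == "DROP" and entry["dst-port"].isdigit():
            counts[(entry["protocol"], int(entry["dst-port"]))] += 1
    return counts

def rpc_dynamic_drops(text):
    """Return {(proto, port): count} for TCP drops inside the RPC dynamic range."""
    return {k: v for k, v in dropped_by_port(text).items()
            if k[0] == "TCP" and k[1] in RPC_DYNAMIC}

if __name__ == "__main__":
    flagged = rpc_dynamic_drops(SAMPLE_LOG)
    for (proto, port), n in sorted(dropped_by_port(SAMPLE_LOG).items()):
        note = "  <- RPC dynamic range" if (proto, port) in flagged else ""
        print(f"{proto} {port}: {n} dropped{note}")
```

Point it at a real C:\WINDOWS\pfirewall.log by reading the file into a string; the UDP 67 drop in the sample shows why DHCP also broke before its exceptions were added.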
-
Monday, July 16, 2012 11:18 AM
I had to use one of my complimentary support calls to Microsoft... they indicated the same answer...
The key factor here is that I am on Server 2003, which has these dynamic ports blocked by default.
Microsoft DOES NOT RECOMMEND assigning RPC to a specific port; some of the documents I was referred to seem to allude to this...
Maybe I am one of the last still operating on Server 2003 and this detail (dynamic ports blocked) must be very obscure.
On the plus side, I know much more about DC firewalls and some of the associated tools used to troubleshoot... thanks to all.
-
Monday, July 16, 2012 8:04 PM
Well well well....
I thought I would get a lesson on how to add this port range... but NO!! The official MS standpoint is this is not recommended on Server 2003 domain controller platforms. They showed me a TechNet doc:
http://support.microsoft.com/kb/555381
and they are refunding my support call since they say it is a Microsoft problem and admit there should be more supportive info on it so folks like me (idiots) can get educated on the issue.
Let me know what you think about their stance on this.
Thanks
-
Monday, July 16, 2012 8:08 PM
Meinolf, please see my final reply way down below... sorry to have been chewing up everyone's time... if I ever thought this was an activity Microsoft really did not support completely I would never have gone down this path.
I appreciate everyone's help even if it was fruitless for me.