Ports between RODC and member servers in same DMZ

    Question

  • Experts,

    We need to open ports from RODCs to member servers within the same DMZ. I was reading this article https://technet.microsoft.com/en-us/library/dd728028(v=ws.10).aspx#secure_rodc_comm and it mentions TCP dynamic ports.

    Is there a way to restrict this to one or a few high-end RPC ports between RODCs and member servers? If yes, how?

    Also, will it affect any replication between RODCs and DCs in the internal network?


    • Edited by Helpful guy Wednesday, May 3, 2017 2:30 PM clarify
    Wednesday, May 3, 2017 2:13 PM

All replies

  • Hi,

    Yes, it is possible to open up specific RPC ports between the RODC and the member server; however, you will have to allow the same port range through the firewall to allow communication with the writeable DC.

    https://support.microsoft.com/en-gb/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port

    Another article you can have a look at is this one:

    https://support.microsoft.com/en-gb/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

    You can use the old Netmon or Message Analyzer, and the PortQry utility, to check the traffic if you hit any issues.

    Hope this helps.


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Wednesday, May 3, 2017 2:30 PM
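    As an added example (not part of the thread's replies, and not Microsoft's own script), the registry values that KB 224196 describes can be set with PowerShell on each DC and RODC, together with inbound firewall rules that admit only the endpoint mapper and the pinned ports from the member-server subnet. The port numbers 50000/50001 and the subnet 10.10.20.0/24 are placeholders; choose unused ports outside the ephemeral range in your own environment, and apply the same values on the writeable DCs so replication through the internal firewall uses the same ports.

```powershell
# Added example: pin AD replication RPC and Netlogon RPC to fixed ports (KB 224196)
# and allow only those ports inbound from the DMZ member servers.
# Assumptions (placeholders): ports 50000/50001, member-server subnet 10.10.20.0/24.
# Run elevated on each DC/RODC; the registry values take effect after a restart.

$NtdsPort     = 50000            # replication listener, value name 'TCP/IP Port'
$NetlogonPort = 50001            # Netlogon listener, value name 'DCTcpipPort'
$MemberSubnet = '10.10.20.0/24'  # DMZ member servers that talk to the RODC

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Show the current values first so the change is reviewable before it is applied
Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -ErrorAction SilentlyContinue
Get-ItemProperty -Path $nlKey   -Name 'DCTcpipPort' -ErrorAction SilentlyContinue

# Both values are REG_DWORD; -Force overwrites an existing value
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort     -Force | Out-Null
New-ItemProperty -Path $nlKey   -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null

# Firewall: clients still contact the RPC endpoint mapper (TCP 135) to learn the
# listener port, so 135 plus the two pinned ports are allowed, and only from the
# member-server subnet. Nothing else from the DMZ is opened here.
$rules = @(
    @{ Name = 'AD RPC endpoint mapper from DMZ members';     Port = 135 },
    @{ Name = 'AD replication RPC (pinned) from DMZ members'; Port = $NtdsPort },
    @{ Name = 'Netlogon RPC (pinned) from DMZ members';       Port = $NetlogonPort }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $MemberSubnet -Action Allow -Profile Domain | Out-Null
    }
}

# After the restart, confirm the listeners are bound where expected
Get-NetTCPConnection -State Listen -LocalPort $NtdsPort, $NetlogonPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# From a member server, check reachability of the pinned port (Test-NetConnection
# stands in for PortQry here; host name is a placeholder)
# Test-NetConnection -ComputerName rodc01.corp.example -Port 50000
```

Only the inbound rules on the DC side are shown; the perimeter firewall between the DMZ and the internal network needs the matching allow for 135 and the two pinned ports toward the writeable DCs, which is the point the reply above makes.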
  • Sorry, forgot to ask: do you have a reason that member servers are in the DMZ? This should be reviewed, as this zone is internet facing and can cause security issues if exposed to the Internet.

    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Wednesday, May 3, 2017 2:33 PM
  • These are servers for internet-facing applications and need to be in the domain.
    Wednesday, May 3, 2017 2:39 PM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, June 2, 2017 9:24 AM
    Moderator