none
Ports necessary for password sync to a secondary AD forest RRS feed

  • Question

  • Dear All,

    I have external AD forests I need to synchronize passwords to (from a primary internal forest).  What are the ports that are absolutely necessary from the Sync Server for this?  I am using the ADMA agent  (importing and joining the users and syncing  passwords).  

    Is there a way to do this just via LDAPS port? Perhaps using ADLDS Agent?  

    Please comment?



    • Edited by UNDPMSDN Wednesday, October 2, 2013 8:42 PM
    Wednesday, October 2, 2013 8:19 PM

All replies

  • Hello,

    you can not use the LDS Agent on an AD DS since there are some differences.

    Here is an Overview of Ports in the documentation.
    You need to open Firewall for normal MA operation and the RPC communication for password sync.

    Hope that helps.

    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com


    • Edited by Peter_Stapf Thursday, October 3, 2013 8:07 AM
    Thursday, October 3, 2013 8:05 AM
  • Thanks. I was hoping if there is a way to do this just using LDAP (which is why I mentioned LDS agent).

    1. Import / delta import from the external forest (this forest has just one domain).

    2. Sync/delta sync to MV

    3. Enable password synchronization to the external forest.

    ---

    FYI:
    I have a specific requirement from my network guys which is why I do not want to open all the ports mentioned in the doc.


    • Edited by UNDPMSDN Thursday, October 3, 2013 2:26 PM
    Thursday, October 3, 2013 2:25 PM
  • Hello,

    i think you dont need all of the ports in the documentation, but i never had this scenarion by myself, or the open all ports when i have it.

    So you need at least Ports for LDAP, GC, Kerberos, and the TCP/UDP 464 for PW Changes.
    Maybe you need more but i think the above is minimum, not quite sure at the moment.

    Try only the SSL Ports first, so the list goes like this:

    TCP 636 (LDAP over SSL)

    TCP 3269 (GC SSL)

    TCP/UDP 88 (Kerberos)

    TCP/UDP 464 (Kerberos Change/Set Password)

    Thats the minimum i guess.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Thursday, October 3, 2013 4:51 PM