Unable to join AD domain from DMZ network

Hi,

We are running Windows 2003 AD Domain and now like to allow user account
authentication from DMZ to 2003 AD internal network. However, when we try to
join AD domain from the server in DMZ. We got an error message 'The RPC
Server is unavailable". I worked with the network guy and for testing
purpose, he allowed any traffic between DMZ to the internal network and no
traffic was being denied. So, we moved forwared to next troublshooting step
for setting up Ethernal and captured traffic from the server in DMZ when
tried to join AD domain. We found one error in the Ethernal capture log shown
here "384 136.20396 153.178.23.22 192.35.46.81 SAMR GetUserPwInfo
response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED". This was only
happend between the DMZ to our internal network. I am able to join AD domain
with any clients if it is in internal network. And also, I performed Netstat
from the server in DMZ. I can see that LDAP, Netbios-ssn was established but
EPMAP was failted to established. I googled it and EPMAP is doing netbios in
port 135 but I confirmed with the network guy that was being allowed and no
denied shown in sys log. One more thing i also like to mention is that the
DMZ is in different subnet as you see in the above error "192.35.x.x" than
the internal network "153.178.x.x". Would that be causing any problem when
DMZ and the internal are in two different subnet when trying to join domain?
Any suggestion would be very appreciated?

PS. I was able to ping or \\server to access domain controller or share from
the server in DMZ. I also checked the event viewer but no error found.

Thanks.
Mugen

Why would you want to do that? I've only seen few environments where
this is necessary. Only think of the security - you're basically putting
a DC (with the "keys to your castle") into a zone it can be accessed
from outsiders and the internet. That's a no-go.

What are you trying to do, really? Note the requirements down and see
whether you can't do it with ADAM (now AD-LDS) or ADFS. Putting a DC
into the DMZ is not a good idea in general.

[dkumar]

Use PortQueryUI.. U will have better Idea.

Kidding.. Ask ur netwok team to open All ports from Untrust to TRUST :)

Not sure what idea is the more kidding one..

F.
--

I would suggest you temp move the box internally and verify that it will
work, even though your network dude said he is allowing all traffic through
I'm guessing he wasn't allowing high ports. RPC needs a high port to work
unless you lock it down to a specific port.

I have an article on DC replication and port usage which can give you a
general idea on what is happening. You should review it and maybe it will
give you some new ideas to try.

I did not setup another DC in DMZ. Our DCs is in internal network. Instead
of setting up standalone workgroup account database for the server in DMZ, I
want to have the server in DMZ able to join the AD Domain from our internal
network for account authentication.

We just allowed traffic between Server ------ AD DC for testing pupose.

Hi Paul,

Thanks for your advice. We already found a document about ports need to be
opened in firewall. And I don't think the firewall is blocking anything
becausee nothing is being denied when we checked the syslog. We use Ethernal
the captured traffic between the server in DMZ to the DC from internal
network. Both are talking as we saw in the capture log but somehow the DC not
allow the machine to join domain. Another thing I found out from Active
Directory users and computers was , the server from the DMZ registered the
computer account but is in disabled status. The server from the DMZ is
talking to the DC and trying to join the domain and have computer account
there with disabled status.

Thanks.

so did you try moving inside and testing to see if you could join it? Do
you have on the firewall on the server itself?

--
Paul Bergson

I did not move to inside but I tried my other laptop running XP from the DMZ
and still getting the exact same problem. I turned off firewall on all
client machine.

To me that points to something outside the machine (Firewall most likely
culprit)

I would move inside to test, I'm betting it works if moved inside.

--
Paul Bergson

Just had another thought what about your routes? Do you have those defined
properly so the external machine can get internally or is this handled via
the network goons?

--
Paul Bergson
MVP - Directory Services

It fixed. It was the RDC Dynamic high port blocking the traffic. Thanks
everyone!

[dannykor]

Well, I’m running the same situation. DC 2008 r2 enterprise in the internal, subnet 10.1.2.0/24. Exchange server in the DMZ on subnet 192.168.10.0/24.
All ports and FW roles setup in accordance with Microsoft recommendation.
Can ping both ways from/to DC to Exchange server. When trying to join the Exchange server to the domain, get message "Network path was not found"
Any ideas?

Thanks,

Danny.

[Expertz]

Quote:

Originally Posted by dannykor

Well, I’m running the same situation. DC 2008 r2 enterprise in the internal, subnet 10.1.2.0/24. Exchange server in the DMZ on subnet 192.168.10.0/24.
All ports and FW roles setup in accordance with Microsoft recommendation.
Can ping both ways from/to DC to Exchange server. When trying to join the Exchange server to the domain, get message "Network path was not found"
Any ideas?

Thanks,

Danny.

First of all you will have to make it sure that your Dns is configured properly and verify your SRV records. After that try disabling the firewall and Antivirus Application for a while on the Windows 2008 server and try. After that perform a Dcdiag and see if you find and errors, if at all you are not able to troubleshoot please post the dcdiag results we will help you. If the above solutions doesnt helps try a clean boot.