Tags: 2003, firewall, join
#1
Could not join domain after Windows Server 2003 R2 Firewall is ON

Dear All,

I have tried to turn on the following ports at the Firewall, but still my XP Client couldn't connect to the database.

TCP port 42 (nameserver service)
TCP port 53 (domain service)
TCP port 88 (kerberos service)
TCP port 135 (epmap service)
UDP port 137 (netbios-ns service)
UDP port 138 (netbios-dgm service)
TCP port 139 (netbios-ssn service)
TCP port 389 (ldap service)
TCP port 445 (microsoft-ds service)
TCP port 636 (ldaps service)
TCP port 3268
TCP port 3269

Are there any other ports that I should open?

Thanks.

Regards,
Hong Jin
|
#2
Re: Could not join domain after Windows Server 2003 R2 Firewall is ON

"Hong Jin" <HongJin@discussions.microsoft.com> wrote in message news:F3382996-DEC2-460E-BF6E-D6A5FD97EBE8@microsoft.com...
> Dear All,
>
> I have tried to turn on the following ports at the Firewall, but still my XP Client couldn't connect to the database.
>
> TCP port 42 (nameserver service)
> TCP port 53 (domain service)
> TCP port 88 (kerberos service)
> TCP port 135 (epmap service)
> UDP port 137 (netbios-ns service)
> UDP port 138 (netbios-dgm service)
> TCP port 139 (netbios-ssn service)
> TCP port 389 (ldap service)
> TCP port 445 (microsoft-ds service)
> TCP port 636 (ldaps service)
> TCP port 3268
> TCP port 3269
>
> Are there any other ports that I should open?
> Thanks.
>
> Regards,
> Hong Jin

Hello Hong Jin,

You missed a few, such as UDP 42, 53, 88, 389, 445, 3268, 3269.

You will also need to open the ephemeral response ports (random service ports) all Windows machines use, TCP & UDP 1024 - 65535 (see KB179442 below), but for Vista and Windows 2008 it's different. Their default start port is UDP 49152, and the default end port is UDP 65535 (see KB899148 below).

Curious, why swiss-cheese your firewall? You may as well leave it wide open instead of opening all these ports.

The following articles should help guide you to open the required ports.

====================================================================

Active Directory Firewall ports

Active Directory Replication over Firewalls, Jan 31, 2006. Active Directory relies on remote procedure call (RPC)
http://technet.microsoft.com/en-us/l.../bb727063.aspx

How to configure a firewall for domains and trusts
http://support.microsoft.com/?id=179442

Configuring an Intranet Firewall, Apr 14, 2006. Protocol ports required for the intranet firewall. Ports required for Active Directory and Kerberos communications
http://technet.microsoft.com/en-us/l.../bb125069.aspx

Active Directory and Firewall Ports - I found it hard to find a definitive list on the internet for what ports needed opening for Active Directory to replicate between Firewalls. ...
http://geekswithblogs.net/TSCustomis...09/112357.aspx

Default ephemeral ports are 1024-5000, but can be changed. In Vista and Windows 2008, the default start port is 49152, and the default end port is 65535. Quoted from the link below:

"To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000."

I know the one is MaxUserPort, but not sure of the low end. I would test and monitor trying "LowUserPort" or "MinUserPort." But whether you know the low end key or not, you can set it with the netsh command. See this for more info:

The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/?kbid=929851

Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers (This one also relates to the Checkpoint issue documented below.)
http://support.microsoft.com/default.aspx/kb/899148

---

Checkpoint Firewall and AD Communications and Replication

Checkpoint firewalls have a known issue if you are running R55 or older. You will need to make a registry entry to allow traffic to flow between the 2 sites via the VPN. The preferred solution is to upgrade the Checkpoint firewall.

More info:
Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
http://support.microsoft.com/default.aspx/kb/899148

For Windows 2003 R2 and non-R2 remote domain controllers we added the Server2003NegotiateDisable entry in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc

====================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
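Taking Ace's "why swiss-cheese your firewall?" objection as a design constraint, the following is an added example (not Ace's or the thread's own script) for a Windows Server 2003 SP1/R2 domain controller: it opens the TCP and UDP ports named in this thread with netsh firewall, but restricts every exception to an assumed client subnet, 192.168.10.0/24, instead of to any address, so the DC's firewall still blocks everything else.

```batch
@echo off
rem Added example, not from this thread or its posters: open the AD ports
rem Ace lists on a Windows Server 2003 SP1/R2 DC with "netsh firewall", but
rem scope every opening to the client subnet (scope=CUSTOM) rather than to
rem any address, which answers the "swiss cheese" objection. 192.168.10.0/24
rem is an assumed client subnet; replace it with your own.
setlocal
set CLIENTS=192.168.10.0/24

rem DNS, Kerberos, LDAP, SMB, global catalog and WINS need TCP and UDP
rem (Hong's TCP list plus the UDP ports Ace added).
for %%P in (42 53 88 389 445 3268 3269) do (
    netsh firewall add portopening protocol=TCP port=%%P name="AD TCP %%P" mode=ENABLE scope=CUSTOM addresses=%CLIENTS% profile=ALL
    netsh firewall add portopening protocol=UDP port=%%P name="AD UDP %%P" mode=ENABLE scope=CUSTOM addresses=%CLIENTS% profile=ALL
)

rem TCP only: RPC endpoint mapper (135), NetBIOS session (139), LDAPS (636).
for %%P in (135 139 636) do (
    netsh firewall add portopening protocol=TCP port=%%P name="AD TCP %%P" mode=ENABLE scope=CUSTOM addresses=%CLIENTS% profile=ALL
)

rem UDP only: NetBIOS name (137) and datagram (138) services.
for %%P in (137 138) do (
    netsh firewall add portopening protocol=UDP port=%%P name="AD UDP %%P" mode=ENABLE scope=CUSTOM addresses=%CLIENTS% profile=ALL
)

rem "add portopening" takes one port at a time, so the RPC dynamic range is
rem not opened here; KB179442 (linked above) describes restricting that range
rem to a fixed set of ports instead of opening thousands of them.

rem Confirm the firewall is still ON and review the resulting exceptions.
netsh firewall show state
netsh firewall show portopening
endlocal
```

Run it as a local administrator on the DC; the two show commands at the end let you verify that the firewall stayed enabled and that each exception carries the subnet scope rather than ANY.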
|
#3
Re: Could not join domain after Windows Server 2003 R2 Firewall is ON

Hello Hong,

Yes, there are some others. But why use the firewall inside the domain?

See these articles about the ports that need to be open when using AD:
http://support.microsoft.com/kb/555381
http://support.microsoft.com/kb/179442/

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Dear All,
>
> I have tried to turn on the following ports at the Firewall, but still my XP Client couldn't connect to the database.
>
> TCP port 42 (nameserver service)
> TCP port 53 (domain service)
> TCP port 88 (kerberos service)
> TCP port 135 (epmap service)
> UDP port 137 (netbios-ns service)
> UDP port 138 (netbios-dgm service)
> TCP port 139 (netbios-ssn service)
> TCP port 389 (ldap service)
> TCP port 445 (microsoft-ds service)
> TCP port 636 (ldaps service)
> TCP port 3268
> TCP port 3269
>
> Are there any other ports that I should open?
> Thanks.
> Regards,
> Hong Jin
|
#4
Re: Could not join domain after Windows Server 2003 R2 Firewall is ON

Disable the firewall and forget it. By the time you open everything required for domain usage there really isn't anything left protected. So turn off the firewall and forget it.

--
Phillip Windell
www.wandtv.com

The views expressed are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"Hong Jin" <HongJin@discussions.microsoft.com> wrote in message news:F3382996-DEC2-460E-BF6E-D6A5FD97EBE8@microsoft.com...
> Dear All,
>
> I have tried to turn on the following ports at the Firewall, but still my XP Client couldn't connect to the database.
>
> TCP port 42 (nameserver service)
> TCP port 53 (domain service)
> TCP port 88 (kerberos service)
> TCP port 135 (epmap service)
> UDP port 137 (netbios-ns service)
> UDP port 138 (netbios-dgm service)
> TCP port 139 (netbios-ssn service)
> TCP port 389 (ldap service)
> TCP port 445 (microsoft-ds service)
> TCP port 636 (ldaps service)
> TCP port 3268
> TCP port 3269
>
> Are there any other ports that I should open?
> Thanks.
>
> Regards,
> Hong Jin