AD through Firewall - tough question

Status
Not open for further replies.

Hondy (Technical User), Mar 3, 2003
Hi

I have AD running through a firewall for some logistical reasons.

My remote member server needs to attach to my local domain, which is live. I have done this before on a dev domain with 10 servers, but I am in the situation where I need to do it on my live domain also. What I am referring to is making the RPC/FRS/NTDS ports static in the registry of the DCs, because the endpoint mapper will otherwise use a dynamic range and thus be blocked by the firewall.

My question is this: why didn't Microsoft make these ports static in the first place? Is there some sort of limitation that means my domain will break due to the amount of requests on a single port instead of the normal 1024-65535 dynamically assigned range?

I want to make these ports static, is there anyone who has done this on a domain of say 150 devices?

Thanks
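The registry change the post describes (fixed RPC ports for NTDS, Netlogon and FRS on a domain controller) written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft. The registry paths and value names are the ones Microsoft documents for Windows 2000/2003 DCs (KB224196 for NTDS and Netlogon, KB319553 for FRS); the port numbers 38901-38903 are assumptions chosen for illustration, and the final firewall list is the usual set of DC-bound ports a member server needs, not something the thread supplies.

```powershell
# Added example, not code from the original thread. Pins a DC's RPC listeners to fixed
# TCP ports so the firewall between the member server and the DC can allow 135 plus
# three known ports instead of the whole dynamic range.
# Registry paths and value names are the documented Windows 2000/2003 ones (KB224196
# for NTDS and Netlogon, KB319553 for FRS). The port numbers below are assumptions for
# this example; choose free ports for your own environment. Run from an elevated prompt.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'This script writes HKLM; run it from an elevated prompt.' }

$StaticRpcPorts = @(
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'TCP/IP Port'                 # AD replication (NTDS) RPC interface
       Port = 38901 },
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'DCTcpipPort'                 # Netlogon; must not reuse the NTDS port
       Port = 38902 },
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
       Name = 'RPC TCP/IP Port Assignment'  # FRS (SYSVOL replication on 2000/2003 DCs)
       Port = 38903 }
)

# 1. The three ports must be distinct, and nothing may already be listening on them;
#    a clash would otherwise surface only when the service fails to register its endpoint.
$wanted = $StaticRpcPorts | ForEach-Object { $_.Port }
if (($wanted | Sort-Object -Unique).Count -ne $wanted.Count) {
    throw 'NTDS, Netlogon and FRS must each get their own port.'
}
$listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    ForEach-Object { $_.Port } | Sort-Object -Unique
$inUse = $wanted | Where-Object { $listening -contains $_ }
if ($inUse) { throw "Port(s) already in use on this host: $($inUse -join ', ')" }

# 2. Write each DWORD and read it back; skip a key whose service is not installed here.
foreach ($entry in $StaticRpcPorts) {
    if (-not (Test-Path $entry.Key)) {
        Write-Warning "$($entry.Key) not found (service not installed); skipping."
        continue
    }
    New-ItemProperty -Path $entry.Key -Name $entry.Name -PropertyType DWord `
                     -Value $entry.Port -Force | Out-Null
    $actual = (Get-ItemProperty -Path $entry.Key -Name $entry.Name).($entry.Name)
    if ($actual -ne $entry.Port) { throw "Read-back mismatch for $($entry.Name): got $actual" }
    Write-Host ("{0,-28} -> TCP {1}" -f $entry.Name, $entry.Port)
}

# 3. The services pick the new ports up only after they restart; on a DC a reboot is the
#    safe way. Print what the firewall now needs to allow from the member server to the DC.
$firewallRules = @(
    'TCP 135                    RPC endpoint mapper (clients still ask it where NTDS/FRS live)'
    "TCP $($wanted -join ', ')  static RPC ports set above"
    'TCP/UDP 53, 88, 389, 464   DNS, Kerberos, LDAP, kpasswd'
    'TCP 445, 636, 3268, 3269   SMB, LDAPS, Global Catalog'
    'UDP 123                    NTP time sync'
)
Write-Host "`nAllow DC-bound from the member server (reboot the DC first):"
$firewallRules | ForEach-Object { Write-Host "  $_" }
```

To confirm the change took effect, run `portqry -n <dc> -e 135` from the member server: PortQry dumps the endpoint mapper's registrations, and the NTDS, Netlogon and FRS interfaces should now advertise the fixed ports rather than ones from the dynamic range. Two caveats for later Windows versions: from Windows Server 2008 onward the default dynamic range is 49152-65535 rather than 1024-65535, and SYSVOL replication moves from FRS to DFSR, whose port is pinned with `dfsrdiag StaticRPC /port:<n> /member:<dc>` instead of the NTFRS registry value.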

Useful article, although we never went for the Swiss cheese RPC model, which is the dynamic FRS/NTDS/RPC port model.

My question was really whether using a static port is a wise idea in a large environment. Can the DC handle everything OK using just one port?

The firewall is for intra-subnet protection, not externally accessible ports.

Cheers
 
I was always under the impression that one port was a bad idea, as applications will be restricted to that single port rather than being allocated their own in the >1024 range.

IPsec is a possible solution, unless anyone can offer some different advice on how to handle RPC through a firewall? I know I would be very interested to hear it as well, as I have a similar issue (albeit that we have temporarily allowed the "Swiss cheese" until we find a solution).

--------------------------------------
"Insert funny comment in here!"
--------------------------------------
 
Well, don't get me wrong, I currently have an environment working under one port through a firewall, but whether it is a smart idea to change my live environment I don't know.

The other environment works just fine. If you want to try it, then do this; it's straightforward enough, but I honestly don't know why it's not static in the first place:


I know HOW to do it, and I can post the required ports if you want when I get into work, but my question is SHOULD I do this on my live environment. It's either that or the Swiss cheese effect :)
 
