> * Value: some number between 1025 and 65534, we
> will standardize on "1025"

You REALLY need to change that. Ephemeral ports (i.e. 1024 and above) are assigned on a first come, first served basis. While it hasn't happened yet, it is VERY possible (I'd say probable) that, depending on service startup order, a different service could grab port 1025 before the replication service kicks in, and it will cause that service to fail. I've seen it happen plenty of times in the past. It's far safer to choose static high ports over 1500-2000 for such things. The first few dozen are so often used that relying on them for permanent assignment is asking for trouble.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 4:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Locking down network access
>
> There is a technote out there but this may help
>
> How to enable communication from a Windows OS Active Directory Client to the Active Directory Server across a firewall
>
> The following ports will be used for outbound communication from the client to the server. This assumes that a stateful firewall is being used to allow inbound communication from the server.
>
> * DNS will be using TCP and UDP port 53
> * Network Time Protocol (NTP) if required uses TCP port 123
> * Microsoft's implementation of Kerberos will be using TCP and UDP port 88 (Note this may be non-standard compared to the MIT Kerberos implementation)
> * The EndpointMapper for RPC services will use TCP port 135
> * LDAP will use TCP port 389 and Microsoft uses an LDAP "ping" on UDP port 389
> * Server Messaging Block services (SMB, SAMBA) will use TCP port 445
> * Global Catalog services use TCP port 3268 - this should be necessary when logging into forests with more than one domain
> * The last port is used for Active Directory Logon and replication. Normally this is a dynamic port. For security reasons this should be configured to use a static port, so that the firewall rules can be specific. To configure this open the registry on each Domain controller that needs to be contacted through the firewall. Navigate to the following Key - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
>   Add a new value with the following properties:
>   * Value Name: "TCP/IP Port"
>   * Data Type: "REG_DWORD"
>   * Radix: "Decimal"
>   * Value: some number between 1025 and 65534, we will standardize on "1025"
>
> Additional configuration will be needed for specific application access and use, such as Exchange
>
> "Brad Martin" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 02/13/2003 04:37 PM
> Please respond to ActiveDir
> To: "Active Directory Mailing List" <[EMAIL PROTECTED]>
> cc:
> Subject: [ActiveDir] Locking down network access
>
> Does anyone have a list of what ports need to be open on a firewall to access things like Active Directory, WINS, DNS, mapping drives, etc.? We need to lock down a section of our network and we only want to let the bare minimum through our firewall. Thanks.
>
> Brad Martin
> Go Daddy Software, Inc.
> 480.505.8800 ext. 250
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> http://www.godaddy.com <http://www.godaddy.com/>

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
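As an added example (not part of the thread), the PowerShell below performs the NTDS registry change the quoted technote describes and adds the checks the reply argues for: it refuses a port that falls inside the host's dynamic port range or that already has a listener. It assumes Windows PowerShell run elevated on a domain controller with the NetTCPIP module available; the port value 1600 is a constructed choice, not one the thread recommends.

```powershell
# Added example, not code from the thread. Pins the AD logon/replication RPC
# port to a static value (value name and key from the quoted technote) after
# checking it cannot collide with dynamically assigned ports.
$RegPath = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$Name    = 'TCP/IP Port'
$Port    = 1600   # constructed value; pick a port agreed with the firewall team

# 1. Reject a port inside the OS dynamic (ephemeral) range, so a service that
#    starts earlier cannot grab it first (the failure the reply describes).
$settings = Get-NetTCPSetting
$dynStart = ($settings | Measure-Object -Property DynamicPortRangeStartPort -Minimum).Minimum
$dynEnd   = ($settings | ForEach-Object {
                $_.DynamicPortRangeStartPort + $_.DynamicPortRangeNumberOfPorts - 1
            } | Measure-Object -Maximum).Maximum
if ($Port -ge $dynStart -and $Port -le $dynEnd) {
    throw "Port $Port is inside the dynamic range $dynStart-$dynEnd; choose one outside it."
}

# 2. Reject a port that already has a listener on this host.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    throw "Port $Port already has a listener (PID $($listener.OwningProcess))."
}

# 3. Create or overwrite the REG_DWORD value the technote names.
if (-not (Test-Path $RegPath)) {
    throw "NTDS parameters key not found; this host does not look like a domain controller."
}
New-ItemProperty -Path $RegPath -Name $Name -PropertyType DWord -Value $Port -Force | Out-Null

# 4. Read the value back; NTDS picks it up the next time the DC restarts.
$actual = (Get-ItemProperty -Path $RegPath -Name $Name).$Name
"$Name = $actual (takes effect after the domain controller restarts)"
```

Run the script on each domain controller that must be reached through the firewall, then add a rule for exactly this TCP port in addition to the fixed ports listed in the technote.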
