If you run netstat -an on both DCs, do you see ip:port pairs in common? Or use the Resource Monitor in Task Manager to watch the network stack on the primary to see what it is trying to talk to on the remote. Or turn off the Domain firewall profile and do either of the above to see which ip:port pairs are in common on both. If any of the ip:port pairs in common are not in the Domain profile's allowed set, then you may want to add them. Just my .02. Turn the Domain profile back on after testing.
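The netstat comparison suggested above, done in PowerShell on the local DC. This is an added example, not code from anyone in the thread: it lists the live TCP connections to the remote DC and checks each one against the enabled Allow rules in the Domain profile. It assumes Windows Server 2012 R2 or later (the NetTCPIP and NetSecurity modules), and $RemoteDC is a placeholder for the remote DC's IP address.

```powershell
# Added example, not code from the thread. Compares the TCP endpoints this DC
# currently has open towards a remote DC (the netstat -an step) with the
# enabled Allow rules in the Domain firewall profile, so you can see which
# connections are and are not covered by a rule. Assumes Windows Server
# 2012 R2 or later (NetTCPIP and NetSecurity modules). $RemoteDC is a
# placeholder for the remote DC's IP address.
param([Parameter(Mandatory)][string]$RemoteDC)

# Profile state first: an outbound rule can only be the culprit if the
# profile's default outbound action has been changed from Allow to Block.
Get-NetFirewallProfile -Name Domain |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked

# Live TCP connections to or from the remote DC.
$conns = Get-NetTCPConnection -RemoteAddress $RemoteDC -ErrorAction SilentlyContinue

# Enabled Allow rules that apply to the Domain profile, with their port filters.
$rules = Get-NetFirewallRule -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Direction  = $_.Direction
            Protocol   = $pf.Protocol
            LocalPort  = $pf.LocalPort
            RemotePort = $pf.RemotePort
        }
    }

function Test-PortCovered {
    # A port filter holds 'Any', 'RPC', 'RPC-EPMap', single ports or ranges
    # such as '49152-65535', possibly several of them.
    param([string[]]$PortSpec, [int]$Port)
    foreach ($spec in $PortSpec) {
        switch -Regex ($spec) {
            '^Any$'         { return $true }
            '^RPC-EPMap$'   { if ($Port -eq 135) { return $true } }
            '^RPC$'         { if ($Port -ge 49152 -and $Port -le 65535) { return $true } }
            '^\d+$'         { if ([int]$spec -eq $Port) { return $true } }
            '^(\d+)-(\d+)$' { if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true } }
        }
    }
    return $false
}

foreach ($c in $conns) {
    # A connection we initiated is governed by Outbound rules matching the
    # remote port; one the remote DC initiated by Inbound rules matching our
    # local port. Both are looked up because the connection table alone does
    # not say which side connected.
    $outbound = $rules | Where-Object {
        $_.Direction -eq 'Outbound' -and ($_.Protocol -in 'TCP','Any') -and
        (Test-PortCovered $_.RemotePort $c.RemotePort)
    }
    $inbound = $rules | Where-Object {
        $_.Direction -eq 'Inbound' -and ($_.Protocol -in 'TCP','Any') -and
        (Test-PortCovered $_.LocalPort $c.LocalPort)
    }
    [pscustomobject]@{
        Local        = "$($c.LocalAddress):$($c.LocalPort)"
        Remote       = "$($c.RemoteAddress):$($c.RemotePort)"
        State        = $c.State
        OutboundRule = (@($outbound.Name) | Select-Object -First 3) -join '; '
        InboundRule  = (@($inbound.Name)  | Select-Object -First 3) -join '; '
    }
}
```

Save it as, say, Compare-DcFirewallRules.ps1 (a hypothetical name) and run it on the DC that reports the dcdiag failure while dcdiag /a is running, so the replication and RPC connections are actually present in the table. A row with an empty InboundRule column and a local port in the 49152-65535 range is the kind of gap the post above is describing. Note the DefaultOutboundAction field printed first: Windows Firewall ships with outbound set to Allow, so an outbound rule only blocks anything if that default has been changed to Block by policy.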
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Wednesday, May 13, 2015 8:43 PM
To: [email protected]
Subject: RE: [NTSysADM] Firewall settings for DCs

Another option would be to run PortQryUI (https://www.microsoft.com/en-us/download/details.aspx?id=24009). The "Domain and Trusts" service query option runs through many of the common ports, although it doesn't include all of them used in replication. Otherwise, the options MBS and Brian suggested will help.

-Aakash Shah

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, May 13, 2015 2:55 PM
To: [email protected]
Subject: RE: [NTSysADM] Firewall settings for DCs

You can also use firewall tracing.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Desmond
Sent: Wednesday, May 13, 2015 4:58 PM
To: [email protected]
Subject: RE: [NTSysADM] Firewall settings for DCs

Have you collected a network trace? If there's a port being blocked, that should be pretty apparent there.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Wednesday, May 13, 2015 1:13 PM
To: [email protected]
Subject: [NTSysADM] Firewall settings for DCs

I am having a hard time finding a list of what the settings for a Win2012 R2 DC should be.

Here's my problem - running a "dcdiag /a" is reporting problems not finding the network path to a DC in a remote site. I know the remote DC is there; I can ping it; etc. So something in the firewall is blocking it, but it's unclear to me as to which rule specifically.

The DC shows it's connected to a domain, with the Windows firewall on. I imagine that it must be an outbound rule blocking me, but I see all "Active Directory (TCP and UDP out)" enabled; all "Core Networking" enabled; all "File and Printer Sharing" entries with a green check mark (Echo, NB, SMB).

Shouldn't that be enough? I shouldn't need any of the "Network Discovery" rules enabled, should I? (Correct me if I am wrong, but if I can't do a "\\<remote-DC>\C$", then dcdiag will also fail?) What am I missing here? There are no hardware firewalls between me and the remote DC, and the remote DC has all firewalls turned off (for testing).

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
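A PowerShell stand-in for the PortQryUI "Domain and Trusts" query Aakash mentions, plus the firewall-log check that backs up Michael B. Smith's firewall-tracing suggestion. This is an added example, not code from anyone in the thread: it probes the remote DC on the well-known TCP ports DCs use to talk to each other and then searches the local Windows Firewall log for drops involving that address. It assumes Windows Server 2012 R2 or later (Test-NetConnection and the NetSecurity module), and $RemoteDC is a placeholder for the remote DC's IP address or name.

```powershell
# Added example, not code from the thread. Probes the remote DC on the TCP
# ports DCs use between themselves, then looks for drops the local Windows
# Firewall logged for that address. Assumes Windows Server 2012 R2 or later
# (Test-NetConnection, NetSecurity module). $RemoteDC is a placeholder.
param([Parameter(Mandatory)][string]$RemoteDC)

# Well-known TCP ports between DCs. Test-NetConnection only tests TCP, so the
# UDP side (DNS, Kerberos, LDAP ping, NTP) is not covered here, and neither is
# the RPC dynamic range 49152-65535 that replication actually lands on after
# the endpoint mapper (135) hands out a port; which ports are live there is
# only visible with netstat -an on the remote DC.
$adPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, NETLOGON, \\DC\C$)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

$probe = foreach ($port in $adPorts.Keys) {
    # A closed or filtered port yields TcpTestSucceeded = $false rather than
    # an error; the warning is silenced so the table stays readable.
    $t = Test-NetConnection -ComputerName $RemoteDC -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $adPorts[$port]
        Open    = $t.TcpTestSucceeded
    }
}
$probe | Format-Table -AutoSize

# Drops are only written if the profile is told to log them; turn that on
# with: Set-NetFirewallProfile -Name Domain -LogBlocked True
$dom = Get-NetFirewallProfile -Name Domain
$log = [Environment]::ExpandEnvironmentVariables($dom.LogFileName)
if ("$($dom.LogBlocked)" -eq 'True' -and (Test-Path $log)) {
    # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
    # so a match on DROP plus the remote address shows the protocol and port
    # that was refused, in either direction.
    Get-Content $log |
        Where-Object { $_ -match '\sDROP\s' -and $_ -match [regex]::Escape($RemoteDC) } |
        Select-Object -Last 20
} else {
    "Domain profile is not logging dropped packets (LogBlocked=$($dom.LogBlocked), log=$log); enable it, re-run dcdiag /a, then re-run this script."
}
```

Run it on the DC that fails dcdiag, with the Domain profile enabled as it normally is, so the results reflect the rule set you are actually troubleshooting. Each blocked port costs Test-NetConnection a TCP timeout, so a run against a badly filtered host takes a few minutes. A port that shows Open = False here while the same port answers with the Domain profile disabled is one the post above would have you add a rule for; a DROP line in pfirewall.log tells you the exact protocol, direction and port without guessing.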
