+1, someone is being ignorant AND lazy (bad mix). The reg ports change is this (this sets it to use ports 5000-5100):

----
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):35,00,30,00,30,00,30,00,2d,00,35,00,31,00,30,00,30,00,00,00,00,\
  00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
---

Save that as .REG, run on a DC and reboot. Yeah that’s way too tough…

As with any reg change on a DC make sure you run DCDIAG afterward and again 30 mins after that.

Dave

From: My New Display Name for Bob. :) [mailto:[email protected]]
Sent: Thursday, January 06, 2011 1:38 PM
To: NT System Admin Issues
Subject: Re: AD and firewall ports

Translation = I don't know how to do that and it's too hard for me...

Sent from my Verizon Wireless BlackBerry

________________________________

From: joseph palmieri <[email protected]>
Date: Thu, 6 Jan 2011 13:24:29 -0800 (PST)
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: RE: AD and firewall ports

Brought up the option to limit ports with a reg change and an IPsec tunnel; both shot down by the admin, citing too difficult to set up, manage, and overhead... go figure

--- On Wed, 1/5/11, David Lum <[email protected]> wrote:

From: David Lum <[email protected]>
Subject: RE: AD and firewall ports
To: "NT System Admin Issues" <[email protected]>
Date: Wednesday, January 5, 2011, 8:40 PM

Look up what it takes to put a Windows RDS gateway (was Terminal Server) server in a DMZ and you’ll have the info you need. Also FYI Microsoft recommends 100 ports and I wouldn’t drop below that unless you’ve monitored over a fair span of time and were certain. Also, we opened that range of ports to ONLY the DC’s.

There is a reg change you can use to force the use of a specific range of ports for AD communication – I did exactly this and it works well.

Dave

From: joseph palmieri [mailto:[email protected]]
Sent: Wednesday, January 05, 2011 4:54 PM
To: NT System Admin Issues
Subject: AD and firewall ports

Need assistance with firewall ports and Active Directory. Our server admin submitted a change request to open over 1000 ports to support AD. The change was denied and resubmitted requesting a minimum of 100 ports to support RPC communications to a member server within our DMZ. Our firewall engineers stated that while monitoring the firewall only 20 ports were communicated over and 100 ports are not needed. Has anyone had experience with this issue and can provide some clarity… is the server admin looking for an easy way out by requesting all these ports?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]<http://us.mc394.mail.yahoo.com/mc/[email protected]> with the body: unsubscribe ntsysadmin
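Added example, not from the thread or any of its authors: a small Python helper that decodes and encodes the hex(7) (REG_MULTI_SZ) form of the "Ports" value in Dave's .REG snippet, so a reviewer can confirm what range a proposed .REG actually sets before it goes near a DC, counts the ports in the range against the 100-port minimum the thread cites, and emits an equivalent .REG file for a chosen range. The registry path and value names are the ones from the thread; the function names and the 20-port sample range used to show the check failing are constructed for illustration.

```python
"""Decode, validate and generate the RPC "Ports" REG_MULTI_SZ value.

Registry location and value names are taken from the thread's .REG snippet:
  HKLM\SOFTWARE\Microsoft\Rpc\Internet
    "Ports"                 = REG_MULTI_SZ, e.g. "5000-5100"
    "PortsInternetAvailable"= "Y"
    "UseInternetPorts"      = "Y"
Function names and sample inputs below are constructed for this example.
"""

REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet"
MIN_RECOMMENDED_PORTS = 100  # the thread cites Microsoft's recommendation of 100 ports

# The hex(7) value exactly as it appears in the thread's .REG snippet,
# including the trailing-backslash line continuation .REG files use.
THREAD_PORTS_HEX = (
    "35,00,30,00,30,00,30,00,2d,00,35,00,31,00,30,00,30,00,00,00,00,\\\n"
    "  00"
)


def hex7_to_multi_sz(hex_text):
    """Decode a .REG hex(7) value into its list of strings.

    hex(7) is REG_MULTI_SZ: UTF-16LE text, each string NUL-terminated,
    followed by one more NUL as the list terminator. Continuation
    backslashes, newlines and indentation are ignored.
    """
    cleaned = hex_text.replace("\\", "").replace("\n", "").replace(" ", "")
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def multi_sz_to_hex7(entries):
    """Encode a list of strings as the comma-separated hex(7) bytes regedit expects."""
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in entries) + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in raw)


def parse_port_ranges(entries):
    """Turn entries like '5000-5100' or '6000' into validated (low, high) tuples."""
    ranges = []
    for entry in entries:
        low, _, high = entry.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {entry!r}")
        ranges.append((lo, hi))
    return ranges


def port_count(entries):
    """Total number of ports covered by all entries (inclusive ranges)."""
    return sum(hi - lo + 1 for lo, hi in parse_port_ranges(entries))


def check_range(entries, minimum=MIN_RECOMMENDED_PORTS):
    """Return (ok, message): ok is False when the range is narrower than `minimum`."""
    count = port_count(entries)
    if count < minimum:
        return False, f"{count} ports is below the recommended minimum of {minimum}"
    return True, f"{count} ports"


def build_reg_file(entries, internet_available="Y", use_internet_ports="Y"):
    """Produce the text of a .REG file equivalent to the one in the thread.

    regedit exports these as UTF-16LE with a BOM but also imports ANSI text,
    so the returned string can be written with either encoding.
    """
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{REG_KEY}]",
        f'"Ports"=hex(7):{multi_sz_to_hex7(entries)}',
        f'"PortsInternetAvailable"="{internet_available}"',
        f'"UseInternetPorts"="{use_internet_ports}"',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    entries = hex7_to_multi_sz(THREAD_PORTS_HEX)
    print("thread .REG sets:", entries, check_range(entries))
    # Constructed 20-port range, matching what the firewall team observed in use;
    # the check flags it as below the cited 100-port minimum.
    print("20-port range:", check_range(["5000-5019"]))
    print(build_reg_file(["5000-5100"]))
```

Run it as a script to see the decoded range and the generated file; `hex7_to_multi_sz` is the piece to run over any .REG someone hands you, since the hex(7) bytes are not readable at a glance and a mis-typed byte silently changes the range.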
