Firewall and Active Directory

[HTF]

Hello,

Please help me to configure Windows Firewall with Active Directory, I enabled ports according to the tutorial below: http://support.microsoft.com/kb/179442
- I can at least join AD now but there is still some problem as it's loading very long time during logo on and DHCP is not functioning properly
When I disable firewall everything works fine
It's odd there is now to much information about such a important thing in any of MSCE books

System: Windows 2003

Regards

[Bluerinse]

I'm not sure what your problem is to be honest, you don't need to follow those instructions to join a computer to a domain. That article is describing what you need to do to enable 'trust relationships' between domain controllers across firewalled sites.

Presuming you are using XP, you should run the networking wizard, which will allow communication between computers on your local network.

Also, I would suspect you have not configured DNS properly, your domain controller needs to be the DNS server for your internal LAN traffic and your clients need to be configured with 'your DNS servers IP address, as their preferred DNS server.

This can be done using the DHCP function of your domain controller. Maybe, you are using another DHCP server device?

We need more info really to be able to give you explicit advice.

[Shinigami]

Did you also compare the Microsoft KB article ports with the following? http://www.jarmanator.net/kb/server2k3fwports.htm

If user logon is taking a long time, enable userenv logging. This will give you additional information on which process is taking a long time and there's a few well known messages that get displayed in the logs (like "could not enumerate DNS..."), and by looking at the code number to the left of the userenv log, you can also convert it to the PID for the process which may be your primary source of slow down (say lsass.exe).

good luck, it's fun to troubleshoot slow logons (tongue in cheek )

[LukeP]

Quote:

Originally Posted by Shinigami

good luck, it's fun to troubleshoot slow logons (tongue in cheek )

I would say it's fun to troubleshoot anything in lab environment but in production if it's not solved quickly it becomes a nightmare

[Sparky]

You may have another DHCP source on your network (such as your home router) which may be causing problems for your test network to operate correctly.

A few basic rules for your lab:

- Make sure the DNS on the client is configured to use the IP address of the domain controller
- Only have one DHCP source on your test network.
- Also make sure there are no third party firewalls installed on the clients.

[Bluerinse]

Quote:

Originally Posted by Shinigami

Did you also compare the Microsoft KB article ports with the following? http://www.jarmanator.net/kb/server2k3fwports.htm

If user logon is taking a long time, enable userenv logging. This will give you additional information on which process is taking a long time and there's a few well known messages that get displayed in the logs (like "could not enumerate DNS..."), and by looking at the code number to the left of the userenv log, you can also convert it to the PID for the process which may be your primary source of slow down (say lsass.exe).

good luck, it's fun to troubleshoot slow logons (tongue in cheek )

Erm... the OP has an A+ i would suggest the KISS principle

[Shinigami]

I know plenty of people dabbling in Active Directory and they don't have a single certification. Remember, certification does not necessarily mean that you're an expert on a subject ;)

If he's managed to get this far and is able to follow a KB article to configure ports on a firewall (client or otherwise), then he should be able to follow userenv logging articles as well.

Personally, I do not enjoy troubleshooting slow logons, they're always very random when it comes down to the source of the issue in my experience (and yes, I've done plenty of troubleshooting of this in production environments as well ).

That's why I said good luck... hope it's a lab he's playing in

*edit* you guys are right about DHCP, let's hope the OP starts off "super simple" by doing a static IP mapping or something to begin with... I guess at least the machine policies have finished applying if he's getting to the logon portion. Not knowing what message he sees during that portion is anyones guess (as we're not able to see screenshots or event log entries to determine if the machine succesfully contacted a DC), but if just that part alone takes +10 minutes after the firewall is enabled, yup, he's got a problem all right. Usually a simple one which unfortunately is not always the first thing you look at.

[Bluerinse]

Thinking about this a bit more...

Personally, i would not run the Windows firewall, or any other personal firewall on a domain controller (if that is what the OP is doing) as they block many of the necessary communications that a DC depends on and therefore causes problems.

Quote:

A Windows Server 2003 SP1 Domain Controller does not function correctly when the Windows Firewall is enabled. The computer may fail to act as a Domain Controller or replication of some Active Directory objects (e.g. GPOs) may not get replicated.

Symptoms might include:
1. client computers can not establish secure connections with the Domain Controller
2. users can not logon at client computers with domain user accounts
3. users can not access domain resources (e.g. file or printer shares) on domain member computers
4. a computer that is promoted to be a Domain Controller fails to function as a Domain Controller
5. in the File Replication Service Event Log, Event ID 13508 "The File Replication Service is having trouble enabling replication from …" appears without a subsequent Event ID 13509 "The File Replication Service has enabled replication from …" or 13516 "The File Replication Service is no longer preventing the computer … from becoming a domain controller."
6. on a computer that is promoted to be a Domain Controller, the SYSVOL and NETLOGON shares are not present
7. on a computer that is promoted to be a Domain Controller, the %systemroot%\SYSVOL\domain\Policies folder does not get populated from another Domain Controller

The source..

http://support.microsoft.com/kb/555381

[HTF]

Hi,

Thx for all help, after few tests/configurations I can definitely say it's firewall issue as soon as it's disabled everything's was fine but when I enabled back same problem occur. Also all is fine with DNS configuration as I can ping DNS server by name ect.


If firewall is not preferable in AD environment so how to secure the AD server as it's open to WAN?

[Bluerinse]

Quote:

Originally Posted by HTF

Hi,

Thx for all help, after few tests/configurations I can definitely say it's firewall issue as soon as it's disabled everything's was fine but when I enabled back same problem occur. Also all is fine with DNS configuration as I can ping DNS server by name ect.


If firewall is not preferable in AD environment so how to secure the AD server as it's open to WAN?

You have proper firewalls, like ISA ((being Microsoft concentric)) on the perimeter of your network.

[Sparky]

Quote:

Originally Posted by HTF

Hi,

Thx for all help, after few tests/configurations I can definitely say it's firewall issue as soon as it's disabled everything's was fine but when I enabled back same problem occur. Also all is fine with DNS configuration as I can ping DNS server by name ect.


If firewall is not preferable in AD environment so how to secure the AD server as it's open to WAN?

On what device are you switching off the firewall? The DC or the client PC?

Edit: I would have to double check but Im fairly sure Windows firewall is switched off when you run DCpromo.

[Boycie]

Quote:

Originally Posted by Sparky

Edit: I would have to double check but Im fairly sure Windows firewall is switched off when you run DCpromo.

Yep, it does. More info here.

[craigie]

Windows Firewall, may still be on via Group Policy.

If it is go to the following Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall

Below are examples of Program & Port Exceptions that I have successfully implemented in a Windows Server 2003 environment.

Program Exceptions

%Program Files%\AVG\AVG8\avgemc.exe:192.168.0.0/24:Enabled:AVG Email Scanner
%Program Files%\AVG\AVG8\avgiproxy.exe:192.168.0.0/24:Enabled:AVG Proxy
%Program Files%\AVG\AVG8\avgupd.exe:192.168.0.0/24:Enabled:AVG Update
%Program Files%\Microsoft Office\Office 12\Outlook.exe.:192.168.0.0/24:Enabled:Outlook
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:192.168.0.0/24:Enabled:Remote Assistant
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:192.168.0.0/24:Enabled:Offer Remote Assistant
%WINDIR%\SYSTEM32\Sessmgr.exe:192.168.0.0/24:Enabled:Remote Assistance

Port Exceptions

135:TCP:192.168.0.0/24:Enabled:Offer Remote Assistance
1701:UDP:192.168.0.0/24:Enabled:L2TP IPSec
1723:TCP:192.168.0.0/24:Enabled:PPTP
25:TCP:192.168.0.0/24:Enabled:SMTP
3389:TCP:192.168.0.0/24:Enabled:Offer Remote Assistance
443:TCP:192.168.0.0/24:Enabled:HTTP SSL
80:TCP:192.168.0.0/24:Enabled:HTTP
88:TCP192.168.0.0/24:Enabled:Kerberos

[HTF]

Quote:

Originally Posted by Sparky

On what device are you switching off the firewall? The DC or the client PC?

On the server, I tried many times and it's not working with firewall turned on what is strange as the server is not secure at all now even if it's just my lab server at home - unfortunatelly it's behind router firewall so I hope it's enough ;). When I enabled ports for DHCP service works fine but with DNS it's not

[Bluerinse]

Quote:

Originally Posted by HTF

- unfortunatelly it's behind router firewall so I hope it's enough ;)

I think you meant *fortunately