Firewall and Active Directory

Discussion in 'Computer Security' started by HTF, Dec 27, 2009.

  1. HTF

    HTF Byte Poster

    181
    0
    14
    Hello,

    Please help me to configure Windows Firewall with Active Directory. I enabled ports according to the tutorial below: http://support.microsoft.com/kb/179442
    - I can at least join AD now, but there is still a problem: it loads for a very long time during logon and DHCP is not functioning properly.
    When I disable the firewall everything works fine.
    It's odd there is not much information about such an important thing in any of the MCSE books.

    System: Windows 2003

    Regards
     
    Certifications: A+
  2. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    I'm not sure what your problem is, to be honest; you don't need to follow those instructions to join a computer to a domain. That article describes what you need to do to enable 'trust relationships' between domain controllers across firewalled sites.

    Presuming you are using XP, you should run the networking wizard, which will allow communication between computers on your local network.

    Also, I would suspect you have not configured DNS properly: your domain controller needs to be the DNS server for your internal LAN traffic, and your clients need to be configured with your DNS server's IP address as their preferred DNS server.

    This can be done using the DHCP function of your domain controller. Maybe you are using another DHCP server device?

    We need more info really to be able to give you explicit advice.
     
    Last edited: Dec 28, 2009
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  3. Shinigami

    Shinigami Megabyte Poster

    896
    40
    84
    Did you also compare the Microsoft KB article ports with the following? http://www.jarmanator.net/kb/server2k3fwports.htm

    If user logon is taking a long time, enable userenv logging. This will give you additional information on which process is taking a long time, and there are a few well-known messages that get displayed in the logs (like "could not enumerate DNS..."); by looking at the code number to the left of the userenv log, you can also convert it to the PID of the process which may be your primary source of slowdown (say lsass.exe).

    Good luck, it's fun to troubleshoot slow logons (tongue in cheek :rolleyes: )
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  4. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    I would say it's fun to troubleshoot anything in a lab environment, but in production, if it's not solved quickly, it becomes a nightmare :biggrin
     
    WIP: Uhmm... not sure
  5. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    You may have another DHCP source on your network (such as your home router) which may be causing problems for your test network to operate correctly.

    A few basic rules for your lab:

    - Make sure the DNS on the client is configured to use the IP address of the domain controller
    - Only have one DHCP source on your test network.
    - Also make sure there are no third party firewalls installed on the clients.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  6. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Erm... the OP has an A+; I would suggest the KISS principle :biggrin
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  7. Shinigami

    Shinigami Megabyte Poster

    896
    40
    84
    I know plenty of people dabbling in Active Directory and they don't have a single certification. Remember, certification does not necessarily mean that you're an expert on a subject ;)

    If he's managed to get this far and is able to follow a KB article to configure ports on a firewall (client or otherwise), then he should be able to follow userenv logging articles as well.

    Personally, I do not enjoy troubleshooting slow logons; the source of the issue is always very random in my experience (and yes, I've done plenty of troubleshooting of this in production environments as well :( ).

    That's why I said good luck... hope it's a lab he's playing in :)

    *edit* You guys are right about DHCP; let's hope the OP starts off "super simple" by doing a static IP mapping or something to begin with... I guess at least the machine policies have finished applying if he's getting to the logon portion. What message he sees during that portion is anyone's guess (as we're not able to see screenshots or event log entries to determine if the machine successfully contacted a DC), but if just that part alone takes 10+ minutes after the firewall is enabled, yup, he's got a problem all right. Usually a simple one, which unfortunately is not always the first thing you look at.
     
    Last edited: Dec 28, 2009
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  8. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Thinking about this a bit more...

    Personally, I would not run the Windows firewall, or any other personal firewall, on a domain controller (if that is what the OP is doing), as they block many of the necessary communications that a DC depends on and therefore cause problems.

    The source..

    http://support.microsoft.com/kb/555381
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  9. HTF

    HTF Byte Poster

    181
    0
    14
    Hi,

    Thanks for all the help. After a few tests/configurations I can definitely say it's a firewall issue: as soon as it's disabled everything is fine, but when I enable it again the same problem occurs. Also, all is fine with the DNS configuration, as I can ping the DNS server by name etc.

    If a firewall is not preferable in an AD environment, then how do I secure the AD server, as it's open to the WAN?
     
    Certifications: A+
  10. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    You have proper firewalls, like ISA (being Microsoft-centric), on the perimeter of your network.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  11. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    On what device are you switching off the firewall? The DC or the client PC?

    Edit: I would have to double check, but I'm fairly sure Windows firewall is switched off when you run DCpromo.
     
    Last edited: Jan 4, 2010
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  12. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Yep, it does. More info here.
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  13. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Windows Firewall may still be on via Group Policy.

    If it is, go to the following: Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall

    Below are examples of Program & Port Exceptions that I have successfully implemented in a Windows Server 2003 environment.

    Program Exceptions

    %Program Files%\AVG\AVG8\avgemc.exe:192.168.0.0/24:Enabled:AVG Email Scanner
    %Program Files%\AVG\AVG8\avgiproxy.exe:192.168.0.0/24:Enabled:AVG Proxy
    %Program Files%\AVG\AVG8\avgupd.exe:192.168.0.0/24:Enabled:AVG Update
    %Program Files%\Microsoft Office\Office 12\Outlook.exe:192.168.0.0/24:Enabled:Outlook
    %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:192.168.0.0/24:Enabled:Remote Assistant
    %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:192.168.0.0/24:Enabled:Offer Remote Assistant
    %WINDIR%\SYSTEM32\Sessmgr.exe:192.168.0.0/24:Enabled:Remote Assistance

    Port Exceptions

    135:TCP:192.168.0.0/24:Enabled:Offer Remote Assistance
    1701:UDP:192.168.0.0/24:Enabled:L2TP IPSec
    1723:TCP:192.168.0.0/24:Enabled:PPTP
    25:TCP:192.168.0.0/24:Enabled:SMTP
    3389:TCP:192.168.0.0/24:Enabled:Offer Remote Assistance
    443:TCP:192.168.0.0/24:Enabled:HTTP SSL
    80:TCP:192.168.0.0/24:Enabled:HTTP
    88:TCP:192.168.0.0/24:Enabled:Kerberos
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
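    The exception strings above follow the fixed colon-separated layout of the Windows Firewall Group Policy settings (port:protocol:scope:status:name, or path:scope:status:name for programs), and a single dropped colon silently turns an entry into garbage. The following validator is an added example, not code from the thread or from Microsoft; the sample entries are constructed, including one with the colon between protocol and scope removed and one with an over-broad "*" scope, so that the checks are exercised.

```python
"""Validate Windows Firewall (XP SP2 / Server 2003) GPO exception strings.

Port exceptions:    <port>:<TCP|UDP>:<scope>:<enabled|disabled>:<name>
Program exceptions: <path to .exe>:<scope>:<enabled|disabled>:<name>
Scope is "*" (any address), "LocalSubnet", or comma-separated IPv4
addresses / CIDR ranges.  Added example; sample entries are constructed.
"""
import ipaddress
import re

PORT_RE = re.compile(
    r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<scope>[^:]+):"
    r"(?P<state>enabled|disabled):(?P<name>.+)$", re.IGNORECASE)
PROGRAM_RE = re.compile(
    r"^(?P<path>.+?\.exe):(?P<scope>[^:]+):(?P<state>enabled|disabled):"
    r"(?P<name>.+)$", re.IGNORECASE)


def check_scope(scope: str) -> list:
    """Return a list of problems with the scope field (empty means fine)."""
    if scope == "*":
        return ["scope '*' opens the exception to any source address"]
    if scope.lower() == "localsubnet":
        return []
    problems = []
    for item in scope.split(","):
        try:
            ipaddress.ip_network(item.strip(), strict=False)
        except ValueError:
            problems.append(f"bad address/range {item.strip()!r}")
    return problems


def check_exception(entry: str) -> list:
    """Validate one exception string and return the problems found."""
    m = PORT_RE.match(entry) or PROGRAM_RE.match(entry)
    if not m:
        return ["malformed entry (expected colon-separated fields)"]
    problems = check_scope(m.group("scope"))
    if "port" in m.groupdict() and not 0 < int(m.group("port")) < 65536:
        problems.append("port out of range")
    return problems


# Constructed sample: one good port rule, one with the ':' before the
# scope dropped, one with an over-broad scope, one good program rule.
SAMPLE = [
    "135:TCP:192.168.0.0/24:Enabled:Offer Remote Assistance",
    "88:TCP192.168.0.0/24:Enabled:Kerberos",
    "3389:TCP:*:Enabled:Remote Desktop",
    r"%WINDIR%\SYSTEM32\Sessmgr.exe:192.168.0.0/24:Enabled:Remote Assistance",
]


def audit(entries: list) -> dict:
    """Map each entry to its list of problems; only flagged entries are kept."""
    return {e: p for e in entries if (p := check_exception(e))}
```

    Running audit(SAMPLE) flags only the second and third entries, which is the kind of check worth doing before pushing a list like the one above out through Group Policy.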
  14. HTF

    HTF Byte Poster

    181
    0
    14
    On the server. I tried many times and it's not working with the firewall turned on, which is strange. The server is not secure at all now, even if it's just my lab server at home - unfortunately it's behind the router firewall so I hope it's enough ;). When I enabled the ports for DHCP the service works fine, but with DNS it's not.
     
    Certifications: A+
  15. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    I think you meant *fortunately :wink:
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
