
September 4, 2011 (Sunday)

Enable the Windows Firewall service between Windows 2003 AD and 2008 R2 AD

In general, we install AD with the firewall switched off in our corporate and lab environments, because that makes the domain easy to build. We know it is neither safe nor strict, but we keep the Windows Firewall service disabled to spare ourselves extra effort in troubleshooting. As you know, every open port on the OS is a small opportunity for an attacker, and if the OS also carries an unpatched vulnerability, that open port is a convenient channel through which to reach it and crash the system or an application without warning.

In the previous article, "Samba 3 join Windows AD", I did the same thing to avoid firewall limitations, so that I could focus on the relationship between Samba and AD and keep troubleshooting simple. That is not the right approach, though, because it assumes there is no security on the system at all.

Time is up: enable the firewall on the Windows platform!
How do you do it?
The goal is that AD keeps working normally after the firewall service is enabled on both the Windows 2003 and the Windows 2008 R2 domain controllers.

First, AD replication needs attention. Second, FRS. Last, RPC for Netlogon and domain join. By default these services register on a dynamic RPC port chosen when the service starts, so a firewall rule cannot name the port in advance; pinning each service to a fixed port, and narrowing the dynamic range used by the rest, makes the rules predictable. Follow the steps below to see how to change the settings on each DC!

Ø  Configure a fixed TCP port for AD replication on all domain controllers
1.      Add the following registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
§  If Windows 2003 Server

§  If Windows 2008 R2 Server

§  Set Value name to "TCP/IP Port" (REG_DWORD) and Value data to 53211 (Decimal); the same value is used on every domain controller here so that the firewall rule is identical on each

2.      Add the following setting on the firewall
§  If Windows 2003 Server

Enter a name for the exception and 53211 as the port number, keep TCP selected, then click OK

§  If Windows 2008 R2 Server

In Windows Firewall with Advanced Security, create a new inbound rule: select the Port option and click Next >

Leave TCP selected, enter 53211 in the Specific local ports field and click Next >

Click Next > (Allow the connection)

Click Next > (profiles; keep at least Domain selected, which is the profile that applies to a domain controller's network)

Enter a name for the rule and click Finish



Ø  Configure a fixed TCP port for FRS on all domain controllers
1.       Add the following registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
§  Windows 2003 Server

§  Windows 2008 R2 Server

§  Set Value name to "RPC TCP/IP Port Assignment" (REG_DWORD) and Value data to 53212 (Decimal)



2.       Add the following setting on the firewall
§  If Windows 2003 Server

Enter the name "File Replication Service" and 53212 as the port number, keep TCP selected, then click OK


§  If Windows 2008 R2 Server

In Windows Firewall with Advanced Security, create a new inbound rule: select the Port option and click Next >

Leave TCP selected, enter 53212 in the Specific local ports field and click Next >

Click Next > (Allow the connection)

Click Next > (profiles; keep at least Domain selected)

Enter a name for the rule and click Finish




Ø  Configure a fixed TCP port range for the remaining RPC services (Netlogon, domain join) on all domain controllers
1.      Add a registry key named "Internet" under
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc (not under the NTDS\Parameters key used in the first section; that key only holds the replication port)
§  If Windows 2003 Server

§  If Windows 2008 R2 Server

2.      Add the following registry values under
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
§  Under the Internet key, add the value "Ports" (REG_MULTI_SZ)

§  Set Value name to "Ports" and Value data to "5000-5100"

§  Under the Internet key, add the values "PortsInternetAvailable" (REG_SZ) and "UseInternetPorts" (REG_SZ)

§  Set Value name to "PortsInternetAvailable" and Value data to "Y"

§  Set Value name to "UseInternetPorts" and Value data to "Y"

Note that this range applies to every RPC server on the machine, not only Netlogon, so it must be large enough for all of them; Microsoft's guidance is a range of at least 100 ports above 5000, which 5000-5100 just satisfies. Clients still contact the RPC endpoint mapper on TCP 135 to learn which port in the range a service is using, so 135 must stay reachable between the DCs as well.

3.      Add the following setting on the firewall
§  If Windows 2003 Server

The Windows 2003 firewall dialog accepts only one port per exception, so create the openings for the whole range from the command prompt with a script, one netsh command per port

Delete the openings the same way if you need to roll the change back

You will then see the ports of the RPC range listed as exceptions

§  If Windows 2008 R2 Server

In Windows Firewall with Advanced Security, create a new inbound rule: select the Port option and click Next >

Leave TCP selected, enter 5000-5100 in the Specific local ports field (the wizard accepts a range here) and click Next >

Click Next > (Allow the connection)

Click Next > (profiles; keep at least Domain selected)

Enter a name for the rule and click Finish
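The three registry changes and the matching firewall rules above, gathered into one script that runs on either server version. This is an added example written for this page, not the post's own screenshots or scripts. It assumes the post's port numbers (53211, 53212, 5000-5100); the rule names and the branch on the `ver` string are my own choices. It also opens TCP 135 for the RPC endpoint mapper, which the post does not list but which every RPC client, including the replication and FRS clients on the other DC, contacts first to learn which fixed port a service is listening on. The other well-known DC ports (DNS 53, Kerberos 88, LDAP 389, SMB 445, global catalog 3268) must be reachable too; on 2008 R2 the domain controller role's built-in rules already allow them, on 2003 add them by hand.

```batch
@echo off
REM Added example (not from the original post): pin the AD replication, FRS and
REM RPC dynamic ports on this domain controller and open the matching inbound
REM firewall openings. Run from an elevated command prompt on EACH DC, then
REM reboot, because NTDS and NtFrs read their port values only at start-up.
REM The port numbers below are the post's values (assumption); keep them
REM identical on every DC so the rules are the same everywhere.
setlocal

set DRS_PORT=53211
set FRS_PORT=53212
set RPC_LOW=5000
set RPC_HIGH=5100

REM 1. Active Directory replication (DRS over RPC) on a fixed TCP port
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "TCP/IP Port" /t REG_DWORD /d %DRS_PORT% /f

REM 2. File Replication Service on a fixed TCP port
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters" /v "RPC TCP/IP Port Assignment" /t REG_DWORD /d %FRS_PORT% /f

REM 3. Restrict the dynamic range used by every other RPC server on the box
REM    (Netlogon, LSA, SAM, ...). The key lives under Rpc, NOT under NTDS.
reg add "HKLM\Software\Microsoft\Rpc\Internet" /v "Ports" /t REG_MULTI_SZ /d "%RPC_LOW%-%RPC_HIGH%" /f
reg add "HKLM\Software\Microsoft\Rpc\Internet" /v "PortsInternetAvailable" /t REG_SZ /d Y /f
reg add "HKLM\Software\Microsoft\Rpc\Internet" /v "UseInternetPorts" /t REG_SZ /d Y /f

REM 4. Firewall openings. Windows 2003 reports "Version 5.2" and has the legacy
REM    firewall (netsh firewall); anything newer has Windows Firewall with
REM    Advanced Security (netsh advfirewall).
ver | find "Version 5.2" >nul
if %errorlevel%==0 goto legacy

:advfirewall
netsh advfirewall firewall add rule name="AD Replication (fixed port)" dir=in action=allow protocol=TCP localport=%DRS_PORT%
netsh advfirewall firewall add rule name="File Replication Service (fixed port)" dir=in action=allow protocol=TCP localport=%FRS_PORT%
netsh advfirewall firewall add rule name="RPC dynamic range" dir=in action=allow protocol=TCP localport=%RPC_LOW%-%RPC_HIGH%
netsh advfirewall firewall add rule name="RPC Endpoint Mapper" dir=in action=allow protocol=TCP localport=135
goto done

:legacy
REM The 2003 firewall has no port-range syntax, so add one opening per port.
netsh firewall add portopening protocol=TCP port=%DRS_PORT% name="AD Replication (fixed port)"
netsh firewall add portopening protocol=TCP port=%FRS_PORT% name="File Replication Service (fixed port)"
netsh firewall add portopening protocol=TCP port=135 name="RPC Endpoint Mapper"
for /L %%p in (%RPC_LOW%,1,%RPC_HIGH%) do netsh firewall add portopening protocol=TCP port=%%p name="RPC %%p"
REM To roll the range back on 2003:
REM for /L %%p in (%RPC_LOW%,1,%RPC_HIGH%) do netsh firewall delete portopening protocol=TCP port=%%p

:done
echo Settings applied. Reboot this domain controller, then verify with dcdiag.
endlocal
```

On 2008 R2 the same dynamic-range restriction can alternatively be made with `netsh int ipv4 set dynamicport tcp start=5000 num=101`; the registry key is used here because it is the one method that works identically on both server versions.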

Once the settings above are in place and the firewall service is enabled, reboot the system (the NTDS and NtFrs services read their port values only at start-up) and then verify that AD replication, FRS and RPC for Netlogon still work. Run Dcdiag.exe from a command prompt to confirm that none of the functions has a problem.

If the report shows any error, double-check whether a setting is wrong or a parameter was missed. There is only one way to find out: trial and error!
Ø  Verify the state of all domain controllers with the Domain Controller Diagnostic tool (Dcdiag)

Redirect the output to a text file and confirm that every test reports "passed test" (and none reports "failed test") if the configuration succeeded
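A post-reboot check that goes a little further than reading the dcdiag report by eye, as an added example written for this page (not the post's own). It assumes the port numbers used above and writes the dcdiag output to %TEMP%. On Windows 2003, dcdiag and repadmin come from the Windows Support Tools; on 2008 R2 they are built in.

```batch
@echo off
REM Added example (not from the original post): verify the fixed-port
REM configuration on a domain controller after the reboot.
REM Port numbers are assumed to match what was configured (the post's values).
setlocal
set DRS_PORT=53211
set FRS_PORT=53212
set LOG=%TEMP%\dcdiag-%COMPUTERNAME%.txt

echo === 1. Registry values the services read at start-up ===
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "TCP/IP Port"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters" /v "RPC TCP/IP Port Assignment"
reg query "HKLM\Software\Microsoft\Rpc\Internet"

echo === 2. Are NTDS and FRS actually listening on the fixed ports? ===
REM If one of these prints nothing, the service took a dynamic port instead,
REM usually because the value name was mistyped or the server was not rebooted.
netstat -an -p TCP | findstr /C:":%DRS_PORT% " | findstr LISTENING
netstat -an -p TCP | findstr /C:":%FRS_PORT% " | findstr LISTENING

echo === 3. Replication status and the full diagnostic run ===
REM repadmin shows the last result per replication partner. A firewall block
REM shows up here as "The RPC server is unavailable" (error 1722).
repadmin /showrepl
dcdiag /v > "%LOG%"
findstr /C:"passed test" "%LOG%" >nul || echo WARNING: no "passed test" lines in %LOG% - did dcdiag run at all?
findstr /C:"failed test" "%LOG%" >nul
if errorlevel 1 (
    echo dcdiag: no test reported "failed test" - full report in %LOG%
) else (
    echo dcdiag reported failures:
    findstr /C:"failed test" "%LOG%"
)
endlocal
```

Run it on each DC in turn; the listener check in step 2 is the quickest way to tell a registry mistake apart from a firewall mistake, since a service that is not listening on its fixed port will fail no matter which rules are open.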


Since 2010 Design by Davidwa
©Copyright Davidwa Inc. All rights reserved.