In general, we often install AD with the firewall function turned off in corporate or lab environments, simply because it makes building AD easier. We know this is neither safe nor strict, but we disable the Windows Firewall service anyway to avoid the extra effort it adds to any troubleshooting. As you know, every open port on the O.S. is a chance for a cracker, and if there is an unpatched security hole on the O.S., an open port is a convenient channel through which the system or an application can be made to crash.
In the previous article, "Samba 3 join Windows AD", I did the same thing to avoid firewall limitations, so that I could focus on the relationship between Samba and AD and keep troubleshooting simple. But I know that is not the right way to do it, because it assumes there is no security on the system at all.
Time is up: let's enable the firewall function on the Windows platform!
How do we do it?
The goal is that AD keeps working normally after the firewall service is enabled on both the Windows 2003 AD and the Windows 2008 R2 AD domain controllers.
The first thing that needs attention is AD replication. The second is the FRS function. The last is RPC for Netlogon and domain join. All three normally listen on dynamic RPC ports that clients discover through the endpoint mapper on TCP 135, so the approach is to pin each one to a fixed port (or a fixed range), open those ports in the firewall, and keep TCP 135 open as well. Please follow the process below to see how to change the settings on the AD domain controllers!
Ø Configure the TCP port number for AD replication on all domain controllers to use a specific port
1. Add the following registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (the same value on Windows 2003 Server and on Windows 2008 R2 Server; the screenshots for each are not reproduced here)
§ Set "TCP/IP Port" as the Value name (REG_DWORD) and "53211" (Decimal) as the Value data
2. Add the following setting in the firewall
§ Windows 2003 Server: in Windows Firewall, add a port exception: write down a firewall rule Name, enter "53211" as the Port number with TCP selected, then click the "OK" button
§ Windows 2008 R2 Server: in Windows Firewall with Advanced Security, create a new Inbound Rule:
Select the "Port" option, then click the "Next >" button
Select TCP and set "53211" in the "Specific local ports" field, then click the "Next >" button
Keep "Allow the connection" and click the "Next >" button
Keep the default profiles and click the "Next >" button
Write down a firewall rule Name and click the "Finish" button
Ø Configure the TCP port number for FRS on all domain controllers to use a specific port
1. Add the following registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters (the same value on Windows 2003 Server and on Windows 2008 R2 Server; the screenshots for each are not reproduced here)
§ Set "RPC TCP/IP Port Assignment" as the Value name (REG_DWORD) and "53212" (Decimal) as the Value data
2. Add the following setting in the firewall
§ Windows 2003 Server: in Windows Firewall, add a port exception: write down the firewall rule Name "File Replication Service", enter "53212" as the Port number with TCP selected, then click the "OK" button
§ Windows 2008 R2 Server: in Windows Firewall with Advanced Security, create a new Inbound Rule:
Select the "Port" option, then click the "Next >" button
Select TCP and set "53212" in the "Specific local ports" field, then click the "Next >" button
Keep "Allow the connection" and click the "Next >" button
Keep the default profiles and click the "Next >" button
Write down a firewall rule Name and click the "Finish" button
Ø Configure the TCP port range on all domain controllers for RPC (Netlogon, domain join) to use a specific range
1. Add the registry key "Internet" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc (the same on Windows 2003 Server and on Windows 2008 R2 Server; the screenshots are not reproduced here). Note that this key belongs under Rpc, not under the NTDS\Parameters key used in the previous sections; it is the key that holds the values in step 2.
2. Add the following registry values under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
§ Under the Internet key, add the value "Ports" (REG_MULTI_SZ): set "Ports" as the Value name and "5000-5100" as the Value data
§ Under the Internet key, add the values "PortsInternetAvailable" (REG_SZ) and "UseInternetPorts" (REG_SZ)
§ Set "PortsInternetAvailable" as the Value name and "Y" as the Value data (meaning the listed ports are the ones made available)
§ Set "UseInternetPorts" as the Value name and "Y" as the Value data
Keep in mind that these values restrict every RPC server on the machine, not only Netlogon, so the range must contain at least 100 ports ("5000-5100" gives 101) and a busy domain controller may need more.
3. Add the following setting in the firewall
§ Windows 2003 Server: the Windows Firewall port exception dialog accepts a single port per entry, so create the openings for the whole 5000-5100 range from a command prompt with a script (one netsh port opening per port), and delete them with a matching script when needed; the scripts themselves were shown as screenshots and are not reproduced here. Afterwards you will see the ports created for the RPC range in the Exceptions list.
§ Windows 2008 R2 Server: in Windows Firewall with Advanced Security, create a new Inbound Rule:
Select the "Port" option, then click the "Next >" button
Select TCP and set "5000-5100" in the "Specific local ports" field, then click the "Next >" button
Keep "Allow the connection" and click the "Next >" button
Keep the default profiles and click the "Next >" button
Write down a firewall rule Name and click the "Finish" button
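The three sections above are one procedure, so here is the whole thing as a single script. This is an added example, not the article's own script or screenshots: it applies the article's port numbers (53211, 53212, 5000-5100) on a Windows Server 2008 R2 domain controller from an elevated PowerShell prompt, then adds the matching inbound rules with netsh advfirewall (the same rules the wizard steps create). The rule names are my own; the Windows Server 2003 command at the end uses the older netsh firewall context, which has no range syntax.

```powershell
# Added example, not the article's own script: pin AD replication, FRS and the RPC
# dynamic range on a Windows Server 2008 R2 DC and open matching inbound rules.
# Run elevated on EVERY domain controller, then reboot.

$ReplPort = 53211         # NTDS  "TCP/IP Port"                 -> AD replication
$FrsPort  = 53212         # NtFrs "RPC TCP/IP Port Assignment"  -> FRS
$RpcRange = '5000-5100'   # Rpc\Internet "Ports"                -> Netlogon and every other RPC server

function Set-RegValue {
    # Create the key if it is missing, then create or overwrite the value (PowerShell 2.0 safe).
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. AD replication: pin the NTDS RPC endpoint (REG_DWORD, decimal)
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  'TCP/IP Port' $ReplPort 'DWord'

# 2. FRS: pin the NtFrs RPC endpoint (REG_DWORD, decimal)
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' 'RPC TCP/IP Port Assignment' $FrsPort 'DWord'

# 3. RPC dynamic range for everything else. "Ports" is REG_MULTI_SZ, the two flags are REG_SZ.
#    This applies to all RPC servers on the host, so never go below 100 ports.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
Set-RegValue $rpc 'Ports'                  @($RpcRange) 'MultiString'
Set-RegValue $rpc 'PortsInternetAvailable' 'Y'          'String'
Set-RegValue $rpc 'UseInternetPorts'       'Y'          'String'

# Inbound rules (Port -> TCP, specific local ports -> Allow -> all profiles -> name).
# TCP 135 (endpoint mapper) must stay reachable too, or clients can never learn the pinned ports.
$rules = @(
    @{ Name = 'RPC Endpoint Mapper TCP 135';    Port = '135' },
    @{ Name = 'AD Replication TCP 53211';       Port = "$ReplPort" },
    @{ Name = 'File Replication Service 53212'; Port = "$FrsPort" },
    @{ Name = 'RPC Dynamic Range 5000-5100';    Port = $RpcRange }
)
foreach ($r in $rules) {
    $name = $r.Name
    $port = $r.Port
    netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=TCP localport=$port
}

# Show what was created before rebooting.
netsh advfirewall firewall show rule name=all | Select-String 'Rule Name:\s+(RPC|AD Replication|File Replication)'

# Windows Server 2003: no advfirewall context, and one port per exception, so loop the range
# from a command prompt (replace "add" with "delete" to remove them again):
#   for /L %i in (5000,1,5100) do netsh firewall add portopening protocol=TCP port=%i name="RPC %i" mode=ENABLE
```

Run it on each DC, reboot, and only then enable any network firewall between the DCs; the registry values take effect at the next start of the NTDS, NtFrs and RPC services, which is why the reboot is not optional.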
When the settings above are done and the firewall service is enabled, the system needs to be rebooted; then verify that AD replication, FRS and RPC for Netlogon are all still working. Run Dcdiag.exe from a command prompt to confirm there are no problems.
If the report shows any error message, double-check whether a setting is wrong or a parameter was left unchanged. There is only one solution: trial and error, by yourself!
Ø Verify the state of all domain controllers with the Domain Controller Diagnostic tool (Dcdiag)
Redirect the Dcdiag output to a text file and open it; if everything succeeded, every test line ends with "passed test" and there is no "failed test" line.
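Reading a long Dcdiag report for "failed test" lines by eye is error-prone, and Dcdiag alone does not tell you whether the firewall is the cause. The following added script (my own, not part of the article) is meant to be run from a second domain controller after the reboot: it first checks that the pinned ports on the rebooted DC (TCP 135, 53211, 53212 from the steps above) actually accept a connection through the firewall, then runs dcdiag against that DC and parses its "passed test"/"failed test" lines into a summary. The hostname dc01.example.local is an assumed placeholder.

```powershell
# Added example, not the article's own script. Run from ANOTHER DC after the reboot.
# $Dc is an assumed placeholder hostname; pass your own with -Dc.
param([string]$Dc = 'dc01.example.local')

function Test-TcpPort {
    # TCP connect with a timeout; $true only if the DC accepted the connection.
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DcdiagResults {
    # Run dcdiag against one DC and turn its "<target> passed|failed test <name>" lines into objects.
    param([string]$Computer)
    $lines = & dcdiag /s:$Computer 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '(?<target>\S+)\s+(?<verdict>passed|failed) test (?<test>\w+)') {
            New-Object PSObject -Property @{
                Target  = $matches['target']
                Test    = $matches['test']
                Verdict = $matches['verdict']
            }
        }
    }
}

# 1. Are the pinned ports reachable through the DC's firewall?
#    (The 5000-5100 range is not probed: which ports in it are in use depends on RPC allocation.)
$ports = @{ 135 = 'RPC endpoint mapper'; 53211 = 'AD replication (NTDS)'; 53212 = 'FRS (NtFrs)' }
"Port reachability for $Dc"
foreach ($p in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -Computer $Dc -Port $p) { 'open' } else { 'BLOCKED or not listening' }
    '{0,6}  {1,-24} {2}' -f $p, $ports[$p], $state
}

# 2. dcdiag summary: Replications, NetLogons and the FRS/SYSVOL tests are the ones the
#    firewall change can break; failures are listed first so they cannot be overlooked.
$results = @(Get-DcdiagResults -Computer $Dc)
$failed  = @($results | Where-Object { $_.Verdict -eq 'failed' })
$results | Sort-Object Verdict, Test | Format-Table Verdict, Test, Target -AutoSize
if ($failed.Count -gt 0) {
    $names = ($failed | ForEach-Object { $_.Test }) -join ', '
    Write-Warning ('{0} dcdiag test(s) failed on {1}: {2}' -f $failed.Count, $Dc, $names)
    Write-Warning 'Re-check the three registry values and the matching inbound rules, then reboot again.'
} else {
    'All {0} dcdiag tests passed on {1}.' -f $results.Count, $Dc
}
```

A port that reports "BLOCKED or not listening" while dcdiag's Replications test fails points at the firewall rule or the registry value for that service; a port that is open while the test still fails points elsewhere (DNS, time, or the dynamic range being too narrow).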