Policy for AD authentication across zones


L1 Bithead

Trying to narrow it down and determine the minimum set of applications/services that need to be allowed for a user to log in to a Windows 7 client in one zone and authenticate against a Server 2008R2 AD Domain Controller in a different zone. The Windows 7 client is a member of the domain. Need the ability for users to change passwords, access a read-only file share and also for GPO to work.

 

Any ideas are very much appreciated.

 


L7 Applicator

This documentation on MS TechNet details the AD port requirements and their function.

 

https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks Steve,

 

This is a useful TechNet article, but it is about DC to DC communications; I'm looking for client to DC communications info.

 

Cheers,

Pierre

Can't seem to find the client to DC article. But here are the ports I pulled when setting this up a few years back.

 

53/tcp and 53/udp (only if the DC is also the DNS source)
749/udp
88/tcp/udp
389/tcp/udp
3268/tcp 

445/tcp/udp
123/udp
135/tcp

tcp random range: 49152 to 65535

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hello and sorry for the late reply. Here are the applications I have set up for my cross zone AD authentication:

 

active-directory

dns

kerberos

ldap

ms-ds-smb

ms-kms

ms-netlogon

ms-product-activation

msrpc

netbios-dg

netbios-ns

netbios-ss

ntp

ssl

 

I'm sure you might not need all, but it's a start.

 

Cheers!
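A client-side check for the port list posted earlier in this thread, added here as an example (not from any of the posters): it parses those spec lines into port ranges and probes each single TCP port with a connect() from the client zone, so the inter-zone policy can be verified before users try to log on. The DC hostname, the sample spec list and the `probe` parameter are constructed for the example; UDP ports and the dynamic RPC range are reported rather than probed, since a TCP connect cannot confirm them.

```python
"""Verify reachability of the DC ports listed in this thread from a client.
Constructed example: UDP and the dynamic RPC range are only reported."""
import re
import socket

DC_PORT_SPECS = [  # port spec lines copied from the thread (constructed list)
    "53/tcp and 53/udp", "749/udp", "88/tcp/udp", "389/tcp/udp", "3268/tcp",
    "445/tcp/udp", "123/udp", "135/tcp", "tcp random range: 49152 to 65535",
]
RANGE_RE = re.compile(r"(tcp|udp) random range:\s*(\d+)\s*to\s*(\d+)")


def parse_port_spec(spec):
    """One spec line -> list of (proto, low, high); '88/tcp/udp' yields two."""
    spec = spec.strip().lower()
    m = RANGE_RE.match(spec)
    if m:
        return [(m.group(1), int(m.group(2)), int(m.group(3)))]
    ranges = []
    for part in spec.split(" and "):          # "53/tcp and 53/udp"
        port, *protos = part.strip().split("/")
        ranges.extend((proto, int(port), int(port)) for proto in protos)
    return ranges


def tcp_port_open(host, port, timeout=1.0):
    """True if the TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, specs=DC_PORT_SPECS, probe=tcp_port_open):
    """Map 'port/proto' -> True/False for TCP, or a note for what is not probed."""
    results = {}
    for spec in specs:
        for proto, lo, hi in parse_port_spec(spec):
            key = f"{lo}/{proto}" if lo == hi else f"{lo}-{hi}/{proto}"
            if proto != "tcp":
                results[key] = "udp: confirm in the firewall traffic log"
            elif lo != hi:
                results[key] = "dynamic RPC range: confirm in the firewall traffic log"
            else:
                results[key] = probe(host, lo)
    return results


if __name__ == "__main__":
    for port, state in check_dc("dc01.example.internal").items():  # hypothetical DC
        print(f"{port:>20}  {state}")
```

Run it from the Windows 7 client while watching the firewall's traffic log for the same session; a False here with a matching deny entry points at the policy, while a False with no log entry points at routing or the DC itself.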
