Which ports to open for 2008 AD replication through a firewall
2011-06-20 14:31
Domain controllers have to replicate with each other. If a firewall sits between the DCs, which ports need to be opened? A TechNet wiki explains this very clearly; below are some excerpts, shared here for everyone.
Introduction
Firewalls present two difficulties when deploying a distributed Active Directory (AD) directory service architecture:
- Initially promoting a server to a domain controller.
- Replicating traffic between domain controllers.
Active Directory relies on remote procedure call (RPC) for replication between domain controllers. (Simple Mail Transfer Protocol [SMTP] can be used in certain situations—schema, configuration, and global catalog replication, but not domain naming context—limiting its usefulness.) Getting replication to function properly in environments where a directory forest is distributed among internal, perimeter networks and external (that is, Internet-facing) networks can be challenging. There are three possible approaches:
- Open the firewall wide to permit RPC's native dynamic behavior.
- Limit RPC's use of TCP ports and open the firewall just a little bit.
- Encapsulate domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall for that.
Each approach has its pros and cons. In general, there are more cons than pros at the top of the list, and more pros than cons at the bottom. So although this document describes how to do all three, most of its focus is on the IPSec approach because of its benefits over the other two.
Full Dynamic RPC
Pros:
- No special server configuration
Cons:
- Turns the firewall into "Swiss cheese"
- Random incoming high-port connections
- Insecure firewall configuration
Although configuring your environment to work this way is certainly possible, there are plenty of reasons not to do it—most importantly—it results in an insecure network. It does, however, require the least amount of configuration work.
To enable replication over dynamic RPC, configure your firewall to permit the following.
Service: port/protocol
- RPC endpoint mapper: 135/tcp, 135/udp
- Network basic input/output system (NetBIOS) name service: 137/tcp, 137/udp
- NetBIOS datagram service: 138/udp
- NetBIOS session service: 139/tcp
- RPC dynamic assignment: 1024-65535/tcp
- Server message block (SMB) over IP (Microsoft-DS): 445/tcp, 445/udp
- Lightweight Directory Access Protocol (LDAP): 389/tcp
- LDAP ping: 389/udp
- LDAP over SSL: 636/tcp
- Global catalog LDAP: 3268/tcp
- Global catalog LDAP over SSL: 3269/tcp
- Kerberos: 88/tcp, 88/udp
- Domain Name Service (DNS): 53/tcp (1), 53/udp
(1) TCP is used for zone transfers and whenever answers to questions exceed 512 bytes.
For a reference of Windows port requirements, see:
832017 Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017
It is that "RPC dynamic assignment" rule that makes this scenario insecure. Sometimes referred to as "TCP high ports," the rule needs to permit inbound traffic on any port above 1024. If your firewall permits this, there is very little reason even to have a firewall.
If you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the files for information on how to use them.
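As an added example (not part of the TechNet wiki or of this post), a small Python audit that expands the port/protocol notation used in the table above and flags the "RPC dynamic assignment" rule as the one that opens an entire high-port range; the shortened rule names, the MAX_RANGE threshold and the helper functions are my own assumptions.

```python
from typing import Dict, List, Tuple

# The Full Dynamic RPC allow-list from the table above, transcribed as
# constructed input (service names shortened, DNS footnote marker dropped).
DYNAMIC_RPC_RULES: Dict[str, str] = {
    "RPC endpoint mapper": "135/tcp, 135/udp",
    "NetBIOS name service": "137/tcp, 137/udp",
    "NetBIOS datagram service": "138/udp",
    "NetBIOS session service": "139/tcp",
    "RPC dynamic assignment": "1024-65535/tcp",
    "SMB over IP": "445/tcp, 445/udp",
    "LDAP": "389/tcp",
    "LDAP ping": "389/udp",
    "LDAP over SSL": "636/tcp",
    "Global catalog LDAP": "3268/tcp",
    "Global catalog LDAP over SSL": "3269/tcp",
    "Kerberos": "88/tcp, 88/udp",
    "DNS": "53/tcp, 53/udp",
}

MAX_RANGE = 64  # assumption: a single rule opening more ports than this needs review


def parse_spec(spec: str) -> List[Tuple[str, int, int]]:
    """'135/tcp, 1024-65535/tcp' -> [('tcp', 135, 135), ('tcp', 1024, 65535)]."""
    out = []
    for item in spec.split(","):
        ports, proto = item.strip().lower().split("/")
        lo, _, hi = ports.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        out.append((proto, lo_i, hi_i))
    return out


def is_allowed(rules: Dict[str, str], port: int, proto: str) -> List[str]:
    """Names of every rule that admits inbound port/proto (empty list = blocked)."""
    return [name for name, spec in rules.items()
            for p, lo, hi in parse_spec(spec)
            if p == proto.lower() and lo <= port <= hi]


def wide_rules(rules: Dict[str, str], limit: int = MAX_RANGE) -> Dict[str, int]:
    """Audit finding: rules wider than `limit` ports, mapped to how many they open."""
    widths = {name: sum(hi - lo + 1 for _, lo, hi in parse_spec(spec))
              for name, spec in rules.items()}
    return {name: w for name, w in widths.items() if w > limit}
```

Running wide_rules over the list reports only the dynamic assignment rule, at 64512 TCP ports, and is_allowed shows that 3268/tcp is already admitted by that rule before the global catalog rule is even consulted.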
Full reference:
http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx