2008AD複製有防火牆要開什麼埠

像教授發表於2017-11-26
DC之間要做Replication, 假如DC間的通訊有防火牆隔著,需要開什麼埠呢,TechNet有個Wiki說得很清楚,以下是一些摘錄,和大家分享下。



Introduction

Firewalls present two difficulties when deploying a distributed Active Directory (AD) directory service architecture:

  • Initially promoting a server to a domain controller.

  • Replicating traffic between domain controllers.

Active Directory relies on remote procedure call (RPC) for replication between domain controllers. (Simple Mail Transfer Protocol [SMTP] can be used in certain situations—schema, configuration, and global catalog replication, but not domain naming context—limiting its usefulness.) Getting replication to function properly in environments where a directory forest is distributed among internal, perimeter networks and external (that is, Internet-facing) networks can be challenging. There are three possible approaches:

  • Open the firewall wide to permit RPC`s native dynamic behavior.

  • Limit RPC`s use of TCP ports and open the firewall just a little bit.

  • Encapsulate domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall for that.

Each approach has its pros and cons. In general, there are more cons than pros at the top of the list, and more pros than cons at the bottom. So although this document describes how to do all three, most of its focus is on the IPSec approach because of its benefits over the other two.

Top of page


Full Dynamic RPC

Pros

Cons

No special server configuration

Turns the firewall into “Swiss cheese”

Random incoming high-port connections

Insecure firewall configuration

Although configuring your environment to work this way is certainly possible, there are plenty of reasons not to do it—most importantly—it results in an insecure network. It does, however, require the least amount of configuration work.

To enable replication over dynamic RPC, configure your firewall to permit the following.

Service

Port/protocol

RPC endpoint mapper

135/tcp, 135/udp

Network basic input/output system (NetBIOS) name service

137/tcp, 137/udp

NetBIOS datagram service

138/udp

NetBIOS session service

139/tcp

RPC dynamic assignment

1024-65535/tcp

Server message block (SMB) over IP (Microsoft-DS)

445/tcp, 445/udp

Lightweight Directory Access Protocol (LDAP)

389/tcp

LDAP ping

389/udp

LDAP over SSL

636/tcp

Global catalog LDAP

3268/tcp

Global catalog LDAP over SSL

3269/tcp

Kerberos

88/tcp, 88/udp

Domain Name Service (DNS)

53/tcp1, 53/udp

1

TCP is used for zone transfers and whenever answers to questions exceed 512 bytes.

For a reference of Windows port requirements, see:

832017 Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017 

It is that “RPC dynamic assignment” rule that makes this scenario insecure. Sometimes referred to as “TCP high ports,” the rule needs to permit inbound traffic on any port above 1024. If your firewall permits this, there is very little reason even to have a firewall.

If you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%system32driversetc. Look inside the files for information on how to use them.




本文轉自 VirtualTom 51CTO部落格,原文連結:http://blog.51cto.com/virtualtom/592255,如需轉載請自行聯絡原作者


相關文章