Hi
I have two networks:
- 172.33.0.x : My internal network
- 192.168.1.x : My DMZ network
I have a DC in the internal network for my domain, and a RODC in the DMZ for the same domain. A firewall exists between these two networks, allowing only the ports/traffic I specify.
When I add a computer in the DMZ and try to join it to the domain, it still tries to access my DC on the internal network rather than the RODC in the DMZ. I've made the change as specified here (http://support.microsoft.com/kb/977510?wa=wsignin1.0), i.e. allowing the RODC to be discoverable. I am allowing the following ports between my RODC and DC:
| Service | Source | Destination |
|---|---|---|
| Ephemeral ports | 49152:65535 | 49152:65535 |
| FRS RPC | 1:65535 | 53248 |
| Kerberos | 1:65535 | 88 |
| LDAP | 1:65535 | 389 |
| SMB | 1:65535 | 445 |
| NTP | 1:65535 | 123 |
| RPC Endpoint Mapper | 1:65535 | 135 |
I have two Sites set up: DMZ and Internal. The RODC is part of the DMZ site, and the DC is part of the Internal site.
If I run nltest /dsgetdc:mydomain.local on a computer in the DMZ, the RODC is returned.
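A diagnostic script that a defender can run from a DMZ member to check two things the question raises: which of the listed ports are actually reachable on the RODC versus the internal DC through the firewall, and which DC the locator returns for an ordinary, site-scoped, and writable-only request. This is an added example, not code from the original post; the hostnames `rodc01` and `dc01` are assumptions, while the port list is taken from the firewall table above.

```powershell
# Added example (not part of the original post). Hostnames below are assumptions;
# the destination ports are the allow-list from the question's firewall table.
$Rodc = 'rodc01.mydomain.local'   # assumed name of the RODC in the DMZ
$Dc   = 'dc01.mydomain.local'     # assumed name of the writable DC on the internal network

# TCP destination ports from the table. NTP/123 is UDP and Test-NetConnection only probes TCP,
# so it is left out; Kerberos and LDAP also use UDP, which this check does not cover.
$Ports = [ordered]@{
    'RPC Endpoint Mapper' = 135
    'Kerberos'            = 88
    'LDAP'                = 389
    'SMB'                 = 445
    'FRS RPC (static)'    = 53248
}

function Test-DcPorts {
    param([Parameter(Mandatory)][string]$Target)
    foreach ($entry in $Ports.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $Target -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $Target
            Service = $entry.Key
            Port    = $entry.Value
            TcpOpen = $r.TcpTestSucceeded
        }
    }
}

# Expected from a DMZ host: every port open to the RODC, none open to the internal DC.
# Any port that IS open from the DMZ to the internal DC is a firewall rule worth reviewing.
Test-DcPorts -Target $Rodc | Format-Table -AutoSize
Test-DcPorts -Target $Dc   | Format-Table -AutoSize

# What the DC locator returns for this host: default, forced to the DMZ site, and writable-only.
# A domain join asks for a writable DC, so the third result is the one the join path will follow.
nltest /dsgetdc:mydomain.local
nltest /dsgetdc:mydomain.local /site:DMZ
nltest /dsgetdc:mydomain.local /writable
```

Run it as an administrator on the DMZ machine being joined. If the writable-only lookup returns the internal DC while the firewall test shows that DC unreachable on 135/88/389/445, that matches the symptom described: the locator is choosing a DC the DMZ host cannot actually reach.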