Hi everyone,
How are you all? I hope you can help on this... Little frustrated....
Currently, I have a web server in the DMZ with a 172.x.x.x IP scheme, and our domain (AD) is in the LAN (with a 10.x.x.x IP scheme). For some reason, someone needs to access domain servers in the LAN from the server in the DMZ.
Based on the DMZ-to-LAN access rule...we need to manually configure and open the ports to allow access from the DMZ to the LAN.
Before doing anything...the web server in the DMZ had not joined the domain yet.... So I did the research and did the following:
On the Firewall, I opened up the following ports so that the web servers can talk to our DCs in the LAN:
UDP port 88 for Kerberos
TCP and UDP port 135 for DC-to-DC operations
TCP 139 and UDP 138 for the replication service between DCs
UDP 389 to handle normal queries from the client to the DCs
TCP and UDP 445 for the replication service
TCP and UDP 464 for Kerberos password change
TCP 3268 and 3269 for Global Catalog from the client to the DCs
TCP and UDP port 53 for DNS
On the web server, of course, I added the DC DNS server IPs so it knows which DNS servers it can talk to.
######################
Afterwards, I joined the domain, and great! From the server I can ping any LAN server by name without any problem, including the DCs. The tracert shows as expected too.
However, when I tried to log on.... it says it cannot find any logon server....
What else am I missing? By the way, the web server has the Windows firewall disabled.
I hope you can help me on this....
Thank you very much in advance.
Takusan
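As an added example (not from the original post), here is a PowerShell check to run on the DMZ web server that probes each DC on the TCP ports a domain member needs for logon and then asks the DC locator which DC it resolves. It also covers TCP 88 and TCP 389, which Kerberos and LDAP clients use alongside UDP; the DC names are placeholders you would replace with your own.

```powershell
# Added example, not from the original post. Replace the placeholder DC names below.
# Probes each DC on the TCP ports a domain member needs and reports anything blocked.
$DomainControllers = @('dc1.example.local', 'dc2.example.local')   # placeholders (assumption)

# TCP ports a domain member uses for logon. Test-NetConnection checks TCP only,
# so UDP 88/389/53 still have to be verified on the firewall itself.
$TcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (SSL)'
}

$results = foreach ($dc in $DomainControllers) {
    foreach ($port in ($TcpPorts.Keys | Sort-Object)) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{
            DC      = $dc
            Port    = $port
            Service = $TcpPorts[$port]
            Open    = $ok
        }
    }
}

$results | Format-Table -AutoSize

# Summarise what is blocked: this is the list to take back to the firewall rule.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Host "Blocked TCP paths from this host:" -ForegroundColor Yellow
    $blocked | ForEach-Object { Write-Host ("  {0}:{1} ({2})" -f $_.DC, $_.Port, $_.Service) }
} else {
    Write-Host "All listed TCP ports reachable; check the DC locator next:" -ForegroundColor Green
}

# DC locator test: this is the lookup the logon path uses to find a DC,
# so a failure here with the ports open points at DNS SRV records or site configuration.
nltest "/dsgetdc:$env:USERDNSDOMAIN"
```

Netlogon and other RPC-based services negotiate a dynamic high port after the endpoint mapper on 135, which this script does not probe; if everything above passes, that range is the next thing to confirm on the firewall.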