Q: This is a question for the Microsoft administrators.
I'm having a problem with my current setup. I am not so proficient in Microsoft server administration, so please bear with me.
I have a firewall server, and I am trying to set up and control the remote workstations with a 2k Server with Active Directory access. I have a separate DNS server that contains the SRV records that refer to the 2k server. Now, with this setup, I added machines to the domain, and I am able to log in, with some minor problems.
First, logging in takes a long time, perhaps 10-15 minutes. In the end, the user is logged in, and running "set" at the command prompt shows that it is registered to the 2k server. However, the group policies I've set up do not show up; if I put a machine on the same side as the server, then the group policies do show up.
If I run a packet sniffer on the firewall, I see that Kerberos authentication is not completed, because it has a number of KRB errors. In addition, the LSA (Local Security Authority) does not seem to work. This is probably why the group policy is not working.
I'm just curious if anyone out there has previous experience in setting up Active Directory and had similar problems. Even if you never had problems like this (I have a very unique setup here, so that is inevitable), I would appreciate the help.
Thanks in advance!
Re: See M$ article (http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp)
Re: woodie – thanks, the doc would be helpful. i am still stuck in the mud with this situation.
saltin – i wish i could abandon this setup, but it is out of my control as the "higher-ups" of my department are not allowing some stuff to exist on our network.
to sum up, i'm having extremely long login times, and i am not sure what this is a function of, the DNS or the active directory configuration itself. after login, the workstation is logged into the domain, but the group policies are not applied.
thank you all!
Re: It's a very risky situation you've set up there. You might as well have no firewall at all, with those ports open.
If all these remote clients are located in a central area, you should really install a DC there.
If not, you should consider a VPN.
Re: I'll have to dig up the doc on Monday.
The 1026 is a special deal. When the client passes the RPC request on 135, the server responds and randomly assigns a high port (starting at 1026) for the session. There's a reg poke on the DC, that limits what ports can be used for the RPC sessions, so that you can configure your firewall to match. Basically, you tune down the number of open ports, based on your expected volume of logins.
Re: Originally posted by: guy
Running a full authentication to an AD through a firewall requires about a dozen ports open, and some special configuration on the server (for RPC).
Off the top of my head, you need to have: 53 (dns), 88 (kerberos), 135 (rpc), 1026(configurable for RPC), 389 (LDAP), and some others. If you need the detail, MS does have something in their knowledge base, or LMK and I'll try and dig up the doc.
guy:
Have you done something like this before?
I already have these ports open. off the top of my head also, 53, 88, 135, 389, 445, 464, 3268, 3269… i'm not sure about 1026 though, maybe that could be it?
The speed issue is still my biggest concern, and I haven't figured out how to speed up the login process.
Any help would be beneficial! THANKS!
Re: Running a full authentication to an AD through a firewall requires about a dozen ports open, and some special configuration on the server (for RPC).
Off the top of my head, you need to have: 53 (dns), 88 (kerberos), 135 (rpc), 1026(configurable for RPC), 389 (LDAP), and some others. If you need the detail, MS does have something in their knowledge base, or LMK and I'll try and dig up the doc.