
So I've been scratching my head around this problem for a few days now.

This is a quick schema of our infrastructure:

  1. Our Primary Domain Controller is running in a hypervisor, in our datacenter. There are two stacks of firewalls (Fortigate FG200D and pfSense) before running into our MPLS network.
  2. The new domain controller is running on a bare-metal install, in one of our sites, connected to the MPLS and also behind two layers of firewalls (Fortigate FG100D and pfSense).

Both servers are running Windows 2012 R2 and they are both up to date. The existing domain controller will be called DC-AD and the new will be RNS.

I have also disabled both Windows Firewalls and made an allow-all rule in our firewalls between the two DCs (at least, between the DC (DC-AD) and the would-like-to-be DC (RNS)).

Here are the results of an nmap scan:

  • From RNS towards DC-AD:

    (screenshot of the nmap output, not reproduced here)

  • From DC-AD towards RNS:

    (screenshot of the nmap output, not reproduced here)

I have tried everything I can think of or anything that I could find on the internet, but most of the problems are from blocked ports in the firewall.

  • Those scans do not show all of the required ports. Instead of NMap, use PortQueryUI and provide the text results. – Greg Askew Apr 21 '16 at 15:40
  • 1
    what does the log at %systemroot%\debug\dcpromo.log say – Mass Nerder Apr 21 '16 at 16:27
  • Here's the [log](http://pastebin.com/eS88yX0X) . As for the PortQuery , here is the [result](http://pastebin.com/VjVvBPY3) . Indeed some ports are filtered. I'll have to see this tomorrow but it seems weird because all ports are opened in the firewalls. Thanks! – Matthieu ANTOINE Apr 21 '16 at 16:49

2 Answers

These aren't all required AD ports.

  • TCP and UDP 389
  • TCP 636
  • TCP 3268
  • TCP 3269
  • TCP and UDP 88
  • TCP and UDP 53
  • TCP and UDP 445
  • TCP 25
  • TCP 135
  • TCP Dynamic
  • TCP 5722
  • UDP 123
  • TCP and UDP 464
  • UDP Dynamic
  • UDP 138
  • TCP 9389

I got that list here; there's a table explaining what AD uses each port for.

A different article I found suggested these ports just for dcpromo:

  • TCP 3269
  • TCP 3268
  • TCP 389
  • UDP 389
  • TCP 636
  • UDP 636
  • UDP 500
  • UDP 4500
  • TCP 135
  • Random TCP 1024 - 65535, 49152 - 65535²
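A connect test over the TCP ports in the list above, added here as an example that is not part of either answer nor of PortQry or nmap: it reports each port as open, closed or filtered, which is the distinction that matters when a port stays filtered despite an allow-all rule. The target hostname is a placeholder; UDP ports and the dynamic RPC range are not covered by a connect test.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP ports from the list above with the AD service behind each. UDP entries
# can't be checked with a connect test; the dynamic RPC range is assigned via
# the endpoint mapper (135), so only 135 itself is probed here.
AD_TCP_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos password change", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog over SSL",
    5722: "DFSR (SYSVOL replication)", 9389: "AD Web Services",
}

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port the way PortQry reports it.
    open        -> handshake completed, a service is listening
    closed      -> host replied with RST: path is clear, nothing listening
    filtered    -> no reply before the timeout: something is dropping packets
    unreachable -> the local stack could not send (no route, bad name)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "filtered"
    except OSError:
        return "unreachable"

def probe_dc(host, ports=AD_TCP_PORTS, timeout=3.0, workers=8):
    """Probe every port in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe_tcp(host, p, timeout)), ports))

def filtered_ports(results):
    """Ports dropped silently on the path: the ones to chase in the firewall rules."""
    return sorted(p for p, state in results.items() if state == "filtered")

if __name__ == "__main__":
    # Hostname is a placeholder; pass the real DC as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc-ad.example.invalid"
    results = probe_dc(target)
    for port in sorted(results):
        print(f"{port:>5}/tcp  {AD_TCP_PORTS.get(port, '?'):<26} {results[port]}")
    print("filtered:", filtered_ports(results) or "none")
```

Run it from each DC towards the other, as the comments suggest for PortQueryUI, and compare the two directions: a port that is "closed" is reachable but has no listener, while "filtered" means a device on the path is dropping the packets.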

OK, so after running PortQueryUI I found several ports to be filtered, despite the fact that I had allow-all rules between those two hosts.

I went ahead and tcpdump-ed everything, and found that one firewall had a malformed rule, which caused some ports to be filtered.

After fixing this rule, the dcpromo went along fine.

Thanks a lot to everyone who helped me!