Windows Server 2003 firewall

I have just installed a new server with Windows 2003 R2 and added the users to the Domain with Active Directory. I have made file and print sharing an exception in the firewall settings, but when I turn the firewall on, the users no longer have access to the server - they are disconnected. Help!


This is a known issue with the firewall on a 2003 server. Before I go into how to fix the issue, you should reconsider: use a hardware firewall and disable the Windows one!

The known issue is per Microsoft KB 51381. I don’t know if you have all the symptoms and don’t know it yet, or just some. You can be selective about applying patches, but really read the bolded parts below:

Configure the Active Directory (AD) Replication & File Replication Service (FRS) to use specific TCP/IP ports for replication (see References below for relevant Knowledgebase articles) and configure the firewall to allow incoming connections to the required programs and ports.

1. Configure AD and FRS to use a specific port

a. select two TCP port numbers to be used (e.g. 53211 and 53212) that are not being used by anything on any of the Domain Controllers. You can use any number between 49152 and 65535. The command netstat -a -o -n will list all of the ports currently open, but cannot list ports that might be used by applications or services that are not currently running (see Knowledgebase article 832017 for ports used by Windows Server). See References below for the URL for the definitive source for port number information.

b. on all Domain Controllers in the Forest, add the following two registry values with regedit (or use a .reg file – see References below)
i. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port
– DWORD containing the selected TCP port number for AD replication (e.g. 53211 – cfdb (hex))
ii. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\RPC TCP/IP Port Assignment
– DWORD containing the selected TCP port number for FRS (e.g. 53212 – cfdc (hex))

2. Configure the Windows Server 2003 SP1 Windows Firewall for use on a Domain Controller. You can add the required settings to the Default Domain Controller Group Policy Object (GPO), or create a new GPO and link it to the Domain Controllers container. The Group Policy Management Console is the recommended tool for this.

Note: After promotion to being a Domain Controller the computer will restart; after this first restart, the computer will use the Windows Firewall’s Domain Profile. After the first replication completes successfully and the computer is restarted, the Domain Controller will use the Windows Firewall’s Standard Profile. So, to avoid problems, make the Domain and Standard profiles for Domain Controllers identical.

In the following, only items specifically related to correct functioning of a Domain Controller are listed; unlisted items can be set to any value desired. For example, it may be useful to have the Allow Remote Desktop exception set to Enabled so the Domain Controller can be administered remotely, which is common in large installations where Domain Controllers are remotely located.

a. Windows Firewall: Protect all network connections – Enabled
b. Windows Firewall: Allow remote administration exception – Enabled (enables ports 135 and 445, which are both required for Domain Controllers)
c. Windows Firewall: Allow file and printer sharing exception – Enabled
d. Windows Firewall: Define port exceptions – Enabled (in the list of port exceptions below, the * indicates incoming requests from any IP address will be accepted. Other values are possible – see the text on the Setting tab in Group Policy Editor for details. For example, localsubnet may be applicable in some circumstances). The strings below are exactly what needs to be in the list of port exceptions.
3268:tcp:*:enabled:Global Catalog LDAP
53211:tcp:*:enabled:AD Replication (Note: use the port number selected in 1.b.i above)
53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in 1.b.ii above)

For more information read the KB article here.
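The procedure above, written out as a batch script for a single Domain Controller (an added example, not code from the original answer or from Microsoft). It assumes the example ports 53211 and 53212 from the answer, sets the registry values with reg.exe, and applies the firewall settings with the netsh firewall context that Windows Server 2003 SP1 provides for the local firewall; a Domain Controllers GPO, as the answer recommends, would override these local settings.

```batch
@echo off
setlocal
rem Ports chosen for AD replication and FRS (example values from the answer;
rem pick free ports in the 49152-65535 range for your own forest)
set AD_PORT=53211
set FRS_PORT=53212

rem 1. Refuse to continue if either port is already open on this DC
rem    (netstat only sees ports in use right now, so check every DC)
for %%P in (%AD_PORT% %FRS_PORT%) do (
    netstat -a -n -o | findstr /C:":%%P " >nul && (
        echo ERROR: TCP port %%P is already in use on this host
        exit /b 1
    )
)

rem 2. Pin AD replication and FRS to the chosen ports (steps 1.b.i and 1.b.ii)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ^
    /v "TCP/IP Port" /t REG_DWORD /d %AD_PORT% /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters" ^
    /v "RPC TCP/IP Port Assignment" /t REG_DWORD /d %FRS_PORT% /f

rem 3. Local equivalent of the GPO firewall settings in step 2, applied to
rem    both the Domain and Standard profiles so the two stay identical
netsh firewall set opmode mode=ENABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=ALL
netsh firewall set service type=FILEANDPRINT mode=ENABLE profile=ALL
netsh firewall add portopening protocol=TCP port=3268 name="Global Catalog LDAP" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=TCP port=%AD_PORT% name="AD Replication" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=TCP port=%FRS_PORT% name="File Replication Service" mode=ENABLE scope=ALL profile=ALL

rem 4. Show the resulting configuration for review; restart the DC afterwards
rem    so NTDS and FRS pick up the new port assignments
netsh firewall show config
endlocal
```

Run it on every Domain Controller in the forest before turning the firewall on, since replication fails if a peer DC still uses dynamic RPC ports.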
