Exchange Server Forums


User Creation behind Firewall

User Creation behind Firewall - 7.Apr.2003 6:38:00 PM   
mrjhat10

 

Posts: 14
Joined: 7.Apr.2003
From: Indiana
Status: offline
Hello All,
I have an Exchange 2000 server that I just moved to my DMZ port. My other DCs are on the internal network. I have opened up all the appropriate ports I know of that pertain to Active Directory synchronization.

My AD sync is ok, and my servers seem to still sync, with no AD errors. However, when I go through the user account creation process, I get the following message after I specify that I want to create an Exchange mailbox for a User.
----------
MS Active Directory - Exchange Extension
The specified domain either does not exist or could not be contacted
Facility: Win32
ID no: c007054b
Microsoft Active Directory - Exchange Extension
-----------
If I create the user account, and then perform Exchange tasks, the account creation hangs up on "Updating Attributes".

If I open up all ports to/from my DMZ, the user account creation works fine.

Does anyone know which ports I must open to make this work? I have done some port tracking, but cannot come up with anything consistent.
Post #: 1
RE: User Creation behind Firewall - 7.Apr.2003 7:00:00 PM   
atguilmette

 

Posts: 401
Joined: 4.Mar.2003
From: Southfield, MI
Status: offline
It's quite a list of ports: You should check out the whitepaper "Microsoft Exchange 2000 Server Front-End and Back-End Topology" because it has all of the ports that Exchange uses. Even though you're not talking about OWA in this scenario, I've found that this list of ports is pretty much everything that's needed for Exchange / DC communication.

In addition to 389 and 3268 for LDAP/Global Catalog, you need 53 (DNS), 88 (Kerberos), 135 (NetBIOS), 137 (NetBIOS), and 445 (Netlogon/SMB). To top it all off, you need random RPC ports above 1024. The whitepaper has a few additional ports as well as details on configuring Exchange RPC services to use a single port (making it easier for you to configure your firewall). You can download the whitepaper from http://www.microsoft.com/serviceproviders/deployment/exchange.asp (warning, site seems *very* sluggish). That should get you pointed in the right direction, at least, for the ports necessary to do what you want to do.

Aaron

(in reply to mrjhat10)
Post #: 2
RE: User Creation behind Firewall - 7.Apr.2003 7:19:00 PM   
mrjhat10

 

Posts: 14
Joined: 7.Apr.2003
From: Indiana
Status: offline
Thanks for the info.

I cannot seem to find the document you referred to, Exchange Front-End Back-End topology. The link appears dead. Do you have a copy of it you could email me?

I have many ports open. I followed a document:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
and used the Limited RPC example to just open the necessary ports. I specified a static port for the RPC replies, and the AD sync appears ok.

Thanks again,
Josh

(in reply to mrjhat10)
Post #: 3
RE: User Creation behind Firewall - 8.Apr.2003 4:14:00 PM   
atguilmette

 

Posts: 401
Joined: 4.Mar.2003
From: Southfield, MI
Status: offline
The site is sluggish; sometimes, I've found if you begin loading the site, stop, and then refresh, it comes up. Very frustrating. You can also try Google and search for the title of the document.

(in reply to mrjhat10)
Post #: 4
RE: User Creation behind Firewall - 8.Apr.2003 9:18:00 PM   
mrjhat10

 

Posts: 14
Joined: 7.Apr.2003
From: Indiana
Status: offline
THANKS! For the Document.
I am reading it now. To let you in on something else about my problem, I did a little testing today.

If I open the firewall to IP any any for a minute or 2, and create a user, it will work. Then, user creation works for quite a while, and starts failing again.

I wonder if, when I open my FW, it is allowing the GC contact, and that lasts for a certain amount of time.

Just a thought.
Thanks again,
Josh

(in reply to mrjhat10)
Post #: 5
RE: User Creation behind Firewall - 8.Apr.2003 9:54:00 PM   
mrjhat10

 

Posts: 14
Joined: 7.Apr.2003
From: Indiana
Status: offline
I think I may have it solved. The original document I used from Microsoft Solution provider support about synchronizing AD over a firewall, listed TCP port 389. In the Exchange Front-End / Back-end document, they list TCP AND UDP 389.

I was testing in bulk because I do not have a decent packet analyzer on this network. I opened up the ports with separate rules, and the one that logged a hit was opening ports 1-500, so I am pretty sure I found it.

My AD is in sync now, so I have to wait an hour or 2 before I test again.

Thanks a lot!
Josh

(in reply to mrjhat10)
Post #: 6
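
Added example (not part of the original posts): a small Python audit that checks a firewall allow list against the ports named in this thread and reports any protocol/port pair left uncovered, such as the UDP 389 gap found in post #6. The rule syntax, the sample rule set, the static RPC port 5000 and the TCP/UDP split for ports other than 389 are assumptions made for illustration.

```python
# Added example: audit a DMZ-to-internal allow list against required ports.
# Port numbers come from the thread; the TCP/UDP split (apart from 389, which
# post #6 identifies) is standard Windows usage and an assumption here.
REQUIRED = {
    ("tcp", 53), ("udp", 53),      # DNS
    ("tcp", 88), ("udp", 88),      # Kerberos
    ("tcp", 135),                  # RPC endpoint mapper
    ("udp", 137),                  # NetBIOS name service
    ("tcp", 389), ("udp", 389),    # LDAP and the connectionless LDAP DC lookup
    ("tcp", 445),                  # SMB
    ("tcp", 3268),                 # Global Catalog
}

def parse_rule(rule):
    """Parse 'allow tcp 389' or 'allow udp 1-500' into (proto, low, high)."""
    action, proto, ports = rule.lower().split()
    if action != "allow" or proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported rule: {rule!r}")
    low, _, high = ports.partition("-")
    low, high = int(low), int(high or low)
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range in rule: {rule!r}")
    return proto, low, high

def missing_ports(rules, required=REQUIRED, static_rpc_port=None):
    """Return the sorted (proto, port) pairs that no allow rule covers."""
    needed = set(required)
    if static_rpc_port is not None:
        needed.add(("tcp", static_rpc_port))  # hypothetical pinned RPC port
    parsed = [parse_rule(r) for r in rules]
    return sorted(
        (proto, port) for proto, port in needed
        if not any(p == proto and lo <= port <= hi for p, lo, hi in parsed)
    )

# Constructed rule set mirroring the thread: LDAP opened for TCP only.
TCP_ONLY_LDAP = [
    "allow tcp 53", "allow udp 53", "allow tcp 88", "allow udp 88",
    "allow tcp 135", "allow udp 137", "allow tcp 389", "allow tcp 445",
    "allow tcp 3268", "allow tcp 5000",
]

if __name__ == "__main__":
    print(missing_ports(TCP_ONLY_LDAP, static_rpc_port=5000))
```

Running the audit before each rule change shows which single protocol/port pair to add instead of opening a broad range such as 1-500.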
RE: User Creation behind Firewall - 9.Apr.2003 2:05:00 PM   
atguilmette

 

Posts: 401
Joined: 4.Mar.2003
From: Southfield, MI
Status: offline
Glad to hear it helped. If you can get to it on the Exchange homepage (I think), there's actually a link to download ALL of the E2K whitepapers MS has put together. It's about 18mb, but well worth the DL.

(in reply to mrjhat10)
Post #: 7
