
RaduToaderSorin-9993 asked

RODC ports question

Hello --

I need some help here. Our organization is planning to deploy a RODC in an AWS VPC that will be replicated from our on-premises Domain Controller.
The problem is that the Security team does not allow protocols like RPC 135 and LDAP 389. They suggested using a different protocol than RPC 135 (not sure which one) and using LDAPS 639 instead of 389. Is it even possible to join the RODC to the domain controller with those ports blocked?

windows-server

DSPatrick answered

traffic will flow from AWS RODC through public internet

This isn't going to work. It is not a good idea to expose an AD domain controller on a public network. If you need to support domain clients on the Internet, then take a look at DirectAccess technology, which provides an automatic and seamless VPN experience to domain clients on the Internet.

--please don't forget to upvote and Accept as answer if the reply is helpful--


RaduToaderSorin-9993: Yes, we will use a site-to-site VPN, as I can't seem to find any answers on not using those ports.

DSPatrick (replying to RaduToaderSorin-9993):

Sounds good, you're welcome.

--please don't forget to upvote and Accept as answer if the reply is helpful--

DSPatrick answered RaduToaderSorin-9993 edited

You'll find the ports required listed here.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

--please don't forget to upvote and Accept as answer if the reply is helpful--


RaduToaderSorin-9993: Thanks. I'm aware of the ports required; however, my question is whether we can replace RPC 135 with RPC over HTTPS and LDAP 389 with LDAPS 639 for the connection between the writable DC and the read-only domain controller.

DSPatrick answered RaduToaderSorin-9993 commented

can replace RPC135 with RPC over HTTPS and LDAP 389 with LDAPS 639

You couldn't do that, but it really shouldn't be a problem, since the connection would need to be a virtual private connection. Just ensure the connection is secure.

--please don't forget to upvote and Accept as answer if the reply is helpful--

RaduToaderSorin-9993: Yeah, that is the problem: traffic will flow from the AWS RODC through the public Internet and reach the DC. That's why we have been asked if we can block those ports from the RODC and still replicate with the other DC.

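Once the site-to-site VPN the thread settles on is in place, the practical question becomes which of the standard AD ports are actually reachable from the RODC side. The following PowerShell script is an added example, not code from the thread or from Microsoft: it checks the well-known TCP ports AD replication and domain join depend on (the standard LDAPS port is 636; the thread's "639" is a typo) against a placeholder writable DC name and reports which are blocked. Test-NetConnection is a built-in cmdlet; the hostname and port list are assumptions for the example.

```powershell
# Added example (not from the thread): from the RODC, confirm the ports AD replication
# and domain join need are reachable over the site-to-site VPN, and flag blocked ones.
$WritableDc = 'dc01.corp.example'   # placeholder: writable DC reachable through the VPN

# Well-known AD ports checked here (TCP only; Test-NetConnection does not test UDP).
$AdPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper (required for DRS replication)' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, Netlogon)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global catalog' },
    @{ Port = 3269; Service = 'Global catalog over TLS' }
)

function Test-AdPortReachability {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [array]  $Ports
    )
    foreach ($p in $Ports) {
        # TcpTestSucceeded is $true only if the TCP handshake completed.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $p.Port
            Service = $p.Service
            Open    = $r.TcpTestSucceeded
        }
    }
}

$results = Test-AdPortReachability -ComputerName $WritableDc -Ports $AdPorts
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("Blocked AD ports on {0}: {1}" -f $WritableDc, ($blocked.Port -join ', '))
} else {
    Write-Host "All checked AD ports are reachable on $WritableDc"
}

# Note: TCP 135 only hands out the RPC port that replication then uses, which by default
# comes from the dynamic range 49152-65535. A clean 135 result therefore does not by itself
# prove replication traffic will pass; the dynamic range (or a pinned port) must be allowed too.
```

Run it on the RODC after the VPN is up, before attempting the domain join or promotion. The dynamic RPC range is the part most firewall reviews object to; Microsoft documents pinning AD replication to a single fixed port via the `TCP/IP Port` DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`, which lets the VPN ACL allow one port instead of the whole range while still keeping 135 open, which is the point DSPatrick's answer makes.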