Required firewall ports for importing Active Directory profiles with MOSS
In very secure environments, your Active Directory forests may not be fully reachable from your MOSS machine, especially when AD trusts are involved. I had a particular case where MOSS was installed in a Win2k3 forest with a one-way trust to a very secure Win2k forest. By "very secure" I mean that MOSS only had ports opened to its own DC, and that DC only had the ports opened that the trust to the second forest required (and only to a single DC there).
Then came the issue of importing profiles from both forests in the MOSS SSP. At first we thought that only the LDAP ports would be required, but we then found out that there are two types of import: Active Directory and LDAP. The LDAP one requires an LDAP MembershipProvider. While you can use the ActiveDirectoryMembershipProvider instead, that would mean using Forms Based Authentication, which we weren't planning to use.
So if you use Windows Integrated authentication, you need to use the Active Directory profile import. Luckily, we didn't have a firewall in front of the "host" forest, so no issues there. The fun started when we tried to import from the Win2k domain: finding an exact answer on which ports are required for that feature alone proved challenging, and we couldn't simply open all ports. Here are the ones we needed to open:
- 389 (UDP / TCP) for LDAP
- 135 (TCP) for RPC
- 139 (TCP) for communication, then the DCOM port (TCP) that is returned by the request on 139.
- 88 (TCP) for Kerberos authentication
- *445 (TCP) (directory services) might be required, but I didn't see it in the network monitoring logs.
Note that we didn't have 88 opened at first, and the import process was going at a pace of 4-6 profiles per minute. It was going through, just painfully slowly. Once we opened it, it was going at a pace of 1000+ per minute.
Note also that, when you edit a connection and want to specify a domain controller, a drop-down should appear with a list of DCs. If the list of DCs doesn't show, it's because 139 and the DCOM port aren't open. We also found a bug: if you go back to re-edit the connection, the "auto-discover" radio button is ALWAYS selected by default. You need to change it back to "specify a domain controller"; otherwise, if you make any modification, it will activate auto-discovery.
Last, if you do not want to import accounts that are disabled, enter this in the "user filter" field: (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
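To show what the last clause of that filter does, here is an added Python example (not from the original post and not MOSS code) that evaluates the filter over a few constructed sample objects: OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the negated clause drops any account whose ACCOUNTDISABLE bit (0x2) is set. The sample objects are simplified (objectCategory is given as its display name rather than the full schema DN), and the helper names _obj, _parse, _match and apply_filter are my own.

```python
import re
# Added example, not from the original post. OID 1.2.840.113556.1.4.803 is the
# LDAP_MATCHING_RULE_BIT_AND extensible match: (userAccountControl:<oid>:=2)
# is true when bit 0x2 (ACCOUNTDISABLE) is set, and the "!" keeps enabled ones.
BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE, NORMAL_ACCOUNT, WORKSTATION_TRUST = 0x2, 0x200, 0x1000
USER_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(!(userAccountControl:" + BIT_AND + ":=2)))")

def _obj(cn, category, uac):   # constructed sample AD object (simplified)
    return {"cn": cn, "objectCategory": category, "objectClass": "user",
            "userAccountControl": uac}

SAMPLE_OBJECTS = [_obj("alice", "person", NORMAL_ACCOUNT),
                  _obj("bob", "person", NORMAL_ACCOUNT | ACCOUNTDISABLE),
                  _obj("MOSS01", "computer", WORKSTATION_TRUST)]

def _parse(s, i):
    # Parse the filter item at s[i] == '('; return (node, index after its ')').
    if s[i] != "(": raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                      # AND / OR over nested items
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":                       # NOT of exactly one nested item
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), i + 1
    end = s.index(")", i)                 # simple or extensible equality
    m = re.fullmatch(r"(\w+)(?::([\d.]+):)?=(.+)", s[i:end])
    if not m: raise ValueError("unsupported filter item: " + s[i:end])
    return ("cmp", m.group(1), m.group(2), m.group(3)), end + 1

def _match(node, obj):
    if node[0] == "&": return all(_match(k, obj) for k in node[1])
    if node[0] == "|": return any(_match(k, obj) for k in node[1])
    if node[0] == "!": return not _match(node[1][0], obj)
    _, attr, rule, value = node
    if attr not in obj: return False      # absent attribute never matches
    if rule == BIT_AND:                   # every bit of value must be set
        return int(obj[attr]) & int(value) == int(value)
    if rule is not None: raise ValueError("unsupported matching rule " + rule)
    return str(obj[attr]).lower() == value.lower()

def apply_filter(filter_str, objects):
    node, end = _parse(filter_str, 0)
    if end != len(filter_str): raise ValueError("unbalanced or trailing filter text")
    return [o["cn"] for o in objects if _match(node, o)]
```

Running apply_filter(USER_FILTER, SAMPLE_OBJECTS) returns only "alice": "bob" is dropped by the ACCOUNTDISABLE test and "MOSS01" by the objectCategory clause.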