Question: Domain controller behind firewall
Ok... please forgive me, but I'm not a network person... I'm a Microsoft person, hehe. I manage systems and let the network people manage the network. But I have a question:

I have a domain controller (Windows 2003) that is behind a Cisco firewall. I have a couple of clients that are on a different subnet (they have static IPs) which need to access the DC to authenticate and use shared resources. What ports do I need to tell our network people to open to allow for this? Does this pose any kind of huge security risk? ...yes, I know poking holes in a firewall is a security risk, but I really need these computers on our AD infrastructure. The clients are ultimately behind another firewall (we are all a part of a university network, but my specific network is blocked off from the rest of the university for extra security). Currently, we only have the one server (it's a small network), but I may be implementing a SUS server that would be behind the firewall as well that these clients would need to access.
Answer: Domain controller behind firewall
When looking at http://support.microsoft.com/?id=832017#5, the ports you might want to open are (give your guys either numbers or names, they should know the number=name scheme ;-):

- DNS
- DHCP
- Kerberos (88)
- NTP (123)
- RPC (135)
- NetBIOS (137 + 138 + 139) *NB! All these ports MUST be open for file share or print share
- SMB (445)

And if you want SUS on the same server to work, then 80 (http). And I think there is another, but I've got to go so I'll look it up tomorrow ;-)

When you open those ports up, be sure to instruct your network guys to open them up ONLY to the server. This is easy to do, and you don't want traffic to any other IP apart from your server to be able to pass through the ports that you are opening. Make sure they understand you want them to open these ports to the server. This will seriously limit the risk exposure.
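The "only to the server" advice above, written out as a Cisco IOS-style extended ACL. This is an added example, not from the thread or from Microsoft's KB article; the client subnet (10.20.0.0/24) and DC address (10.10.0.5) are constructed placeholders. It goes slightly beyond the answer's list by adding LDAP (389), which KB 832017 also lists for domain members, and it drops DHCP because the question says the clients use static IPs.

```cisco
! Weak form the answer warns against: the port is opened to every host
! behind the firewall, not just the DC.
!   access-list 101 permit tcp 10.20.0.0 0.0.0.255 any eq 445
!
! Tightened form: every rule names the DC (10.10.0.5, assumed) as the
! only destination, and only the client subnet (assumed) as the source.
ip access-list extended AD-CLIENTS-IN
 remark DNS (UDP for lookups, TCP for large responses)
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 53
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 53
 remark Kerberos
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 88
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 88
 remark NTP (Kerberos fails if client and DC clocks drift apart)
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 123
 remark RPC endpoint mapper
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 135
 remark NetBIOS name service, datagram service, session service
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.5 range 137 138
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 139
 remark LDAP (listed in KB 832017, not in the answer above)
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 389
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 389
 remark SMB over TCP (file and print sharing)
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 445
 remark HTTP, only if SUS runs on this same host
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 80
 remark RPC dynamic high ports are NOT covered here; KB 832017
 remark documents how to pin them to a fixed range before opening it
 remark Everything else from the client side is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 description link toward the client subnet (assumed interface)
 ip access-group AD-CLIENTS-IN in
```

The logged denies are worth watching after the change: a client that still fails to join or authenticate will show up there with the exact port it needed, which is how the missing dynamic RPC range usually reveals itself.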