Question : Member server on the DMZ

I need to place an IIS web server on the DMZ, but it is required to be a member of the AD domain in the intranet. Searching around, I find conflicting information as to what the absolute minimum ports required on the firewall are. MS KB article http://support.microsoft.com/kb/179442/ provides this list:

Client Port(s)              Server Port        Service
1024-65535/TCP              135/TCP            RPC
1024-65535/TCP/UDP          389/TCP/UDP        LDAP
1024-65535/TCP              636/TCP            LDAP SSL
1024-65535/TCP              3268/TCP           LDAP GC
1024-65535/TCP              3269/TCP           LDAP GC SSL
53,1024-65535/TCP/UDP       53/TCP/UDP         DNS
1024-65535/TCP/UDP          88/TCP/UDP         Kerberos
1024-65535/TCP              445/TCP            SMB
ICMP

Also, I opened a static port (50000/tcp) for RPC services using this article: http://www.isaserver.org/articles/2004perimeterdomain.html.

First of all, a couple of questions about these: are all of these _required_? For example, ICMP I believe is mainly used for sensing media speed and pinging the gateway, but if I disable slow link detection and block ICMP, what breaks? What about SMB/CIFS and the SSL flavors of LDAP: are these required by default for basic operation, and if so, for what?

All servers are running W2003 SP1, AD is in native 2003 mode.

Answer : Member server on the DMZ

Well, if you're joining it to the domain and need authentication, you're going to need Kerberos for sure. The ports you say you have open now are for sure needed. Here's a list that I use which is almost exactly like yours, but 445 is in mine; that's for AD Directory Service. Beyond that I'm really not sure what the problem might be.

DMZ -> Intranet

UDP/TCP 53 : Domain Name System
UDP/TCP 88 : Kerberos Authentication
TCP 123 : Network Time Protocol
    Kerberos authentication requires that you synchronize the time of your Exchange server and domain controllers.
TCP 135 : DCE Endpoint Resolution
    also known as RPC Endpoint Mapper
UDP/TCP 389 : Lightweight Directory Access
TCP 445 : Microsoft Directory Service
TCP 3268 : LDAP to global catalog servers
AD logon and directory replication port
    You need to allow a high port for Active Directory logon and directory replication. By default, this high port is dynamically chosen when the server starts, but you need to statically map it:

Use TCPView : http://www.sysinternals.com/Utilities/TcpView.html
This tool will tell you exactly what ports are open to your computer and what ports are being hit on. You'll need to open up your firewall temporarily however to get the info you need.
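An added example (my own, not from either post in this thread) that probes the TCP entries of the question's KB table from the DMZ member server, so you can see which of the listed services the firewall actually lets through before trusting a TCPView capture. It assumes a placeholder DC hostname and the asker's 50000/tcp static RPC port, and it cannot check the UDP entries (DNS, Kerberos, LDAP over UDP) because a TCP connect says nothing about UDP.

```python
import socket
from typing import Callable, Dict, Tuple

# Server-side TCP ports from the KB table quoted in the question, plus the
# static RPC port the asker mapped (50000/tcp).  TCP only: this is a connect test.
REQUIRED_TCP_PORTS: Dict[int, str] = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 636: "LDAP SSL", 3268: "LDAP GC", 3269: "LDAP GC SSL",
    50000: "static RPC (AD logon/replication)",  # asker's chosen port
}


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(dc: str, ports: Dict[int, str] = REQUIRED_TCP_PORTS,
                   connect: Callable[[str, int], bool] = tcp_connect
                   ) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Split the required ports into (open, blocked) maps of port -> service.

    'connect' is injectable so the classification can be exercised offline;
    in real use leave the default and run this from the DMZ host.
    """
    open_ports: Dict[int, str] = {}
    blocked: Dict[int, str] = {}
    for port, service in sorted(ports.items()):
        (open_ports if connect(dc, port) else blocked)[port] = service
    return open_ports, blocked


if __name__ == "__main__":
    dc_host = "dc01.corp.example"  # placeholder: your intranet domain controller
    ok, blocked = check_dc_ports(dc_host)
    for port, svc in blocked.items():
        print(f"BLOCKED {port}/tcp  {svc}")
    print(f"{len(ok)} required TCP ports open, {len(blocked)} blocked")
```

Run it once with the firewall in its intended final state: every entry reported as BLOCKED is a service from the table that the DMZ host will not be able to reach, which is usually the fastest way to explain a failed domain join or logon.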