Question: Computers in DMZ can't join domain
I expect this to be a very difficult question and very hard to identify the problem. Therefore, I am
offering 500 points for the answer(s). You will probably have to have some knowledge in Cisco PIX
Firewalls.
Here is a quick diagram of my network*: http://imgzone.info/uploads/1182_.gif
*Names & IP addresses have been changed to protect the innocent
I have a DMZ set up in my network between a Cisco 515-E Firewall. Computers in the DMZ are unable to join
or authenticate to the domain server (Windows 2000 Server) located on the other side of the firewall. I
have the necessary ports open in the firewall as per this document:
http://support.microsoft.com/default.aspx?scid=kb;en-us;179442
For the sake of troubleshooting, I went ahead and opened everything up as you can see from these lines in my firewall config:
name 10.10.20.2 WEBSVR
access-list acl_out permit tcp host WEBSVR host 10.10.20.100
access-list acl_out permit udp host WEBSVR host 10.10.20.100
access-list acl_out permit icmp host WEBSVR any
(By the way, the WEB SERVER is in the DMZ)
I run a port scan on the DOMAIN CONTROLLER to the WEB SERVER and get these ports:
21 ftp
25 smtp
53 domain
80 http
81
135 epmap
139 netbios-ssn
443 https
445 microsoft-ds
...and a bunch of random ports over 1000
A port scan on the WEB SERVER to the DOMAIN CONTROLLER shows these open ports:
53 domain
80 http
88 kerberos
135 epmap
139 netbios-ssn
389 ldap
445 microsoft-ds
464 kpaswd
593
636 ldap
...and a bunch of random ports over 1000
Here are the network settings for WEB SERVER:
IP address: 10.10.20.2
Subnet Mask: 255.255.255.0
Gateway: 10.10.20.1
DNS: 10.10.20.2
I believe the problem is either with DNS or the firewall settings. Let me know if you need any more information.
Answer: Computers in DMZ can't join domain
Upplepop
Apologies, I was having a brainstorm, ignore what I said about your NAT setup.
I suspect you have a more fundamental problem - when the webserver performs a DNS lookup for the DC, what address will be returned by the query? The internal address of the DC. But, as you correctly state, that address is not routable from the DMZ.
To resolve this, I would create a second host record for the DC which resolves to the NAT address - for this to work without affecting your existing network, you MUST enable netmask ordering on the DNS service on the DC. When the DNS lookup packet is NAT'ed, the source address is preserved, so the DNS server will reply with the address of the DC that is in the same subnet as the webserver.
For the paranoid, I would suggest creating a completely separate domain in the DMZ, which has a one way trust to the internal domain to facilitate your administration of the DMZ resources. If the web server was compromised, this would prevent any attacker from accessing internal domain resources. This is a common setup for enterprise DMZs, but for the SME, it's probably only an option for the paranoid.
HTH
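The answer above relies on two things: a second A record for the DC pointing at its NAT address, and the DNS server's netmask ordering putting the record that shares the querier's subnet first. The following is an added illustration, not code from the post or from Windows DNS; it models that ordering so you can see why the DMZ web server gets an unroutable answer without it and a routable one with it, while an internal client is unaffected. The DC name `dc.example.local`, the internal address `192.168.1.100`, the routable-network list and the client addresses are constructed placeholders; only the DMZ subnet and the NAT address `10.10.20.100` come from the question.

```python
import ipaddress

# Constructed scenario (placeholders, not from the original post): the DC has an
# internal address and a second A record for its NAT address in the DMZ subnet.
DC_NAME = "dc.example.local"
DC_INTERNAL_PLACEHOLDER = "192.168.1.100"   # assumed internal LAN address
DC_NAT_ADDRESS = "10.10.20.100"             # NAT address from the question

DNS_ZONE = {
    DC_NAME: [DC_INTERNAL_PLACEHOLDER, DC_NAT_ADDRESS],
}

# Networks the DMZ web server can actually route to (constructed).
DMZ_ROUTABLE = ["10.10.20.0/24"]


def netmask_ordered(answers, client_ip, prefix_len=24):
    """Reorder A records so those in the client's /prefix_len subnet come first.

    This models the effect of the Windows DNS netmask ordering option, which by
    default compares the querier's address and each record on a 24-bit mask.
    Relative order within each group is preserved.
    """
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [a for a in answers if ipaddress.ip_address(a) in client_net]
    remote = [a for a in answers if ipaddress.ip_address(a) not in client_net]
    return local + remote


def resolve(name, client_ip, zone=DNS_ZONE, netmask_ordering=True):
    """Return the A records a server would hand back to client_ip.

    NAT on the firewall preserves the source address of the query, so the
    server sees the web server's real DMZ address and can order on it.
    """
    answers = list(zone[name])
    if netmask_ordering:
        answers = netmask_ordered(answers, client_ip)
    return answers


def reachable_from(address, routable_nets):
    """True if address lies inside one of the client's routable networks."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(n) for n in routable_nets)


def first_answer_usable(client_ip, netmask_ordering):
    """Does the first A record returned to the DMZ client lead somewhere it can route?"""
    answers = resolve(DC_NAME, client_ip, netmask_ordering=netmask_ordering)
    return reachable_from(answers[0], DMZ_ROUTABLE)


if __name__ == "__main__":
    web_server = "10.10.20.2"                 # from the question
    internal_client = "192.168.1.50"          # constructed internal host
    for ordering in (False, True):
        print(f"netmask ordering={ordering}: web server gets",
              resolve(DC_NAME, web_server, netmask_ordering=ordering),
              "usable:", first_answer_usable(web_server, ordering))
    print("internal client gets", resolve(DC_NAME, internal_client))
```

The check that matters is `first_answer_usable`: a domain join uses the first address returned, so if that is the internal address the DMZ host never reaches the DC. A quick sanity test on the real server is to run a lookup for the DC name from the web server and confirm the 10.10.20.100 record appears first; if the internal address still comes first, netmask ordering is not in effect or the second record is missing.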