Do I need to open ports 137 and 138 from member servers to the trusted PDC emulator?

Eric
Hello,

We have several trusted domains in our company. Some of them are still
using Windows NT domains.
Every domain is trusted with the same Active Directory domain.

The trust relationships are working correctly, but we have a problem
with a specific trusted domain.

Indeed, when we are connected to a server member of this specific NT
domain, we cannot display users of our AD trusted domain.
We have an error "Cannot display objects from this location because of
the following error : The specified domain either does not exist or
could not be contacted"

And then if we open ports 137/UDP and 138/UDP between the specific NT
member server and the PDC EMULATOR of our AD domain, it works.

I don't understand why in this specific situation I need to open those
ports, as they are not needed for my other trusted NT domains.

Moreover, this means I have to open those ports from every member server
to our PDC emulator, which is not very clean in terms of security.

Do you have any idea of the problem here?
Is it a bad WINS configuration? A computer browser specific
configuration?

Thank you !

--
Eric
Dusko Savatovic
Le #20667151
In line ...

"Eric" news:
Hello,

We have several trusted domains in our company. Some of them are still
using Windows NT domains.



Windows NT uses NetBIOS as its primary (only) name resolution during the
authentication process (LM, NTLM, NTLMv2).
Ports 137 and 138 are related to NetBIOS services:
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)

Every domain is trusted with the same Active Directory domain.

The trust relationships are working correctly, but we have a problem with a
specific trusted domain.

Indeed, when we are connected to a server member of this specific NT
domain, we cannot display users of our AD trusted domain.
We have an error "Cannot display objects from this location because of the
following error : The specified domain either does not exist or could not
be contacted"

And then if we open ports 137/UDP and 138/UDP between the specific NT
member server and the PDC EMULATOR of our AD domain, it works.

I don't understand why in this specific situation I need to open those
ports, as they are not needed for my other trusted NT domains.



They are needed for NT domains.


Moreover, this means I have to open those ports from every member server to
our PDC emulator, which is not very clean in terms of security.



You can set up your firewall so that it only allows traffic from/to approved
IP ranges.


Do you have any idea of the problem here?
Is it a bad WINS configuration? A computer browser specific configuration?



This is by design on Windows NT domains.


Thank you !

--
Eric



Good luck and regards.
DuskoS
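To show what actually crosses UDP/137 in the exchange Dusko describes, here is an added example (not from this thread, and not a Microsoft tool) that builds and parses a NetBIOS Name Service query offline in Python. It assumes the AD domain's NetBIOS name is CORP and that the NT member resolves the CORP<1B> name, which only the PDC emulator registers; the response packet is constructed inline, nothing is sent on the wire.

```python
import struct

NB_QTYPE = 0x0020   # NB record type used by NetBIOS name queries
NB_CLASS = 0x0001   # IN

def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1001/1002 first-level encoding: 15-char space-padded name plus a
    1-byte suffix, each byte split into two nibbles mapped onto 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"   # label length 32, then root label

def decode_nb_name(label: bytes) -> tuple:
    """Reverse of encode_nb_name; returns (name, suffix)."""
    if len(label) < 34 or label[0] != 0x20:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_name_query(name: str, suffix: int, txid: int = 0x1234, broadcast: bool = False) -> bytes:
    """NAME QUERY REQUEST as sent to UDP/137. Unicast (to WINS or a known DC)
    sets only RD; a subnet broadcast additionally sets the B flag."""
    flags = 0x0110 if broadcast else 0x0100
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_nb_name(name, suffix) + struct.pack(">HH", NB_QTYPE, NB_CLASS)

def parse_name_response(pkt: bytes) -> tuple:
    """Parse a POSITIVE NAME QUERY RESPONSE; returns (name, suffix, [ip, ...])."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or (flags & 0x000F) != 0 or an == 0:
        raise ValueError("negative or malformed name query response")
    name, suffix = decode_nb_name(pkt[12:46])
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    rdata = pkt[56:56 + rdlen]
    ips = []
    for i in range(0, rdlen, 6):              # each entry: NB_FLAGS(2) + IPv4(4)
        nb_flags, a, b, c, d = struct.unpack(">HBBBB", rdata[i:i + 6])
        ips.append(f"{a}.{b}.{c}.{d}")
    return name, suffix, ips

def build_name_response(name: str, suffix: int, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed (hypothetical) positive response, as a PDC emulator or WINS
    server would answer; used here so the parser can be exercised offline."""
    header = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)   # QR, AA, RD, RA set
    rdata = struct.pack(">H", 0x6000) + bytes(int(o) for o in ip.split("."))  # unique H-node
    rr = struct.pack(">HHIH", NB_QTYPE, NB_CLASS, 300000, len(rdata)) + rdata
    return header + encode_nb_name(name, suffix) + rr
```

The suffix byte is why a firewall rule for this traffic cannot be narrowed by name: every query is the same 50-byte datagram to UDP/137, so restricting the source and destination addresses, as Dusko suggests, is the only scoping available.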
Ace Fekay [MCT]
Le #20668321
"Dusko Savatovic" news:ON%
Dusko,

This was also multi-posted in the
microsoft.public.windows.server.active_directory newsgroup with multiple
responses.

Ace