Differences

This shows you the differences between two versions of the page.

--- mswindows:ad [2025/05/14 17:05] – alberto
+++ mswindows:ad [2025/08/18 21:27] (current) – [Firewall] alberto
@@ Line 15: / Line 15: @@
 Décomissioner un Domain Controler :
-ntdsutil.exe -> metadata cleanup -> remove selected server <ServerName>
+ntdsutil.exe -> metadata cleanup -> remove selected server <DCServerName>
+====== Firewall ======
+Inter-DC traffic:
+  * permit tcp <src> <dst> eq 53,88,135,137,139,389,445,464,636,3268-3269,5722,9389,49152-65535
+  * permit udp <src> <dst> eq 53,88,123,137-138,389,445,464,49152-65535
+Arguably that list at this point is excessive:
+  *     NetBIOS shouldn't be required any more, so that's tcp 137,139 and udp 137-138 that could be dropped
+  *     SMB should be TCP-only so that's udp 445 to potentially drop
+  *     DFS-R just works off RPC now instead of having a dedicated port, so that's tcp 5722 to potentially drop
+Everything else in the list is essential though
+  *     53: DNS
+  *     88: Kerberos
+  *     123: NTP
+  *     135 + 49152-65535: RPC
+  *     389,636: LDAP & LDAPS
+  *     445: SMB
+  *     464: Kerberos password change
+  *     3268,3269: Global Catalog LDAP & LDAPS
+  *     9389: AD Web Services