Differences

This shows you the differences between two versions of the page.

--- mswindows:ad [2025/08/18 21:23] – alberto
+++ mswindows:ad [2025/09/15 13:27] (current) – alberto
@@ Line 1: / Line 1: @@
-====== active directory ======
+====== Active Directory ======
   * Un Domain Controler est une machine qui a un OS Server qui est dans le domaine Active Directory et qui possède l'Active Directory.
@@ Line 18: / Line 18: @@
 ====== Firewall ======
 Inter-DC traffic:
-permit tcp <src> <dst> eq 53,88,135,137,139,389,445,464,636,3268-3269,5722,9389,49152-65535
+  * permit tcp <src> <dst> eq 53,88,135,137,139,389,445,464,636,3268-3269,5722,9389,49152-65535
-permit udp <src> <dst> eq 53,88,123,137-138,389,445,464,49152-65535
+  * permit udp <src> <dst> eq 53,88,123,137-138,389,445,464,49152-65535
 Arguably that list at this point is excessive:
-    NetBIOS shouldn't be required any more, so that's tcp 137,139 and udp 137-138 that could be dropped
+  *     NetBIOS shouldn't be required any more, so that's tcp 137,139 and udp 137-138 that could be dropped
-    SMB should be TCP-only so that's udp 445 to potentially drop
+  *     SMB should be TCP-only so that's udp 445 to potentially drop
-    DFS-R just works off RPC now instead of having a dedicated port, so that's tcp 5722 to potentially drop
+  *     DFS-R just works off RPC now instead of having a dedicated port, so that's tcp 5722 to potentially drop
 Everything else in the list is essential though
-: DNS
+  *     53: DNS
-: Kerberos
+  *     88: Kerberos
-: NTP
+  *     123: NTP
-+ 49152-65535: RPC
+  *     135 + 49152-65535: RPC
-,636: LDAP & LDAPS
+  *     389,636: LDAP & LDAPS
-: SMB
+  *     445: SMB
-: Kerberos password change
+  *     464: Kerberos password change
-,3269: Global Catalog LDAP & LDAPS
+  *     3268,3269: Global Catalog LDAP & LDAPS
-: AD Web Services
+  *     9389: AD Web Services