Category: Active Directory


Below are the firewall port requirements for Certificate Enrollment Web Services (the Certificate Enrollment Policy and Certificate Enrollment web services talking to the domain controllers and the CA, and clients talking to the web services). Source and destination are given in the direction the connection is opened.

| Protocol | Port | Source | Destination | Action | Rule detail |
|---|---|---|---|---|---|
| Kerberos | tcp/464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: Kerberos (kpasswd, tcp/464) |
| LDAP | tcp/389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (tcp/389) |
| LDAP over SSL/TLS | tcp/636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAPS (tcp/636) |
| DCOM/RPC | tcp/1024-65500 (RPC dynamic range) | Certificate Enrollment Web Services | CA | Allow | See http://support.microsoft.com/kb/154596/en-us for restricting the RPC/DCOM dynamic port range |
| HTTPS | tcp/443 | All clients requesting certs (e.g. a Windows 7 client) | Certificate Enrollment Web Services | Allow | Source: Windows 7 client; Destination: Certificate Enrollment Web Services; Service: https (tcp/443) |
| RPC | tcp/135 | All clients requesting certs (e.g. a Windows 7 client) | Certificate Enrollment Web Services | Allow | Source: Windows 7 client; Destination: CA; Service: RPC (endpoint mapper); rule applied in both directions |

Two things to keep in mind when turning this into firewall rules. First, tcp/135 is only the RPC endpoint mapper: the actual DCOM call to the CA lands on a port from the dynamic range, which is why the 1024-65500 row exists at all. A rule that allows 135 but not the dynamic range lets the first connection succeed and the follow-up fail. Second, 1024-65500 is the legacy range; on Windows Server 2008 and later the default dynamic range is 49152-65535, and KB 154596 describes pinning RPC to a narrower, fixed range so the rule can be correspondingly tight.

 

This was taken and modified from the PKI Blog
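As an added example (not part of the original post or the PKI Blog), the following PowerShell creates Windows Firewall rules on the Certificate Enrollment Web Services host that match the table above, then checks from that host that each DC and CA port actually answers. The IP addresses (10.0.0.10 and 10.0.0.11 for the DCs, 10.0.0.20 for the CA) and the use of the Windows Server 2008+ default dynamic range 49152-65535 in place of the table's 1024-65500 are assumptions; adjust them to your environment. Requires the NetSecurity and NetTCPIP modules (Windows Server 2012 R2 or later).

```powershell
# Added example: firewall rules + reachability check for a Certificate Enrollment
# Web Services (CES/CEP) host, derived from the port table above.
# All addresses are assumptions for illustration.
$Dcs      = @('10.0.0.10', '10.0.0.11')   # assumed domain controller IPs
$CaServer = '10.0.0.20'                    # assumed CA IP

# One entry per row where the web service is the source; these are outbound rules.
$Rules = @(
    @{ Name = 'CES -> DC Kerberos kpasswd';     Remote = $Dcs;      Port = 464 }
    @{ Name = 'CES -> DC LDAP';                 Remote = $Dcs;      Port = 389 }
    @{ Name = 'CES -> DC LDAPS';                Remote = $Dcs;      Port = 636 }
    @{ Name = 'CES -> CA RPC endpoint mapper';  Remote = $CaServer; Port = 135 }
    # DCOM lands on a port from the RPC dynamic range after the 135 handshake.
    # 49152-65535 is the Windows Server 2008+ default (assumption: CA not pinned via KB 154596).
    @{ Name = 'CES -> CA DCOM dynamic range';   Remote = $CaServer; Port = '49152-65535' }
)

foreach ($r in $Rules) {
    # Remove any earlier copy first so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort $r.Port -RemoteAddress $r.Remote -Profile Domain | Out-Null
}

# Inbound: clients reach the web services over HTTPS only (the "HTTPS 443" row).
Get-NetFirewallRule -DisplayName 'Clients -> CES HTTPS' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'Clients -> CES HTTPS' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 443 -Profile Domain | Out-Null

# Verify from the CES host that each required port answers before blaming AD CS.
function Test-CesPorts {
    $checks = @(
        foreach ($dc in $Dcs) {
            foreach ($p in 464, 389, 636) { [pscustomobject]@{ Target = $dc; Port = $p } }
        }
        [pscustomobject]@{ Target = $CaServer; Port = 135 }
    )
    foreach ($c in $checks) {
        $ok = (Test-NetConnection -ComputerName $c.Target -Port $c.Port `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Target = $c.Target; Port = $c.Port; Open = $ok }
    }
}

Test-CesPorts | Format-Table -AutoSize
```

The connectivity check cannot probe the dynamic range, because the CA only listens on a DCOM port after an endpoint-mapper exchange. If the CA's range has been pinned per KB 154596 (the Ports value under HKLM\SOFTWARE\Microsoft\Rpc\Internet, or netsh int ipv4 set dynamicport tcp start=... num=...), narrow the last outbound rule to that range.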

Why would you want to do that, i.e. target an NTP configuration at whichever domain controller currently holds the PDC emulator role?

Let's say the domain controller holding the PDC emulator role fails, so you seize or transfer the FSMO roles to another server, and then forget to configure the NTP time source on the new PDC emulator. The PDC emulator is the root of the domain's time hierarchy: every other DC and member follows it, so if it is not pointed at a reliable external source the whole domain drifts with it.

Luckily this can be automated with a GPO and its WMI filtering capability.

To do this, start by creating the filter. In the Group Policy Management Console, expand WMI Filters, choose New, and add the following query (namespace root\CIMv2):

Select * from Win32_ComputerSystem where DomainRole = 5

This filter evaluates to true only on the DC whose DomainRole is 5, that is, the current holder of the PDC emulator role. WMI filters are evaluated on the target computer at each policy refresh, so when the role moves, the new holder starts applying the GPO and the old holder stops.

image

These are all the DomainRole values you can query:

| Value | Meaning |
|---|---|
| 0 | Standalone Workstation |
| 1 | Member Workstation |
| 2 | Standalone Server |
| 3 | Member Server |
| 4 | Backup Domain Controller |
| 5 | Primary Domain Controller |

Click Save.

Create a GPO, link it to the Domain Controllers OU, and in the GPO's WMI Filtering box select the filter you created earlier.

Then configure the NTP client settings in the GPO. The standard location is Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers: enable Windows NTP Client, and in Configure Windows NTP Client set NtpServer to your external time source and Type to NTP. Only the PDC emulator should sync to an external source; the other DCs keep the default domain hierarchy (NT5DS), which is exactly why the WMI filter matters.

Once this is in place, you no longer have to remember to reconfigure NTP after a FSMO move.
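As an added example (not from the original post), this PowerShell runs the same WMI query the filter uses, cross-checks it against the FSMO holder recorded in Active Directory, and applies and verifies the NTP client configuration the GPO is meant to deliver. The upstream peer time.windows.com and the availability of the ActiveDirectory module on the DC are assumptions.

```powershell
# Added example: test the PDC-emulator WMI filter locally and apply/verify the NTP
# settings the GPO delivers. The peer list is an assumption; use your own source.
$NtpPeers = 'time.windows.com,0x8'   # 0x8 = client mode (plain one-way requests)

# The DomainRole values from the table above.
$roleNames = @{
    0 = 'Standalone Workstation'; 1 = 'Member Workstation'; 2 = 'Standalone Server'
    3 = 'Member Server'; 4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller'
}

# Exactly the filter the GPO uses: Select * from Win32_ComputerSystem where DomainRole = 5
$isPdc = [bool](Get-CimInstance -Namespace root\CIMv2 `
                   -Query 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5')
$role  = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
"This host reports DomainRole $role ($($roleNames[[int]$role])); PDC filter matches: $isPdc"

# Cross-check against the directory: WMI and the FSMO owner in AD should agree.
Import-Module ActiveDirectory -ErrorAction Stop
$pdcFromAd = (Get-ADDomain).PDCEmulator
"PDC emulator according to Active Directory: $pdcFromAd"

if ($isPdc) {
    # What the GPO's 'Configure Windows NTP Client' setting does, expressed with w32tm:
    # manual peer list, sync only from that list, advertise as a reliable time source.
    w32tm /config "/manualpeerlist:$NtpPeers" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

# Verification every DC should pass after a policy refresh (gpupdate /force):
w32tm /query /source          # PDC: the external peer; other DCs: a DC via the hierarchy
w32tm /query /status          # stratum, last successful sync time, reference id
gpresult /r /scope computer   # shows whether the WMI-filtered GPO applied or was filtered out
```

Run it on two DCs: on the PDC emulator the filter should match and the time source should be the external peer; on any other DC the filter should not match and gpresult should list the GPO under "filtered out" with a WMI filter reason.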

You get this error when the computer's machine account password no longer matches the one stored in Active Directory, so the secure channel to the domain can no longer be established.

To fix this you can either disjoin the computer from the domain and rejoin it, or reset the machine account password in place with netdom. Run netdom on the affected computer while logged on with a local administrator account (domain logon is what is failing), and point /server at a domain controller:

netdom resetpwd /server:<DC name> /userd:<Domain>\<admin user> /passwordd:*

/userd is an account with the right to reset the computer object's password (a domain admin or a delegated account); /passwordd:* prompts for that account's password instead of leaving it in the command history. The short forms /ud and /pd are accepted as well. netdom.exe is included on Windows Server and in the RSAT tools on clients.
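As an added example (not from the original post), the PowerShell below does what the netdom command does, plus the before/after checks: it tests the secure channel, repairs it with a domain credential if it is broken, and re-verifies with nltest. The DC name dc01.corp.example and the NetBIOS domain name CORP are assumptions.

```powershell
# Added example: diagnose and repair a broken secure channel (machine account password
# out of sync with AD) without disjoining. Run ON the affected computer, logged on with
# a local administrator account. DC and domain names are assumptions.
$Dc     = 'dc01.corp.example'
$Domain = 'CORP'

# 1. Confirm the diagnosis: this returns $false when the locally stored machine
#    account password no longer matches the computer object in AD.
$healthy = Test-ComputerSecureChannel -Server $Dc
"Secure channel healthy before repair: $healthy"

if (-not $healthy) {
    # A domain account allowed to reset the computer object's password
    # (the equivalent of netdom's /userd and /passwordd). Prompting keeps the
    # admin password out of the shell history, unlike an inline netdom one-liner.
    $cred = Get-Credential -Message "Account allowed to reset this computer's AD password ($Domain\...)"

    # 2a. Re-establish the channel and set a new machine account password in one
    #     step; this is the PowerShell equivalent of 'netdom resetpwd'.
    Test-ComputerSecureChannel -Repair -Server $Dc -Credential $cred

    # 2b. If -Repair alone does not help, force a new machine account password directly:
    # Reset-ComputerMachinePassword -Server $Dc -Credential $cred
}

# 3. Re-verify with both PowerShell and nltest; both should now report success.
Test-ComputerSecureChannel -Server $Dc
nltest /sc_verify:$Domain
```

If the repair succeeds but logons still fail, the usual cause is a DC other than the one you targeted still holding the old password; wait for replication or point -Server at the DC the client actually authenticates against (nltest /dsgetdc:<domain> shows which one that is).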