List Archives

Subject: [ActiveDir] use of IP ports during change password
r.mackenzie@xxxx.yyy

09/29/2005 11:00 AM  
Folks,

We're attempting to restrict significantly open ports on our Windows
2003 domain controllers, even to the local LAN. We're getting utterly
confused by a situation where users need to use Outlook forms to change
their AD password - they are not logged on to the domain. Some clients (let
us restrict this to XP but it also applies to Windows 2000) use port 135 to
find a fixed directory services port and successfully change password. Other
clients, which appear to us to be configured in the same manner, never
attempt to use the directory services port but instead ramble through ports
137 or 139 and port 445. We don't want to open these ports to indiscriminate
LAN access but we're totally stumped for an answer as to what steers the
mechanism on these clients in terms of the route to password change. Clearly
the clients are not configured in exactly the same fashion (they are built
and managed by different groups) but we cannot spot what it is.

Has anyone met a situation along these lines and found the solution
to forcing the use of whatever mechanism that uses AD directory services?

Regards, Roger Mackenzie (Glasgow University)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
listmail

09/29/2005 1:16 AM  
I don't have a list of ports for you but this KB details the different
programmatic methods that are available at all to do it.

http://support.microsoft.com/kb/q264480/

r.mackenzie@xxxx.yyy

09/30/2005 2:08 AM  
Thanks, Joe.

We've refined what is happening by network tracing. For the record the
behaviour at a client can be 'random' with success or failure to change the
password observed on the same client machine on different occasions. The
behaviour varies in that the client may initially use DNS to locate the
domain (PDC emulator) and then reliably asks the RPC endpoint mapper for the
Directory Services port. On the other hand it may try to use NetBIOS to
locate the domain, which fails, and then it uses DNS but it then never asks
the endpoint mapper on the PDC Emulator for anything.

This must be down to name resolution order and I'm going to poke around and
see if we can force DNS name resolution to solve the current problem.

Cheers, Roger

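The two behaviours Roger describes above can be told apart from per-client flow records without opening the extra ports: the "good" path is DNS, then TCP 135 to the endpoint mapper, then a connection to the dynamic Directory Services RPC port; the "bad" path starts with a NetBIOS name query and ends on 139/445. The classifier below is an added example, not code from the thread, and runs over a constructed sample log (the timestamps, addresses and the dynamic port 1027 are made up).

```python
from collections import defaultdict

# Constructed sample flow log (not from the thread): "<time> <client> <proto> <dc_port>",
# one line per client-to-DC flow, in the order the client opened them.
SAMPLE_LOG = """\
11:00:01 10.1.1.20 udp 53
11:00:01 10.1.1.20 tcp 135
11:00:02 10.1.1.20 tcp 1027
11:00:05 10.1.1.31 udp 137
11:00:06 10.1.1.31 udp 53
11:00:06 10.1.1.31 tcp 139
11:00:06 10.1.1.31 tcp 445
11:00:09 10.1.1.42 udp 53
11:00:09 10.1.1.42 tcp 389
"""

EPMAP_PORT = 135                              # RPC endpoint mapper
NETBIOS_SMB_PORTS = {137, 138, 139, 445}      # the ports the thread wants to keep closed
RESOLVER_PORTS = {53: "dns", 137: "netbios"}  # which name service the client tried first
# High TCP ports that are fixed AD services, not RPC dynamic endpoints
NOT_DYNAMIC = {3268, 3269}

def parse_log(text):
    """Group flows per client, preserving the order they appear in the log."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            _ts, client, proto, port = line.split()
            flows[client].append((proto.lower(), int(port)))
    return flows

def classify_client(conns):
    """Return (first_resolver, path) for one client's ordered flows."""
    resolver = next((RESOLVER_PORTS[p] for proto, p in conns
                     if proto == "udp" and p in RESOLVER_PORTS), "none")
    tcp = [p for proto, p in conns if proto == "tcp"]
    dynamic = [p for p in tcp if p > 1023 and p not in NOT_DYNAMIC]
    smb = sorted(set(tcp) & NETBIOS_SMB_PORTS)
    if EPMAP_PORT in tcp and dynamic:
        path = "epmap->ds-rpc:%d" % dynamic[0]   # 135, then the mapped DS port
    elif smb:
        path = "netbios-smb:" + ",".join(str(p) for p in smb)
    else:
        path = "other"
    return resolver, path

def classify_log(text):
    return {c: classify_client(conns) for c, conns in parse_log(text).items()}

if __name__ == "__main__":
    for client, (resolver, path) in classify_log(SAMPLE_LOG).items():
        print(f"{client:12} resolved-via={resolver:8} path={path}")
```

Clients reported as `netbios-smb` are the ones whose name-resolution order needs fixing before 137/139/445 can stay closed on the DCs.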