- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
Needed ports for Windows AD Objects
Hi everybody,
I am currently working on the firewall settings, and yesterday I tried to create the rules I need for an Active Directory object restore. My configuration looked like this:
domain controller wi01: firewall currently switched off (I know it's bad)
veeam-Server: outbound traffic is allowed
So I tried to restore a group policy which I had deleted before, and I wasn't able to do the restore. I ran Wireshark on the domain controller and found out that during the restore the DC establishes some TCP connections to the veeam-server (maybe also some UDP connections, but I didn't look too closely at it). If I take a look at the official documentation https://helpcenter.veeam.com/docs/backu ... ?ver=95#ad, I cannot see a section where you should allow traffic from DCs to the veeam-server.
So I created a rule to allow all the traffic from DCs to the veeam server, and now it's working, but of course it would be nice to only allow the needed ports and protocols.
Maybe I didn't clearly understand the documentation, so it would be nice to get a clarification here - thank you!
- Veeam Software
- Posts: 315
- Liked: 74 times
- Joined: Mar 23, 2015 11:55 am
- Full Name: Michael Cade
- Location: Cambridge, United Kingdom
Re: Needed ports for Windows AD Objects
Hope this helps; this is from our Best Practices guide, which can be found here: http://bp.veeam.expert
This is specific to Application-Aware Processing.
Regards,
Michael Cade
Global Technologist
Veeam Software
Email: Michael.Cade@Veeam.com
Twitter: @MichaelCade1
- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
Re: Needed ports for Windows AD Objects
Hi Michael,
Thanks for your reply, but I need information about AD object restore and not Application-Aware Processing. Or is exactly the same port range needed?
- Veeam Software
- Posts: 315
- Liked: 74 times
- Joined: Mar 23, 2015 11:55 am
- Full Name: Michael Cade
- Location: Cambridge, United Kingdom
Re: Needed ports for Windows AD Objects
AD restores use:
TCP 135
TCP/UDP 389
TCP 636, 3268, 3269
TCP 49152-65535
Regards,
Michael Cade
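As an added example (not from the post above, and not Veeam's own code), the port list in this reply turned into least-privilege inbound rules on the domain controller, admitting only the backup server instead of the "allow everything" rule the original poster started with; note that the later replies in this thread confirm no inbound rule on the Veeam server side is needed, so only the DC side is configured here. The backup server address and the rule group name are placeholders.

```powershell
# Added example, not from the original post or Veeam documentation: inbound
# Windows Firewall rules on a domain controller that admit only the Veeam
# backup server, on exactly the ports listed in the reply above.
# ASSUMPTION: $VeeamServer is a placeholder address; replace it with the real one.
$VeeamServer = '10.0.0.5'           # placeholder, adjust to your environment
$Group       = 'Veeam AD Restore'   # hypothetical rule group, handy for audit and cleanup

# Port table taken from the reply above:
# TCP 135; TCP/UDP 389; TCP 636, 3268, 3269; TCP 49152-65535
$Rules = @(
    @{ Name = 'RPC endpoint mapper';    Protocol = 'TCP'; LocalPort = '135' },
    @{ Name = 'LDAP (TCP)';             Protocol = 'TCP'; LocalPort = '389' },
    @{ Name = 'LDAP (UDP)';             Protocol = 'UDP'; LocalPort = '389' },
    @{ Name = 'LDAPS / Global Catalog'; Protocol = 'TCP'; LocalPort = @('636', '3268', '3269') },
    @{ Name = 'RPC dynamic range';      Protocol = 'TCP'; LocalPort = '49152-65535' }
)

# Remove rules from a previous run so the script can be re-applied safely
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $Rules) {
    New-NetFirewallRule -DisplayName "Veeam AD restore - $($r.Name)" `
        -Group $Group `
        -Direction Inbound `
        -Action Allow `
        -Enabled True `
        -Profile Domain `
        -Protocol $r.Protocol `
        -LocalPort $r.LocalPort `
        -RemoteAddress $VeeamServer | Out-Null
}

# Verify what was created: one line per rule with protocol, ports and permitted source
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    '{0,-45} {1,-4} {2,-20} from {3}' -f $_.DisplayName, $portFilter.Protocol,
        ($portFilter.LocalPort -join ','), $addrFilter.RemoteAddress
}
```

Run it in an elevated PowerShell session on the domain controller; the verification output at the end is what to compare against the reply's port list.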
- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
Re: Needed ports for Windows AD Objects
OK, thank you, it's working fine now. I think we should mention that connections on TCP ports 49152-65535 will be established from the DCs to the Veeam backup server.
Why was I not able to find the information in the online documentation?
- Veeam Software
- Posts: 315
- Liked: 74 times
- Joined: Mar 23, 2015 11:55 am
- Full Name: Michael Cade
- Location: Cambridge, United Kingdom
Re: Needed ports for Windows AD Objects
The above information is available in the Best Practice guide I linked above. You will also find the same information in the user guide: https://helpcenter.veeam.com/docs/backu ... tml?ver=95
Regards,
Michael Cade
- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
Re: Needed ports for Windows AD Objects
OK, thanks!
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Needed ports for Windows AD Objects
mcz wrote: I ran Wireshark on the domain controller and found out that during the restore the DC establishes some TCP connections to the veeam-server (maybe also some UDP connections, but I didn't look too closely at it).
Basically, an inbound connection to the VEAD server should not be required - we've just tested a group policy restore with completely blocked inbound traffic on it, and it succeeded. If you could open a case and provide logs for the failed restore operation, so we could look for the actual method requiring this connection, it would be much appreciated.
- Veeam Legend
- Posts: 945
- Liked: 221 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
Re: Needed ports for Windows AD Objects
Hmm... foggy, you are right! I disabled my firewall rule again, and AD object restore worked fine. I guess I used the wrong credentials the last time (if you just click restore, Veeam probably uses the credentials of the currently logged-in user and not the domain admin credentials). So it's working as expected, and we don't have to start an investigation.
Thanks!