Comprehensive data protection for all workloads
Post Reply
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Needed ports for Windows AD Objects

Post by mcz »

Hi everybody,

I am currently working on the firewall settings and yesterday I tried to create the rules I need for an active directory object restore. My configuration was looking like this:

domain controller wi01:
firewall currently switched off (I know it's bad)

veeam-Server
outbound traffic is allowed

So I tried to restore a group policy which I have deleted before and I wasn't able to do the restore. I run wireshark on the domain controller and found out that during restore the dc establishes some TCP-connections to the veeam-server (maybe also some UPD-connections but I didn't look too close on it). If I take a look at the official documentation https://helpcenter.veeam.com/docs/backu ... ?ver=95#ad, I cannot see a section where you should allow traffic from DC's to the veeam-server.

So I created a rule to allow all the traffic from DC's to the veeam server and now it's working, but of course it would be nice to only allow the needed ports and protocols.
Maybe I didn't clearly understand the documentation so it would be nice to get a clarification here - thank you!
MichaelCade
Veeam Software
Posts: 315
Liked: 74 times
Joined: Mar 23, 2015 11:55 am
Full Name: Michael Cade
Location: Cambridge, United Kingdom
Contact:

Re: Needed ports for Windows AD Objects

Post by MichaelCade »

Hope this helps this is from our Best Practices guide that can be found here http://bp.veeam.expert

Image

This is specific for Application Aware processing.
Regards,

Michael Cade
Global Technologist
Veeam Software
Email: Michael.Cade@Veeam.com
Twitter: @MichaelCade1
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Needed ports for Windows AD Objects

Post by mcz »

Hi Michael,

thanks for your reply but I need information about AD Object restore and not application aware processing. Or is exactly the same portrange needed?
MichaelCade
Veeam Software
Posts: 315
Liked: 74 times
Joined: Mar 23, 2015 11:55 am
Full Name: Michael Cade
Location: Cambridge, United Kingdom
Contact:

Re: Needed ports for Windows AD Objects

Post by MichaelCade »

AD restores use:
TCP 135
TCP UDP 389
TCP 636,3268,3269
TCP 49152-65535
Regards,

Michael Cade
Global Technologist
Veeam Software
Email: Michael.Cade@Veeam.com
Twitter: @MichaelCade1
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Needed ports for Windows AD Objects

Post by mcz »

OK thank you, it's working fine now. I think we should mention that connections of tcp-ports 49152-65535 will be established from the DC's to the veeam backup server.

Why was I not able to find the information in the online documentation?
MichaelCade
Veeam Software
Posts: 315
Liked: 74 times
Joined: Mar 23, 2015 11:55 am
Full Name: Michael Cade
Location: Cambridge, United Kingdom
Contact:

Re: Needed ports for Windows AD Objects

Post by MichaelCade »

The above information is available in the Best Practice guide I have linked above. You will also find the same information here in the user guide. https://helpcenter.veeam.com/docs/backu ... tml?ver=95
Regards,

Michael Cade
Global Technologist
Veeam Software
Email: Michael.Cade@Veeam.com
Twitter: @MichaelCade1
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Needed ports for Windows AD Objects

Post by mcz »

ok thanks!
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Needed ports for Windows AD Objects

Post by foggy »

mcz wrote:I run wireshark on the domain controller and found out that during restore the dc establishes some TCP-connections to the veeam-server (maybe also some UPD-connections but I didn't look too close on it).
Basically, inbound connection to VEAD server should not be required - we've just tested group policy restore with completely blocked inbound traffic on it and it succeeded. If you could open a case and provide logs for the failed restore operation, so we could look for the actual method requiring this connection, it would be much appreciated.
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Needed ports for Windows AD Objects

Post by mcz » 1 person likes this post

Hmm... foggy, you are right! I disabled my firewall rule again and AD Object restore worked fine. I guess I used the wrong credentials the last time (if you just click restore veeam probably uses the credential of the current logged in user and not the domain admin credentials). So it's working as expected and we don't have to start an investigation.

Thanks!
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Semrush [Bot] and 68 guests