Hello all,
I was wondering if you could help me.
Here is some information about our infrastructure, so you understand why I'm asking this question.
I'm trying to set up two Primary SCCM 2007 Site Servers in a hierarchy (Primary1 to Primary2).
Each SCCM is located in different domains (both 2008R2 root domain forests)
We have created two way transitive trusts between Domain1 and Domain2
We also have firewalls between both domains firewall1 and firewall2
So to allow dynamic RPC traffic through the firewalls we have restricted RPC to use 49152 and 49153 (see MS KB):
http://support.microsoft.com/kb/224196
We have set up ACLs between Firewall1 and Firewall2 for the following:
Domain1_AD_Controllers and Domain2_AD_Controllers - Active_directory
Primary1 and Domain2_AD_Controllers - Active_directory
Primary2 and Domain1_AD_Controllers - Active_directory
and the same in reverse as well.
active_directory tcp-udp
group-object dns = 53
group-object ldap = 389 + 636
group-object kerberos = 88 + 464
group-object global_catalog = 3268 + 3269
group-object netbios = 137 + 138 + 139
group-object dc_rpc_static = 49152 + 49153
group-object ms_dfsr = 5722
group-object rpc_endpoint = 135
group-object smb = 445
group-object ntp = 123
Here is my question:
When trying to set up the hierarchy, you have to add the other SCCM Site Server into the local group SMS_SiteToSiteConnection_XXX and do the same on the other SCCM Site Server, e.g.
SMS_SiteToSiteConnection_111 - Primary2
SMS_SiteToSiteConnection_222 - Primary1
When querying the other active directory from the Site Server, the site server will connect to the domain controllers in the other domain directly to resolve computer names etc.
Primary1 and Domain2_AD_Controllers
or
Primary2 and Domain1_AD_Controllers
Now, although at an Active Directory level RPC is restricted to 49152 and 49153, why doesn't SCCM use these ports, and instead uses the next available ports, e.g.
49154
49155
Can we force SCCM to use the restricted ports? There is no point in opening RPC for 49152 to 65000.
Hope this makes sense; if not, please ask away.
regards
stravze
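The following audit script is an added example, not something from the original post or from Microsoft. It is meant for the diagnostic step the poster is stuck on: confirming on the site server or domain controller which RPC endpoints the KB 224196 registry values actually pin, what the machine-wide dynamic port range is, and which listening ports fall outside the ACL group-objects listed in the post. The "TCP/IP Port" value under NTDS\Parameters and "DCTcpIpPort" under Netlogon\Parameters only fix the AD replication and Netlogon RPC endpoints; every other RPC server on the box (the SCCM site components included) takes a port from the machine-wide dynamic range reported by netsh. Assumptions: Windows Server 2008 R2 with PowerShell 2.0, run from an elevated prompt; the port list is constructed from the group-objects in the post.

```powershell
# Added audit example (not from the original post). Run elevated on a site server or DC.
# Assumes Windows Server 2008 R2 / PowerShell 2.0 built-in cmdlets and tools only.

# Ports the firewall ACL in the post admits (constructed from the group-object list above).
$allowedPorts = @(53, 389, 636, 88, 464, 3268, 3269, 137, 138, 139,
                  49152, 49153, 5722, 135, 445, 123)

# 1. Registry values from KB 224196: these pin ONLY the NTDS replication and Netlogon endpoints.
$ntds     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
"NTDS 'TCP/IP Port'     : {0}" -f $ntds.'TCP/IP Port'
"Netlogon 'DCTcpIpPort' : {0}" -f $netlogon.DCTcpIpPort

# 2. Machine-wide dynamic range that all other RPC servers (SCCM components included) draw from.
"Dynamic TCP port range (netsh):"
netsh int ipv4 show dynamicport tcp

# 3. Every listening TCP port with its owning process, flagged when the ACL would not admit it.
"Listening TCP ports versus the ACL group-objects:"
$listening = netstat -ano -p tcp | Select-String 'LISTENING'
foreach ($entry in $listening) {
    # netstat columns: Proto  Local Address  Foreign Address  State  PID
    $fields   = $entry.Line.Trim() -split '\s+'
    $port     = [int](($fields[1] -split ':')[-1])   # last token handles both 0.0.0.0:135 and [::]:135
    $ownerPid = [int]$fields[-1]
    $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $status   = if ($allowedPorts -contains $port) { 'allowed by ACL' } else { 'NOT in ACL' }
    "{0,6}  {1,-25} {2}" -f $port, $proc.ProcessName, $status
}
```

Run it on Primary1 and on a Domain2 controller before touching the firewalls: the third section shows directly which process holds 49154 and 49155, and the second section shows the range it was handed. Any port flagged "NOT in ACL" that belongs to a service the other site must reach is a gap the firewall rule, not the NTDS registry value, has to account for.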