Description

We are integrating with multiple AD domains and after doing a review of the product documentation, we had the following questions:

1. One of the AD domains we are integrating with, if the NetBIOS domain name is different from the DNS domain name, does it affect the connector functionality in any way? The documentation was referenced but it appeared to provide no indication around whether or not this would affect provisioning.
2. The AD domain being referenced above needs to be accessed through a firewall. What are the firewall requirements for the ADS connector to connect and provision to a domain across the firewall? Is it just 389 and 636 - Does it use more than just LDAPS calls?

Solution

Answers:

1. Having the NETBIOS name being different is ok as long as the name can be resolved and reached from the Provisioning/Connector Servers. The sAMAccountName of a computer object is the NETBIOS name and the dnsHostName is the name registered in DNS. So the values retrieved from the DC for sAMAccountName and dnsHostName need to be resolveable and reachable.
2. You will want to have ports 389/636 available as well as the Global Catalog ports 3268/3269. In addition you also need to unblock 139/445.
   Port 139 (netbios-ssn) is the Netbios Session Service and is used for the resource sharing on Windows that is used to connect file shares for example. Port 445 is used by Windows for SMB (Server Message Block) over TCP and is used among other things for file sharing. These ports are needed for:
   1. Getting and setting Terminal Services.
   2. Creating home directory on remote machine.
   3. Getting Domain controller and global catalog information.

Also if this is an Exchange Server you will need the CAM/CAFT ports to be available(by default they would be 4104/4105 (UDP/TCP).