cannot join an AD DC on a LAN from DMZ

Started by rickeyw, April 22, 2020, 01:44:12 PM

Good morning Everyone,
I couldn't find a similar one to the topic I am starting, so I apologize if a repetition occurs.
I am trying to join an MS Win 10 from my DMZ to an AD server (MS Server 2016) in my LAN.
I did some research, and the ports listed in the attachment are the ones that are supposed to be opened, but I think I still miss something because I am still not able to join the domain.
Can you please give me a hand with this issue?
Best,
rickey

Sorry, but I do not have this NSA zoom software that can scale up a picture from nothing to readable by adding useful pixels  ;D

I guess these ports are open: https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Sorry for this @hbc  ;D
The 256 KB file size limit does it. If you are on Windows, you can right click on it and "Edit", and when "Paint" opens it, "Resize", "Pixels", and anything bigger than 1500 in "Horizontal" will make it pretty again.
Basically, I used the attached one.
In the link you sent me, do I need to open the "Server" ones?
Best,
rick

Yes, you need the server ports. The main problem is those RPC ports, which are dynamic. Thus you have to open a pretty wide range of ports.

Usually clients connect to the RPC mapper (135) and get in return the dynamic high port they should connect to. A nightmare for every firewall. For Linux firewalls there exist RPC connection tracking modules which monitor the port returned by the RPC mapper and allow connections to it. I did not see something similar for pf.

I restrict the RPC range from 49152-50152 and hope that 1000 ports are enough for my clients  :)

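The port set hbc describes, written out as an added pf rule example (not from the thread or from OPNsense itself): the interface name and addresses are assumed placeholders, the port list follows the Microsoft article linked above, and the RPC range is the narrowed 49152-50152 from the post, which the DC itself must also be configured to use or the endpoint mapper will still hand out ports the firewall drops.

```pf
# Added example, not from the thread. Placeholders (assumed): interface and hosts.
dmz_if     = "em1"
dmz_client = "10.10.20.15"   # assumed: Windows 10 host in the DMZ
lan_dc     = "10.10.10.5"    # assumed: Server 2016 domain controller on the LAN

# "Server" side ports from the linked Microsoft article: DNS, Kerberos,
# RPC endpoint mapper, LDAP/LDAPS, SMB, Kerberos password change, Global Catalog, NTP.
ad_tcp = "{ 53 88 135 389 445 464 636 3268 3269 }"
ad_udp = "{ 53 88 123 389 464 }"

# The endpoint mapper on 135 returns a high port; the client then connects there,
# so the same dynamic range must be allowed. Narrowed to 1000 ports to keep the
# hole small; the DC's dynamic port range has to match this setting.
rpc_dyn = "49152:50152"

# Default deny from the DMZ host to the DC, then explicit allows (quick = first match wins).
block in on $dmz_if from $dmz_client to $lan_dc
pass in quick on $dmz_if proto tcp from $dmz_client to $lan_dc port $ad_tcp flags S/SA keep state
pass in quick on $dmz_if proto udp from $dmz_client to $lan_dc port $ad_udp keep state
pass in quick on $dmz_if proto tcp from $dmz_client to $lan_dc port $rpc_dyn flags S/SA keep state
```

Because pf cannot track the port announced by the endpoint mapper, the whole `rpc_dyn` range stays open to the DC; keeping it to a single DMZ host and a single DC, as above, is what limits the exposure.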

Thank you very much @hbc !
Let me do as advised, and I will revert to you tomorrow.
Best,
rick