Exchange 2013 Communication to ALL DC/GC's

Hello, we are implementing a new Exchange 2013 deployment and our environment is such that we have 2 hubs (one main hub and one for disaster recovery) and 50 branch locations. Each branch location has 2 domain controllers (for redundancy; all are global catalogs). I have noticed that the CAS role servers for Exchange 2013 have been making LDAP and GC queries to all of the domain controllers everywhere, but our firewalls are blocking the traffic. Everything seems to work fine so far, but I was wondering if it is recommended or necessary to allow LDAP and GC ports from the Exchange CASes to every DC/GC in our organization. The CASes do currently have full communication with some of our DCs/GCs, including the FSMO role holders.

Thank you in advance for your time!

July 24th, 2015 10:06am

Microsoft official support policy is Exchange server must be able to communicate with ALL DCs in ALL sites on ALL ports (don't ask me why). I.e. if you block any DC on any port, you're not supported ... officially.

If you can make it, go ahead.

Otherwise, if your Exchange server is able to communicate with all DCs on local AD site and all DCs holding FSMO role, nothing to worry about. Everything will work perfectly.


  • Edited by Li Zhen Friday, July 24, 2015 2:35 PM
  • Marked as answer by Scott_42 Friday, July 24, 2015 3:28 PM
July 24th, 2015 10:36am
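One way to check the two criteria in the answer above (every DC in the Exchange server's own AD site, plus the FSMO role holders) from the CAS itself. This is an added example, not code from the original thread or from Microsoft. It assumes the Exchange Management Shell on an Exchange 2013 server running Windows Server 2012 R2 with the RSAT ActiveDirectory module installed, and that the server's computer account can read DC objects across the forest; the port list and the Test-TcpPort helper are my own choices.

```powershell
# Added example, not from the thread. Assumes: Exchange Management Shell on an
# Exchange 2013 CAS (Windows Server 2012 R2), RSAT ActiveDirectory module present.
# The port list and the Test-TcpPort helper are my choices, not a Microsoft artifact.
Import-Module ActiveDirectory

# Core DC/GC ports Exchange directory access needs. The dynamic RPC range is
# not covered by a single TCP connect test and has to be checked separately.
$Ports = [ordered]@{ LDAP = 389; LDAPS = 636; GC = 3268; GCS = 3269; Kerberos = 88; RPC_EPM = 135 }

function Test-TcpPort {
    # Plain TCP connect with a short timeout, so a firewall that silently drops
    # the SYN shows up as 'closed' in seconds rather than minutes per DC.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws on an active refusal (RST)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Which DCs/GCs this Exchange server is using right now (what the OP saw in the logs).
$me = Get-ExchangeServer -Identity $env:COMPUTERNAME -Status
$inUse = @($me.CurrentConfigDomainController) + @($me.CurrentDomainControllers) +
         @($me.CurrentGlobalCatalogs) | ForEach-Object { "$_" }

# 2. The AD site this server sits in, and every DC in every domain of the forest.
$mySite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

# 3. One row per DC per port, tagged with the two criteria from the answer.
$results = foreach ($dc in $dcs) {
    foreach ($name in $Ports.Keys) {
        if ($name -like 'GC*' -and -not $dc.IsGlobalCatalog) { continue }  # GC ports only on GCs
        [pscustomobject]@{
            DC              = $dc.HostName
            Site            = $dc.Site
            LocalSite       = ($dc.Site -eq $mySite)
            FSMO            = ($dc.OperationMasterRoles -join ',')
            InUseByExchange = ($inUse -contains $dc.HostName)
            Port            = "$name/$($Ports[$name])"
            Open            = Test-TcpPort -ComputerName $dc.HostName -Port $Ports[$name]
        }
    }
}

# Blocked ports on the DCs the answer says must be reachable: fix these first.
$results | Where-Object { -not $_.Open -and ($_.LocalSite -or $_.FSMO) } |
    Format-Table DC, Site, FSMO, Port -AutoSize

# Full matrix (one row per DC/port) to attach to the firewall change request.
$results | Export-Csv .\exchange-dc-ports.csv -NoTypeInformation
```

Run it on each Exchange server rather than once centrally, since the local site differs per hub or branch and the firewall path differs per source. With 100 DCs and six ports the connect loop takes a few minutes; the 2-second timeout is what keeps a silently dropping firewall from turning that into an hour. A DC that appears in the CSV as InUseByExchange with a closed port is the case worth looking at first, because DSAccess already chose it and will fail over when the next query is blocked.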

That is odd... I mean, I have no problem allowing the communication but wouldn't they consider all ports for all DC's a little bit of a security risk? I know for sure that all of our Exchange servers have full communication with all DC's relative to their sites plus FSMO so I guess that's why I've had no issues. I suppose I'll get a small script ready to run on all of our firewalls. :-)

Thanks for the info!

July 24th, 2015 11:31am
