Hi,
I have a firewall between my Domain Controllers and my clients and I would like to know which ports should I open and the traffic (inbound/outbound) that I should allow so that the AD works correctly.
Thanks a lot for your help.
Oussama
Hi,
Check this link.
Hi,
> firewall between my Domain Controllers and my clients and I would like to know which ports should I open and the traffic
Port requirements for client computers and domain controllers communicating with each other:
Active Directory communication takes place over several ports. These ports are required by both client computers and domain controllers. As an example, when a client computer tries to find a domain controller, it always sends a DNS query over port 53 to find the name of the domain controller in the domain.
The following is the list of services and their ports used for Active Directory communication:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations.
TCP Port 139 and UDP Port 138 for File Replication Service between domain controllers.
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service
TCP and UDP Port 464 for Kerberos Password Change
TCP Ports 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
Opening the above ports in the firewall between client computers and domain controllers, or between domain controllers, will enable Active Directory to function properly.
Refer to the following for the AD DS and replication port requirements:
http://support.microsoft.com/kb/832017
Regards,
Abhijit Waikar.
-------------------------------
MCSA|MCSA:Messaging|MCTS|MCITP:SA
My Blog: http://abhijitw.wordpress.com
This posting is provided AS IS with no warranties, and confers no rights.
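The port list above, turned into something you can run from a host on the client side of the firewall. This is an added example written for this page, not code from the thread or from Microsoft: it makes a TCP connect to each port named in the reply and sends the DC-locator SRV query (`_ldap._tcp.dc._msdcs.<domain>`) over UDP 53 by hand, since that DNS lookup is the first packet a client sends when it looks for a domain controller. The domain `corp.example`, the host `dc01.corp.example` and the embedded sample DNS response are constructed assumptions, not captures.

```python
# Added example (not from the thread): TCP-probe the AD ports named in the reply
# and hand-build the DC-locator DNS SRV query over UDP 53 to test DC discovery.
import random
import socket
import struct
import sys

# Ports named in the reply, probed over TCP (a DC listens on TCP 88/389 too).
AD_TCP_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 139: "NetBIOS session",
    389: "LDAP", 445: "SMB / file replication", 464: "Kerberos password change",
    3268: "Global Catalog", 3269: "Global Catalog over SSL",
}
QTYPE_SRV, QCLASS_IN = 33, 1

def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels ending in 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_srv_query(name, txid):
    """Standard recursive query (RD=1) carrying one SRV question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)

def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2                     # the name ends after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_srv_answer(pkt, txid):
    """Return [(priority, weight, port, target), ...] from a DNS SRV response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid or flags & 0x000F:             # wrong reply, or DNS error (rcode)
        raise ValueError("bad DNS response: id %#x rcode %d" % (rid, flags & 0xF))
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = _read_name(pkt, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", pkt[off:off + 6])
            target, _ = _read_name(pkt, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return records

# Constructed sample response (not a real capture); the answer's owner name is a 0xC00C pointer.
SAMPLE_TXID = 0x1234
_SAMPLE_RDATA = struct.pack("!HHH", 0, 100, 389) + encode_name("dc01.corp.example")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + encode_name("_ldap._tcp.dc._msdcs.corp.example")
    + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    + b"\xc0\x0c"
    + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, len(_SAMPLE_RDATA))
    + _SAMPLE_RDATA
)

def locate_dcs(domain, dns_server, timeout=3.0):
    """DC-locator query over UDP 53: SRV _ldap._tcp.dc._msdcs.<domain>."""
    txid = random.randrange(0x10000)
    query = build_srv_query("_ldap._tcp.dc._msdcs." + domain, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_answer(data, txid)

def check_tcp_ports(dc, ports=AD_TCP_PORTS, timeout=2.0):
    """Return {port: reachable} for a TCP connect to each AD service port."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results[port] = s.connect_ex((dc, port)) == 0
    return results

if __name__ == "__main__":
    domain, dc = sys.argv[1], sys.argv[2]    # e.g. corp.example dc01.corp.example
    print("DC locator SRV records:", locate_dcs(domain, dc))
    for port, ok in check_tcp_ports(dc).items():
        print(f"TCP {port:5d} {AD_TCP_PORTS[port]:26s} {'open' if ok else 'BLOCKED'}")
```

Run it as `python adports.py corp.example dc01.corp.example` from a machine on the client side of the firewall; a port reported BLOCKED while the DC is known to be listening points at a missing rule. The SRV parser handles the name-compression pointers real resolvers emit, which is why the constructed sample uses one. The check covers only the fixed service ports listed in the reply; the dynamic RPC ports that a client is redirected to after talking to the endpoint mapper on 135 are not probed here.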
Besides the inbound and outbound ports, we can't forget the ephemeral response ports:
UDP 1024 - 5000
TCP 1024 - 5000
UDP 49152 - 65535
TCP 49152 - 65535
It's in the links Sandesh posted. These are the dynamically assigned service response ports, and are required.
Forgot to mention: if NT4 is involved, then we have to open the ephemeral range to:
UDP & TCP 1024 - 65535
Check out my blog, it has tips on reducing the high ports range needed as well as standard ports:
http://www.pbbergs.com/windows/articles/FirewallReplication.html
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
Sorry for hijacking this thread ....
Do you know whether these ports should be opened unidirectionally, from the client computer to the DC, or whether all of these ports have to be opened bidirectionally?
I've opened a separate thread here. Unfortunately, I didn't get any reply!