Ports to be opened for DC - Clients communication

Hi,

I have a firewall between my Domain Controllers and my clients and I would like to know which ports should I open and the traffic (inbound/outbound) that I should allow so that the AD works correctly.

Thanks a lot for your help.

Oussama

October 31st, 2011 7:31pm

Thanks Mr X for your answer but this article does not tell me if it is incoming or outgoing traffic...
October 31st, 2011 7:41pm

Hi

Check this link

http://srvcore.wordpress.com/2010/02/06/active-directory-windows-2008-and-2008-r2-useful-documentation/

 

October 31st, 2011 7:43pm

Hi,

"... firewall between my Domain Controllers and my clients and I would like to know which ports should I open and the traffic ..."

Port requirements for client computers and domain controllers communicating with each other:

Active Directory communication takes place using several ports. These ports are required by both client computers and domain controllers. As an example, when a client computer tries to find a domain controller, it always sends a DNS query over port 53 to find the name of the domain controller in the domain.

The following is the list of services and their ports used for Active Directory communication:

    UDP Port 88 for Kerberos authentication
    UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations
    TCP Port 139 and UDP Port 138 for File Replication Service between domain controllers
    UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers
    TCP and UDP Port 445 for File Replication Service
    TCP and UDP Port 464 for Kerberos password change
    TCP Ports 3268 and 3269 for Global Catalog from client to domain controller
    TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller

Opening the above ports in the firewall between client computers and domain controllers, or between domain controllers, will enable Active Directory to function properly.

Reference: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/WhatAllPortsAreRrequiredByDomainControllersAndClientComputers.html

Refer below for AD DS and replication ports requirement:

http://support.microsoft.com/kb/832017

Regards,
Abhijit Waikar.
 -------------------------------
MCSA|MCSA:Messaging|MCTS|MCITP:SA
My Blog: http://abhijitw.wordpress.com
This posting is provided AS IS with no warranties, and confers no rights.

November 1st, 2011 6:08am
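The reply above lists the ports but not who opens the connection. The following script is an added example (not code from the thread or from any of the linked articles) that shows the direction in practice: run from a domain-joined client, it first does the DC-locator DNS SRV query the reply mentions (port 53), then attempts a TCP connect to each listed port on every DC it finds. Every connection is initiated by the client, so the firewall rule is "client to DC, destination port X" with stateful return traffic; nothing has to be opened from DC to client for these. It assumes `Resolve-DnsName` is available (Windows 8 / Server 2012 or later) and that `$env:USERDNSDOMAIN` holds your AD DNS domain; `Test-TcpPort` is a helper written for this example. DCs also listen for Kerberos and LDAP on TCP, so a TCP connect is a usable probe for those; the UDP side cannot be checked with a bare socket and is left out.

```powershell
# Added example, not part of the original thread.
# Locate the DCs via DNS SRV (the port 53 traffic the reply describes),
# then TCP-connect to each client->DC port from the list above.
# Assumptions: Resolve-DnsName available (Win8/2012+), client is domain-joined.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumed: AD DNS domain of this client
    [int]$TimeoutMs = 2000
)

# Client -> DC TCP ports taken from the reply above (TCP side only).
$Ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAP over SSL'
}

# Helper written for this example: distinguishes a DC that answers (open),
# one that actively refuses (service not listening) and a silent drop
# (timeout), which is what a firewall rule that is missing looks like.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered/timeout'
        }
        $client.EndConnect($ar)    # throws a SocketException on refusal
        return 'open'
    } catch {
        return 'refused/unreachable'
    } finally {
        $client.Close()
    }
}

# Step 1: the DC locator query. If this fails, nothing below can work either.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

# Step 2: every connection here originates on the client.
foreach ($dc in $dcs) {
    foreach ($p in $Ports.Keys) {
        $state = Test-TcpPort -Target $dc -Port $p -TimeoutMs $TimeoutMs
        '{0,-30} {1,5}/tcp {2,-28} {3}' -f $dc, $p, $Ports[$p], $state
    }
}
```

A port reported as "filtered/timeout" from the client side while the DC shows a listener in `netstat -ano` is the signature of a missing or misordered firewall rule; "refused/unreachable" means the packet got through but nothing is listening, which is a DC-side problem rather than a firewall one.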

Besides being inbound and outbound, we can't forget the ephemeral response ports:

UDP  1024 - 5000
TCP  1024 - 5000
UDP  49152 - 65535
TCP  49152 - 65535

It's in the links Sandesh posted. These are the dynamically assigned service response ports, and are required.

 

Forgot to mention, if NT4 is involved, then we have to open the ephemeral ranges to:

UDP & TCP 1024 - 65535

 

November 1st, 2011 6:56am

Check out my blog, it has tips on reducing the high ports range needed as well as standard ports:
http://www.pbbergs.com/windows/articles/FirewallReplication.html

--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com    Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson

Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

November 1st, 2011 2:51pm
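The two posts above raise the dynamic RPC range (49152-65535 on Windows 2008 and later, 1024-5000 on older systems) and the possibility of shrinking what has to be opened. The script below is an added example (not code from the thread or from Paul Bergson's blog) for a domain controller: it prints the dynamic range currently in use, then pins the AD replication (NTDS), Netlogon and FRS RPC services to fixed ports using the registry values Microsoft documents for restricting AD RPC traffic to a specific port, so the firewall can name three ports instead of the whole range. The port numbers 38901-38903 are an arbitrary choice for this example; `-Apply` is a switch defined here so that the default run only reports. The new ports take effect after a reboot, and the same values must be set on every DC.

```powershell
# Added example, not part of the original thread.
# Run elevated on a domain controller.
param(
    [int]$NtdsPort     = 38901,  # AD replication (DRS) RPC; arbitrary example value
    [int]$NetlogonPort = 38902,  # Netlogon RPC; arbitrary example value
    [int]$FrsPort      = 38903,  # FRS RPC, only relevant while FRS still replicates SYSVOL
    [switch]$Apply               # without -Apply, only report current vs. desired
)

# 1. The range that unpinned RPC services draw their listening port from.
#    This is what the "ephemeral" rules above have to cover.
netsh interface ipv4 show dynamicport tcp
netsh interface ipv4 show dynamicport udp

# 2. Fixed-port settings, each a REG_DWORD under the service's Parameters key.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'TCP/IP Port';                Value = $NtdsPort }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'DCTcpIpPort';                Value = $NetlogonPort }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
       Name = 'RPC TCP/IP Port Assignment'; Value = $FrsPort }
)

foreach ($s in $settings) {
    # Missing value (or missing key) means the service is still using a dynamic port.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($null -eq $current) { $current = '(dynamic)' }
    '{0}\{1}: current={2} desired={3}' -f $s.Path, $s.Name, $current, $s.Value

    if ($Apply) {
        # The NTFRS key is absent on DCs where DFSR has taken over SYSVOL; skip it then.
        if (-not (Test-Path $s.Path)) { continue }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

if ($Apply) {
    'Reboot this DC, then confirm the listeners with: netstat -ano -p tcp'
}
```

Two caveats a practitioner will want: clients and DCs still contact the endpoint mapper on TCP 135 to learn the pinned port, so 135 stays in the rule set alongside the three fixed ports; and pick ports outside the dynamic range shown in step 1 that nothing else on the DC already uses. Anything RPC-based that is not pinned (for example DFSR, which has its own static-port setting) still needs the dynamic range, so either pin it too or keep the range rule for that traffic.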

Sorry for hijacking this thread ....

Do you know whether these ports should be opened unidirectionally from the client computer to the DC, or whether all of them need to be opened bidirectionally?

I've opened a separate thread here. Unfortunately, I didn't get any reply!

April 29th, 2014 4:33am

This topic is archived. No further replies will be accepted.
