Geeks With Blogs
Virtualisation Technology Architecture and Industry Comments from the Front-Lines

I found it hard to find a definitive list on the internet of which ports need opening for Active Directory replication across a firewall. Here are my findings; everything is working with this list, so I hope it helps someone else.

Group                  Service                           TCP            UDP         ICMP type
RDP                    Remote Desktop                    3389
DNS                    DNS Download                      53
                       DNS Queries                                      53
WINS Replication       WINS                              42             42
ICMP                   echo-request                                                 8
                       info-request                                                 15
                       mask request                                                 17
                       timestamp                                                    13
NetBIOS Services       Name Resolution Service           137            137
                       Datagram Service (Browsing)                      138
                       Session Service (net use)         139
SMB                    Input                             445
                       Output                                           445
Remote Storm                                             1025
NTP                    NTP                               123            123
Content Replication    Content_Repl                      507
Kerberos               Kerberos-Secure                                  750
                       Kerberos_v5                       88 + 464       88 + 464
LDAP                   LDAP                              389            389
                       LDAP over SSL/TLS                 636            636
                       Global Catalog                    3268
                       Global Catalog over SSL/TLS       3269
Replication            Active Directory (RPCSS)          dynamic
                       FRS (RPCSS)                       dynamic
Microsoft CIFS         Microsoft-CIFS (DS)               445            445
RPC - Cert Services    RPC (+)                           135
SNMP                   SNMP Agent                                       161
                       SNMP Trap                         162
ASP.NET                State Service                     42424
Link State Algorithm   Routing                           691
TCP high ports (Cert Services, > 1023)                   1024 - 65535
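Once the firewall rules are in, the useful check is to probe the fixed TCP ports in the table from the domain controller on the far side, and to tell "a firewall dropped it" apart from "nothing is listening". The script below is an added example for that, not part of the original post; it assumes the DC name passed in resolves from where it runs, and that the port list mirrors the table above. The two "dynamic" RPC rows are deliberately not in the list, because there is no fixed number to probe.

```powershell
# Added example (not from the original post): probe the fixed TCP ports from
# the table against a domain controller on the other side of the firewall.
# Assumed: $DomainController is resolvable from here; the list mirrors the table.
param(
    [Parameter(Mandatory = $true)][string]$DomainController,
    [int]$TimeoutMs = 2000
)

# Service -> TCP port, taken from the table above (fixed ports only).
$fixedTcpPorts = [ordered]@{
    'DNS (TCP)'                   = 53
    'Kerberos v5'                 = 88
    'RPC endpoint mapper'         = 135
    'NetBIOS session service'     = 139
    'LDAP'                        = 389
    'SMB/CIFS'                    = 445
    'Kerberos kpasswd'            = 464
    'LDAP over SSL/TLS'           = 636
    'Global Catalog'              = 3268
    'Global Catalog over SSL/TLS' = 3269
}

# A TCP connect distinguishes three outcomes:
#   OPEN     - SYN/ACK came back, the service is reachable
#   CLOSED   - RST came back, the host was reached but nothing listens there
#   FILTERED - nothing came back within the timeout, a firewall is dropping the SYN
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'FILTERED'
        }
        $client.EndConnect($async)    # throws a SocketException on RST
        return 'OPEN'
    }
    catch {
        return 'CLOSED'
    }
    finally {
        $client.Close()
    }
}

$report = foreach ($service in $fixedTcpPorts.Keys) {
    $port = $fixedTcpPorts[$service]
    [pscustomobject]@{
        Service = $service
        Port    = $port
        State   = Test-TcpPort -ComputerName $DomainController -Port $port -TimeoutMs $TimeoutMs
    }
}

$report | Format-Table -AutoSize

# Non-zero exit if anything is filtered, so the check can gate a change window.
if ($report | Where-Object State -eq 'FILTERED') { exit 1 }
```

Run it from a DC (or any host) on the far side of the firewall: `.\Test-AdPorts.ps1 -DomainController dc01.example.local`. A FILTERED row means the firewall rule for that port is missing or mis-scoped; a CLOSED row means the packet got through and the DC simply is not offering that service (for instance 3269 on a DC that is not a Global Catalog). For the two RPC "dynamic" rows the range depends on the Windows version of the DC (1024-65535 on Windows 2003, 49152-65535 on Windows 2008 and later, unless it has been restricted as described in the comments below); `portqry -n dc01 -e 135` shows which ports the endpoint mapper is actually handing out.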
Posted on Wednesday, May 9, 2007 2:34 AM


Comments on this post: Active Directory and Firewall Ports

# re: Active Directory and Firewall Ports
This is excellent; I've been looking for something like this as well. Thanks for making it available.
Left by Aumie on May 25, 2007 11:48 AM

# re: Active Directory and Firewall Ports
I really do hope that this is the definitive guide as I have never found anything that is definitive, not even on the MS support site.
Left by nsg on May 31, 2007 12:29 PM

# re: Active Directory and Firewall Ports
Good work! Thank you!
Left by Jack Nielsen on Jul 16, 2007 5:30 AM

# re: Active Directory and Firewall Ports
Sweet, thanks!

I've used this, combined with Microsoft's info on how to restrict RPC services to a limited port list (5000-5100 in this case), and with the power of MS Excel (quick incrementing of port numbers) I have created this, which can be cut/pasted into a command prompt window... I may have missed some, and you may want services open to more than just your subnet (or 3389 RDP not open to all IPs), so use at your own risk ;-)

commands start here:
------------------------
netsh firewall add portopening tcp 3389 3389_tcp_AD_PORTS enable
netsh firewall add portopening tcp 139 139_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 445 445_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 137 137_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 138 138_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 53 53_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 53 53_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 42 42_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 42 42_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 137 137_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 1025 1025_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 123 123_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 123 123_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 507 507_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 750 750_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 88 88_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 88 88_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 464 464_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 464 464_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 389 389_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 636 636_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 445 445_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 161 161_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 162 162_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 42424 42424_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 5000 5000_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 5001 5001_tcp_AD_PORTS enable subnet

.... ports omitted due to post size limitations (tcp 5002-5099) ...

netsh firewall add portopening tcp 5100 5100_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 5000 5000_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 5001 5001_udp_AD_PORTS enable subnet

.... more ports omitted due to post size limitations (udp 5002-5099) ...

netsh firewall add portopening udp 5100 5100_udp_AD_PORTS enable subnet
Left by drew on Feb 25, 2009 4:20 AM
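The comment above confines RPC to 5000-5100 and then opens each port with its own netsh line. The script below is an added example, not drew's code or the original post's, of doing the same job on a newer domain controller: pin the RPC ports that Active Directory replication and FRS use to fixed numbers, confine every other RPC interface to a small range, and open each range with one firewall rule scoped to the partner DCs. It assumes it is run as an administrator on the DC, on Windows 8 / Server 2012 or later (for New-NetFirewallRule); the subnet and port numbers in the parameter block are placeholders to replace.

```powershell
# Added example (not from the original post or comments): fixed RPC ports for
# AD replication and FRS, a restricted RPC dynamic range, and scoped firewall
# rules on the DC. Assumed: run elevated on the DC, Windows 8/2012+.
param(
    [string]$PeerSubnet = '10.1.0.0/16',   # assumed subnet of the partner DCs
    [int]$AdReplicationPort = 5000,        # fixed port for NTDS replication RPC
    [int]$FrsPort = 5001,                  # fixed port for FRS RPC
    [string]$RpcRange = '5002-5200'        # pool left for every other RPC interface
)

# 1. Pin the directory service and FRS to fixed RPC ports, so they no longer
#    land somewhere in the dynamic range and can be opened individually.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Type DWord -Value $AdReplicationPort
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' `
    -Name 'RPC TCP/IP Port Assignment' -Type DWord -Value $FrsPort

# 2. Restrict what the endpoint mapper hands out to everything else
#    (the Rpc\Internet key the comment above refers to). Keep the fixed ports
#    outside this range so they cannot collide with a dynamic allocation.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey | Out-Null }
Set-ItemProperty -Path $rpcKey -Name 'Ports'                  -Type MultiString -Value @($RpcRange)
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Type String      -Value 'Y'
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Type String      -Value 'Y'

# 3. One inbound rule per port or range, limited to the partner DC subnet,
#    instead of one netsh line per port. Idempotent: skips rules that exist.
$rules = @(
    @{ Name = 'AD RPC endpoint mapper'; Port = 135 },
    @{ Name = 'AD replication (NTDS)';  Port = $AdReplicationPort },
    @{ Name = 'FRS replication';        Port = $FrsPort },
    @{ Name = 'RPC dynamic range';      Port = $RpcRange }
)
foreach ($rule in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Port -RemoteAddress $PeerSubnet -Action Allow | Out-Null
    }
}

Write-Host "Registry and firewall updated; the RPC port changes take effect after a reboot."
```

The registry values take effect only after the DC is rebooted, so run the connectivity check again afterwards. The network firewall between the sites needs the same four entries (135, the two fixed ports and the range) plus the fixed ports from the table; on a DC that is too old for New-NetFirewallRule, `netsh advfirewall firewall add rule name="RPC dynamic range" dir=in action=allow protocol=TCP localport=5002-5200 remoteip=10.1.0.0/16` creates the equivalent rule in one line.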

# re: Active Directory and Firewall Ports
Very handy. Thanks!
Left by Jordy Guillon on May 22, 2009 5:08 AM

# re: Active Directory and Firewall Ports
Thanks a lot, very useful.
Left by hamid rezaie on Jul 09, 2009 6:08 AM

# re: Active Directory and Firewall Ports
This helped me out a great deal, thanks a lot!
Left by Dan on Jul 24, 2009 8:27 AM

# re: Active Directory and Firewall Ports
Thanks mate - worked like a charm ^.^

It's always good to see a list of errors suddenly disappear. lol.
Left by Adam on Oct 10, 2009 10:59 AM

# re: Active Directory and Firewall Ports
Very good information for all tech people.
Left by Ganesan K on Nov 24, 2009 9:10 PM

# re: Active Directory and Firewall Ports
Thanks a lot
Left by mvblack on Dec 08, 2009 12:15 AM

# re: Active Directory and Firewall Ports
Try Microsofts official web page for info...
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
Left by oz2 on Feb 11, 2010 11:14 AM

# re: Active Directory and Firewall Ports
Does anyone know what firewall ports have to be opened between a client device and a server that is part of a Windows Active Directory domain?

In my example the client is NOT in the same domain as the server.

The Windows 2003 server that is part of the domain does not have the NetBIOS over TCP/IP service installed in its networking configuration. However, the client "might" have this service, as it might be a Windows 2000 server, or a Windows 2003 server with the NetBIOS service installed.

Therefore, do I need to open ports:
135 (RPC)
137, 138, 139 (NetBIOS)
1024-65535 (which I can limit to 5000-6000) RPC dynamic ports
53 (DNS)
389/636 (LDAP/Secure LDAP)
3268 (Global Catalog)

OR do I just need:
135 (RPC)
1024-65535 (which I can limit to 5000-6000) RPC dynamic ports

I have read all sorts of pages on the internet that discuss client to server comms, but they all assume the client is in the same domain as the server. In my case they are not.
Personally I don't see why the client, which is not in the domain, needs to be able to communicate over the DNS, Global Catalog and LDAP ports, because it is NOT the one authenticating the user; it is the server, so obviously the server needs those ports opened up to its domain controllers. Also it doesn't need the NetBIOS ports, as the Windows 2003 server does not have the NetBIOS over TCP/IP service installed (regardless of whether the client has it or not).

Many thanks
Left by Surfboy1971 on Apr 08, 2010 8:24 AM

# re: Active Directory and Firewall Ports
Thank you :)
Left by Firdaus on Apr 15, 2010 2:21 AM

# re: Active Directory and Firewall Ports
I need all the Active Directory ports for the firewall.
Left by mohamad on Aug 20, 2010 2:30 AM

# re: Active Directory and Firewall Ports
port number
Left by emad on Jan 08, 2011 12:04 PM

# re: Active Directory and Firewall Ports
Bless you Pal. This was very helpful when I was working on a firewall.
Left by Bizkit Barrel on Apr 29, 2011 1:18 PM

# re: Active Directory and Firewall Ports
Hi, please find this.
Left by monty on Nov 13, 2011 3:23 AM



Copyright © Jason Miles | Powered by: GeeksWithBlogs.net