domain controller firewall ports


Often sought on the Internet, rarely complete, here is for a domain controller firewall ports to open so your Windows domain-controller is able to contact the other domain controllers it is depending on for proper replication

  • UDP/123 for time synchronization, as in a domain by default the W32Time of a domain controller synchronizes with other domain controllers or the PDCE FSMO role of the top domain of the forest
  • TCP/464 and UDP/464 for joining and regularly changing passwords
  • TCP/445 for SMB communication (forget about 137, 138, they are unnecessary since Windows 2000!)
  • TCP/88 and UDP/88 for Kerberos communication (although you can force Kerberos to use TCP if you wish)
  • TCP and UDP/53 for DNS resolution
  • TCP/389 and UDP/389 for LDAP
  • TCP/636 if you are using LDAPS
  • TCP/3268 as global catalog
  • TCP/3269 as global catalog over SSL/TLS
  • TCP/135 for the RPC endpoint mapper
  • a range of ports, by default, 49152-65535 for RPC dynamic ports; you can (and should) limit them so the RPC ports use a narrower range of ports. The number of ports depend on the workload of the machine. Thousand ports is more than OK in most scenarios.
  • TCP/5722 on Windows 2008(R2) if you use DFS-R to replicate SYSVOL. Due to a bug under that specific version you cannot change that port. On other versions, it is part of the dynamic port range or is set to a specific port if you use the appropriate dfsrdiag starticrpc /port:nnnnn /member:<nameoftheserver>
  • the NetLogon and NTDS ports which are part of the dynamic port range unless you use

As a bonus for this post, here is a nice poster for you to dream about that:
IIn addition to domain controller firewall ports, you may need a list of member server firewall ports, as in that case there are less ports to open.