Often sought on the Internet, rarely complete, here is for a domain controller firewall ports to open so your Windows domain-controller is able to contact the other domain controllers it is depending on for proper replication
- UDP/123 for time synchronization, as in a domain by default the W32Time of a domain controller synchronizes with other domain controllers or the PDCE FSMO role of the top domain of the forest
- TCP/464 and UDP/464 for joining and regularly changing passwords
- TCP/445 for SMB communication (forget about 137, 138, they are unnecessary since Windows 2000!)
- TCP/88 and UDP/88 for Kerberos communication (although you can force Kerberos to use TCP if you wish)
- TCP and UDP/53 for DNS resolution
- TCP/389 and UDP/389 for LDAP
- TCP/636 if you are using LDAPS
- TCP/3268 as global catalog
- TCP/3269 as global catalog over SSL/TLS
- TCP/135 for the RPC endpoint mapper
- a range of ports, by default, 49152-65535 for RPC dynamic ports; you can (and should) limit them so the RPC ports use a narrower range of ports. The number of ports depend on the workload of the machine. Thousand ports is more than OK in most scenarios.
- TCP/5722 on Windows 2008(R2) if you use DFS-R to replicate SYSVOL. Due to a bug under that specific version you cannot change that port. On other versions, it is part of the dynamic port range or is set to a specific port if you use the appropriate dfsrdiag starticrpc /port:nnnnn /member:<nameoftheserver>
- the NetLogon and NTDS ports which are part of the dynamic port range unless you use
As a bonus for this post, here is a nice poster for you to dream about that:
IIn addition to domain controller firewall ports, you may need a list of member server firewall ports, as in that case there are less ports to open.
Hi Dimitry,
I am setting up an Additional DC in my Azure network. What are the ports that I need to open for inbound/outbound in-order to promote a member server as an Additional DC.
Thanks.
If you are setting up an Virtual Machine in Azure to host the AD Domain Services role, they are the same ones as mentioned in the article.
Thank you Dimitry, this was really helpful.
The dcpormo process went on successfully when i have added port exclusions as above.
Open port inbound or outbound or both?
In the article, the listed items are the rules for the inbound ports.