In most situations you will have a VPN or private link to carry DC-to-DC traffic across the internet; in fact you need one of the two, because the traffic will not work through NAT at all. In the rare case where you must allow DC-to-DC communication through non-NATing internal firewalls between different networks, this is what you need to allow:
ICMP type 8
ICMP type 0
TCP/UDP 389
TCP 636
TCP 3268
TCP 3269
TCP/UDP 88
TCP/UDP 53
TCP/UDP 445
TCP 25
TCP/UDP 135
TCP/UDP 49152 - 65535
TCP 5722
TCP/UDP 464
TCP 9389
TCP 139
UDP 123
UDP 137
UDP 138
I know there are a lot of ports required, especially the large range of ephemeral ports. This is because Windows RPC uses a port mapper to assign these ephemeral ports dynamically. You can download Microsoft's handy PortQry tool to find out which ports are actually in use:
PortQryUI – GUI – Version
or google it, of course. Thanks to Ace Fekay for his post:
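Added example (not from the post, not Microsoft's PortQry): the allow list above as structured data, a small TCP probe in the spirit of PortQry, and a triage function that reads firewall deny-log lines and flags flows that fall on the DC-to-DC list. The deny-log format (`DROP proto=... src=... dst=... dport=...`) and the sample lines are constructed for this example; the service names are the standard Windows services behind each port.

```python
import re
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp", "udp" or "icmp"
    lo: int        # first port (or ICMP type), inclusive
    hi: int        # last port (or ICMP type), inclusive
    service: str   # Windows service that needs it


# The DC-to-DC allow list from the post, one Rule per protocol/port range.
DC_TO_DC_RULES = [
    Rule("icmp", 8, 8, "ICMP echo request"),
    Rule("icmp", 0, 0, "ICMP echo reply"),
    Rule("tcp", 389, 389, "LDAP"), Rule("udp", 389, 389, "LDAP (CLDAP)"),
    Rule("tcp", 636, 636, "LDAP over SSL"),
    Rule("tcp", 3268, 3268, "Global Catalog"),
    Rule("tcp", 3269, 3269, "Global Catalog over SSL"),
    Rule("tcp", 88, 88, "Kerberos"), Rule("udp", 88, 88, "Kerberos"),
    Rule("tcp", 53, 53, "DNS"), Rule("udp", 53, 53, "DNS"),
    Rule("tcp", 445, 445, "SMB"), Rule("udp", 445, 445, "SMB"),
    Rule("tcp", 25, 25, "SMTP replication"),
    Rule("tcp", 135, 135, "RPC endpoint mapper"),
    Rule("udp", 135, 135, "RPC endpoint mapper"),
    Rule("tcp", 49152, 65535, "RPC dynamic ports"),
    Rule("udp", 49152, 65535, "RPC dynamic ports"),
    Rule("tcp", 5722, 5722, "DFSR (SYSVOL replication)"),
    Rule("tcp", 464, 464, "Kerberos password change"),
    Rule("udp", 464, 464, "Kerberos password change"),
    Rule("tcp", 9389, 9389, "AD Web Services"),
    Rule("tcp", 139, 139, "NetBIOS session"),
    Rule("udp", 123, 123, "NTP"),
    Rule("udp", 137, 137, "NetBIOS name service"),
    Rule("udp", 138, 138, "NetBIOS datagram"),
]


def required_for_dc(proto, port):
    """Return the service name if (proto, port) is on the DC-to-DC list, else None."""
    proto = proto.lower()
    for rule in DC_TO_DC_RULES:
        if rule.proto == proto and rule.lo <= port <= rule.hi:
            return rule.service
    return None


def tcp_port_open(host, port, timeout=1.0):
    """PortQry-style TCP probe: True if a full TCP handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_dc_tcp_ports(host, timeout=1.0):
    """Probe each fixed TCP port on the list against one host; returns {service: open?}.
    The dynamic RPC range is skipped: those ports are only bound on demand."""
    results = {}
    for rule in DC_TO_DC_RULES:
        if rule.proto == "tcp" and rule.lo == rule.hi:
            results[rule.service] = tcp_port_open(host, rule.lo, timeout)
    return results


def demo_local_probe():
    """Exercise the probe on loopback: a listening port reads open, the same port closed reads blocked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_port_open("127.0.0.1", port)
    srv.close()
    while_closed = tcp_port_open("127.0.0.1", port)
    return while_open, while_closed


# Constructed deny-log sample (hypothetical format): the first two lines are the
# endpoint-mapper call on 135 followed by the dynamic port it handed out.
SAMPLE_DENY_LOG = """\
DROP proto=tcp src=10.1.0.10 dst=10.2.0.10 dport=135
DROP proto=tcp src=10.1.0.10 dst=10.2.0.10 dport=50001
DROP proto=tcp src=10.1.0.55 dst=10.2.0.10 dport=3389
DROP proto=udp src=10.1.0.10 dst=10.2.0.10 dport=123
"""

_DENY_RE = re.compile(r"proto=(\w+)\s.*?dport=(\d+)")


def triage_denied_flows(log_text):
    """Return [(log line, service)] for dropped flows that a DC pair actually needs."""
    findings = []
    for line in log_text.splitlines():
        m = _DENY_RE.search(line)
        if not m:
            continue
        service = required_for_dc(m.group(1), int(m.group(2)))
        if service:
            findings.append((line, service))
    return findings


if __name__ == "__main__":
    for line, service in triage_denied_flows(SAMPLE_DENY_LOG):
        print(f"{service:25s} <- {line}")
    print(demo_local_probe())
```

`check_dc_tcp_ports("dc2.example.internal")` (hostname assumed) gives a quick per-service view of what a firewall between two DCs is letting through; `triage_denied_flows` is the reverse view, pulling the DC-relevant drops out of a firewall log so the RDP drop (3389) is ignored while the 135-then-dynamic-port pair stands out.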
2 thoughts on “Domain Controller to Domain Controller through Non-NATing Firewall”
Hi, just wondering if you can point me in the right direction please? There seem to be a lot of lists around stating what ports need to be ‘open’ on a firewall for client-to-server (DC) traffic but I can’t see a clear explanation of which ports are needed outgoing from server-to-client, i.e. where the server initiates the connection to the client. With firewalls direction is everything (return traffic is allowed anyway) so I’m a bit nonplussed as to why Microsoft don’t state this clearly for firewall administrators.
(From googling it ‘seems’ to be tcp/udp 53 and >49152)
Thanks for your time.
You shouldn’t need any ports open server to client. What services would you imagine are running on the client that the server is going to require initiating a connection to?