Domain Controller to Domain Controller through Non-NATing Firewall

Introduction

In most situations you are going to have VPN or private network to allow DC to DC traffic to work across the internet, in fact you would need either a VPN or private link as NAT would not allow it to work period. In the rare cases you would need to allow the communication between non-natting internal firewalls on different networks. This is what you’d need to allow

Required Ports

 ICMP 8
 ICMP 0
 TCP/UDP 389
 TCP 636
 TCP 3268
 TCP 3269
 TCP/UDP 88
 TCP/UDP 53
 TCP/UDP 445
 TCP 25
 TCP/UDP 135
 TCP/UDP 49152 - 65535
 TCP 5722
 TCP/UDP 464
 TCP 9389
 TCP 139
 UDP 123
 UDP 137
 UDP 138

I know there is a lot of ports required. Especially the large range of ephemeral ports. This is because Windows uses a port mapper to map these ephemeral ports. You can download the handy port query tool from Microsoft for finding out which ports are in use:

PortQryUI – GUI – Version
http://www.microsoft.com/download/en/details.aspx?id=24009

or google it of course. Thanks to Ace Fekay for his post:

http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/