Introduction

In most situations you are going to have VPN or private network to allow DC to DC traffic to work across the internet, in fact you would need either a VPN or private link as NAT would not allow it to work period. In the rare cases you would need to allow the communication between non-natting internal firewalls on different networks. This is what you’d need to allow

Required Ports

 ICMP 8
 ICMP 0
 TCP/UDP 389
 TCP 636
 TCP 3268
 TCP 3269
 TCP/UDP 88
 TCP/UDP 53
 TCP/UDP 445
 TCP 25
 TCP/UDP 135
 TCP/UDP 49152 - 65535
 TCP 5722
 TCP/UDP 464
 TCP 9389
 TCP 139
 UDP 123
 UDP 137
 UDP 138

I know there is a lot of ports required. Especially the large range of ephemeral ports. This is because Windows uses a port mapper to map these ephemeral ports. You can download the handy port query tool from Microsoft for finding out which ports are in use:

PortQryUI – GUI – Version
http://www.microsoft.com/download/en/details.aspx?id=24009

or google it of course. Thanks to Ace Fekay for his post:

http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

 

Domain Controller to Domain Controller through Non-NATing Firewall
Tagged on:             

2 thoughts on “Domain Controller to Domain Controller through Non-NATing Firewall

  • 8th September 2020 at 17:13
    Permalink

    Hi, just wondering if you can point me in the right direction please ? There seem to be a lot of lists around stating what ports need to be ‘open’ on a firewall for client-to-server (DC) traffic but I can’t see a clear explanation of which ports are needed outgoing from server-to-client, i.e. where the server initiates the connection to the client. With firewalls direction is everything (return traffic is allowed anyway) so I’m a bit non-plussed as to why Microsoft don’t state this clearly for firewall administrators.
    (From googling it ‘seems’ to be tcp/udp 53 and >49152)
    Thanks for your time.
    Chris.

    Reply
    • 8th September 2020 at 18:05
      Permalink

      You shouldn’t need any ports open server to client. What services would you imagine are running on the client that the server is going to require initiating a connection to?

      Reply

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.