Hi, You also need to open ICMP (it is usually mentioned in KB articles). If you don't open ICMP, client (and DCs on other sides of the firewall) will run into problems with group policy updating / replication.
Miha -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Hammond Sent: Saturday, July 21, 2007 5:18 PM To: [EMAIL PROTECTED]; [email protected] Subject: RE: win2k3 active directory - firewall ports The following are the required ports for AD the articles supporting are following. Windows Server 2003 and Windows 2000 Server For a mixed-mode domain that uses either Windows NT domain controllers or legacy clients, trust relationships between Windows Server 2003-based domain controllers and Windows 2000 Server-based domain controllers may necessitate that all the ports for Windows NT that are listed in the previous table be opened in addition to the following ports. Note The two domain controllers are both in the same forest, or the two domain controllers are both in a separate forest. Also, the trusts in the forest are Windows 2003 trusts or later version trusts. Client Port(s)Server PortService 1024-65535/TCP135/TCPRPC 1024-65535/TCP1024-65535/TCPLSA RPC Services (*) 1024-65535/TCP/UDP389/TCP/UDPLDAP 1024-65535/TCP636/TCPLDAP SSL 1024-65535/TCP3268/TCPLDAP GC 1024-65535/TCP3269/TCPLDAP GC SSL 53,1024-65535/TCP/UDP53/TCP/UDPDNS 1024-65535/TCP/UDP88/TCP/UDPKerberos 1024-65535/TCP445/TCPSMB (*) To define RPC server ports that are used by the LSA RPC services, see the "Domain controllers and Active Directory" section in the following Microsoft Knowledge Base article: To answer your question review the following microsoft kb articles. http://support.microsoft.com/kb/179442/ http://support.microsoft.com/kb/154596/en-us http://support.microsoft.com/kb/224196/ The key is limiting all dynamically assigned ports such as RPC to a specific port. While you can limit the services down and rid yourself of certain ports the more you limit the more functionality you loose. recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original messages. From: "dubaisans dubai" <[EMAIL PROTECTED]> To: [email protected] Subject: win2k3 active directory - firewall ports Date: Fri, 20 Jul 2007 11:54:04 +0530 MIME-Version: 1.0 Received: from outgoing.securityfocus.com ([205.206.231.26]) by bay0-mc11-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Fri, 20 Jul 2007 12:08:30 -0700 Received: from outgoing.securityfocus.com by outgoing.securityfocus.com via smtpd (for bay0-oim-f.bay0.hotmail.com [65.54.244.200]) with ESMTP; Fri, 20 Jul 2007 12:07:07 -0700 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 4E5DD1438D2; Fri, 20 Jul 2007 10:48:26 -0600 (MDT) Received: (qmail 2167 invoked from network); 20 Jul 2007 06:45:52 -0000 >i want to put win2k3 active directory server behind the corporate >firewall. we are using windows xp clients and also group policy > >what ports need to be allowed on firewall ? is there any fine tuning >that can be done on AD to make it more firewall friendly? > >i have some DC is remote locations . what ports need to be allowed between >DCs?
