Another option would be to run PortQryUI (https://www.microsoft.com/en-us/download/details.aspx?id=24009). The "Domain and Trusts" service query option runs through many of the common ports, although it doesn’t include all of them used in replication. Otherwise, the options MBS and Brian suggested will help.
-Aakash Shah

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, May 13, 2015 2:55 PM
To: [email protected]
Subject: RE: [NTSysADM] Firewall settings for DCs

You can also use firewall tracing.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Desmond
Sent: Wednesday, May 13, 2015 4:58 PM
To: [email protected]
Subject: RE: [NTSysADM] Firewall settings for DCs

Have you collected a network trace? If there's a port being blocked, that should be pretty apparent there.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Wednesday, May 13, 2015 1:13 PM
To: [email protected]
Subject: [NTSysADM] Firewall settings for DCs

I am having a hard time finding a list of what the settings for a Win2012 R2 DC should be.

Here's my problem - running a "dcdiag /a" is reporting problems not finding the network path to a DC in a remote site. I know the remote DC is there; I can ping it; etc. So something in the firewall is blocking it, but it's unclear to me as to which rule specifically.

The DC shows it's connected to a domain, with the Windows firewall on. I imagine that it must be an outbound rule blocking me, but I see all "Active Directory (TCP and UDP out)" enabled; all "Core Networking" enabled; all "File and Printer Sharing" entries with a green check mark (Echo, NB, SMB). Shouldn't that be enough? I shouldn't need any of the "Network Discovery" rules enabled, should I? (correct me if I am wrong, but if I can't do a "\\<remote-DC>\C$", then the dcdiag diag will also fail?)

What am I missing here? There are no hardware firewalls between me and the remote DC, and the remote DC has all firewalls turned off (for testing).
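The two approaches the thread recommends (probing the well-known AD ports, as PortQryUI's "Domain and Trusts" query does, and turning on Windows Firewall tracing so dropped packets are recorded) can both be driven from PowerShell on the local DC. The script below is an added example written for this thread, not something any of the posters supplied. It assumes Server 2012 R2 or later (for Test-NetConnection and the NetSecurity cmdlets), an elevated prompt for the logging change, the default pfirewall.log location, and that the remote DC's name and address are substituted for the placeholders; the port list is the commonly documented set of fixed DC-to-DC ports, and the function names are the author's own.

```powershell
# Added diagnostic example (not from the thread). Probes the fixed AD ports toward a
# remote DC and parses blocked-packet entries out of the Windows Firewall log.
# 'REMOTE-DC-PLACEHOLDER' and '10.0.0.5' are placeholders for the remote DC.

# Commonly documented fixed ports one DC needs toward another. Replication RPC also
# uses the dynamic range 49152-65535 (Server 2008 and later), which a fixed-port
# probe cannot exercise; the firewall log below is what surfaces those drops.
$AdPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB (SYSVOL/NETLOGON, \\dc\C$)' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Global Catalog over SSL' }
)

function Test-AdPorts {
    # TCP-only probe of each fixed port; UDP (DNS, Kerberos) is not covered by Test-NetConnection.
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($entry in $AdPorts) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $entry.Port
            Service = $entry.Name
            TcpOpen = $r.TcpTestSucceeded
            PingOK  = $r.PingSucceeded
        }
    }
}

function Enable-FirewallDropLogging {
    # Log dropped packets for the Domain profile, the one a domain-joined DC is using.
    # Returns the log path so the caller knows where to read from.
    Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogMaxSizeKilobytes 16384
    (Get-NetFirewallProfile -Profile Domain).LogFileName
}

function Get-FirewallDrops {
    # Parse pfirewall.log and return DROP records, optionally only those involving $RemoteIp.
    # Log fields: date time action protocol src-ip dst-ip src-port dst-port size ... path
    # where the last field is SEND (outbound rule) or RECEIVE (inbound rule).
    param(
        [string]$Path = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [string]$RemoteIp
    )
    Get-Content -Path $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -lt 8) { return }   # skip malformed or truncated lines
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Action   = $f[2]
                Protocol = $f[3]
                SrcIp    = $f[4]
                DstIp    = $f[5]
                SrcPort  = $f[6]
                DstPort  = $f[7]
                Path     = $f[-1]
            }
        } |
        Where-Object {
            $_.Action -eq 'DROP' -and
            (-not $RemoteIp -or $_.SrcIp -eq $RemoteIp -or $_.DstIp -eq $RemoteIp)
        }
}

# Usage (placeholders):
# Test-AdPorts -ComputerName 'REMOTE-DC-PLACEHOLDER' | Format-Table -AutoSize
# Enable-FirewallDropLogging
# dcdiag /a        # reproduce the failing test, then:
# Get-FirewallDrops -RemoteIp '10.0.0.5' |
#     Group-Object Protocol, DstPort, Path | Sort-Object Count -Descending | Format-Table -AutoSize
```

Reading the result: a DROP with Path RECEIVE and a destination port in the 49152-65535 range is the remote DC's replication RPC call back into the local DC, which the "Active Directory (TCP and UDP out)" outbound rules do nothing for; the matching inbound rule is what to look at. A DROP with Path SEND points at an outbound rule, which is less common because Windows Firewall's default outbound action is Allow. Grouping by port and direction, rather than reading the log line by line, is what makes the blocked rule apparent.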
