Help and Support

How to configure a firewall for domains and trusts

View products that this article applies to.
Article ID:179442
Last Review:July 31, 2007
Revision:12.1
This article was previously published under Q179442
On This Page

SUMMARY

This article describes how to configure a firewall for domains and trusts.

Back to the top

MORE INFORMATION

To establish a domain trust or a security channel across a firewall, the following ports must be opened. Be aware that there may be hosts functioning with both client and server roles on both sides of the firewall. Therefore, ports rules may have to be mirrored.

Back to the top

Windows NT

In this environment, one side of the trust is a Windows NT 4.0 trust, or the trust was created by using the NetBIOS names.
Client Port(s)Server PortService
137/UDP137/UDPNetBIOS Name
138/UDP138/UDPNetBIOS Netlogon and Browsing
1024-65535/TCP139/TCPNetBIOS Session
1024-65535/TCP42/TCPWINS Replication

Back to the top

Windows Server 2003 and Windows 2000 Server

For a mixed-mode domain that uses either Windows NT domain controllers or legacy clients, trust relationships between Windows Server 2003-based domain controllers and Windows 2000 Server-based domain controllers may necessitate that all the ports for Windows NT that are listed in the previous table be opened in addition to the following ports.

Note The two domain controllers are both in the same forest, or the two domain controllers are both in a separate forest. Also, the trusts in the forest are Windows 2003 trusts or later version trusts.
Client Port(s)Server PortService
1024-65535/TCP135/TCPRPC
1024-65535/TCP1024-65535/TCPLSA RPC Services (*)
1024-65535/TCP/UDP389/TCP/UDPLDAP
1024-65535/TCP636/TCPLDAP SSL
1024-65535/TCP3268/TCPLDAP GC
1024-65535/TCP3269/TCPLDAP GC SSL
53,1024-65535/TCP/UDP53/TCP/UDPDNS
1024-65535/TCP/UDP88/TCP/UDPKerberos
1024-65535/TCP445/TCPSMB
(*) To define RPC server ports that are used by the LSA RPC services, see the "Domain controllers and Active Directory" section in the following Microsoft Knowledge Base article:
832017 (http://support.microsoft.com/kb/832017/) Service overview and network port requirements for the Windows Server system
For Active Directory to function correctly through a firewall, the Internet Control Message Protocol (ICMP) protocol must be allowed through the firewall from the clients to the domain controllers so that the clients can receive Group Policy information.

ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a legitimate protocol that Active Directory uses for Group Policy detection and for Maximum Transfer Unit (MTU) detection. The Windows Redirector also uses ICMP to verify that a server IP is resolved by the DNS service before a connection is made.

If you want to minimize ICMP traffic, you can use the following sample firewall rule: 
<any> ICMP -> DC IP addr = allow

Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.

By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be modified with a specific registry setting that is described in the following article in the Microsoft Knowledge Base:
260186 (http://support.microsoft.com/kb/260186/) The SendPort DNS registry key does not work as expected

For more information about Active Directory and firewall configuration, view the "Active Directory in Networks Segmented by Firewalls" Microsoft White Paper. To do this, visit the following Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en)
Alternatively, you can establish a trust through the Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel, and this will limit the number of ports that the firewall will need to open. For PPTP, the following ports must be enabled.
Client PortsServer PortProtocol
1024-65535/TCP1723/TCPPPTP
In addition, you would have to enable IP PROTOCOL 47 (GRE).

Note When you add permissions to a resource on a trusting domain for users in a trusted domain, there are some differences between the Windows 2000 and Windows NT 4.0 behavior. If the computer cannotdisplay a list of the remote domain's users:
Windows NT 4.0 tries to resolve manually-typed names by contacting the PDC for the remote user's domain (UDP 138). If that communication fails, a Windows NT 4.0-based computer contacts its own PDC, and then asks for resolution of the name.
Windows 2000 and Windows Server 2003 also try to contact the remote user's PDC for resolution over UDP 138, but they do not rely on using their own PDC. Make sure that all Windows 2000-based member servers and Windows Server 2003-based member servers that will be granting access to resources have UDP 138 connectivity to the remote PDC.

Back to the top

APPLIES TO
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows NT Server 4.0 Standard Edition

Back to the top

Keywords: 
kbenv kbhowto kbnetwork KB179442

Back to the top

Article Translations

 

Related Support Centers

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.