Confirm that network ports are not blocked by a firewall or third-party application listening on the required ports.

The endpoint mapper (listening on port 135) tells the client which randomly assigned port a service, such as FRS, AD replication, or MAPI, is listening on.

| Application protocol | Protocol | Ports |
|---|---|---|
| Global Catalog Server | TCP | 3269 |
| Global Catalog Server | TCP | 3268 |
| LDAP Server | TCP | 389 |
| LDAP Server | UDP | 389 |
| LDAP SSL | TCP | 636 |
| LDAP SSL | UDP | 636 |
| IPsec ISAKMP | UDP | 500 |
| NAT-T | UDP | 4500 |
| RPC | TCP | 135 |
| RPC randomly allocated high TCP ports¹ | TCP | 1024 - 5000, 49152 - 65535* |

Note: This is the range in Windows Server 2008 and later.

PortQry can be used to identify whether a port is blocked from one DC when targeting another DC. The tool can be downloaded at PortQry Command Line Port Scanner Version 2.0. Syntax example:

portqry -n <problem_server> -e 135 
portqry -n <problem_server> -r 1024-5000

A graphical version of PortQry, known as PortQryUI, can be found at PortQryUI - User Interface for the PortQry Command Line Port Scanner.
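The same TCP check can be scripted when PortQry is not at hand. The following is an added example, not part of the original article or of any Microsoft tool; it probes the TCP entries from the table above and separates a port that answers with a reset (reachable, nothing bound) from one that never answers (typical of a firewall drop). The host name `dc02.example.test` and all function names are placeholders chosen for this example.

```python
import socket

# TCP entries from the port table above. The UDP entries (389, 636, 500, 4500)
# cannot be verified with a TCP connect and are left out.
REQUIRED_TCP_PORTS = {
    135: "RPC endpoint mapper",
    389: "LDAP Server",
    636: "LDAP SSL",
    3268: "Global Catalog Server",
    3269: "Global Catalog Server",
}

def probe_tcp(host, port, timeout=2.0):
    """Return LISTENING, NOT LISTENING, FILTERED or ERROR (...) for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "LISTENING"
    except ConnectionRefusedError:
        # The host answered with a reset: traffic arrived, nothing is bound there.
        return "NOT LISTENING"
    except (socket.timeout, TimeoutError):
        # No answer within the timeout: typical of a firewall dropping packets.
        return "FILTERED"
    except OSError as exc:
        # Name resolution failure, unreachable network, and similar.
        return f"ERROR ({exc})"

def check_ports(host, ports=REQUIRED_TCP_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {port: (service, state)}."""
    return {p: (name, probe_tcp(host, p, timeout)) for p, name in sorted(ports.items())}

def filtered_ports(host, ports, timeout=2.0):
    """Return only the ports that look blocked in transit.

    In the dynamic RPC range NOT LISTENING is normal (no service was assigned
    that port); FILTERED is the state that points at a firewall.
    """
    return [p for p in ports if probe_tcp(host, p, timeout) == "FILTERED"]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc02.example.test"  # placeholder
    for port, (service, state) in check_ports(target).items():
        print(f"{port:>5}/tcp  {service:<24} {state}")
    sample = range(49152, 65536, 2048)  # spaced sample of the dynamic range
    print("filtered in sampled dynamic range:", filtered_ports(target, sample))
```

Run it from the DC that reports the replication problem, passing the partner DC as the argument, so the probe follows the same network path as the failing traffic.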

If the Dynamic Port range has ports being blocked, use the following links to configure a port range that is manageable.
