How to configure a firewall for Active Directory domains and trusts

Applies to: Windows Server 2008 StandardWindows Server 2008 R2 StandardMicrosoft Windows Server 2003 Standard Edition (32-bit x86) More

Summary


This article describes how to configure a firewall for Active Directory domains and trusts.
 

 

More Information


Client Port(s) Server Port Service
1024-65535/TCP 135/TCP RPC Endpoint Mapper
1024-65535/TCP 1024-65535/TCP RPC for LSA, SAM, Netlogon (*)
1024-65535/TCP/UDP 389/TCP/UDP LDAP
1024-65535/TCP 636/TCP LDAP SSL
1024-65535/TCP 3268/TCP LDAP GC
1024-65535/TCP 3269/TCP LDAP GC SSL
53,1024-65535/TCP/UDP 53/TCP/UDP DNS
1024-65535/TCP/UDP 88/TCP/UDP Kerberos
1024-65535/TCP 445/TCP SMB
1024-65535/TCP 1024-65535/TCP FRS RPC (*)
NETBIOS ports as listed for Windows NT are also required for Windows 2000 and Windows Server 2003 when trusts to domains are configured that support only NETBIOS-based communication. Examples are Windows NT-based operating systems or third-party Domain Controllers that are based on Samba.

(*) For information about how to define RPC server ports that are used by the LSA RPC services, see the following Microsoft Knowledge Base articles: 

Windows Server 2008 and later versions

Windows Server 2008 newer versions of Windows Server have increased the dynamic client port range for outgoing connections. The new default start port is 49152, and the default end port is 65535. Therefore, you must increase the RPC port range in your firewalls. This change was made to comply with Internet Assigned Numbers Authority (IANA) recommendations. This differs from a mixed-mode domain that consists of Windows Server 2003 domain controllers, Windows 2000 Server-based domain controllers, or legacy clients, where the default dynamic port range is 1025 through 5000.

For more information about the dynamic port range change in Windows Server 2008, Windows Server 2012 and Windows Server 2012 R2, see the following resources: 
Client Port(s) Server Port Service
49152 -65535/UDP 123/UDP W32Time
49152 -65535/TCP 135/TCP RPC Endpoint Mapper
49152 -65535/TCP 464/TCP/UDP Kerberos password change
49152 -65535/TCP 49152-65535/TCP RPC for LSA, SAM, Netlogon (*)
49152 -65535/TCP/UDP 389/TCP/UDP LDAP
49152 -65535/TCP 636/TCP LDAP SSL
49152 -65535/TCP 3268/TCP LDAP GC
49152 -65535/TCP 3269/TCP LDAP GC SSL
53, 49152 -65535/TCP/UDP 53/TCP/UDP DNS
49152 -65535/TCP 49152 -65535/TCP FRS RPC (*)
49152 -65535/TCP/UDP 88/TCP/UDP Kerberos
49152 -65535/TCP/UDP 445/TCP SMB (**)
49152 -65535/TCP 49152-65535/TCP DFSR RPC (*)
NETBIOS ports as listed for Windows NT are also required for Windows 2000 and Server 2003 when trusts to domains are configured that support only NETBIOS-based communication. Examples are Windows NT-based operating systems or third-party Domain Controllers that are based on Samba.

(*) For information about how to define RPC server ports that are used by the LSA RPC services, see the following Microsoft Knowledge Base articles:(**) For the operation of the trust this port is not required, it is used for trust creation only.
 

Active Directory

In Windows 2000 and Windows XP, the Internet Control Message Protocol (ICMP) must be allowed through the firewall from the clients to the domain controllers so that the Active Directory Group Policy client can function correctly through a firewall. ICMP is used to determine whether the link is a slow link or a fast link.

In Windows Server 2008 and later versions, the Network Location Awareness Service provides the bandwidth estimate based on traffic with other stations on the network. There is no traffic generated for the estimate.

The Windows Redirector also uses ICMP Ping messages to verify that a server IP is resolved by the DNS service before a connection is made, and when a server is located by using DFS.

If you want to minimize ICMP traffic, you can use the following sample firewall rule:
<any> ICMP -> DC IP addr = allow 

Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.

By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be changed by a specific registry setting. For more information, see Microsoft Knowledge Base article 260186: SendPort DNS registry key does not work as expected

For more information about Active Directory and firewall configuration, see the Active Directory in Networks Segmented by Firewalls Microsoft white paper. 
Or, you can establish a trust through the Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel. This limits the number of ports that the firewall has to open. For PPTP, the following ports must be enabled.  
Client Ports Server Port Protocol
1024-65535/TCP 1723/TCP PPTP

In addition, you would have to enable IP PROTOCOL 47 (GRE).

    Reference


    832017: Service overview and network port requirements for the Windows Server system is a valuable resource outlining the required network ports, protocols, and services that are used by Microsoft client and server operating systems, server-based programs, and their subcomponents in the Microsoft Windows Server system. Administrators and support professionals may use this Microsoft Knowledge Base article as a roadmap to determine which ports and protocols Microsoft operating systems and programs require for network connectivity in a segmented network.

    You should not use the port information in KB article 832017 to configure Windows Firewall. For information about how to configure Windows Firewall, see the following Microsoft website:
     

    Networking and Access Technologies: Windows Firewall