How to configure Windows Server 2003 SP1 firewall for a Domain Controller
Bruce Sanderson MVP
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
A Windows Server 2003 SP1 Domain Controller does not function correctly when the Windows Firewall is enabled with its default settings. The computer may fail to act as a Domain Controller, or some Active Directory content (e.g. GPOs, whose files are replicated through SYSVOL) may not replicate to it.
Symptoms might include:
1. client computers cannot establish secure connections with the Domain Controller
2. users cannot log on at client computers with domain user accounts
3. users cannot access domain resources (e.g. file or printer shares) on domain member computers
4. a computer that is promoted to be a Domain Controller fails to function as a Domain Controller
5. in the File Replication Service Event Log, Event ID 13508 "The File Replication Service is having trouble enabling replication from …" appears without a subsequent Event ID 13509 "The File Replication Service has enabled replication from …" or 13516 "The File Replication Service is no longer preventing the computer … from becoming a domain controller."
6. on a computer that is promoted to be a Domain Controller, the SYSVOL and NETLOGON shares are not present
7. on a computer that is promoted to be a Domain Controller, the %systemroot%\SYSVOL\domain\Policies folder does not get populated from another Domain Controller
The Windows Server 2003 SP1 Firewall, either on this computer or the other Domain Controller(s), is preventing client access to the Active Directory or preventing Active Directory replication.
Configure the Active Directory (AD) Replication & File Replication Service (FRS) to use specific TCP/IP ports for replication (see References below for relevant Knowledgebase articles) and configure the firewall to allow incoming connections to the required programs and ports.
1. Configure AD and FRS to use a specific port
a. select two TCP port numbers to be used (e.g. 53211 and 53212) that are not being used by anything on any of the Domain Controllers. You can use any number between 49152 and 65535. The command netstat -a -o -n lists all of the ports currently open, but it cannot show ports that will be used by applications or services that are not running at the time (see Knowledgebase article 832017 for the ports used by Windows Server). See References below for the definitive source for port number information.
b. on all Domain Controllers in the Forest, add the following two registry values with regedit (or use a .reg file - see References below)
i. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port
- DWORD containing the selected TCP port number for AD replication (e.g. 53211 - cfdb (hex))
ii. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\RPC TCP/IP Port Assignment
- DWORD containing the selected TCP port number for FRS (e.g. 53212 - cfdc (hex))
2. Configure the Windows Server 2003 SP1 Windows Firewall for use on a Domain Controller. You can add the required settings to the Default Domain Controllers Group Policy Object (GPO), or create a new GPO and link it to the Domain Controllers container. The Group Policy Management Console (GPMC) is the recommended tool for this.
Note: After promotion to being a Domain Controller the computer will restart; after this first restart, the computer will use the Windows Firewall's Domain Profile. After the first replication completes successfully and the computer is restarted, the Domain Controller will use the Windows Firewall's Standard Profile. So, to avoid problems, make the Domain and Standard profiles for Domain Controllers identical.
In the following, only items specifically related to correct functioning of a Domain Controller are listed; unlisted items can be set to any value desired. For example, it may be useful to have the Allow Remote Desktop exception set to Enabled so the Domain Controller can be administered remotely, which is common in large installations where Domain Controllers are remotely located. Likewise, other services installed on the same computer need their own exceptions; the DNS Server service, which is very commonly hosted on a Domain Controller, listens on port 53 (TCP and UDP) in its own process and is not covered by the settings below (KB article 832017 lists the ports for each service).
a. Windows Firewall: Protect all network connections - Enabled
b. Windows Firewall: Allow remote administration exception - Enabled (opens ports 135 and 445, which are both required for Domain Controllers)
c. Windows Firewall: Allow file and printer sharing exception - Enabled
d. Windows Firewall: Define port exceptions - Enabled (in the list of port exceptions below, the * indicates that incoming requests from any IP address will be accepted. Other values are possible - see the text on the Setting tab in Group Policy Editor for details. For example, localsubnet may be applicable in some circumstances). The strings below are exactly what needs to be in the list of port exceptions.
3268:tcp:*:enabled:Global Catalog LDAP
53211:tcp:*:enabled:AD Replication (Note: use the port number selected in 1.b.i above)
53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in 1.b.ii above)
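The two steps above carried out from a PowerShell prompt, as an added example that is not part of this article. It uses the article's sample ports 53211 and 53212 (change them to your own choice), writes the two registry values from step 1, and then applies the per-machine equivalent of the step 2 Group Policy settings with the netsh firewall context that Windows Server 2003 SP1 provides. The netsh part is useful for a lab or for checking a single Domain Controller; a GPO linked to the Domain Controllers container, as recommended above, remains the way to deploy the settings, and once it applies it overrides the local values. The function names are this example's own.

```powershell
# Added example, not code from KB 555381: pins AD and FRS replication to fixed
# TCP ports and applies the local-firewall equivalent of the GPO settings the
# article lists. Run in an elevated PowerShell session on each Domain
# Controller; the registry values take effect after a restart.
# 53211/53212 are the article's sample ports; substitute your own choice.

$adPort  = 53211   # NTDS "TCP/IP Port"                 (hex 0xCFDB)
$frsPort = 53212   # NtFrs "RPC TCP/IP Port Assignment" (hex 0xCFDC)

# Step 1a: confirm each port is in the dynamic range and not already open.
# Caveat from the article: netstat only sees ports that are open right now,
# not ports a service that is currently stopped will take when it starts.
function Test-PortChoice {
    param([int]$Port)
    if ($Port -lt 49152 -or $Port -gt 65535) {
        throw "Port $Port is outside the IANA dynamic/private range 49152-65535"
    }
    # netstat -a -n -o prints one endpoint per line:  TCP  0.0.0.0:53211  ...
    $open = @(netstat -a -n -o | Where-Object { $_ -match "^\s*TCP\s+\S+:$Port\s" })
    if ($open.Count -gt 0) {
        throw ("Port $Port is already in use:`n" + ($open -join "`n"))
    }
    return ("Port {0} (hex 0x{0:X4}) is free" -f $Port)
}

Test-PortChoice $adPort
Test-PortChoice $frsPort

# Step 1b: the two REG_DWORD values (the same thing a .reg file would set).
$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntfrs = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
Set-ItemProperty -Path $ntds  -Name 'TCP/IP Port'                -Value $adPort  -Type DWord
Set-ItemProperty -Path $ntfrs -Name 'RPC TCP/IP Port Assignment' -Value $frsPort -Type DWord

# Step 2: local equivalent of the Group Policy settings. Applied to BOTH the
# Domain and Standard profiles, as the article advises, so a profile switch
# after the first replication cannot close the ports again.
netsh firewall set opmode mode=ENABLE profile=ALL
netsh firewall set service type=REMOTEADMIN  mode=ENABLE profile=ALL
netsh firewall set service type=FILEANDPRINT mode=ENABLE profile=ALL
netsh firewall set portopening protocol=TCP port=3268 name="Global Catalog LDAP" mode=ENABLE scope=ALL profile=ALL
netsh firewall set portopening protocol=TCP port="$adPort"  name="AD Replication" mode=ENABLE scope=ALL profile=ALL
netsh firewall set portopening protocol=TCP port="$frsPort" name="File Replication Service" mode=ENABLE scope=ALL profile=ALL

# Check (run after the restart): the pinned ports must be held by the right
# services, lsass.exe for Active Directory and ntfrs.exe for FRS. Any other
# owner means something else grabbed the port first and a new number is needed.
function Get-ReplicationListeners {
    netstat -a -n -o | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:($adPort|$frsPort)\s+\S+\s+LISTENING\s+(\d+)") {
            $proc = Get-Process -Id ([int]$matches[2]) -ErrorAction SilentlyContinue
            "{0,-6} {1}" -f $matches[1], $proc.ProcessName
        }
    }
}
Get-ReplicationListeners
netsh firewall show portopening   # the three TCP exceptions should be listed as Enable
```

After the restart, Get-ReplicationListeners should print two lines, the AD port owned by lsass and the FRS port owned by ntfrs; if either port is missing, the corresponding registry value was not picked up (check the key path and that the value is a DWORD, not a string), and if the firewall exceptions are missing from the netsh output, a domain GPO with its own port-exception list is probably overriding them.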
As explained in KB article 832017, Active Directory replication and the File Replication Service by default use a randomly selected port for their Remote Procedure Calls (RPC). Incoming connections on such a random port number are blocked by the firewall. The simplest solution to this issue is to configure these functions to use a specific port, as described in KB articles 224196 and 319553.
References:
- KB 832017, Service overview and network port requirements for the Windows Server system: documents the services and ports (UDP and TCP) used for various purposes by Windows Server
- KB 224196: Restricting Active Directory replication traffic to a specific port
- KB 319553: How to restrict FRS replication traffic to a specific static port
- IANA port number registry: definitive source for assigned port numbers. Includes this statement: "The Dynamic and/or Private Ports are those from 49152 through 65535"
Article ID: 555381 - Last Review: 11/09/2006 21:03:58 - Revision: 1.0
Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)