To establish a domain trust or a security channel across a firewall, the following ports must be opened. Be aware that there may be hosts functioning with both client and server roles on both sides of the firewall. Therefore, ports rules may have to be mirrored.

Windows NT

In this environment, one side of the trust is a Windows NT 4.0 trust, or the trust was created by using the NetBIOS names.

Client Port(s) Server Port Service
137/UDP 137/UDP NetBIOS Name
138/UDP 138/UDP NetBIOS Netlogon and Browsing
1024-65535/TCP 139/TCP NetBIOS Session
1024-65535/TCP 42/TCP WINS Replication

For a mixed-mode domain that uses either Windows NT domain controllers or legacy clients, trust relationships between Windows Server 2003-based domain controllers and Windows 2000 Server-based domain controllers may necessitate that all the ports for Windows NT that are listed in the previous table be opened in addition to the following ports.
Windows Server 2003 and Windows 2000 Server

Note The two domain controllers are both in the same forest, or the two domain controllers are both in a separate forest. Also, the trusts in the forest are Windows Server 2003 trusts or later version trusts.

Client Port(s) Server Port Service
1024-65535/TCP 135/TCP RPC
1024-65535/TCP 1024-65535/TCP LSA RPC Services (*)
1024-65535/TCP/UDP 389/TCP/UDP LDAP
1024-65535/TCP 636/TCP LDAP SSL
1024-65535/TCP 3268/TCP LDAP GC
1024-65535/TCP 3269/TCP LDAP GC SSL
53,1024-65535/TCP/UDP 53/TCP/UDP DNS
1024-65535/TCP/UDP 88/TCP/UDP Kerberos
1024-65535/TCP 445/TCP SMB

Windows Server 2008/Windows Server 2008 R2

In a mixed-mode domain that consists of Windows Server 2003 domain controllers, Windows 2000 Server-based domain controllers, or legacy clients, the default dynamic port range is 1025 through 5000. Windows Server 2008 and Windows Server 2008 R2, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, has increased the dynamic client port range for outgoing connections. The new default start port is 49152, and the default end port is 65535. Therefore, you must increase the RPC port range in your firewalls.

Client Port(s) Server Port Service
49152 -65535/UDP 123/UDP W32Time
49152 -65535/TCP 135/TCP RPC-EPMAP
49152 -65535/TCP 138/UDP Netbios
49152 -65535/TCP 49152 -65535/TCP RPC
49152 -65535/TCP/UDP 389/TCP/UDP LDAP
49152 -65535/TCP 636/TCP LDAP SSL
49152 -65535/TCP 3268/TCP LDAP GC
49152 -65535/TCP 3269/TCP LDAP GC SSL
53, 49152 -65535/TCP/UDP 53/TCP/UDP DNS
49152 -65535/TCP 135, 49152 -65535/TCP RPC DNS
49152 -65535/TCP/UDP 88/TCP/UDP Kerberos
49152 -65535/TCP/UDP 445/NP-TCP/NP-UDP SAM/LSA

Active Directory

For Active Directory to function correctly through a firewall, the Internet Control Message Protocol (ICMP) protocol must be allowed through the firewall from the clients to the domain controllers so that the clients can receive Group Policy information.

ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a legitimate protocol that Active Directory uses for Group Policy detection and for Maximum Transfer Unit (MTU) detection. The Windows Redirector also uses ICMP to verify that a server IP is resolved by the DNS service before a connection is made.

If you want to minimize ICMP traffic, you can use the following sample firewall rule:

<any> ICMP -> DC IP addr = allow

Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.

Alternatively, you can establish a trust through the Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel, and this will limit the number of ports that the firewall will need to open. For PPTP, the following ports must be enabled.

Client Ports Server Port Protocol
1024-65535/TCP 1723/TCP PPTP

In addition, you would have to enable IP PROTOCOL 47 (GRE).

Note When you add permissions to a resource on a trusting domain for users in a trusted domain, there are some differences between the Windows 2000 and Windows NT 4.0 behavior. If the computer cannotdisplay a list of the remote domain’s users:

  • Windows NT 4.0 tries to resolve manually-typed names by contacting the PDC for the remote user’s domain (UDP 138). If that communication fails, a Windows NT 4.0-based computer contacts its own PDC, and then asks for resolution of the name.
  • Windows 2000 and Windows Server 2003 also try to contact the remote user’s PDC for resolution over UDP 138, but they do not rely on using their own PDC. Make sure that all Windows 2000-based member servers and Windows Server 2003-based member servers that will be granting access to resources have UDP 138 connectivity to the remote PDC.

Post By Gishore J Kallarackal (2,121 Posts)

Gishore J Kallarackal is the founder of techgurulive. The purpose of this site is to share information about free resources that techies can use for reference. You can follow me on the social web, subscribe to the RSS Feed or sign up for the email newsletter for your daily dose of tech tips & tutorials. You can content me via @twitter or e-mail.

Website: → Techgurulive