The following are the required ports for AD the articles supporting are
following.
Windows Server 2003 and Windows 2000 Server
For a mixed-mode domain that uses either Windows NT domain controllers or
legacy clients, trust relationships between Windows Server 2003-based domain
controllers and Windows 2000 Server-based domain controllers may necessitate
that all the ports for Windows NT that are listed in the previous table be
opened in addition to the following ports.
Note The two domain controllers are both in the same forest, or the two
domain controllers are both in a separate forest. Also, the trusts in the
forest are Windows 2003 trusts or later version trusts. Client Port(s)Server
PortService
1024-65535/TCP135/TCPRPC
1024-65535/TCP1024-65535/TCPLSA RPC Services (*)
1024-65535/TCP/UDP389/TCP/UDPLDAP
1024-65535/TCP636/TCPLDAP SSL
1024-65535/TCP3268/TCPLDAP GC
1024-65535/TCP3269/TCPLDAP GC SSL
53,1024-65535/TCP/UDP53/TCP/UDPDNS
1024-65535/TCP/UDP88/TCP/UDPKerberos
1024-65535/TCP445/TCPSMB
(*) To define RPC server ports that are used by the LSA RPC services, see
the "Domain controllers and Active Directory" section in the following
Microsoft Knowledge Base article:
To answer your question review the following microsoft kb articles.
http://support.microsoft.com/kb/179442/
http://support.microsoft.com/kb/154596/en-us
http://support.microsoft.com/kb/224196/
The key is limiting all dynamically assigned ports such as RPC to a specific
port. While you can limit the services down and rid yourself of certain
ports the more you limit the more functionality you loose.
recipient(s) and may contain confidential and privileged information. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
messages.
From: "dubaisans dubai" <dubaisans@gmail.com>
To: focus-ms@securityfocus.com
Subject: win2k3 active directory - firewall ports
Date: Fri, 20 Jul 2007 11:54:04 +0530
MIME-Version: 1.0
Received: from outgoing.securityfocus.com ([205.206.231.26]) by
bay0-mc11-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Fri, 20
Jul 2007 12:08:30 -0700
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com via
smtpd (for bay0-oim-f.bay0.hotmail.com [65.54.244.200]) with ESMTP; Fri, 20
Jul 2007 12:07:07 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid
4E5DD1438D2; Fri, 20 Jul 2007 10:48:26 -0600 (MDT)
Received: (qmail 2167 invoked from network); 20 Jul 2007 06:45:52 -0000
i want to put win2k3 active directory server behind the corporate
firewall. we are using windows xp clients and also group policy
what ports need to be allowed on firewall ? is there any fine tuning
that can be done on AD to make it more firewall friendly?
i have some DC is remote locations . what ports need to be allowed between
DCs?
