What firewall ports need to be open for Active Directory?

I want to run DFS replication between a couple of servers. It's my understanding that the servers need to be part of a domain for this. Being able to give people a username and password that works on all servers would be useful too, so I can lock up the admin password.

All machines will be running Windows 2008R2 and they will all be running Windows Firewall, so I need to be able to allow the other machines to connect to this server, but lock out everyone else.

So my question is: what ports do I need to allow the machines to connect to the Domain Controller over?


According to this blog post from an MVP.

  • TCP 135: MS-RPC
  • TCP 1025 & 1026: AD Login & replication
  • TCP 389: LDAP
  • TCP & UDP 53: DNS
  • TCP 445: SMB, Microsoft-ds
  • TCP 139: SMB
  • UDP 137 & 138: NetBIOS related
  • UDP 88: Kerberos v5
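One way to turn that list into Windows Firewall rules on the domain controller that admit only the member servers and nothing else, as the question asks. This is an added example, not part of the answer or the blog post it cites; it uses the netsh advfirewall syntax that ships with 2008 R2, and the member server addresses are constructed placeholders.

```powershell
# Added example: inbound Windows Firewall rules on the DC, scoped to the member servers.
# The two addresses below are constructed placeholders; replace them with your servers.
$members = '10.0.0.11', '10.0.0.12'
$remote  = $members -join ','

# Port list exactly as given in the answer above (netsh accepts "a-b" port ranges).
$rules = @(
    @{ Proto = 'TCP'; Port = '135';       Label = 'MS-RPC' },
    @{ Proto = 'TCP'; Port = '1025-1026'; Label = 'AD login and replication' },
    @{ Proto = 'TCP'; Port = '389';       Label = 'LDAP' },
    @{ Proto = 'TCP'; Port = '53';        Label = 'DNS' },
    @{ Proto = 'UDP'; Port = '53';        Label = 'DNS' },
    @{ Proto = 'TCP'; Port = '445';       Label = 'SMB Microsoft-ds' },
    @{ Proto = 'TCP'; Port = '139';       Label = 'SMB over NetBIOS' },
    @{ Proto = 'UDP'; Port = '137-138';   Label = 'NetBIOS name and datagram' },
    @{ Proto = 'UDP'; Port = '88';        Label = 'Kerberos v5' }
)

foreach ($r in $rules) {
    $name = "AD members - $($r.Label) $($r.Proto)/$($r.Port)"
    # remoteip limits the rule to the listed hosts; any other source stays blocked
    # by the profile's default inbound action, so no explicit deny rule is needed.
    netsh advfirewall firewall add rule "name=$name" dir=in action=allow "protocol=$($r.Proto)" "localport=$($r.Port)" "remoteip=$remote" | Out-Null
}

# Review what was created before trusting it: every rule should show the
# member addresses under RemoteIP, never "Any".
netsh advfirewall firewall show rule name=all | Select-String 'AD members -', 'RemoteIP'
```

Run it in an elevated prompt on the domain controller; if the member servers are added later, rerun with the updated $members list after deleting the old rules with `netsh advfirewall firewall delete rule name="<rule name>"`.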