What firewall ports need to be open for Active Directory?

security windows-server-2008 active-directory windows-firewall

I want to run DFS replication between a couple of servers. It's my understanding that the servers need to be part of a domain for this. Being able to give people a username and password that works on all servers would be useful too, so I can lock up the admin password.

All machines will be running Windows 2008R2 and they will all be running Windows Firewall, so I need to be able to allow the other machines to connect to this server, but lock out everyone else.

So my question is: what ports do I need to allow the machines to connect to the Domain Controller over?


According to this blog post from an MVP.

  • TCP 135 : MS-RPC
  • TCP 1025 & 1026 : AD Login & replication
  • TCP 389 : LDAP
  • TCP & UDP 53 : DNS
  • TCP 445 : SMB , Microsoft-ds
  • TCP 139 : SMB
  • UDP 137 & 138 : NetBIOS related
  • UDP 88 : Kerberos v5

Related

pam_unix generates a lot of open/close sessions for my domain user
DNAT from localhost (127.0.0.1)
Setting up SSL on my server
Production monitoring for EC2 instances
Adding inetOrgPerson to account/posixAccount LDAP entries
postfix mail server setup for 8000 users using active directory [closed]
Upgrade curl to latest on CentOS 6.3
Should I have one MySQL instance for all our apps, or one instance for each?
disabling postfix "Undelivered Mail Returned to Sender"
Debian 8: can't get ClamAV to listen on TCP 3310
What is the logic behind VirtualHost / NameVirtualHost
Setup "open files" limit in Linux per user. Cannot setup more than 1024