Article ID: 179442 - Last Review: February 26, 2009 - Revision: 13.1
How to configure a firewall for domains and trusts
This article was previously published under Q179442
This article describes how to configure a firewall for domains and trusts.
Windows NT
In this environment, one side of the trust is a Windows NT 4.0 trust, or the trust
was created by using the NetBIOS names.
Client Port(s) Server Port Service
Note: The two domain controllers are both in the same forest, or each is in a separate
forest. Also, the trusts in the forest are Windows Server 2003 trusts or later-version
trusts.
Client Port(s) Server Port Service
http://support.microsoft.com/kb/179442 11/28/2009
How to configure a firewall for domains and trusts Page 2 of 4
For more information about this change, visit the Ask the Directory Services Team
blog and read the following article:
Dynamic Client Ports in Windows Server 2008 and Windows Vista
(http://blogs.technet.com/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx)
Active Directory
For Active Directory to function correctly through a firewall, the Internet Control
Message Protocol (ICMP) protocol must be allowed through the firewall from the
clients to the domain controllers so that the clients can receive Group Policy
information.
ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a
legitimate protocol that Active Directory uses for Group Policy detection and for
Maximum Transmission Unit (MTU) detection. The Windows Redirector also uses ICMP to
verify that a server IP is resolved by the DNS service before a connection is made.
If you want to minimize ICMP traffic, you can use the following sample firewall rule:
<any> ICMP -> DC IP addr = allow
Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port
number. This is because ICMP is directly hosted by the IP layer.
By default, Windows Server 2003 and Windows 2000 Server DNS servers use
ephemeral client-side ports when they query other DNS servers. However, this
behavior may be modified with a specific registry setting that is described in the
following article in the Microsoft Knowledge Base:
260186 (http://support.microsoft.com/kb/260186/) The SendPort DNS registry key does not work as expected
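The following PowerShell script is an added example for this article; it is not part of the original Knowledge Base text and not Microsoft's own tooling. It ties together three points made above: the sample ICMP rule (here narrowed to a specific client subnet and DC address instead of "<any>", and keyed on the ICMP type because ICMP has no port number), the dynamic client port range that changed in Windows Server 2008 and Windows Vista, and the DNS SendPort override from KB 260186. It assumes a Windows Server 2008 or later domain controller with the NetSecurity and NetTCPIP modules available, and the subnet, DC address and rule name are placeholders to replace. The registry path used for SendPort is the DNS service's standard Parameters key, taken from general Windows knowledge rather than from this article.

```powershell
# Added example, not from KB 179442. Run from an elevated prompt on the DC.
# The subnet, DC address and rule name below are placeholders.

param(
    [string]$ClientSubnet = '10.0.0.0/16',   # placeholder: client address range
    [string]$DcAddress    = '10.0.1.10',     # placeholder: this DC's IP address
    [string]$RuleName     = 'AD-Allow-ICMPv4-Echo-From-Clients'
)

# 1. The article's rule "<any> ICMP -> DC IP addr = allow", scoped to a client
#    subnet. ICMP has no port, so the rule matches on protocol and ICMP type
#    (8 = echo request). Create it only if a rule with this name is absent.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $ClientSubnet -LocalAddress $DcAddress `
        -Profile Domain -Action Allow | Out-Null
}

# 2. Show the rule with its address filter so the scope can be reviewed.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$addr = $rule | Get-NetFirewallAddressFilter
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Action        = $rule.Action
    RemoteAddress = ($addr.RemoteAddress -join ',')
    LocalAddress  = ($addr.LocalAddress -join ',')
}

# 3. Dynamic (ephemeral) client ports: Windows Vista / Server 2008 changed the
#    default range (see the Ask DS blog post linked above). Read the configured
#    range so the matching RPC client-port rule on the firewall can be verified.
$tcp   = Get-NetTCPSetting -SettingName Internet
$start = $tcp.DynamicPortRangeStartPort
$end   = $start + $tcp.DynamicPortRangeNumberOfPorts - 1
"Dynamic TCP client port range: $start-$end"

# 4. DNS SendPort override (KB 260186). Assumed path: the DNS service's
#    Parameters key. Only meaningful on a server that runs the DNS role.
$dnsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$sendPort = (Get-ItemProperty -Path $dnsKey -Name SendPort -ErrorAction SilentlyContinue).SendPort
if ($null -eq $sendPort) {
    'DNS SendPort not set: the DNS server uses ephemeral source ports for its queries.'
} else {
    "DNS SendPort is set to $sendPort (fixed source port; see KB 260186 for its caveats)."
}
```

The rule is created on the domain controller side because that is where the article's sample rule terminates; on a perimeter firewall between the client segment and the DC segment the equivalent rule is simply "ICMP echo request from the client range to the DC addresses, allow". Reading the dynamic port range from the DC itself matters because a firewall rule written for the pre-2008 range will silently drop RPC traffic from newer clients.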
For more information about Active Directory and firewall configuration, view the
"Active Directory in Networks Segmented by Firewalls" Microsoft White Paper. To do
this, visit the following Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en
Note: When you add permissions to a resource on a trusting domain for users in a
trusted domain, there are some differences between the Windows 2000 and
Windows NT 4.0 behavior. If the computer cannot display a list of the remote
domain's users:
APPLIES TO