How to configure a firewall for domains and trusts Page 1 of 4

Article ID: 179442 - Last Review: February 26, 2009 - Revision: 13.1
How to configure a firewall for domains and trusts
This article was previously published under Q179442

This article describes how to configure a firewall for domains and trusts.

To establish a domain trust or a secure channel across a firewall, the following
ports must be opened. Be aware that there may be hosts functioning with both
client and server roles on both sides of the firewall. Therefore, port rules may have
to be mirrored.

Windows NT
In this environment, one side of the trust is a Windows NT 4.0 trust, or the trust
was created by using the NetBIOS names.
Client Port(s)       Server Port   Service
137/UDP              137/UDP       NetBIOS Name
138/UDP              138/UDP       NetBIOS Netlogon and Browsing
1024-65535/TCP       139/TCP       NetBIOS Session
1024-65535/TCP       42/TCP        WINS Replication

Windows Server 2003 and Windows 2000 Server
For a mixed-mode domain that uses either Windows NT domain controllers or
legacy clients, trust relationships between Windows Server 2003-based domain
controllers and Windows 2000 Server-based domain controllers may necessitate
that all the ports for Windows NT that are listed in the previous table be opened in
addition to the following ports.

Note The two domain controllers are both in the same forest, or the two domain
controllers are in separate forests. Also, the trusts in the forest are Windows
Server 2003 trusts or later version trusts.
Client Port(s)          Server Port       Service
1024-65535/TCP          135/TCP           RPC
1024-65535/TCP          1024-65535/TCP    LSA RPC Services (*)
1024-65535/TCP/UDP      389/TCP/UDP       LDAP
1024-65535/TCP          636/TCP           LDAP SSL
1024-65535/TCP          3268/TCP          LDAP GC
1024-65535/TCP          3269/TCP          LDAP GC SSL
53,1024-65535/TCP/UDP   53/TCP/UDP        DNS
1024-65535/TCP/UDP      88/TCP/UDP        Kerberos
1024-65535/TCP          445/TCP           SMB


(*) To define RPC server ports that are used by the LSA RPC services, see the
"Domain controllers and Active Directory" section in the following Microsoft
Knowledge Base article:
832017 (http://support.microsoft.com/kb/832017/ ) Service overview and
network port requirements for the Windows Server system

Windows Server 2008/Windows Server 2008 R2
In a mixed-mode domain that consists of Windows Server 2003 domain controllers,
Windows 2000 Server-based domain controllers, or legacy clients, the default
dynamic port range is 1025 through 5000. Windows Server 2008 and Windows
Server 2008 R2, in compliance with Internet Assigned Numbers Authority (IANA)
recommendations, have increased the dynamic client port range for outgoing
connections. The new default start port is 49152, and the default end port is 65535.
Therefore, you must increase the RPC port range in your firewalls.
Client Port(s)            Server Port             Service
49152-65535/UDP           123/UDP                 W32Time
49152-65535/TCP           135/TCP                 RPC-EPMAP
49152-65535/TCP           138/UDP                 Netbios
49152-65535/TCP           49152-65535/TCP         RPC
49152-65535/TCP/UDP       389/TCP/UDP             LDAP
49152-65535/TCP           636/TCP                 LDAP SSL
49152-65535/TCP           3268/TCP                LDAP GC
49152-65535/TCP           3269/TCP                LDAP GC SSL
53,49152-65535/TCP/UDP    53/TCP/UDP              DNS
49152-65535/TCP           135,49152-65535/TCP     RPC DNS
49152-65535/TCP/UDP       88/TCP/UDP              Kerberos
49152-65535/TCP/UDP       445/NP-TCP/NP-UDP       SAM/LSA


For more information about the change in the dynamic port range in Windows
Server 2008, click the following article number to view the article in the Microsoft
Knowledge Base:
929851 (http://support.microsoft.com/kb/929851/ ) The default dynamic port
range for TCP/IP has changed in Windows Vista and in Windows Server 2008

For more information about this change, visit the Ask the Directory Services Team
blog and read the following article:
Dynamic Client Ports in Windows Server 2008 and Windows Vista
(http://blogs.technet.com/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx)

Active Directory
For Active Directory to function correctly through a firewall, the Internet Control
Message Protocol (ICMP) protocol must be allowed through the firewall from the
clients to the domain controllers so that the clients can receive Group Policy
information.

ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a
legitimate protocol that Active Directory uses for Group Policy detection and for
Maximum Transfer Unit (MTU) detection. The Windows Redirector also uses ICMP to
verify that a server IP is resolved by the DNS service before a connection is made.

If you want to minimize ICMP traffic, you can use the following sample firewall rule:

<any> ICMP -> DC IP addr = allow

Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port
number. This is because ICMP is directly hosted by the IP layer.

By default, Windows Server 2003 and Windows 2000 Server DNS servers use
ephemeral client-side ports when they query other DNS servers. However, this
behavior may be modified with a specific registry setting that is described in the
following article in the Microsoft Knowledge Base:
260186 (http://support.microsoft.com/kb/260186/ ) The SendPort DNS registry
key does not work as expected

For more information about Active Directory and firewall configuration, view the
"Active Directory in Networks Segmented by Firewalls" Microsoft White Paper. To do
this, visit the following Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en

Alternatively, you can establish a trust through the Point-to-Point Tunneling
Protocol (PPTP) compulsory tunnel, and this will limit the number of ports that the
firewall will need to open. For PPTP, the following ports must be enabled.
Client Ports      Server Port   Protocol
1024-65535/TCP    1723/TCP      PPTP

In addition, you would have to enable IP PROTOCOL 47 (GRE).

Note When you add permissions to a resource on a trusting domain for users in a
trusted domain, there are some differences between the Windows 2000 and
Windows NT 4.0 behavior. If the computer cannot display a list of the remote
domain's users:

- Windows NT 4.0 tries to resolve manually-typed names by contacting the
  PDC for the remote user's domain (UDP 138). If that communication fails, a
  Windows NT 4.0-based computer contacts its own PDC, and then asks for
  resolution of the name.
- Windows 2000 and Windows Server 2003 also try to contact the remote
  user's PDC for resolution over UDP 138, but they do not rely on using their
  own PDC. Make sure that all Windows 2000-based member servers and
  Windows Server 2003-based member servers that will be granting access to
  resources have UDP 138 connectivity to the remote PDC.

APPLIES TO

- Windows Server 2008 Datacenter
- Windows Server 2008 Enterprise
- Windows Server 2008 Standard
- Windows Server 2008 R2 Datacenter
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Standard
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows NT Server 4.0 Standard Edition
- Windows Server 2008 Datacenter without Hyper-V
- Windows Server 2008 Enterprise without Hyper-V
- Windows Server 2008 for Itanium-Based Systems
- Windows Server 2008 Foundation
- Windows Server 2008 R2 Datacenter without Hyper-V
- Windows Server 2008 R2 Enterprise without Hyper-V
- Windows Server 2008 R2 Standard without Hyper-V
- Windows Web Server 2008 R2

Keywords: kbenv kbhowto kbnetwork KB179442

Microsoft Support ©2009 Microsoft

http://support.microsoft.com/kb/179442 11/28/2009
