I thought to clean up and re-publish my blog on AD ports requirements. Yes, they are extensive, to the dismay of the network group in your organization. But it is what it is, and it is what we need to follow to make AD work.
RPC server not available? Replication errors in the Event viewer? Sound familiar?
If so, you’ve been succumbed to the fact and realization there are possibly necessary ports being blocked causing these familiar AD communications errors. Whether between locations with firewall/VPN tunnel port blocks, Windows Firewall (which is usually not the culprit because they will auto-configure for the role of the machine and it’s current network location), or even security software or antivirus apps with some sort of “network traffic protection” feature enabled that is causing the problem.
Simply speaking, if there are replication or other AD communication problems, and you have an antivirus software installed on the endpoints or installed on all of your DCs, disable it, or better yet, uninstall it. Uninstalling it is the best bet, so you know there are no traces of other subcomponents that are active that may still be causing the block. If after uninstalling it, and you find replication now works, well there you have it. At that point, you’ll need to contact your antivirus vendor to ask them the best way to configure it to allow AD communications and replication.
If it’s not your antivirus or security app, and disabling the Windows firewall doesn’t do the trick, then it’s obvious it’s an outside factor – your edge/perimeter firewalls.
Also to point out, when testing for port blocks, tools such as telnet is not a good tool to test AD/DC to DC connectivity, nor is any sort of standard port scan, such as using nmap, or a simple ping, resolving with nslookup (although resolving required records is a pre-requisite), or other tools. The only reliable test is using Microsoft’s PortQry, which tests specific AD ports and the ephemeral ports, and the required responses from the services on the required AD ports it specifically scans for.
AD through a NAT? Nope. Period.
Oh, and don’t expect to get this to work through a NAT. NATs cannot translate the encrypted RPC traffic therefore bonking LDAP communications.
Description of Support boundaries for Active Directory over NAT
http://support.microsoft.com/kb/978772
How to configure RPC dynamic port allocation to work with firewalls”
AD communications won’t work through a NAT port translation, such as you cannot use DCOM through a NAT firewall that performs address translation (e.g. where a client connects to virtual address 198.252.145.1, which the firewall maps transparently to the server’s actual internal IP address of, say, 192.100.81.101). This is because DCOM stores raw IP addresses in the interface marshaling packets and if the client cannot connect to the address specified in the packet, it will not work.”
Quoted from: http://support.microsoft.com/kb/154596/en-us
Windows 2000 NAT Does Not Translate Netlogon Traffic (this applies to all DCs)
Quoted: “Windows 2000 NAT does not support Netlogon and translate Kerberos. If you have clients that are located behind a Windows 2000-based NAT server and need access to domain resources, consider creating a Routing and Remote Access virtual private network (VPN) tunnel for Netlogon traffic, or upgrade the clients to Windows 2000.”
Quoted from: http://support.microsoft.com/kb/263293
*
Ok, let’s find out if the ports are being blocked
Now you’re thinking that your network infrastructure engineers know what they’re doing and opened up the necessary ports, so you’re thinking, this can’t be the reason? or is it? Well, let’s find out. We can use PortQry to test it. And no, you don’t want to use ping, nslookup, nmap or any other port scanner, because they’re not designed to query the necessary AD ports to see if they are responding or not.
So let’s run PortQry:
First, download it:
PortQryUI – GUI – Version 2.0 8/2/2004
http://www.microsoft.com/download/en/details.aspx?id=24009
Then run the “Domains & Trusts” option between DCs, or between DCs and any machine (other servers you want to promote, or even from a client machine), or from the bridgeheads in each site to the other bridgehead in the other site., pretty much anywhere that you want to test if there are any blocked AD ports.
The point is, you’ll want to run it in any scenario where a DC must communicate to another DC or to a client.
If you get any errors with “NOTLISTENING,” 0x00000001, and 0x00000002, that means there is a port block. Take note on which ports they are.
You can ignore UDP 389 and UDP 88 messages. If you see TCP 42 errors, that just means WINS is not running on the target server.
PortQry References
Knock Knock Is That Port Open?
By Mark Morowczynski [MSFT] 18 Apr 2011, Quick tutorial about PortQry GUI version.
http://blogs.technet.com/b/markmoro/archive/2011/04/18/knock-knock-is-that-port-open.aspx
“At times you may see errors such as The RPC server is unavailable or There are no more endpoints available from the endpoint mapper …”
http://blogs.technet.com/b/askds/archive/2009/01/22/using-portqry-for-troubleshooting.aspx
How to use Portqry to troubleshoot Active Directory connectivity issues
http://support.microsoft.com/kb/816103
If you want to use the command line only version:
Download details: PortQry Command Line Only Port Scanner Version 2.0
http://www.microsoft.com/downloads/en/details.aspx?familyid=89811747-c74b-4638-a2d5-ac828bdc6983&displaylang=en
Understanding portqry and the command’s output: New features and functionality in PortQry version 2.0
http://support.microsoft.com/kb/832919
Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099
Portqry Remarks
http://technet.microsoft.com/en-us/library/cc759580(WS.10).aspx
*
DC to DC and DC to client communications Require Numerous ports
There’s no secret to this. That’s the simplest I can put it.
And, the list of ports required is long, to the dismay of network infrastructure engineering teams that must bequest ports to allow AD to communicate, replicate, etc., these ports must be opened. There really isn’t much that can be done otherwise.
Here’s the list with an explanation of each port:
|
Protocol and Port
|
AD and AD DS Usage | Type of traffic |
| TCP 25 | Replication | SMTP |
| TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS |
| TCP 135 | Replication | RPC, EPM |
| TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution |
| TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 9389 | AD DS Web Services | SOAP |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
| UDP 123 | Windows Time, Trusts | Windows Time |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service |
| UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE |
And We Must Never Forget the Ephemeral Ports!!
And most of all, the Ephemeral ports, or also known as the “service response ports,” that are required for communications. These ports are dynamically created for session responses for each client that establishes a session, (no matter what the ‘client’ may be), and not only to Windows, but to Linux and Unix as well.
See below in the references section to find out more on what ‘ephemeral’ means.are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux, Unix and other operating systems, as well. See below in the references section to find out more on what ‘ephemeral’ means.
The following chart shows what the ephemeral ports are depending on the OS version, and what they are used for.
| Window 2003, Windows XP, and Windows 2000 | TCP & UDP | 1024-5000 | Ephemeral Dynamic Service Response Ports |
| Windows 2008/Vista and newer | TCP & UDP 49152-65535 | Ephemeral Dynamic Service Response Ports | |
| TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS | |
| UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM |
If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
| TCP & UDP 1024 – 65535 | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB |
See, wasn’t that simple?
The Short list without port explanations:
| Protocol | Port |
| TCP | 25 |
| TCP | 42 |
| TCP | 135 |
| TCP | 137 |
| TCP | 139 |
| TCP and UDP | 389 |
| TCP | 636 |
| TCP | 3268 |
| TCP | 3269 |
| TCP and UDP | 88 |
| TCP and UDP | 53 |
| TCP and UDP | 445 |
| TCP | 9389 |
| TCP | 5722 |
| TCP and UDP | 464 |
| UDP | 123 |
| UDP | 137 |
| UDP | 138 |
| UDP | 67 |
| UDP | 2535 |
| TCP & UDP | 1024-5000 |
| TCP & UDP | 49152-65535 |
If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDC:
The following Ephemeral ports must be opened (yes, it’s pretty much the whole range):
| TCP & UDP | 1024-65535 |
*
Restricting Ports Across a Firewall
You also have the ability to restrict DC to DC replication traffic, and DC to client communications, to a specific ports. Keep in mind, it also depends on what ports and services you’ll want to restrict. When choosing this option, you must specify the correct ports for the correct service.
It depends on what ports and services you want to restrict?
1. Method 1
This is to used to set the specific AD replication port. By default it uses dynamic port to replicate data from DC in one site to another.
This is applicable for restriction AD replication to a specific port range.
Procedure: Modify registry to select a static port.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196
2. Method 2
This is for configuring the port range(s) in the Windows Firewall.
Netsh – use the following examples to set a starting port range, and number of ports after it to use
netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/929851
3. Modify the registry
This is for Windows services communications. It also affects AD communications.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
How to configure RPC dynamic port allocation to work with firewalls
http://support.microsoft.com/kb/154596/en-us
Here are some related links to restricting AD replication ports.
Reference thread:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/76e8654a-fbba-49af-b6d6-e8d9d127bf03/
RODC Firewall Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx
RODC – “Read only Domain Controllers” have their own port requirements
|
Traffic
|
Type of Traffic |
| UDP 53 DNS | DNS |
| TCP 53 DNS | DNS |
| TCP 135 | RPC, EPM |
| TCP Static 53248 | FRsRpc |
| TCP 389 | LDAP |
| TCP and UDP Dynamic 1025 – 5000 |
Windows 2000, Windows 2003, Windows XP Ephemeral Ports |
| TCP and UDP Dynamic 49152 – 65535 | Windows 2008, Windows Vista and all newer operating systems Ephemeral Ports |
Designing RODCs in the Perimeter Network
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196
Good discussion on RODC and firewall ports required:
http://forums.techarena.in/active-directory/1303925.htm
Further info on how RODC authentication works will help understand the ports:
Understanding “Read Only Domain Controller” authentication
http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx
References
How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442
Active Directory and Active Directory Domain Services Port Requirements, Updated: June 18, 2009 (includes updated new ephemeral ports for Windows Vista/2008 and newer). This also discusses RODC port requirements. You must also make sure the ephemeral ports are opened. They are:
TCP & UDP 1025-5000
TCP & UDP 49152-65535
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
Windows 2008, 2008 R2, Vista and Windows 7 Ephemeral Port range has changed from the ports used by Windows 2003 Windows XP, and Windows 2000. Default ephemeral (Random service dynamic response ports) are UDP 1024 – 65535 (See KB179442 below), but for Vista and Windows 2008 it’s different. Their default start port range is UDP 49152 to UDP 65535 (see KB929851 below).
Quoted from KB929851 (link posted below): “To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.”
Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports) have changed.
http://support.microsoft.com/?kbid=929851
Active Directory and Firewall Ports – I found it hard to find a definitive list on the internet for what ports needed opening for Active Directory to replication between Firewalls. …
http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx
Active Directory Replication over Firewalls, Jan 31, 2006. (includes older pre-Windows Vista/2008 ephemeral ports)
http://technet.microsoft.com/en-us/library/bb727063.aspx
How Domains and Forests Work
Also shows a list of ports needed.
http://technet.microsoft.com/en-us/library/cc783351(v=ws.10).aspx
Paul Bergson’s Blog on AD Replication and Firewall Ports
http://www.pbbergs.com/windows/articles/FirewallReplication.html
Exchange DS Access ports
Configuring an Intranet Firewall for Exchange 2003, April 14, 2006.
Protocol ports required for the intranet firewall and ports required for Active Directory and Kerberos communications
http://technet.microsoft.com/en-us/library/bb125069.aspx
Additional Reading
Restricting Active Directory replication traffic and client RPC …Restricting Active Directory replication traffic and client RPC traffic to a … unique port, and you restart the Netlogon service on the domain controller. …
http://support.microsoft.com/kb/224196
How to restrict FRS replication traffic to a specific static port – How to restrict FRS replication traffic to a specific static port … Windows 2000-based domain controllers and servers use FRS to replicate system policy …
http://support.microsoft.com/kb/319553
Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
This KB indicates Checkpoint firewalls having an issue with AD communications.
http://support.microsoft.com/?kbid=899148
Checkpoint Firewall and AD, DNS and RPC Communications and Replication traffic
Checkpoint firewalls have a known issue if you are running version R55 or older. You will need to make a registry entry to allows traffic to flow between the 2 sites via the vpn. The preferred solution is to upgrade the Checkpoint firewall.
More info:
Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
(This link relates to and helps resolve the Checkpoint issue)
http://support.microsoft.com/?kbid=899148
![Microsoft Active Directory Certificate Services [AD CS] Installation](https://hamidsadeghpour.net/wp-content/uploads/2019/03/CA-Srv-768x432.jpg)
![Windows Admin Center [ Meeting ] – 2019/03/20– Izmir/Turkey](https://hamidsadeghpour.net/wp-content/uploads/2019/03/20190321_200812-768x576.jpg)
