User Tools

Site Tools


Active Directory over Firewalls

Ports to open

Client Port(s) / Source Server Ports / Destination Service
53,1024-65535/TCP/UDP 53 TCP/UDP DNS
1024-65535/TCP/UDP 88 TCP/UDP Kerberos
1024-65535/UDP 123 UDP Network Time Protocol (NTP)
1024-65535/TCP 135 TCP RPC
1024-65535/TCP/UDP 389 TCP/UDP LDAP
1024-65535/TCP/UDP 445 TCP/UDP SMB
1024-65535/TC 636 TCP LDAP SSL
1024-65535/TCP 1024-65535 TCP LSA RPC Services (*)
1024-65535/TCP 3268 TCP LDAP GC
1024-65535/TCP 3269 TCP LDAP GC SSL

:!: To have a reasonable configuration of the firewall (not as swiss cheese), you have the limit the port range of RPC (see following enties)


Limiting RPC port range

The example shows a limitation to ports 5000-5100.

Microsoft proposes to enable at least 300 ports for RPC

Details about changing the port range of RPC can be found at the Microsoft Knowledge Base: article 154596 and article 179442.

Be careful changing the registry, wrong settings can make the system unboootable!

Step by step

  1. Start the registry editor: cmd ⇒ “Regedt32.exe”
  2. Create a new key under “HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc” with the name “Internet”
  3. Add a new Multi-String Value “Ports” with a port range (e.g. 5000-5100)
  4. Add a new String Value “PortsInternetAvailable” with value Y
  5. Add a new String Value “UseInternetPorts” with value Y
  6. Reboot the server

This change must be performed on both systems that connect to each other

That's what the registry should look like

Port range limiting in regedit


nltest.exe allows to verify the connection between a client and the DC. It is available at any Microsoft product CD in the file \Support\Tools\

nltest.exe /dclist:[domainname]
nltest.exe /sc_verify:[domainname]
nltest.exe /sc_query:[domainname]
/srv/ · Last modified: 2009/08/15 18:56 (external edit)