From: Bob
Product: General
Date: 14 Oct 2006
Time: 11:29:47 -0400

Comments:

To establish a domain trust or a security channel across a firewall, the following ports must be opened.

Windows NT

  Client Port(s)        Server Port    Service
  1024-65535/TCP        135/TCP        RPC *
  137/UDP               137/UDP        NetBIOS Name
  138/UDP               138/UDP        NetBIOS Netlogon and Browsing
  1024-65535/TCP        139/TCP        NetBIOS Session
  1024-65535/TCP        42/TCP         WINS Replication

Windows Server 2003 and Windows 2000 Server

For a mixed-mode domain with either Windows NT domain controllers or legacy clients, or a trust relationship between two Windows Server 2003-based or Windows 2000 Server-based domain controllers that are not in the same forest, all of the preceding ports for Windows NT may need to be opened in addition to the following ports:

  Client Port(s)              Server Port      Service
  1024-65535/TCP              135/TCP          RPC *
  1024-65535/TCP/UDP          389/TCP/UDP      LDAP
  1024-65535/TCP              636/TCP          LDAP SSL
  1024-65535/TCP              3268/TCP         LDAP GC
  1024-65535/TCP              3269/TCP         LDAP GC SSL
  53,1024-65535/TCP/UDP       53/TCP/UDP       DNS
  1024-65535/TCP/UDP          88/TCP/UDP       Kerberos
  1024-65535/TCP              445/TCP          SMB

For Active Directory to function correctly through a firewall, the Internet Control Message Protocol (ICMP) must be allowed through the firewall from the clients to the domain controllers so that the clients can receive Group Policy information. ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a legitimate protocol that Active Directory uses for Group Policy detection and for Maximum Transfer Unit (MTU) detection.
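An added example, not from the original post: a small Python checker that encodes the two tables above as data and reports which required server-side ports (and the ICMP requirement) a firewall allow-list does not cover, for a plain AD trust or a mixed-mode/cross-forest one. The rule syntax ("allow tcp 389", "allow udp 1024-65535", "allow icmp") and the sample policy are constructed for this example and are not any firewall's real format.

```python
from typing import Iterable, List, Optional, Tuple

# Server-side requirements from the tables above as (service, protocol, port).
# Client-side source ports are ephemeral (1024-65535) and are not modelled here.
NT_PORTS = [
    ("RPC", "tcp", 135), ("NetBIOS Name", "udp", 137),
    ("NetBIOS Netlogon and Browsing", "udp", 138),
    ("NetBIOS Session", "tcp", 139), ("WINS Replication", "tcp", 42),
]
AD_PORTS = [
    ("RPC", "tcp", 135), ("LDAP", "tcp", 389), ("LDAP", "udp", 389),
    ("LDAP SSL", "tcp", 636), ("LDAP GC", "tcp", 3268), ("LDAP GC SSL", "tcp", 3269),
    ("DNS", "tcp", 53), ("DNS", "udp", 53), ("Kerberos", "tcp", 88),
    ("Kerberos", "udp", 88), ("SMB", "tcp", 445),
    ("ICMP for Group Policy slow-link and MTU detection", "icmp", 0),
]

def required_ports(mixed_mode: bool) -> List[Tuple[str, str, int]]:
    """Mixed-mode or cross-forest trusts need the NT ports in addition to the AD ports."""
    return AD_PORTS + NT_PORTS if mixed_mode else list(AD_PORTS)

def parse_rule(line: str) -> Optional[Tuple[str, int, int]]:
    """Constructed rule format: 'allow tcp 389' -> ('tcp', 389, 389),
    'allow udp 1024-65535' -> ('udp', 1024, 65535), 'allow icmp' -> ('icmp', 0, 0).
    Any line that is not an allow rule is ignored (None)."""
    parts = line.lower().split()
    if len(parts) < 2 or parts[0] != "allow":
        return None
    if parts[1] == "icmp":
        return ("icmp", 0, 0)
    if len(parts) < 3:
        return None
    low, _, high = parts[2].partition("-")
    return (parts[1], int(low), int(high or low))

def missing_ports(policy: Iterable[str], mixed_mode: bool) -> List[str]:
    """Return the required entries the policy does not allow, in table order."""
    allowed = [r for r in (parse_rule(l) for l in policy) if r is not None]
    missing = []
    for service, proto, port in required_ports(mixed_mode):
        # A port is covered if any allow rule for the same protocol spans it.
        if not any(p == proto and low <= port <= high for p, low, high in allowed):
            missing.append(f"{service} {proto}" if proto == "icmp"
                           else f"{service} {port}/{proto.upper()}")
    return missing

# Constructed sample policy for a plain AD trust: Kerberos UDP and SMB were forgotten.
SAMPLE_POLICY = [
    "allow tcp 135", "allow tcp 389", "allow udp 389", "allow tcp 636",
    "allow tcp 3268-3269", "allow tcp 53", "allow udp 53", "allow tcp 88",
    "allow icmp", "# deny everything else",
]
```

Running `missing_ports(SAMPLE_POLICY, mixed_mode=True)` additionally lists the four NetBIOS/WINS ports the NT table requires, which is the gap most often hit when an NT-era domain controller or client is still in the mix.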