W2K3 firewall blocking domain trust need help with ports

Posted on 2008-10-16
Last Modified: 2010-04-21
I've read all the postings here for help and all of the microsoft KBs and other forums.  My situation is I have a 2000 Domain and a new 2003 domain.  Different forests each running it's own DNS.  Both Domains are on the same network.  I have setup the dns forward lookup zones on each and verified each is working according to other posts here.  What I have a problem with is when I disable the windows firewall on the 2003 server everything works fine, no problems and fast, when I turn the firewall on, the trust disconnects and I get RPC server unavailable errors.  I have setup exceptions in the firewall according to MS recommendations and other suggestions from here.  None work.  Has anyone found the "magic" ports to open?  I would prefer to leave the firewall on.
Question by:Codeonesysadmin
  • 3
  • 2

Expert Comment

ID: 22736612
In many environments the WIndows 2003 firewall is disabled.  This is usually because they have a good quality firewall in place at the perimter.
If you choose to keep it enabled, yes you need to allow thorugh the ports for Active Directory authentication.
 TCP ports: 135,139,445

UDP ports: 135,137,138,445
You should not need RPC, port 88, but keep it in mind in case there are issues.
LVL 38

Expert Comment

ID: 22741940
Just wanted to make sure you saw these articles:
one thing this doesn't mention is ICMP: (for Ping and tracert)

I always liked this article for key microsoft ports:

Author Comment

ID: 22743390
Thanks guys for the support.  ChiefIT, I had used all 3 of those documents already in my previous attempts.  Particularly the first 2.  I have done precisely what they explain and to no avail.  SStone, all those ports are already open in my configuration.  We are being forced for now to leave the firewall off.  It's not a huge risk as we are behind a WatchGuard firewall and things seem pretty secure.  I was just hoping that someone may have run into this issue with the 2k3 firewall and domain trusts.  I'll leave the question for a few more days while I do other research and await any further responces.  Thanks again for the help!
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

LVL 38

Accepted Solution

ChiefIT earned 250 total points
ID: 22747192
         3268:tcp:*:enabled:Global Catalog LDAP
         53211:tcp:*:enabled:AD Replication (Note: use the port number selected in 1.b.i above)
         53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in 1.b.ii above)

Let's see what we are missing:
+++++Remote Procedure Call
Application protocol Protocol Port
+++++++Maybe Mail:
System Service Name SMTPSVC

Application protocol Protocol Port
+++++System Service Name CertSvc

Application protocol Protocol Port
Randomly allocated high TCP ports

It looks like you are missing the port 135 for RPC service and CA service as exceptions. Sometimes random port can be defined in registry to be a fixed port number for this very reason. I hope this helps.  


Author Comment

ID: 22832387
Thanks for the help.  In the end, we turned off the firewall.  I tried setting the RPC random port to a specific, but that too didn't work for us.  As everything works great with the firewall off and we do have a secure network with hardware, I guess the risk just isn't there.  Anyway, Thanks for the great info!

Author Closing Comment

ID: 31506991
Thanks for the specifics and documents to support the question!

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
fine grained password polices 3 42
Is AD Certificate Services necessary to migrate 7 48
MDM vs GPO 16 34
Powershell: Check if WinRM is listening 3 19
Resolve DNS query failed errors for Exchange
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now