Communication Ports between DCs in different domains of the same forest.


I am building a new forest with one root domain and 5 child domains, all 2008 R2. Because of the security requirements, every domain will be on a different network separated by a firewall. I need to come up with the ports that will need to be opened between domain controllers in different domains.

This article outlines communication ports between DCs.

The thing that concerns me is the dynamic port range of 49152 to 65535. I know that the security group is really not going to want to open that large a port range. I know that you can restrict that range to a smaller number. I have done that previously for our smaller test domain. However, I am not sure if I want that for our main production forest.

1. Do all those ports listed in the article also apply to communication between domain controllers of different domains in the same forest? Particularly that dynamic port range.

2. Do I need to open any firewall ports between different child domains, or will it be enough to open ports between the root domain and each child domain?

3. Would it be a good idea to set up IPSec transport mode between domain controllers of different domains? That way I will only have to open ports for 1 protocol, as opposed to all those many ports including the large port range. Are there any drawbacks to this method?

4. Are there really any drawbacks to limiting the dynamic port range to, let's say, 20 ports, or 50 ports, or 100 ports?

Adam Brown, Sr Solutions Architect, commented:
1. The Dynamic port range is for RPC access. For the most part, RPC is necessary for Domain Replication. Replication doesn't occur between domains, and it isn't necessary to open RPC for communication over a trust. The following ports are required for communication over a domain trust:
389 For LDAP (Or 663 for LDAPS)
445 for SMB
88 for Kerberos
and 135 for netlogon

2. You only need to open ports for communication between domains that have direct trusts. Parent/child trusts are transitive and will go from child to root to child by default.

3. IPSec is a great thing to use for communication through firewalls. I haven't configured it before, and it's a little tricky to work with, but there aren't really any drawbacks to using it besides the added complexity.

4. The drawback to limiting the port range is that you can eventually run out of ports for RPC communication. It's possible to drop the range to a point where heavy RPC traffic can use up all the available ports, at which point replication will start failing.
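As an added example (not code from the thread or from either commenter), a PowerShell script that puts numbers behind points 1 and 4: it reads the DC's current dynamic TCP range, counts how many ports in that range are actually in use, compares that against a proposed narrower range, and probes the trust ports listed above on remote DCs. `$ProposedCount` and `$RemoteDCs` are assumed inputs, and the netsh parsing assumes English-language output.

```powershell
# Added example (not from the thread): size a narrower dynamic range against
# real usage and verify the trust ports on remote DCs. Uses only netsh and
# .NET APIs available on Windows Server 2008 R2 / PowerShell 2.0.
param(
    [int]$ProposedCount = 100,     # assumed: the narrowed range size under consideration
    [string[]]$RemoteDCs = @()     # assumed: DCs in other domains to probe, e.g. dc1.child.example
)

function Get-DynamicPortRange {
    # Parse "Start Port : 49152" and "Number of Ports : 16384" from netsh
    $out = netsh int ipv4 show dynamicport tcp
    $start = [int](($out | Select-String 'Start Port').Line -replace '\D', '')
    $count = [int](($out | Select-String 'Number of Ports').Line -replace '\D', '')
    return @{ Start = $start; End = $start + $count - 1; Count = $count }
}

function Get-DynamicPortUsage($range) {
    # Count distinct local ports (connections + listeners) inside the range
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $ports = @($ip.GetActiveTcpConnections() | ForEach-Object { $_.LocalEndPoint.Port }) +
             @($ip.GetActiveTcpListeners()   | ForEach-Object { $_.Port })
    $inUse = @($ports | Where-Object { $_ -ge $range.Start -and $_ -le $range.End } | Sort-Object -Unique)
    return $inUse.Count
}

function Test-TrustPorts([string]$dc) {
    # Ports from the accepted answer plus 636, the port LDAPS actually listens on
    $names = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAPS' }
    foreach ($p in ($names.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try {
            $ar = $client.BeginConnect($dc, $p, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne(2000)) { $client.EndConnect($ar); $ok = $client.Connected }
        } catch { $ok = $false } finally { $client.Close() }
        '{0,-30} {1,5} {2,-20} {3}' -f $dc, $p, $names[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

$range = Get-DynamicPortRange
$inUse = Get-DynamicPortUsage $range
'Dynamic TCP range {0}-{1} ({2} ports): {3} in use now' -f $range.Start, $range.End, $range.Count, $inUse
if ($inUse -ge $ProposedCount) {
    "WARNING: current usage already exceeds a proposed range of $ProposedCount ports; RPC and replication would fail"
} else {
    'A {0}-port range would be {1}% used right now; measure again at peak load before narrowing' -f $ProposedCount, [math]::Round(100 * $inUse / $ProposedCount, 1)
}
foreach ($dc in $RemoteDCs) { Test-TrustPorts $dc }
```

Run it on each DC during replication and logon peaks, not just once, since a range that looks comfortable at idle is exactly the one that fails under the load the answer describes.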
Mike Kline commented:
+1 to all of acbrown's comments.

Especially #3: test IPSEC first in a lab and make sure you understand how it works. Also, is it only going to be IPSEC for DC to DC communication, or also between admin workstations and DCs (have seen that too)?

I'm personally not a huge fan of doing this, because then down the road someone forgets the registry entry on a DC and issues arise, etc., and I personally don't see it as a huge security risk.


Question has a verified solution.
