Communication Ports between DCs in different domains of the same forest.

Posted on 2011-05-06
Last Modified: 2012-05-11

I am building a new forest with one root domain and 5 child domains, all 2008 R2.  Because of the security requirements every domain will be on a different network separated by the firewall.  I need to come up with ports that will need to be opened between domain controllers in different domains.

This article outlines communication ports between DCs.

The thing that concerns me is the dynamic port range of 49152 to 65535.  I know that the security group is really not going to want to open that large a port range.  I know that you can restrict that range to a smaller number.  I have done that previously for our smaller test domain.  However, I am not sure if I want to do that for our main production forest.

1. Do all those ports listed in the article also apply to communication between domain controllers of different domains in the same forest? Particularly that dynamic port range.

2. Do I need to open any firewall ports between different child domains, or will it be enough to open ports between the root domain and each child domain?

3. Would it be a good idea to set up IPsec transport mode between domain controllers of different domains? That way I will only have to open ports for 1 protocol, as opposed to all those many ports including the large port range. Are there any drawbacks to this method?

4. Are there really any drawbacks to limiting the dynamic port range to, let's say, 20 ports, or 50 ports, or 100 ports?

Question by: Alexey91

Accepted Solution

1. The dynamic port range is for RPC access. For the most part, RPC is necessary for domain replication. Replication doesn't occur between domains, and it isn't necessary to open RPC for communication over a trust. The following ports are required for communication over a domain trust:
389 for LDAP (or 663 for LDAPS)
445 for SMB
88 for Kerberos
and 135 for netlogon

2. You only need to open ports for communication between domains that have direct trusts. Parent/child trusts are transitive and will go from child to root to child by default.

3. IPsec is a great thing to use for communication through firewalls. I haven't configured it before, and it's a little tricky to work with, but there aren't really any drawbacks to using it besides the added complexity.

4. The drawback to limiting the port range is that you can eventually run out of ports for RPC communication. It's possible to drop the range to a point where heavy RPC traffic can use up all the available ports, at which point replication will start failing.
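Added example, not from the thread: a PowerShell check that a firewall engineer can run on a DC to confirm the static trust ports named above are reachable on a DC in another domain, and to report the local dynamic RPC range whose size the question asks about narrowing. The -RemoteDC parameter, the port labels and the 1000-port warning threshold are assumptions; LDAPS is listed on its standard port 636.

```powershell
# Added example (assumed names): verify trust ports to a DC in another domain
# and show the local dynamic TCP range that the far-side firewall must allow.
param(
    [Parameter(Mandatory = $true)][string]$RemoteDC,
    [int]$TimeoutMs = 2000
)

# Static ports from the accepted answer; 636 is the standard LDAPS port.
$trustPorts = @{
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper (netlogon)'
    389 = 'LDAP'
    445 = 'SMB'
    636 = 'LDAPS'
}

# Plain TCP connect with a timeout; works on 2008 R2 without Test-NetConnection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

foreach ($port in ($trustPorts.Keys | Sort-Object)) {
    $open  = Test-TcpPort -ComputerName $RemoteDC -Port $port -TimeoutMs $TimeoutMs
    $state = if ($open) { 'open' } else { 'BLOCKED' }
    '{0,5}  {1,-32} {2}' -f $port, $trustPorts[$port], $state
}

# Local dynamic (ephemeral) TCP range as netsh reports it; this is what gets
# narrowed when the range is restricted, and what RPC callbacks will use.
$netsh = netsh int ipv4 show dynamicport tcp
$start = [int](($netsh | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
$count = [int](($netsh | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
'Local dynamic TCP range: {0}-{1} ({2} ports)' -f $start, ($start + $count - 1), $count
if ($count -lt 1000) {
    "Warning: only $count dynamic ports; heavy RPC load can exhaust them (point 4 above)."
}
```

Run it from a DC in the root domain against a child DC and again in the reverse direction, since the firewall rules are evaluated per side.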

Assisted Solution

by: Mike Kline
+1 to all of acbrown's comments.

Especially #3: test IPsec first in a lab and make sure you understand how it works.  Also, is it only going to be IPsec for DC-to-DC communication, or also between admin workstations and DCs (I have seen that too)?

I'm personally not a huge fan of doing this, because then down the road someone forgets the registry entry on a DC and issues arise, etc., and I personally don't see it as a huge security risk.
