What ports are needed to connect to a domain controller

I have a domain controller behind a firewall and I want to join machines in a DMZ to it. I found this article https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx but for group policy it just says "UDP Dynamic"

Do I really need to open EVERY UDP port to it through DMZ? Any way I can limit that range or no?

Environment notes:
DC and clients are Server 2012R2.
Firewall between DC and DMZ is pfSense
homelabguy asked:
Mike (IT Manager) commented:
Why would you want all your workstations in the DMZ?

You can't change the ports AD uses.
Will Szymkowski (Senior Solution Architect) commented:
The link below outlines all of the ports required for Active Directory communication.
https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

However, I would highly NOT RECOMMEND putting a DC in a DMZ. I would not even put a RODC in a DMZ. This poses a security risk. If you are trying to do some sort of Federation/Authentication, then implementing something like ADFS (federated services) would be more suitable, if this is what you are trying to achieve.

I just wanted to be upfront with you.

Will.
Cliff Galiher commented:
You can't do what you want. But joining a server in a DMZ to a domain behind the DMZ firewall would pretty much make the DMZ useless anyway. Not much (or any) benefit to such a configuration, so no changes to the product have been made to enable such a scenario.
homelabguy (Author) commented:
@Shadowless127 No workstations in the DMZ. By "client" I meant other Server 2012 machines that will be exposed to other locations. The DMZ is what is accessible to other physical locations in a cluster of site-to-site VPN links. So a Windows File Server or IIS server would go in the DMZ. Clients are in the LAN. "DMZ" is really a poor name for servers shared with other locations. There is still another firewall between "DMZ" and the internet.

Mostly I want to know if in that link I posted "UDP Dynamic" for Group Policy is a certain range of UDP ports or all UDP ports.
Cliff Galiher commented:
As the word "dynamic" implies, the UDP port changes often and regularly. There is a range, albeit a very large one, making attempts to restrict traffic with a firewall effectively open. For 2012 servers, it's a little over 25,000 ports in the range RPC will select. You can limit RPC somewhat, but it significantly compromises security and performance, so I never recommend it.

Peter Hutchison (Senior Network Systems Specialist) commented:
If accessing a Domain over the internet, I would recommend implementing a VPN solution for clients accessing your network. Then the network and DC would be secure and limited to just your users.
Will Szymkowski (Senior Solution Architect) commented:
The link in my first post shows exactly what ports are required. Group Policy is in fact UDP Dynamic.

It also states the default dynamic port range as well.

Reference from my first link.
Default dynamic port range

In a domain that consists of Windows Server® 2003–based domain controllers, the default dynamic port range is 1025 through 5000. Windows Server 2008 R2 and Windows Server 2008, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic port range for connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 R2 and Windows Server 2008 server and Windows Server 2003, allow traffic through ports 1025 through 5000 and 49152 through 65535.

Will.
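Before writing the pfSense rule, it is worth confirming which dynamic range the DC actually uses rather than assuming the documented default, since a server that was upgraded or customised may still use the legacy 1025-5000 range. The script below is an added example (not code from the thread or from Microsoft): it runs `netsh int ipv4|ipv6 show dynamicport tcp|udp` on the DC, parses the "Start Port" / "Number of Ports" output, and compares the UDP range against the 49152-65535 default quoted above. It assumes an English-language Windows Server 2008 or later, where netsh prints those two labels.

```powershell
# Added example, not part of the original thread. Run on the domain controller.
# Assumption: netsh prints "Start Port : N" and "Number of Ports : M" (English Windows 2008+).
function Get-DynamicPortRange {
    param(
        [Parameter(Mandatory)] [ValidateSet('tcp', 'udp')] [string]$Protocol,
        [ValidateSet('ipv4', 'ipv6')] [string]$Family = 'ipv4'
    )
    # netsh accepts "int" as the abbreviation of "interface"
    $text = (& netsh int $Family show dynamicport $Protocol) -join "`n"

    if (-not ($text -match 'Start Port\s*:\s*(\d+)')) {
        throw "Could not find 'Start Port' in netsh output for $Family/$Protocol"
    }
    $start = [int]$Matches[1]

    if (-not ($text -match 'Number of Ports\s*:\s*(\d+)')) {
        throw "Could not find 'Number of Ports' in netsh output for $Family/$Protocol"
    }
    $count = [int]$Matches[1]

    # Report the inclusive range so it can be pasted straight into a firewall alias
    [pscustomobject]@{
        Family   = $Family
        Protocol = $Protocol
        Start    = $start
        End      = $start + $count - 1
        Count    = $count
    }
}

# Collect all four ranges (IPv4/IPv6 x TCP/UDP) and show them
$ranges = foreach ($fam in 'ipv4', 'ipv6') {
    foreach ($proto in 'tcp', 'udp') {
        Get-DynamicPortRange -Family $fam -Protocol $proto
    }
}
$ranges | Format-Table -AutoSize

# Compare the IPv4 UDP range with the default documented in the TechNet article
$udp = $ranges | Where-Object { $_.Family -eq 'ipv4' -and $_.Protocol -eq 'udp' }
if ($udp.Start -eq 49152 -and $udp.End -eq 65535) {
    Write-Output "UDP dynamic range is the documented default: allow udp/49152-65535 (plus the static AD ports) through the DMZ firewall."
}
elseif ($udp.Start -eq 1025) {
    Write-Output "Legacy 1025-$($udp.End) range detected: a firewall rule scoped to 49152-65535 would silently block this host."
}
else {
    Write-Output "Non-default range $($udp.Start)-$($udp.End): scope the firewall rule to exactly this range and document why it was changed."
}
```

The range reported here is the DC's own ephemeral range; the RPC endpoint mapper on TCP 135 and the static ports in the linked article still need their own rules. If the ranges differ between IPv4 and IPv6, or between the DC and the DMZ servers, each side has to be checked separately before the rule is written.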
homelabguy (Author) commented:
Thanks for the info!