Ports required within Active Directory (2016 DC's)


I have configured Windows active directory  (2016)as follows:

3 domain controllers, Windows 2016 operating system in 3 different physical locations, communicating with each other via VPN tunnels.
Windows member servers who join the domain are either Windows 2008 , Windows 2012, or Windows 2016 server operating system.

There are on Windows 7 / 8/ 10 client operating systems joined to the domain, only Windows server operating systems currently (although it is possible that this can change, but not likely).

This is a secure environment, and none of the servers can access the internet.

The environment needs to be as secure as possible. Therefore port communication needs to be locked down.

Can someone assist and tell me the the following:

1. Incoming / outgoing ports required by the Domain Controllers so the can communicate with each other?

2. Incoming / outgoing ports required by the member servers and domain controllers  so they communicate with each other ? (Member servers do not require  communication between each other, only to DC's)

Firewall rules (which exist for all servers) are defined by incoming ports allowed and outgoing ports allowed. Each server in this environment needs to be defined this way.

Thanks in advance!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dustin SaundersDirector of OperationsCommented:
This is pretty common, do this fairly often to create trusts.  For W2K8+ the ports required are:

Client Port(s)				Server 	Port		Service
49152 -65535/UDP			123/UDP				W32Time
49152 -65535/TCP			135/TCP	RPC 		Endpoint Mapper
49152 -65535/TCP			464/TCP/UDP			Kerberos password change
49152 -65535/TCP			49152-65535/TCP		RPC for LSA, SAM, Netlogon (*)
49152 -65535/TCP/UDP		389/TCP/UDP			LDAP
49152 -65535/TCP			636/TCP	LDAP 		SSL
49152 -65535/TCP			3268/TCP			LDAP GC
49152 -65535/TCP			3269/TCP			LDAP GC SSL
53, 49152 -65535/TCP/UDP	53/TCP/UDP			DNS
49152 -65535/TCP			49152 -65535/TCP	FRS RPC (*)
49152 -65535/TCP/UDP		88/TCP/UDP			Kerberos
49152 -65535/TCP/UDP		445/TCP				SMB (**)
49152 -65535/TCP			49152-65535/TCP		DFSR RPC (*)

Open in new window


Generally I do UDP { 53, 88, 123, 389 } and TCP { 53, 88, 135, 389, 445, 636, 3268, 3269, 49152:65535 }

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mbudmanAuthor Commented:
Hello Dustin,

Thanks for the information. I was wondering if you could help clarify as I need to break this information down and configure in the following

1)  Ports required for communication between domain controllers only

2) For communication between Domain controller and clients:
    a. outgoing ports required on domain controller to incoming ports required on client
    b. outgoing ports from client to incoming ports on the domain controller

This is where I find the documentation from Microsoft confusing.

What I have gathered so for, so Domain Controller to Domain Controller (DC<->DC):
TCP 53,135, 139,  445
UDP 53,  135,138, 445

For Client incoming ports (from DC):
TCP 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 49152-65535
Would you be able to assist in helping me better understand this stuff?

Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Dustin Saunders (https:#a42469148)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.