You can ignore UDP 389 and UDP 88 messages.
UDP 49152 - 65535
http://www.pbbergs.com/windows/articles/FirewallReplication.html
The preferred solution is to upgrade the Checkpoint firewall. See below in the references section to find out more on what ‘ephemeral’ means. Ephemeral ports are used only for that session.
I'd strongly suggest first clarifying what is meant by "clients" in this scenario: could be single-purpose member servers relaying authentication requests from users and their workstations, or client workstations logging on and using all sorts
Keep in mind, it also depends on what ports and services you’ll want to restrict.
Procedure: Modify the registry to select a static port.
What All Ports Are Rrequired By Domain Controllers And Client Computers?
where a client connects to virtual address 198.252.145.1, which the firewall maps transparently to the server’s actual internal IP address of, say, 192.100.81.101.
… http://support.microsoft.com/kb/224196
How to restrict FRS replication traffic to a specific static port … Windows 2000-based domain controllers and servers use FRS to replicate system policy … http://support.microsoft.com/kb/319553
Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers. This KB indicates that Checkpoint firewalls have an issue with AD communications. http://support.microsoft.com/?kbid=899148
The ephemeral port range in Windows 2008, 2008 R2, Vista and Windows 7 has changed from the range used by Windows 2003, Windows XP, and Windows 2000.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
These are the dynamically assigned service response ports, and are required. This also discusses RODC port requirements. Simply speaking, if there are replication or other AD communication problems, and you have antivirus software installed on the endpoints or on all of your DCs, disable it, or better yet, uninstall it.
What’s the Difference?
Whether between locations with firewall/VPN tunnel port blocks, Windows Firewall (which is usually not the culprit, because it auto-configures for the role of the machine and its current network location), or even security software or antivirus apps with some sort of “network traffic protection” feature enabled that is causing the problem.
The new default start port is 49152, and the default end port is 65535.
Nirmal Sharma is an MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking.
It also affects AD communications.
NATs cannot translate the encrypted RPC traffic, therefore breaking LDAP communications.
Default ephemeral ports (random dynamic service response ports) are UDP 1024 – 65535 (see KB179442 below), but for Vista and Windows 2008 it’s different.
Review the firewall rules. It depends on what ports and services you want to restrict.
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
You *might* find that Sean Metcalf's site on AD Security is a better resource, and protects you from following inaccurate advice that gets you in trouble with your security organisation:
(includes older pre-Windows Vista/2008 ephemeral ports) http://technet.microsoft.com/en-us/library/bb727063.aspx
How Domains and Forests Work (also shows a list of ports needed): http://technet.microsoft.com/en-us/library/cc783351(v=ws.10).aspx
Paul Bergson’s Blog on AD Replication and Firewall Ports: http://www.pbbergs.com/windows/articles/FirewallReplication.html
Configuring an Intranet Firewall for Exchange 2003, April 14, 2006.
And no, you don’t want to use ping, nslookup, nmap or any other port scanner, because they’re not designed to query the necessary AD ports to see if they are responding or not.
Once the session has dissolved, the ports are put back into the pool for reuse.
These ports are required by both client computers and Domain Controllers.
Active Directory communication takes place using several ports.
It's in the links Sandesh posted.
http://msmvps.com/blogs/rexiology/archive/2006/04/05/89389.aspx
http://technet.microsoft.com/en-us/library/bb727063.aspx
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/WhatAllPortsAreRrequiredByDomainControllersAndClientComputers.html
http://www.delawarecountycomputerconsulting.com/technicalblogs.php
http://www.pbbergs.com/windows/articles/FirewallReplication.html
http://blogs.dirteam.com/blogs/paulbergson
In Windows 2000 and Windows XP, the Internet Control Message Protocol (ICMP) must be allowed through the firewall from the clients to the domain controllers so that the Active Directory Group Policy client can function correctly through a firewall.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
How to configure RPC dynamic port allocation to work with firewalls: http://support.microsoft.com/kb/154596/en-us
Reference thread: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/76e8654a-fbba-49af-b6d6-e8d9d127bf03/
RODC Firewall Port Requirements: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
Active Directory Replication over Firewalls: http://technet.microsoft.com/en-us/library/bb727063.aspx
Designing RODCs in the Perimeter Network: http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx
Restricting Active Directory replication traffic and client RPC traffic to a specific port: http://support.microsoft.com/kb/224196
Good discussion on RODC and firewall ports required: http://forums.techarena.in/active-directory/1303925.htm
Further info on how RODC authentication works will help understand the ports: Understanding “Read Only Domain Controller” authentication http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx
How to configure a firewall for domains and trusts: http://support.microsoft.com/kb/179442
Active Directory and Active Directory Domain Services Port Requirements, Updated: June 18, 2009 (includes updated new ephemeral ports for Windows Vista/2008 and newer).
Netsh – use the following examples to set a starting port and the number of ports after it to use:
netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008: http://support.microsoft.com/kb/929851
This is for Windows services communications.