I had kind of a weird setup today where I wanted to enable Windows Firewall on a Windows 2003 R2 SP2 computer that would act as an Active Directory Domain Controller.
I didn't see one resource on the Internet that listed what would be required to do this, so I thought I'd list them here and see if anyone has anything to add/sees something that isn't necessary.
Ports to Open with "subnet" scope:
- 42 | TCP | WINS (if you use it)
- 53 | TCP | DNS
- 53 | UDP | DNS
- 88 | TCP | Kerberos
- 88 | UDP | Kerberos
- 123 | UDP | NTP
- 135 | TCP | RPC
- 135 | UDP | RPC
- 137 | UDP | NetBIOS
- 138 | UDP | NetBIOS
- 139 | TCP | NetBIOS
- 389 | TCP | LDAP
- 389 | UDP | LDAP
- 445 | TCP | SMB
- 445 | UDP | SMB
- 636 | TCP | LDAPS
- 3268 | TCP | GC LDAP
- 3269 | TCP | GC LDAP
Ports to Open with "Any" Scope (for DHCP):
- 67 | UDP | DHCP
- 2535 | UDP | DHCP
Also, you need to restrict RPC to use fixed ports instead of everything > 1024. For that, you need to add two registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: <-- pick a port like 1600 and put it here
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: <-- pick another port like 1650 and put it here
...don't forget to add entries in the firewall to allow those in (TCP, Subnet scope).
After doing all that, I was able to add a client computer to the AD domain (behind Windows Firewall) and log in successfully.
If desired, you can restrict the RPC port ranges in a couple of ways:
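The port list and the two registry values from the post above, applied as one script. This is an added example, not code from the original post; it assumes the `netsh firewall` context that ships with Windows Server 2003 SP1 and later, `reg.exe`, and the sample RPC ports 1600 and 1650 named above.

```batch
@echo off
rem Added example (not from the original post): opens the listed ports with
rem the scopes described above and pins the two RPC ports in the registry.
rem Assumes Windows Server 2003 R2 (netsh "firewall" context, not "advfirewall").

rem --- Subnet-scoped ports: WINS, DNS, Kerberos, RPC, NetBIOS, LDAP, SMB, LDAPS, GC ---
for %%P in (42 53 88 135 139 389 445 636 3268 3269) do (
    netsh firewall add portopening protocol=TCP port=%%P name="AD TCP %%P" mode=ENABLE scope=SUBNET profile=ALL
)
for %%P in (53 88 123 135 137 138 389 445) do (
    netsh firewall add portopening protocol=UDP port=%%P name="AD UDP %%P" mode=ENABLE scope=SUBNET profile=ALL
)

rem --- DHCP must be "Any" scope: a client has no address yet when it asks for one ---
netsh firewall add portopening protocol=UDP port=67 name="DHCP 67" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=UDP port=2535 name="DHCP 2535" mode=ENABLE scope=ALL profile=ALL

rem --- Fix the NTDS and Netlogon RPC ports (sample values 1600 / 1650 from the post) ---
set NTDS_PORT=1600
set NETLOGON_PORT=1650
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "TCP/IP Port" /t REG_DWORD /d %NTDS_PORT% /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v DCTcpipPort /t REG_DWORD /d %NETLOGON_PORT% /f

rem --- ...and let those two fixed ports in, subnet scope, as the post says ---
netsh firewall add portopening protocol=TCP port=%NTDS_PORT% name="NTDS RPC fixed" mode=ENABLE scope=SUBNET profile=ALL
netsh firewall add portopening protocol=TCP port=%NETLOGON_PORT% name="Netlogon RPC fixed" mode=ENABLE scope=SUBNET profile=ALL

rem --- Review the resulting rule set before relying on it ---
netsh firewall show portopening
```

Run it from an elevated command prompt on the DC; the registry values take effect after the NTDS and Netlogon services restart, so review `netsh firewall show portopening` and then test a domain join from a client in the same subnet.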
I have done this with these ports. It's been a while, and I'm not sure whether I joined the domain with them, or rather whether this allows the machine to communicate with the DC after joining while in the same subnet.
TCP ports:
135 139 389 445 1026
UDP ports:
53 88 123 389
From the Microsoft KB:
For Active Directory: http://support.microsoft.com/kb/179442
For Limiting the ports used by RPC: http://technet.microsoft.com/en-us/library/bb727063.aspx