Firewall ports for RODCs in a DMZ - A DEFINITIVE LIST

  • Question

  • Hi

    I have been looking for a definitive list of ports required on a firewall between writable DCs and RODCs.

    From two sources I have slightly conflicting information, but have compiled the two lists as follows: (sources are the MS document from April 2008 entitled "Active Directory Domain Services in the Perimeter Network (Windows Server 2008)" and http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx)

    Here is the list:

    DC --> RODC
    Port                  Service                                              Ref
    TCP 135               EPM
    TCP Static 53248      FrsRpc                                               1
    TCP 389               LDAP

    RODC --> DC
    Port                  Service                                              Ref
    TCP 49152-65535       LSASS                                                2
    TCP 57344             DRSUAPI, LsaRpc, NetLogonR                           3
    TCP Static 53248      FrsRpc                                               1
    TCP 135               EPM
    TCP 389               LDAP
    TCP 3268              GC, LDAP
    TCP 445               DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
    TCP 53                DNS
    TCP 88                Kerberos
    UDP 123               NTP
    UDP 389               C-LDAP
    UDP 53                DNS
    TCP 5722              DFS-R
    TCP and UDP 464       Kerberos Change/Set Password

    From the key above, I have the following questions:

    1. Are these needed? - we use DFS-R only, so I guess any NTFRS rules are not required
    2. Is this dynamic range needed? - one source says yes, the other no
    3. As this is within the dynamic range, is it a static-set port?

    On a wider issue, if the dynamic ports are required and we wish to lock these down to one port, as the dynamic ports are those initiated FROM the RODCs, can I make the changes to define the dynamic ports ONLY on the RODCs, or do I need to do it on all DCs within the forest?


    Tuesday, June 28, 2011 4:09 PM


All replies

  • You won't need all the normal ports in that list, such as even GC access, but you do need to allow access from the RODC to the RWDC. Of course you'll need to allow other ports for users/apps to have access back to HQ or other sites, such as if you're using Exchange/Outlook, etc., which will then involve the GC port, TCP 3268, and the ephemeral port ranges. Here's more:

    Designing RODCs in the Perimeter Network (firewall ports, too)

    Restricting Active Directory replication traffic and client RPC traffic to a specific port

    Good discussion on RODC firewall ports:

    Port                  Type of traffic
    TCP 135               RPC, EPM
    TCP Static 53248      FrsRpc
    TCP 389               LDAP

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 28, 2011 8:37 PM
  • Hi Ace,

    Thanks for the reply, but it doesn't really answer my questions to be honest. The first article you link is actually in my question as one of the sources of my confusion. The other articles are ones I have read, with the second one telling me about a process I know about.

    My questions are:

    1a. Given that one list (the article we both refer to) refers to a dynamic port range FROM the RODCs TO the WDCs while the other document I refer to does not, is it actually needed?

    1b. If yes, can I use the process in link 2 (Ace's reply) ONLY on the RODCs given that the traffic will originate from them, or do I need to apply this change to all WDCs in the entire forest also?

    2a. Are the NTFRS ports needed given we use entirely DFS-R?

    2b. If yes, given it is written as "TCP Static 53248 - FrsRpc" and the port is within the 2008 dynamic range, does this mean it always uses this port or the article assumes the process in link 2 (Ace's reply) has been followed?



    Wednesday, June 29, 2011 7:59 AM
  • For your 1st question, you need to follow 1b. You can restrict the dynamic ports. As far as I know, when you completely switch to DFSR, the FRS service (NTFRS) is not used. You can lock down the dynamic ports to a single port.

    Restricting AD replication ports in windows 2008

    Awinish Vishwakarma | CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Ace Fekay [MCT] Wednesday, June 29, 2011 4:26 PM
    • Marked as answer by ChadInStoke Thursday, June 30, 2011 8:13 AM
    Wednesday, June 29, 2011 9:13 AM
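Added example (not code from the thread or from Microsoft's articles): the "lock down to a single port" step above is done on each DC by writing the documented REG_DWORD values that AD DS (DRSUAPI), Netlogon and FRS read at start-up, then rebooting and confirming the DC listens where the firewall rule expects. The NTDS port 57344 and FRS port 53248 are taken from the list in the question; the Netlogon port 57345 is an assumption chosen to sit next to it. Run elevated on every DC that must accept RPC connections through the firewall.

```powershell
# Added example, not from the thread. Pins the RPC endpoints of AD DS, Netlogon
# and FRS to fixed TCP ports using the documented registry values, and verifies.
# Ports: NTDS 57344 and NTFRS 53248 come from the thread's list; Netlogon 57345 is assumed.
# A reboot (or restart of the services) is required before the new ports are used.

$Ports = @{
    NTDS     = @{ Key = 'NTDS\Parameters';     Name = 'TCP/IP Port';                Port = 57344 } # DRSUAPI replication
    Netlogon = @{ Key = 'Netlogon\Parameters'; Name = 'DCTcpipPort';                Port = 57345 } # NetLogonR (assumed port)
    NTFRS    = @{ Key = 'NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Port = 53248 } # FrsRpc; skip when DFS-R only
}

function Set-StaticRpcPorts {
    # Writes the REG_DWORD for each service; -Skip leaves a service on dynamic ports.
    param([hashtable]$Config = $Ports, [string[]]$Skip = @())
    foreach ($svc in $Config.Keys) {
        if ($Skip -contains $svc) { continue }
        $c    = $Config[$svc]
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$($c.Key)"
        if (-not (Test-Path $path)) { Write-Warning "$svc : $path missing (service not installed?)"; continue }
        New-ItemProperty -Path $path -Name $c.Name -Value $c.Port -PropertyType DWord -Force | Out-Null
        Write-Host ("{0,-9} -> TCP {1}" -f $svc, $c.Port)
    }
}

function Get-StaticRpcPorts {
    # Reads back what is configured so it can be compared with the firewall rule set.
    param([hashtable]$Config = $Ports)
    foreach ($svc in $Config.Keys) {
        $c    = $Config[$svc]
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$($c.Key)"
        $val  = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Service = $svc; ConfiguredPort = $val; Expected = $c.Port }
    }
}

function Test-RpcPortListening {
    # After the reboot: confirm the DC really listens on the pinned ports.
    # netstat is used instead of Get-NetTCPConnection so this also works on Server 2008 / 2008 R2.
    param([int[]]$Port)
    $listening = (netstat -ano -p tcp) -match 'LISTENING'
    foreach ($p in $Port) {
        $hit = $listening -match (":{0}\s" -f $p)
        [pscustomobject]@{ Port = $p; Listening = [bool]$hit }
    }
}

# Usage in a DFS-R-only environment, as in the thread (FRS left unpinned):
#   Set-StaticRpcPorts -Skip 'NTFRS'
#   Restart-Computer
#   Get-StaticRpcPorts | Format-Table
#   Test-RpcPortListening -Port 57344,57345 | Format-Table
# DFS-R has its own tool for the same job, e.g. to keep the TCP 5722 from the list:
#   dfsrdiag StaticRPC /port:5722 /Member:<dc-fqdn>
# And to see which dynamic range the remaining LSASS rule must cover:
#   netsh int ipv4 show dynamicport tcp
```

The `Get-StaticRpcPorts` output is what to check against the firewall change request: a DC whose configured port differs from the rule, or a DC that was never rebooted after the registry write, still answers on the dynamic range and the replication from the RODC silently fails at the firewall.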
  • Hi Awinish,

    Thanks for that! Things are a little clearer now!

    We have a root domain and three child domains in our forest, over a well-connected geo site.

    I have left all DCs for 3 of the domains in one site, and created ChildX-WDC and ChildX-RODC sites, and placed the writable DCs for domain ChildX into the first site, and the RODCs for domain ChildX (in the DMZ) into the second site.

    The links are:

    • Default-First-Site-Name --> ChildX-WDC
    • Child-WDC --> Child-RODC

    I will specify / lock-down AD and SYSVOL (DFS-R) replication ports on all ChildX DCs (writable and RO) only. I will leave all other forest DCs to use dynamic ports.

    I think / hope this covers everything! Anything I have missed, please let me know!


    Wednesday, June 29, 2011 2:21 PM
  • The above plan looks good to me, but as a caution I would recommend keeping an eye on the traffic between RODC/RWDC with Netmon/Wireshark/Ethereal for packet transmission, just to be on the safe side.

    Understanding "Read Only Domain Controller" authentication

    Awinish Vishwakarma | CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, June 30, 2011 5:06 AM