Required ports for AD to replicate

  • Question

  • hi there!

    We have 2008 r2 domain controllers with domain and functional level 2008 r2.

    We would like to install another DC in other location (locations are connected with site to site vpn).

    I am familiar with this info: http://support.microsoft.com/kb/179442#method3, and http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx, but my question is: in which direction must these ports be opened to/from the other location? In both? From DC1 (in the primary location) to DC2 (in the secondary location), or from DC2 to DC1? Just one way or both directions? Who is the initiator in the replication?

    Do our network guys need to open these in both directions or one way only?

    Client Port(s)            Server Port          Service
    49152-65535/UDP           123/UDP              W32Time
    49152-65535/TCP           135/TCP              RPC Endpoint Mapper
    49152-65535/TCP           464/TCP/UDP          Kerberos password change
    49152-65535/TCP           49152-65535/TCP      RPC for LSA, SAM, Netlogon (*)
    49152-65535/TCP/UDP       389/TCP/UDP          LDAP
    49152-65535/TCP           636/TCP              LDAP SSL
    49152-65535/TCP           3268/TCP             LDAP GC
    49152-65535/TCP           3269/TCP             LDAP GC SSL
    53, 49152-65535/TCP/UDP   53/TCP/UDP           DNS
    49152-65535/TCP           49152-65535/TCP      FRS RPC (*)
    49152-65535/TCP/UDP       88/TCP/UDP           Kerberos
    49152-65535/TCP/UDP       445/TCP              SMB
    49152-65535/TCP           49152-65535/TCP      DFSR RPC (*)

    What do client ports stand for? In this case, who is the client and who is the server?

    with best regards,


    bostjanc


    • Edited by B_C_R Tuesday, August 6, 2013 11:24 AM bostjanc edited
    Tuesday, August 6, 2013 11:23 AM

All replies

  • Hello,

    As each DC is able to create new objects, they inform the others that changes are available, so ports must be open in both directions.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, August 6, 2013 11:33 AM
  • You can reduce the high ports required between DCs for RPC, see my blog below.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2012/05/15/windows-2000-2003-replication-through-a-firewall.aspx

    You will need ports open on both sides, but it isn't as bad as it seems.  If you follow my guidelines to only have the NTFRS and NTDS, you can close all the rest of the high ports if you so choose, but then if you have a need for other connections on RPC for things like AV or backups you need to either lock down the ports or not use them.

    Client ports are just that, clients who need to connect for authentication services.  So if you have two DCs in two sites and the clients will only be connecting locally to their site, then it will help with firewall issues.  When a computer makes a connection to another server it needs to use a predefined port -but- on the client side, when the server needs to talk back to the client, the client also has to have a port open, and that is where the high ports come into play.  So even though Kerberos is on port 88 on the server side, the client randomly selects a port for the DC to talk to the client.


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Meinolf Weber Tuesday, August 6, 2013 12:09 PM
    Tuesday, August 6, 2013 11:58 AM
  • Hi,

    Any updates?

    Please feel free to let us know if you need further assistance.

    Regards.



    Vivian Wang
    TechNet Community Support

    Thursday, August 8, 2013 2:50 AM
  • Vivian, hi.

    I am waiting for our network guys to confirm they understood everything.

    The main question/misunderstanding was whether the ports MS recommends opening should be opened both ways.


    bostjanc


    • Edited by B_C_R Thursday, August 8, 2013 7:39 AM edited
    Thursday, August 8, 2013 7:39 AM
  • One more question:

    Can you please help me clarify this?
    For example, if our scenario is like this:

    DC1 located in the primary location has IP 192.168.1.5
    DC2 in the remote location has IP 192.168.30.5

    Opening PORTS:

    53/TCP/UDP in both directions between 192.168.1.5 and 192.168.30.5
    88/TCP/UDP in both directions between 192.168.1.5 and 192.168.30.5
    123/UDP in both directions between 192.168.1.5 and 192.168.30.5
    135/TCP in both directions between 192.168.1.5 and 192.168.30.5
    389/TCP/UDP in both directions between 192.168.1.5 and 192.168.30.5
    445/TCP in both directions between 192.168.1.5 and 192.168.30.5
    464/TCP/UDP in both directions between 192.168.1.5 and 192.168.30.5
    636/TCP in both directions between 192.168.1.5 and 192.168.30.5
    3268/TCP in both directions between 192.168.1.5 and 192.168.30.5
    3269/TCP in both directions between 192.168.1.5 and 192.168.30.5
    49152-65535/TCP/UDP in both directions between 192.168.1.5 and 192.168.30.5

    Would this be ok?


    bostjanc

    Thursday, August 8, 2013 10:49 AM
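    As an added example (not part of this thread or of any Microsoft tool), the following PowerShell script checks from one DC that the TCP server ports listed above are reachable on the partner DC. Because replication is initiated from both sides, run it on DC1 pointing at DC2 and again on DC2 pointing at DC1; both runs must pass. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so it also runs on 2008 R2 (PowerShell 2.0). The IP addresses default to the ones in the scenario above; the registry values it reads are the static RPC port settings documented in Microsoft KB 224196 and are not mentioned on this page. The -PartnerReplicationPort parameter is an assumption of this script, to be set only if the partner DC pins its NTDS RPC port.

```powershell
# Added example, not from the thread: check from this DC that the partner DC's
# TCP ports for AD replication are reachable through the firewall.
# Run on DC1 against DC2 and on DC2 against DC1 to confirm both directions.
param(
    [string]$PartnerDC = '192.168.30.5',   # DC2 from the scenario; use 192.168.1.5 when run on DC2
    [int]$PartnerReplicationPort = 0,      # hypothetical: partner's static NTDS RPC port, if pinned (KB 224196)
    [int]$TimeoutMs = 2000
)

# TCP server ports from the list in the question. UDP (DNS, Kerberos, LDAP over UDP,
# W32Time on 123/UDP) cannot be verified with a TCP handshake; check those in the firewall log.
$requiredTcp = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC Endpoint Mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP SSL' },
    @{ Port = 3268; Service = 'LDAP GC' },
    @{ Port = 3269; Service = 'LDAP GC SSL' }
)
if ($PartnerReplicationPort -gt 0) {
    $requiredTcp += @{ Port = $PartnerReplicationPort; Service = 'NTDS replication RPC (static)' }
}

# TCP connect with a timeout; a filtered port times out, a refused one throws in EndConnect.
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Report whether THIS DC has pinned its own RPC ports (registry values documented in
# Microsoft KB 224196, not on the thread page). If it has, the partner side only needs
# that one port inbound to this DC instead of the whole 49152-65535 range.
function Get-StaticRpcPort {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$Name } else { return 0 }
}
$ntdsPort  = Get-StaticRpcPort 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  'TCP/IP Port'
$ntfrsPort = Get-StaticRpcPort 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' 'RPC TCP/IP Port Assignment'

# Probe every listed port and collect the outcome.
$results = foreach ($entry in $requiredTcp) {
    New-Object PSObject -Property @{
        Port    = $entry.Port
        Service = $entry.Service
        Open    = Test-TcpPort -Computer $PartnerDC -Port $entry.Port -TimeoutMs $TimeoutMs
    }
}
$results | Sort-Object Port | Format-Table Port, Service, Open -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -eq 0) {
    Write-Host "All listed TCP ports are reachable on $PartnerDC from $env:COMPUTERNAME."
} else {
    Write-Host "Blocked towards ${PartnerDC}: $(($blocked | ForEach-Object { $_.Port }) -join ', ')"
}
Write-Host ("Inbound RPC on this DC: NTDS {0}, NTFRS {1}" -f `
    $(if ($ntdsPort)  { "static port $ntdsPort" }  else { 'dynamic (49152-65535)' }), `
    $(if ($ntfrsPort) { "static port $ntfrsPort" } else { 'dynamic (49152-65535)' }))
```

    A successful run only shows that the firewall passes the listed ports in that direction; the end-to-end check is still `repadmin /replsummary` and `dcdiag /test:replications` on each DC. Port 135 being open does not prove the dynamic RPC port the endpoint mapper hands out is open too, which is why the ephemeral range (or a pinned static port) must be allowed inbound to each DC.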
  • Hello,

    I miss:

    Port          AD DS usage                                    Type of traffic
    TCP 5722      File Replication                               RPC, DFSR (SYSVOL)
    UDP Dynamic   Group Policy                                   DCOM, RPC, EPM
    UDP 138       DFS, Group Policy                              DFSN, NetLogon, NetBIOS Datagram Service
    TCP 9389      AD DS Web Services                             SOAP (if used)
    UDP 137       User and Computer Authentication               NetLogon, NetBIOS Name Resolution
    TCP 139       User and Computer Authentication, Replication  DFSN, NetBIOS Session Service, NetLogon

    See http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx for all related ports.

    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Thursday, August 8, 2013 11:11 AM
  • Meinolf thanks!

    Your line:

    UDP Dynamic   Group Policy   DCOM, RPC, EPM

    is missing a port number, Meinolf?


    bostjanc

    Thursday, August 8, 2013 11:38 AM
  • Hi,

    Please check the similar thread:

    Ports required to replicate DCs

    http://social.technet.microsoft.com/Forums/en-US/6d038165-e6ec-4683-8da1-5a4fecdd288b/ports-required-to-replicate-dcs

    Regards.



    Vivian Wang
    TechNet Community Support

    • Marked as answer by Vivian_Wang Monday, August 26, 2013 1:52 AM
    Tuesday, August 20, 2013 1:31 AM