This chapter collects the port requirements for Windows Server Active Directory and Active Directory Domain Services (AD DS) components. When we adjust a production network, tighten a firewall, or whitelist switch ports, we often run into replication synchronization failures and similar issues, and it is hard to determine promptly which policy is blocking which port. This chapter gathers the requirements in one place so that troubleshooting takes fewer detours and is more efficient. Note: writable domain controllers and read-only domain controllers (RODCs) have the same port requirements.
I. The default dynamic port range:
In a domain consisting of Windows Server 2003-based domain controllers, the default dynamic port range is 1025 to 5000. Windows Server 2008 R2 and Windows Server 2008 follow the recommendations of the Internet Assigned Numbers Authority (IANA), which moves the dynamic port range upward: the new default start port is 49152, and the new default end port is 65535. Therefore you must widen the remote procedure call (RPC) port range permitted by the firewall. If your mixed domain environment contains Windows Server 2008 R2 and Windows Server 2008 servers as well as Windows Server 2003 servers, allow traffic through ports 1025 through 5000 and 49152 through 65535.
When you see "TCP Dynamic" in the Protocols and Ports column of the following table, it refers to ports 1025 through 5000 (the default port range for Windows Server 2003) and to ports 49152 through 65535 (the default port range starting with Windows Server 2008).
You can use the following Netsh commands to view the dynamic port range on a computer that is running Windows Server 2008:
netsh int ipv4 show dynamicport TCP
netsh int ipv4 show dynamicport UDP
netsh int ipv6 show dynamicport TCP
netsh int ipv6 show dynamicport UDP
Note: Set the range separately for each transport (TCP or UDP). The port range is now a true range with a start point and an end point. Customers deploying servers that run Windows Server 2008 may be affected if RPC communication between servers crosses a firewall on the internal network. In these cases, we recommend that you reconfigure the firewall to allow communication between servers in the dynamic port range of 49152 to 65535. This range does not include the well-known ports used by services and applications. Alternatively, you can modify the port range used by the server on each server. You can adjust this range by using the Netsh command as follows:
netsh int <ipv4|ipv6> set dynamicport <tcp|udp> start=<number> num=<range>
This command sets the dynamic port range for the selected transport: start is the first port of the range, and num is the total number of ports in the range. The following are example commands:
netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport UDP start=10000 num=1000
netsh int ipv6 set dynamicport tcp start=10000 num=1000
netsh int ipv6 set dynamicport UDP start=10000 num=1000
These sample commands set the dynamic port range to start at port 10000 and end at port 10999 (1000 ports). The smallest range that can be set is 255 ports. The lowest start port that can be set is 1025. The highest end port (start port plus range) cannot exceed 65535. To replicate the default behavior of Windows Server 2003, use 1025 as the start port and 3976 as the range for both TCP and UDP; this gives a start port of 1025 and an end port of 5000.
Note: When you install Microsoft Exchange Server 2007 on a Windows Server 2008-based computer, the default port range is 1025 through 60000.
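As an added example (not part of the original chapter), the following PowerShell wraps the netsh queries shown above: it reads the dynamic range for each transport and address family, derives the inclusive end port the same way the start=10000 num=1000 example does, and flags any range that differs from the Windows Server 2008 default. A second helper tells you whether a candidate port would fall inside the dynamic range, which is worth knowing before you choose a static RPC port in the next section. The function names are my own.

```powershell
# Added example, not from the original chapter. Reads the dynamic port range
# with the same netsh commands shown above and reports it per transport.

function Get-DynamicPortRange {
    [CmdletBinding()]
    param()

    foreach ($family in 'ipv4', 'ipv6') {
        foreach ($proto in 'tcp', 'udp') {
            # netsh prints (on an English system) lines such as:
            #   Start Port      : 49152
            #   Number of Ports : 16384
            $text  = (& netsh int $family show dynamicport $proto) -join "`n"
            $start = [regex]::Match($text, 'Start Port\s*:\s*(\d+)')
            $count = [regex]::Match($text, 'Number of Ports\s*:\s*(\d+)')
            if (-not ($start.Success -and $count.Success)) {
                throw "Could not parse netsh output for $family/$proto`: $text"
            }
            $startPort = [int]$start.Groups[1].Value
            $portCount = [int]$count.Groups[1].Value

            [pscustomobject]@{
                Family    = $family
                Protocol  = $proto
                StartPort = $startPort
                PortCount = $portCount
                # inclusive end port, e.g. start=10000 num=1000 -> 10999
                EndPort   = $startPort + $portCount - 1
                # Windows Server 2008 and later default: 49152-65535 (16384 ports)
                IsDefault = ($startPort -eq 49152 -and $portCount -eq 16384)
            }
        }
    }
}

function Test-PortInDynamicRange {
    # Returns $true when the port lies inside the dynamic range of any transport,
    # i.e. it is a poor choice for a static RPC port on this host.
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port)

    $hits = Get-DynamicPortRange |
        Where-Object { $Port -ge $_.StartPort -and $Port -le $_.EndPort }
    return [bool]$hits
}

# Usage:
#   Get-DynamicPortRange | Format-Table
#   Test-PortInDynamicRange -Port 50000   # $true with the default range
```

The regex matches the English netsh labels; on a localized Windows installation adjust the two patterns to the translated labels, or the function will throw with the raw output so you can see what it received.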
II. Restrict RPC to a specific port:
As described in the previous section, "The default dynamic port range," RPC traffic uses ports within the dynamic port range. To restrict RPC traffic to specific ports instead, refer to the following:
By default, Active Directory replication remote procedure calls (RPC) occur dynamically over an available port, which the client obtains from the RPC Endpoint Mapper (RPCSS) on port 135. Administrators can override this behavior and specify the ports through which all Active Directory RPC traffic passes. This process locks down the port.
When you specify the port to use through the registry keys mentioned in the "More information" section, the endpoint mapper directs Active Directory server-side replication traffic and client RPC traffic to these ports. This configuration is possible because all RPC interfaces supported by Active Directory are available on every port on which it listens.
Note
This summary does not describe how to configure AD replication through a firewall. You must open other ports to replicate through a firewall; for example, you might need to open a port for the Kerberos protocol.
More information: Important: this section, method, or task contains steps that tell you how to modify the registry. However, serious problems may occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, if a problem occurs, you can restore the registry.
When a client connects to an RPC endpoint, the RPC runtime on the client contacts the RPC Endpoint Mapper (RPCSS) on the server at the well-known port (135) and obtains the port to connect to for the required RPC interface. This assumes that the client does not know the complete binding, which is the case for all AD RPC services.
The service registers one or more endpoints at startup and can select dynamically allocated ports or specific ports.
If Active Directory and Netlogon are configured to run on port X (as shown in the following entries), this becomes the port that the endpoint mapper registers, in addition to the standard dynamic port.
Use Registry Editor to modify the following values on each domain controller that should use a restricted port. Member servers are not considered logon servers, so the static port allocation for NTDS has no effect on them.
A member server does have a Netlogon RPC interface, but it is seldom used. Examples are remote configuration retrievals such as "nltest /server:member.contoso.com /sc_query:contoso.com".
Registry key 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)
You need to restart the computer for the new setting to become effective.
Registry key 2:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: (available port)
After you modify the Netlogon registry key, you need to restart the Netlogon service for the new setting to take effect.
Note
When you set the DCTcpipPort registry value to the same port as the "TCP/IP Port" registry value under NTDS\Parameters, Netlogon logs error event 5809. This indicates that the configured port is already in use and you should select a different port.
When you use a unique port, you still receive the same event once when you restart the Netlogon service on the domain controller. This is by design and is due to the way the RPC runtime manages its server ports. The port will be used after a reboot, and the event can be ignored.
If any intermediate network devices or software filter packets between domain controllers, the administrator should confirm that communication through the specified ports is enabled.
Typically, you must also manually set the File Replication Service (FRS) RPC port, because AD and FRS replication use the same domain controllers as replication partners. The FRS RPC port should be a different port.
Do not assume that clients use only the Netlogon RPC service and that you therefore need to set only DCTcpipPort. Clients also use other RPC services, such as SAMRPC, LSARPC and the Directory Replication Service (DRS) interface. As a result, you should always configure both registry settings and open both ports on the firewall.
Note: After you specify a port, you may experience the following known issues:
- Long logon times after setting a specific static port for NTDS and Netlogon in a Windows Server R2-based domain environment
- AD replication fails with RPC issues after you set up a static port for NTDS in a Windows-based domain environment
- Logon failure after you restrict client RPC to DC communication in Windows Server R2 or Windows Server R2
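The following PowerShell is an added example, not part of the original chapter or of any Microsoft documentation. It applies the two registry values described above on the local domain controller, enforcing the constraints the text states (the two ports must differ, or Netlogon logs event 5809; static ports should stay out of the dynamic range), and it provides a check that reads the values back and reports whether the DC is listening on them after the required restart. The function names and the port numbers in the usage lines (38901/38902) are my own placeholders; pick ports that are free in your environment and permitted by your firewall policy.

```powershell
# Added example, not from the original chapter. Sets and verifies the
# NTDS "TCP/IP Port" and Netlogon "DCTcpipPort" static RPC port values.

$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-AdStaticRpcPort {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$NtdsPort,
        [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$NetlogonPort
    )

    # The same port for both values produces Netlogon event 5809 (see the note above).
    if ($NtdsPort -eq $NetlogonPort) {
        throw 'NTDS and Netlogon must use different ports.'
    }

    # Assumption: the DC uses the default dynamic range 49152-65535. A static
    # port inside that range can collide with a dynamically allocated endpoint.
    foreach ($p in @($NtdsPort, $NetlogonPort)) {
        if ($p -ge 49152) {
            Write-Warning "Port $p is inside the default dynamic range 49152-65535."
        }
    }

    $settings = @(
        @{ Path = $NtdsKey;     Name = 'TCP/IP Port'; Value = $NtdsPort;     Restart = 'the computer' }
        @{ Path = $NetlogonKey; Name = 'DCTcpipPort'; Value = $NetlogonPort; Restart = 'the Netlogon service' }
    )

    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path) -> $($s.Name)", "Set REG_DWORD to $($s.Value)")) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
            Write-Verbose "$($s.Name) = $($s.Value); restart $($s.Restart) to apply it."
        }
    }
}

function Test-AdStaticRpcPort {
    # Reports the configured static ports and whether a listener is bound to
    # each one. After the required restart both rows should show Listening = True.
    [CmdletBinding()]
    param()

    $settings = @(
        @{ Path = $NtdsKey;     Name = 'TCP/IP Port' }
        @{ Path = $NetlogonKey; Name = 'DCTcpipPort' }
    )

    foreach ($s in $settings) {
        $port = (Get-ItemProperty -Path $s.Path -ErrorAction SilentlyContinue).($s.Name)
        $listening = $false
        if ($port) {
            try {
                # Get-NetTCPConnection needs the NetTCPIP module (Windows Server 2012 and later).
                $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction Stop)
            } catch {
                $listening = $false
            }
        }
        [pscustomobject]@{ Setting = $s.Name; Port = $port; Listening = $listening }
    }
}

# Usage (placeholder ports; run elevated on the domain controller):
#   Set-AdStaticRpcPort -NtdsPort 38901 -NetlogonPort 38902 -WhatIf   # preview only
#   Set-AdStaticRpcPort -NtdsPort 38901 -NetlogonPort 38902 -Verbose
#   Test-AdStaticRpcPort
```

Run the -WhatIf form first so the change is visible before it is written; the values only take effect after the restarts the text calls for, which is why Test-AdStaticRpcPort reports Listening separately from the configured port. Remember that the firewall rules between domain controllers must admit both static ports, as the note above on SAMRPC, LSARPC and DRS traffic explains.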
III. Summary of communication ports with the domain controller:
The following table lists the port requirements for establishing DC-to-DC communication in all versions of Windows Server starting with Windows Server 2003. (Additional ports are required for communication between a read-only domain controller (RODC) and a writable DC.)
Protocols and Ports | AD and AD DS usage | Port type
--------------------|--------------------|----------
TCP and UDP 389 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP
TCP 636 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP SSL
TCP 3268 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP GC
TCP 3269 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP GC SSL
TCP and UDP 88 | User and computer authentication, forest-level trusts | Kerberos
TCP and UDP 53 | User and computer authentication, name resolution, trusts | DNS
TCP and UDP 445 | Replication, user and computer authentication, Group Policy, trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 | Replication | SMTP
TCP 135 | Replication | RPC, EPM
TCP Dynamic | Replication, user and computer authentication, Group Policy, trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 | File replication | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, trusts | Windows Time
TCP and UDP 464 | Replication, user and computer authentication, trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
UDP 67 and UDP 2535 | DHCP (DHCP is not a core AD DS service, but it is often present in AD DS deployments.) | DHCP, MADCAP
UDP 137 | User and computer authentication | NetLogon, NetBIOS Name Resolution
TCP 139 | User and computer authentication, replication | DFSN, NetBIOS Session Service, NetLogon
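To turn the table above into a check you can run after a firewall or switch change, here is an added PowerShell example (not part of the original chapter). It probes the fixed TCP ports from the table on a replication partner with a plain TCP connect and reports which ones are open. UDP-only ports and the dynamic RPC range are listed but not probed, because a TCP connect tells you nothing about them; for the dynamic range use the static-port configuration from section II or inspect the endpoint mapper directly. The host name dc02.contoso.com and the function names are my own placeholders.

```powershell
# Added example, not from the original chapter. Checks reachability of the
# fixed TCP ports listed in the port table on a partner domain controller.

$AdDsTcpPorts = @(
    [pscustomobject]@{ Port = 389;  Service = 'LDAP' }
    [pscustomobject]@{ Port = 636;  Service = 'LDAP SSL' }
    [pscustomobject]@{ Port = 3268; Service = 'LDAP GC' }
    [pscustomobject]@{ Port = 3269; Service = 'LDAP GC SSL' }
    [pscustomobject]@{ Port = 88;   Service = 'Kerberos' }
    [pscustomobject]@{ Port = 53;   Service = 'DNS' }
    [pscustomobject]@{ Port = 445;  Service = 'SMB' }
    [pscustomobject]@{ Port = 135;  Service = 'RPC endpoint mapper' }
    [pscustomobject]@{ Port = 464;  Service = 'Kerberos change/set password' }
    [pscustomobject]@{ Port = 139;  Service = 'NetBIOS session service' }
    [pscustomobject]@{ Port = 9389; Service = 'AD DS Web Services' }
)

# Ports from the table that depend on optional roles; include them only where deployed.
$OptionalTcpPorts = @(
    [pscustomobject]@{ Port = 25;   Service = 'SMTP replication' }
    [pscustomobject]@{ Port = 5722; Service = 'DFSR (SYSVOL)' }
)

# UDP-only entries from the table; reported but not probed.
$UdpOnlyPorts = @(
    [pscustomobject]@{ Port = 123; Service = 'Windows Time' }
    [pscustomobject]@{ Port = 137; Service = 'NetBIOS name resolution' }
    [pscustomobject]@{ Port = 138; Service = 'NetBIOS datagram service' }
)

function Test-DcPortReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$IncludeOptional,
        [int]$TimeoutMs = 3000
    )

    $targets = $AdDsTcpPorts
    if ($IncludeOptional) { $targets = $targets + $OptionalTcpPorts }

    foreach ($t in $targets) {
        # Plain TCP connect with a timeout, so a silently dropping firewall
        # shows up as "Blocked or closed" instead of hanging the script.
        $client = New-Object System.Net.Sockets.TcpClient
        $status = 'Blocked or closed'
        try {
            $async = $client.BeginConnect($ComputerName, $t.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws on refused connections
                $status = 'Open'
            }
        } catch {
            $status = 'Blocked or closed'
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Target = $ComputerName; Port = $t.Port; Service = $t.Service; Status = $status }
    }

    foreach ($u in $UdpOnlyPorts) {
        [pscustomobject]@{ Target = $ComputerName; Port = $u.Port; Service = $u.Service; Status = 'UDP, not probed' }
    }
}

# Usage (placeholder host name):
#   Test-DcPortReachability -ComputerName 'dc02.contoso.com' | Format-Table
#   Test-DcPortReachability -ComputerName 'dc02.contoso.com' -IncludeOptional |
#       Where-Object { $_.Status -eq 'Blocked or closed' }
```

Run it from each domain controller toward each of its replication partners, since firewall policy is usually asymmetric; a port that is open in one direction and blocked in the other is exactly the kind of partial breakage that shows up as intermittent replication errors.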
Windows Server 2016 - Active Directory Domain Services port rollup