Windows Server 2016-active Directory Domain Services Port rollup

Source: Internet
Author: User
Tags file copy ldap

This chapter simply collates the port requirements for Windows Server Active Directory and Active Directory Domain Services (AD DS) components. Production environment in our network adjustment, firewall or switch port white list and other operations, many times will encounter synchronization anomalies and other issues, specifically, which strategies affect port communications caused by our difficult to timely troubleshooting, this chapter will be simple for everyone to tidy up, I hope we can less detours, improve the efficiency of the error. Note: Both writable domain controllers and read-only domain controllers (RODC) have the same port requirements.

I, the default dynamic port range:

In a domain consisting of Windows Server 2003-based domain controllers, the default dynamic port range is 1025 to 5000. Windows Server R2 and Windows Server 2008 meet the recommendations of the Internet Number Allocation Authority (IANA), which increases the range of dynamic port connections. The new default start port is 49152, and the new default port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in the firewall. If your hybrid domain environment contains Windows Server R2 and Windows Server 2008 servers and Windows Server 2003, allow traffic through ports 1025 through 5000 and 49152 through 65535.

When you see "TCP Dynamic" in the protocols and port columns in the following table, it refers to Port 1025 to (the default port range for Windows Server 2003) and to ports 49152 through 65535, which is from the Windows Server 2008 the default port range to start with.

You can use the following Netsh command to view the dynamic port range on a computer that is running Windows Server 2008:

netsh int ipv4 show dynamicport TCP

netsh int ipv4 show dynamicport UDP

netsh int ipv6 show dynamicport TCP

netsh int ipv6 show dynamicport UDP

Note: Set the range separately for each transport (TCP or UDP). The port range is now a true starting and ending point with a range. The deployment server that is running Windows Server 2008 for Microsoft customers may affect the server if you use RPC communication between firewalls on the internal network. In these cases, we recommend that you reconfigure the firewall to allow communication between servers in the dynamic port range of 49152 to 65535. This scope does not include known ports that are used by services and applications. Alternatively, you can modify the port range used by the server on each server. You can adjust this range by using the Netsh command as follows:

netsh int <ipv4 | ipv6> Set Dynamic <tcp | udp> start = number num = Range

This command sets the TCP dynamic port range. The starting port is the number, and the total number of ports is the zone. The following is an example command:

netsh int ipv4 set dynamicport tcp start=10000 num=1000

netsh int ipv4 set dynamicport UDP start=10000 num=1000

netsh int ipv6 set dynamicport tcp start=10000 num=1000

netsh int ipv6 set dynamicport UDP start=10000 num=1000

These sample commands set the dynamic port range for port 10000 and end Port 10999 (1000 port) at the beginning. The minimum number of ports that can be set is a range of 255. The minimum starting port that can be set is 1025. The maximum end port (depending on the configured range) cannot exceed 65535. To replicate the default behavior of Windows Server 2003, 1025 is used as the start port and 3976 is used as a range of TCP and UDP. This causes the 1025 start port and the end port to be 5000.

Note When you install Microsoft Exchange Server 2007 on a Windows Server 2008-based computer, the default port range is 1025 through 60000.

II, restrict RPC to a specific port:

As described in the previous section, "Default dynamic port range," RPC traffic is used within the dynamic port range. How to restrict RPC traffic to a specific port, please refer to the following:

By default, Active directory replication Remote Procedure call (RPC) occurs dynamically on an available port by using port 135 through the RPC Endpoint Mapper (RPCSS). Administrators can override this feature and specify the ports through which all active Directory RPC passes. This process locks the port.

When you specify the port to use by using the registry key that is mentioned in the "More Information" section, the endpoint mapper sends Active Directory server-side replication traffic and client RPC traffic to these ports. This configuration is possible because all RPC interfaces supported by Active Directory are running on all ports on which they are listening.


This summary does not describe how to configure AD replication for a firewall. You must open a different port to replicate through the firewall. For example, you might need to open a port for the Kerberos protocol.

More information: Important This section, methods, or tasks contain steps that explain how to modify the registry. However, serious problems may occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify the registry. Then, if a problem occurs, you can restore the registry.

When you connect to an RPC endpoint, the RPC runtime on the client contacts the RPC Endpoint mapper (RPCSS) on the server on the well-known port (135) and obtains the port to connect to support the required RPC interface. This assumes that the client does not know the complete binding. This is the case for all AD RPC services.

The service registers one or more endpoints at startup, and can select dynamically allocated ports or specific ports.

If the Active Directory and Netlogon are configured to run at Port X (as shown in the following entry), this becomes the port that the endpoint mapper registers in addition to the standard dynamic port.

Use Registry Editor to modify the following values on each domain controller to use a restricted port. Member servers are not considered logon servers, so the static port allocation for NTDS has no effect on them.

The member server does have a Netlogon RPC interface, but it is seldom used. Some examples may be remote configuration retrievals, such as "nltest/".

Registry key value 1:


Registry VALUE:TCP/IP Port

Value Type:reg_dword

Value data: (Available port)

Registry key value 2:

You need to restart the computer for the new setting to become effective.

Registry Key 2


Registry Value:dctcpipport

Value Type:reg_dword

Value data: (Available port)

If the last two registry keys are modified, you will need to restart the Netlogon service for the new settings to take effect.


When you use the Dctcpipport registry key and set it to the same port as the "TCP/IP Port" registry key, you receive Netlogon Error event 5809 under NTDS \ parameters. This indicates that the configured port is in use and you should select a different port.

When you have a unique port, you receive the same event, and you restart the Netlogon service on the domain controller. This is done by design and is due to the way the RPC runtime manages its server ports. The port will be used after a reboot, and the event can be ignored.

If any intermediate network devices or software are used to filter packets between domain controllers, the administrator should confirm that communication through the specified port is enabled.

Typically, you must also manually set up the File Replication service (FRS) RPC ports because AD and FRS replication use the same domain controller for replication. The File Replication Service (FRS) RPC port should use a different port.

Do not assume that clients only use the Netlogon RPC service, so you only need to set dctcpipport. Customers also use other RPC services, such as SAMRPC,LSARPC and the Directory Replication Service (DRS) interface. As a result, you should always configure two registry settings and open two ports on the firewall.

Note After you specify a port, you may experience the following known issues:

    • Long logon hours after setting a specific static port for NTDs and Netlogon in a Windows Server R2-based domain environment
    • AD replication fails with RPC issues after you set up a static port for NTDS in a Windows-based domain environment
    • Logon failure After you restrict client RPC to DC communication in Windows Server R2 or Windows Server R2

III, the communication port with the domain controller is summarized:

The following table lists the port requirements for establishing DC-to-DC communication in all versions of Windows sever that start with Windows Server 2003. (additional ports are required for communication between a read-only domain controller (RODC) and a writable DC.) )

Protocols and Ports

AD and AD DS usage

Port type

TCP and UDP 389

directory, replication, user and computer authentication, Group Policy, trust


TCP 636

directory, replication, user and computer authentication, Group Policy, trust


TCP 3268

directory, replication, user and computer authentication, Group Policy, trust


TCP 3269

directory, replication, user and computer authentication, Group Policy, trust


TCP and UDP 88

User and computer authentication, forest-level trusts


TCP and UDP 53

User and computer authentication, name resolution, trust


TCP and UDP 445

replication, user and computer authentication, Group Policy, trust



TCP 25



TCP 135



TCP Dynamic

replication, user and computer authentication, Group Policy, trust


TCP 5722

File copy


UDP 123

Windows Time, trust

Windows time

TCP and UDP 464

replication, user and computer authentication, trust

Kerberos Change/Set Password

UDP Dynamic

Group Policy


UDP 138

DFS, Group Policy

Dfsn,netlogon,netbios Datagram Service

TCP 9389

AD DS Web Service


UDP 67 and UDP 2535


(DHCP is not the core AD DS service, but it often occurs in many AD DS deployments.) )


UDP 137

User and computer authentication,

Netlogon,netbios Name resolution

TCP 139

User and computer authentication, replication

Dfsn,netbios Session service, NetLogon

Windows Server 2016-active Directory Domain Services Port rollup

Alibaba Cloud Hot Products

Elastic Compute Service (ECS) Dedicated Host (DDH) ApsaraDB RDS for MySQL (RDS) ApsaraDB for PolarDB(PolarDB) AnalyticDB for PostgreSQL (ADB for PG)
AnalyticDB for MySQL(ADB for MySQL) Data Transmission Service (DTS) Server Load Balancer (SLB) Global Accelerator (GA) Cloud Enterprise Network (CEN)
Object Storage Service (OSS) Content Delivery Network (CDN) Short Message Service (SMS) Container Service for Kubernetes (ACK) Data Lake Analytics (DLA)

ApsaraDB for Redis (Redis)

ApsaraDB for MongoDB (MongoDB) NAT Gateway VPN Gateway Cloud Firewall
Anti-DDoS Web Application Firewall (WAF) Log Service DataWorks MaxCompute
Elastic MapReduce (EMR) Elasticsearch

Alibaba Cloud Free Trail

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.