Firewall Ports Required to Join AD Domain

To follow up on my previous post on the Firewall Ports Required to Join AD Domain, I did some more detailed testing and would like to share my findings.

Firewall Rules configured (tested in my lab)

Server LAN to Client LAN – only allow ping traffic (ICMP type 8, echo request; code 255 in the rule)

Client LAN to Server LAN – only allow

TCP: 88 (Kerberos), 135 (RPC endpoint mapper), 139 (NetBIOS session), 389 (LDAP), 445 (SMB), 49152-65535 (RPC dynamic high ports)

UDP: 53 (DNS), 123 (NTP), 137 (NetBIOS name), 138 (NetBIOS datagram), 389 (CLDAP, the DC locator "LDAP ping"), 49152-65535 (high ports)

Note that TCP 53 is not in this list. The DNS client falls back to TCP 53 when a response is too large for a UDP packet, so a production rule set should allow it as well.

Screenshot Firewall-01

You will receive the error shown in Firewall-01 if UDP 389 is not open when you try to join the AD domain from Windows 7. The DC locator first sends a CLDAP "LDAP ping" over UDP 389 to find a domain controller; only after that does the client use LDAP over TCP 389.

Screenshot Firewall-02

You will receive the error shown in Firewall-02 if TCP 88 (Kerberos) is not open.

Screenshot Firewall-03

Without the high ports (49152 to 65535) open, Windows 7 can still join the AD domain and log on successfully, with some delay. However, Windows 7 initiates a lot of traffic to high ports on the Windows Server 2012 R2 domain controller, and the firewall drops it (Firewall-03). These are RPC connections: the client asks the endpoint mapper on TCP 135 which dynamic port a service is listening on, then connects to that port in the 49152-65535 range, which is the default dynamic port range on Windows Server 2012 R2.

Screenshot Firewall-04

Group Policy will NOT be applied if the high ports are not open (Firewall-04).

To successfully apply Group Policy, a client computer must be able to contact a domain controller over the Kerberos, LDAP, SMB, and RPC protocols.

https://support.microsoft.com/en-us/kb/832017
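The following PowerShell script is an added example, not code from the original post. It checks each rule in the list above from a machine in the Client LAN, using the protocol that actually runs on each port rather than a plain port probe, so that the UDP entries and the RPC dynamic range are really exercised. The domain and DC names are placeholders. It assumes a Windows 8 / Server 2012 or newer client (Test-NetConnection and Resolve-DnsName are not present on Windows 7) and an account that is allowed to query WMI on the DC, which the dynamic-port check needs.

```powershell
# Check-AdJoinPorts.ps1 - added example, not code from the original post.
# Assumptions: Windows 8 / Server 2012 or newer client (Test-NetConnection and
# Resolve-DnsName come with the NetTCPIP and DnsClient modules), and the account
# running it can query WMI on the DC (needed for the dynamic-port check).
# $Domain and $DC are placeholder names; replace them with your own.
param(
    [string]$Domain = 'corp.example',
    [string]$DC     = 'dc01.corp.example'
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Port, [string]$Proto, [string]$Service, [bool]$Open, [string]$Note) {
    $results.Add([pscustomobject]@{ Port = $Port; Proto = $Proto; Service = $Service; Open = $Open; Note = $Note })
}

# TCP ports from the rule list: a completed handshake proves the port passes the firewall.
$tcpPorts = [ordered]@{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($port in $tcpPorts.Keys) {
    $ok = Test-NetConnection -ComputerName $DC -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Result $port 'TCP' $tcpPorts[$port] $ok ''
}

# UDP has no handshake, so each UDP port is exercised with the protocol that uses it.

# UDP 53: look up the DC locator SRV record directly on the DC
# (Resolve-DnsName uses UDP unless -TcpOnly is given).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DC -ErrorAction SilentlyContinue
Add-Result '53' 'UDP' 'DNS' ([bool]$srv) 'SRV _ldap._tcp.dc._msdcs'

# UDP 123: one NTP sample from the DC; w32tm prints "error:" lines when no reply arrives.
$ntp = & w32tm /stripchart /computer:$DC /samples:1 /dataonly 2>&1
Add-Result '123' 'UDP' 'NTP' (($LASTEXITCODE -eq 0) -and -not ($ntp -match 'error')) ''

# UDP 389: nltest runs the DC locator, which sends the CLDAP "LDAP ping" that fails
# in Firewall-01. /force bypasses the cached DC so the ping is really sent.
# The locator needs DNS (UDP 53) first, so read this result together with the DNS row.
$nl = & nltest /dsgetdc:$Domain /force 2>&1
Add-Result '389' 'UDP' 'CLDAP (DC locator)' (($LASTEXITCODE -eq 0) -and ($nl -match 'completed successfully')) 'depends on DNS'

# 49152-65535: RPC dynamic ports. A remote WMI query goes through DCOM: it asks the
# endpoint mapper on TCP 135 for a dynamic port and then connects to that port, so
# success here means the high ports pass the firewall (the traffic Firewall-03 saw dropped).
# Get-WmiObject is used on purpose: Get-CimInstance defaults to WS-Man (TCP 5985) instead.
$rpcOk = $false
try {
    $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DC -ErrorAction Stop
    $rpcOk = $true
} catch { }
Add-Result '49152-65535' 'TCP' 'RPC dynamic (via DCOM/WMI)' $rpcOk 'needs admin rights on the DC'

# UDP 137/138 (NetBIOS name/datagram) are not probed here; SMB over TCP 445 does not need them.
$results | Format-Table -AutoSize
```

Run it as `.\Check-AdJoinPorts.ps1 -Domain corp.example -DC dc01.corp.example` before joining a client. A false in the `49152-65535` row with `135` true reproduces the Firewall-03 and Firewall-04 findings: the endpoint mapper answers, but the follow-up connection to the dynamic port is dropped, so the client joins but RPC-dependent work such as Group Policy fails.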
