Firewall Ports Required to Join AD Domain

To follow up on my previous post on the Firewall Ports Required to Join an AD Domain, I have done some detailed testing and would like to share my findings.

Firewall Rules configured (Tested in My Lab)

Server LAN to Client LAN – only allow ping traffic (ICMP Type 8, Code: 255)

Client LAN to Server LAN – only allow

TCP : 88, 135, 139, 389, 445, 49152-65535 (High Ports)

UDP : 53, 123, 137, 138, 389, 49152-65535 (High Ports)

[Screenshot of the domain-join error]

You will receive the above error if UDP 389 is not open when you try to join the AD domain from Windows 7.

[Screenshot of the domain-join error]

You will receive the above error if TCP 88 is not open.


Without the high ports (49152 to 65535) open, the Windows 7 client can still join the AD domain and log in successfully, with some delay. However, Windows 7 appears to initiate a lot of high-port traffic to the Windows 2012 R2 domain controller, and the firewall drops it.


Group Policy will NOT be applied if the high ports are not open.

To successfully apply Group Policy, a client computer must be able to contact a domain controller over the Kerberos, LDAP, SMB, and RPC protocols.
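As an added example (not from the original post), here is a small Python pre-flight check an administrator can run from the client LAN against a domain controller before attempting the join: it parses the TCP list above, probes each port, and maps any port the firewall silently drops to the symptom observed in the post. The DC name, the probe function and the symptom wording are assumptions; UDP ports (53, 123, 137, 138, 389) are not probed because a UDP connect tells you nothing about a firewall, and the high range is sampled at one port.

```python
import socket

# Client LAN -> Server LAN TCP rules from the post (assumed to be the DC's requirements).
TCP_PORTS = "88, 135, 139, 389, 445, 49152-65535"

# Symptom seen in the lab when a given fixed port is blocked (wording is assumed).
SYMPTOMS = {
    88: "Kerberos (TCP 88) blocked: domain join fails",
    135: "RPC endpoint mapper blocked: Group Policy / RPC fails",
    139: "NetBIOS session blocked: legacy SMB name resolution fails",
    389: "LDAP blocked: DC lookup / join fails",
    445: "SMB blocked: SYSVOL and Group Policy unreachable",
}
HIGH_PORT_SYMPTOM = "RPC high ports blocked: join succeeds slowly but Group Policy is not applied"


def parse_port_spec(spec):
    """'88, 135, 49152-65535' -> [(88, 88), (135, 135), (49152, 65535)]."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port spec: " + item)
        ranges.append((lo, hi))
    return ranges


def tcp_probe(host, port, timeout=2.0):
    """Distinguish a firewall drop from 'nothing listening': a RST means the
    packet got through; silence means it was dropped (or the host is down)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # reachable, no listener: the firewall rule is fine
    except (socket.timeout, OSError):
        return "filtered"     # no answer: most likely dropped by the firewall


def preflight(dc, probe=tcp_probe, sample_high_port=49152):
    """Return [(port, symptom)] for every required TCP port the firewall drops.
    The dynamic range is sampled at one port, since the DC only listens on a few."""
    blocked = []
    for lo, hi in parse_port_spec(TCP_PORTS):
        port = lo if lo == hi else sample_high_port
        if probe(dc, port) == "filtered":
            blocked.append((port, SYMPTOMS.get(port, HIGH_PORT_SYMPTOM)))
    return blocked
```

Run `preflight("dc01.example.test")` (hostname assumed) from the client LAN; an empty list means every TCP rule in the post is passing traffic, while a "refused" result on a high port is expected and not a problem.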