Summary: A comprehensive reference for the firewall rules required to allow Active Directory to function correctly across network boundaries, covering client-to-DC, DC-to-DC replication, trust, and management traffic — including guidance on restricting dynamic RPC port ranges.
Active Directory relies on a broad set of protocols and ports spanning DNS, Kerberos, LDAP, RPC, SMB, and more. When Domain Controllers and clients are separated by a firewall — common in segmented networks, remote branch offices, DMZ scenarios, or cloud environments — every required port must be explicitly permitted.
Incorrectly configured firewall rules are one of the most common causes of intermittent authentication failures, Group Policy not applying, replication errors, and trust issues. This note provides a structured breakdown of all required rules organised by traffic flow.
⚠️ Dynamic RPC Ports
By default, Windows uses a dynamic port range (49152–65535 on modern Windows) for RPC-based AD communications. This is difficult to manage with firewalls. Microsoft supports restricting this to a defined static range — see the RPC section below. This should be done on all DCs before implementing firewall rules in production.
AD traffic flows across three main paths, each with its own port requirements:
```
┌──────────────┐          ┌──────────────────┐          ┌──────────────┐
│  Clients /   │   Auth   │     Domain       │  Repl.   │    Domain    │
│ Workstations │◀────────▶│   Controllers    │◀────────▶│ Controllers  │
│              │          │ (same site/WAN)  │          │ (other site) │
└──────────────┘          └──────────────────┘          └──────────────┘
                                   ▲
                                   │ Management
                                   ▼
                          ┌──────────────────┐
                          │ Admin Workstati- │
                          │ ons / SCCM / NPS │
                          └──────────────────┘
```
These rules must be in place for any client on a different subnet or VLAN from the DC to log in, apply Group Policy, and access AD-integrated services.
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 53 | TCP + UDP | Client → DC | DNS — DC discovery via SRV records |
| 88 | TCP + UDP | Client → DC | Kerberos — TGT and service ticket exchange |
| 389 | TCP + UDP | Client → DC | LDAP — DC Locator (CLDAP), directory queries |
| 636 | TCP | Client → DC | LDAPS — encrypted LDAP (if enabled) |
| 3268 | TCP | Client → DC | Global Catalogue LDAP |
| 3269 | TCP | Client → DC | Global Catalogue LDAPS (if enabled) |
| 445 | TCP | Client → DC | SMB — SYSVOL/NETLOGON access for GPOs |
| 135 | TCP | Client → DC | RPC Endpoint Mapper |
| 49152–65535* | TCP | Client → DC | RPC Dynamic Ports (see note on restricting range) |
| 123 | UDP | Client → DC | NTP — time synchronisation (Kerberos requires clock sync) |
*Restrict this range — see KBA-028 - Restricting RPC Dynamic Port Range on Windows.
These rules are required between all DCs for AD replication to function. Rules should be bidirectional.
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 53 | TCP + UDP | DC ↔ DC | DNS — zone transfers and resolution |
| 88 | TCP + UDP | DC ↔ DC | Kerberos — inter-DC authentication |
| 389 | TCP + UDP | DC ↔ DC | LDAP — replication queries |
| 636 | TCP | DC ↔ DC | LDAPS (if enabled) |
| 3268 | TCP | DC ↔ DC | Global Catalogue |
| 445 | TCP | DC ↔ DC | SMB — SYSVOL/DFS-R replication, NETLOGON |
| 135 | TCP | DC ↔ DC | RPC Endpoint Mapper |
| 49152–65535* | TCP | DC ↔ DC | RPC Dynamic Ports (AD replication, NetLogon, FRS/DFS-R) |
| 123 | UDP | DC ↔ DC | NTP time sync |
| 9389 | TCP | DC ↔ DC | AD Web Services (ADWS) — used by PowerShell AD module |
When trusts exist between domains or forests, the following must be permitted between the DCs of each domain/forest. Rules should be bidirectional.
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 53 | TCP + UDP | DC ↔ DC (trusted) | DNS — name resolution across trust |
| 88 | TCP + UDP | DC ↔ DC (trusted) | Kerberos — cross-realm ticket referrals |
| 389 | TCP + UDP | DC ↔ DC (trusted) | LDAP — trust validation queries |
| 445 | TCP | DC ↔ DC (trusted) | SMB — NetLogon secure channel |
| 135 | TCP | DC ↔ DC (trusted) | RPC Endpoint Mapper |
| 49152–65535* | TCP | DC ↔ DC (trusted) | RPC Dynamic Ports — NetLogon, trust operations |
These rules cover administration of DCs and AD from management workstations or systems such as SCCM, NPS, and RSAT.
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 445 | TCP | Admin → DC | SMB — remote admin, sc.exe, PsExec |
| 135 | TCP | Admin → DC | RPC Endpoint Mapper |
| 49152–65535* | TCP | Admin → DC | RPC Dynamic Ports — remote management |
| 3389 | TCP | Admin → DC | RDP — remote desktop to DC (restrict to jump hosts only) |
| 9389 | TCP | Admin → DC | AD Web Services — PowerShell AD module, ADAC |
| 5985 | TCP | Admin → DC | WinRM HTTP — PowerShell remoting |
| 5986 | TCP | Admin → DC | WinRM HTTPS — PowerShell remoting (encrypted) |
⚠️ Restrict RDP and WinRM Access
TCP 3389 (RDP) and WinRM (5985/5986) to Domain Controllers should be locked down to dedicated jump hosts or PAWs (Privileged Access Workstations) only. Never permit these ports from general client subnets to DCs.
By default, RPC uses a wide dynamic port range (49152–65535). This can be restricted to a narrower range on all DCs to simplify firewall rules.
```powershell
# Platform: PowerShell (run on each DC as Administrator)
# Restrict RPC dynamic ports to a defined range (e.g. 50000–51000)
# This requires a reboot to take effect.
$RpcKey = "HKLM:\SOFTWARE\Microsoft\Rpc\Internet"

# The Internet subkey does not exist by default; create it first or Set-ItemProperty fails
New-Item -Path $RpcKey -Force | Out-Null

# Set the RPC port range (REG_MULTI_SZ; one "start-end" entry per element)
Set-ItemProperty -Path $RpcKey -Name "Ports" -Value @("50000-51000") -Type MultiString
# Tell the RPC runtime to allocate server ports only from the "Ports" list above
Set-ItemProperty -Path $RpcKey -Name "PortsInternetAvailable" -Value "Y" -Type String
Set-ItemProperty -Path $RpcKey -Name "UseInternetPorts" -Value "Y" -Type String

# Read the values back before rebooting
Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts

# Reboot required for changes to take effect
Restart-Computer
```
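After the reboot, confirm the restriction actually took effect before changing any firewall rule. The following check is an added example and not part of the KBA; it reads the configured range back from the registry and compares it against the listening ports owned by lsass.exe and dns.exe (which host the AD, NetLogon, KDC and DNS RPC endpoints). The assumption that any lsass/dns listener above port 5000 is a dynamic RPC endpoint is a heuristic, not something the page states.

```powershell
# Added example, not from the KBA: verify the RPC range restriction after reboot.
$Key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$cfg = Get-ItemProperty -Path $Key -ErrorAction Stop

# "Ports" is REG_MULTI_SZ; this KBA uses a single "start-end" entry
$range = [string]($cfg.Ports | Select-Object -First 1)          # e.g. "50000-51000"
$start, $end = $range -split '-' | ForEach-Object { [int]$_ }
"Configured RPC range: $start-$end (UseInternetPorts=$($cfg.UseInternetPorts))"

# Processes that host the AD RPC endpoints; dns.exe is absent on a DC without the DNS role
$pids = (Get-Process -Name lsass, dns -ErrorAction SilentlyContinue).Id

# Assumption (heuristic): well-known AD ports (88, 389, 636, 3268, 3269, 464) are all
# below 5000, so any higher listener in these processes is a dynamic RPC endpoint.
$dyn = Get-NetTCPConnection -State Listen -OwningProcess $pids |
    Where-Object { $_.LocalPort -gt 5000 } |
    Select-Object -ExpandProperty LocalPort -Unique           # collapses IPv4/IPv6 duplicates

$outside = $dyn | Where-Object { $_ -lt $start -or $_ -gt $end }
if ($outside) {
    "WARNING: RPC listeners outside the configured range: $($outside -join ', ')"
    "Firewall rules built for $start-$end will block these; check the registry values and reboot."
} else {
    "OK: all $($dyn.Count) dynamic RPC listeners are within $start-$end"
}
```

Run it on every DC; a listener outside the range on even one DC means that DC's replication partners will hit the RPC dynamic-port symptom in the troubleshooting table.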
Related RPC hardening settings can also be applied through Group Policy. Navigate to:
Computer Configuration > Administrative Templates > Network > RPC > RPC Endpoint Mapper Client Authentication
And for the port range:
Computer Configuration > Administrative Templates > Network > RPC > Restrictions for Unauthenticated RPC Clients
Summary: Port Range — Choose a range of at least 200–500 ports to ensure sufficient RPC connections are available under load. A range such as 50000–50500 is commonly used. Update your firewall rules to match the chosen range.
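The tables above can be turned directly into host-based rules on each DC so that the segmentation firewall and Windows Defender Firewall enforce the same matrix. The script below is an added example, not part of the KBA: it creates inbound rules from the client-to-DC, DC-to-DC, trust and management tables, scoping each port to the narrowest source set those tables allow (RDP and WinRM only from the admin/PAW subnets). All subnet values are placeholders to replace, and $RpcRange must equal the range configured in the RPC section.

```powershell
# Added example, not from the KBA: build inbound Windows Defender Firewall rules on a DC
# from this KBA's port tables. All subnets below are assumptions; replace with your own.
$ClientSubnets  = @('10.10.0.0/16')                # client / workstation VLANs
$DcSubnets      = @('10.0.1.0/24', '10.0.2.0/24')  # DCs of this forest, all sites
$TrustDcSubnets = @('172.16.5.0/24')               # DCs of trusted domains/forests
$AdminSubnets   = @('10.0.250.0/28')               # jump hosts / PAWs only
$RpcRange       = '50000-51000'                    # must match the restricted RPC range on every DC
$Group          = 'KBA AD Ports'                   # lets the whole set be listed or removed together

$AllDcs = $DcSubnets + $TrustDcSubnets
# One entry per table row. 'From' is the union of every source the tables grant for that port.
$Rules = @(
  @{ Name='DNS';         Proto='TCP','UDP'; Port=53;        From=$ClientSubnets + $AllDcs }
  @{ Name='Kerberos';    Proto='TCP','UDP'; Port=88;        From=$ClientSubnets + $AllDcs }
  @{ Name='LDAP';        Proto='TCP','UDP'; Port=389;       From=$ClientSubnets + $AllDcs }
  @{ Name='LDAPS';       Proto='TCP';       Port=636;       From=$ClientSubnets + $DcSubnets }
  @{ Name='GC LDAP';     Proto='TCP';       Port=3268;      From=$ClientSubnets + $DcSubnets }
  @{ Name='GC LDAPS';    Proto='TCP';       Port=3269;      From=$ClientSubnets }
  @{ Name='SMB';         Proto='TCP';       Port=445;       From=$ClientSubnets + $AllDcs + $AdminSubnets }
  @{ Name='RPC EPM';     Proto='TCP';       Port=135;       From=$ClientSubnets + $AllDcs + $AdminSubnets }
  @{ Name='RPC Dynamic'; Proto='TCP';       Port=$RpcRange; From=$ClientSubnets + $AllDcs + $AdminSubnets }
  @{ Name='NTP';         Proto='UDP';       Port=123;       From=$ClientSubnets + $DcSubnets }
  @{ Name='ADWS';        Proto='TCP';       Port=9389;      From=$DcSubnets + $AdminSubnets }
  @{ Name='WinRM HTTP';  Proto='TCP';       Port=5985;      From=$AdminSubnets }
  @{ Name='WinRM HTTPS'; Proto='TCP';       Port=5986;      From=$AdminSubnets }
  @{ Name='RDP';         Proto='TCP';       Port=3389;      From=$AdminSubnets }
)

foreach ($r in $Rules) {
  foreach ($proto in $r.Proto) {
    $params = @{
      DisplayName   = "AD $($r.Name) $proto/$($r.Port)"
      Group         = $Group
      Direction     = 'Inbound'
      Protocol      = $proto
      LocalPort     = "$($r.Port)"                         # single port or "start-end" range
      RemoteAddress = @($r.From | Select-Object -Unique)   # the source scoping is the whole point
      Action        = 'Allow'
      Profile       = 'Domain'
    }
    New-NetFirewallRule @params | Out-Null
  }
}

# Review what was created; sources not listed here stay blocked by the default inbound policy
Get-NetFirewallRule -Group $Group | Sort-Object DisplayName | Select-Object DisplayName, Enabled, Profile
```

Windows Server also ships a predefined "Active Directory Domain Controller" rule group that allows the same ports from any remote address, so these scoped rules narrow nothing until those predefined rules are scoped to the same subnets or disabled; check them with `Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Controller'`.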
Read-Only Domain Controllers deployed at branch offices have slightly different traffic patterns. The hub DC replicates to the RODC (unidirectional). Clients at the branch authenticate to the RODC locally.
| Rule | Direction | Notes |
|---|---|---|
| All client-to-DC rules | Client → RODC | Same ports as standard client-to-DC |
| Replication from hub DC | Hub DC → RODC | AD replication is unidirectional to RODC |
| RODC password replication | RODC → Hub DC | RODC forwards auth requests for uncached accounts |
| No inbound replication from RODC | — | RODCs never replicate changes back to hub DCs |
| Symptom | Likely Cause | Fix |
|---|---|---|
| "No logon servers available" | DNS (53) or Kerberos (88) blocked to DC | Verify UDP/TCP 53 and 88 are open; run `nltest /dsgetdc:<domain>` |
| GPOs not applying | SMB (445) blocked to DC — SYSVOL unreachable | Open TCP 445 from client to DC; check `gpresult /r` |
| Replication failing between DCs | RPC dynamic ports blocked between DCs | Check `dcdiag` replication errors; verify port 135 and the RPC range are open |
| LDAP queries timing out | TCP/UDP 389 blocked | Test with `Test-NetConnection dc01 -Port 389` |
| Cross-forest auth failing | Trust firewall rules missing | Verify bidirectional rules for 88, 389, 445, 135 and the RPC range between forest DCs |
| AD PowerShell module not connecting | TCP 9389 (ADWS) blocked | Open TCP 9389 from admin host to DC |
| Clock skew Kerberos errors | UDP 123 (NTP) blocked | Permit NTP from clients to DC or NTP source |
```powershell
# Test connectivity to key DC ports from a client or admin host
# Note: Test-NetConnection checks TCP only; UDP-only flows (NTP 123) and the UDP
# side of 53/88/389 cannot be verified this way.
$DC = "dc01.corp.local"
$ports = @(53, 88, 135, 389, 445, 636, 3268, 9389)
foreach ($port in $ports) {
    $result = Test-NetConnection -ComputerName $DC -Port $port -WarningAction SilentlyContinue
    [PSCustomObject]@{
        Port    = $port
        Success = $result.TcpTestSucceeded
    }
}

# Run DCDiag to check replication and connectivity health
dcdiag /test:replications /test:connectivity /v

# Check replication status between DCs
repadmin /replsummary
repadmin /showrepl

# Verify DC discovery is working
nltest /dsgetdc:corp.local

# Check NTP sync status on a DC
w32tm /query /status
```