Firewall Ports Required for AD Replication

Please refer to the lab prepared to verify the Firewall Ports Required for AD Replication in Windows 2019 AD Server

Components used

  1. Windows 2019 Server AD Domain Controller (LAB-WIN19 –
  2. Windows 2019 Server AD Domain Controller (LAB-WIN19A –
  3. Pfsense Firewall with the following
  • LAN –
  • OPT1 –

Firewall Ports Required for AD Replication with RPC High Ports

The following TCP & UDP Firewall Ports are required for inbound & outbound connections

  • TCP 53 (DNS)
  • TCP 88 (Kerberos Key Distribution Center)
  • TCP 135 (Remote Procedure Call)
  • TCP 139 (NetBIOS Session Service)
  • TCP 389 (LDAP)
  • TCP 445 (SMB, Net Logon)
  • TCP 464 (Kerberos Password)
  • TCP 3268 (Global Catalog)
  • TCP 49152 – 65535 (Randomly Allocated High Ports)
  • UDP 53 (DNS)
  • UDP 123 (NTP)
  • UDP 389 (LDAP)
  • UDP 445
  • UDP 464

Configuration of Firewall Rules in Pfsense

Allowed traffics from LAN to OPT1

firewall ports required for AD replication

Allowed traffics from OPT1 to LAN

Verification on Both AD Domain Controllers

Ensure that there is no error found for the test below

  1. Run repadmin /replsum to verify the AD replication
  2. Push the changes on 1 AD DC with repadmin /syncall lab-win19 /APeD
  3. Manually create a new Folder in C:\Windows\SYSVOL\Domain\Scripts and it should sync across both DC with Distributed File System Replication (DFSR)

Firewall Ports Required for AD Replication with Fixed Ports

We can fixed the firewall ports used for AD & SysVol Replication if RPC high ports are NOT allowed due to security concern

Fixed Port for AD Replication to TCP 50000

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "TCP/IP Port" -Value ”50000”  -PropertyType Dword

Fixed Port for SysVol Replication to TCP 51000

dfsrdiag staticRPC /port:51000

Restart AD Domain Controller for the changes to take affected and change the firewall rule to allow only TCP 50,000 & 51,000 as below

Verification that fixed ports are working

Run "netstat | findstr 50000" to list only TCP Port 50,000

AD & SysVol Replication is running via Fixed TCP 50,000 & 51,000 now.

Reference Links


Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top