Windows firewall exceptions for a domain trust

jpcapone 1,776 Reputation points
2024-03-06T21:02:09.0466667+00:00

If I have two disparate domains and I need to deploy a domain trust, do I need to create exceptions for the required network ports on the Windows Server firewall of every domain controller?

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other

Accepted answer
  1. Yanhong Liu 14,195 Reputation points Microsoft External Staff
    2024-03-07T06:16:12+00:00

    Hello jpcapone,

    Thank you for posting in Q&A forum.

    Yes, when you deploy a domain trust between two different domains, you usually need to open some specific network ports on the firewall of each domain controller to allow the necessary communication between the two domains. This is because domain trust involves authentication, authorization, and synchronization of directory service information, which requires the use of protocols such as Kerberos, LDAP, DNS, and others. Here are some common port requirements:

    Kerberos Protocol:

    - TCP/UDP port 88 (Kerberos Key Distribution Center (KDC) service)

    Lightweight Directory Access Protocol (LDAP):

    - TCP/UDP port 389 (LDAP)
    - TCP port 636 (LDAPS, if SSL encryption is used)

    DNS Services:

    - UDP port 53 (DNS lookup)
    - TCP port 53 (for zone transfer or update)

    SMB Ports:

    - 445/TCP: SMB (for file sharing)

    W32Time Port:

    - 123/UDP: W32Time (for time synchronization)

    In order to ensure that the domain trust is working properly and that there is valid communication between the two domains, an exception or allow rule should be created in the firewall for the above ports; in addition, the trust relationship between the two domains (and the forest trust relationship) must be configured correctly, and DNS resolution must be correct.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Yanhong Liu


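The following PowerShell script is an added example, not part of Yanhong Liu's answer or any Microsoft documentation. It turns the port list above into inbound Windows Firewall rules on a domain controller, scoped so that only the partner domain's domain controllers may reach those ports rather than any host on the network. `$PartnerDomain` and the addresses in `$PartnerDcs` are placeholders you replace with your own values; the script must be run elevated on each DC of the local domain (and its mirror image on each DC of the partner domain).

```powershell
# Added example: create inbound firewall rules for the ports listed in the
# accepted answer, restricted to the partner domain's DC addresses.
# Assumptions: run as administrator on a DC; values below are placeholders.

$PartnerDomain = 'partner.example'               # placeholder, replace
$PartnerDcs    = @('192.0.2.10', '192.0.2.11')   # placeholder partner DC IPs, replace
$RuleGroup     = "Domain Trust - $PartnerDomain"

# Port list exactly as given in the answer: protocol, port, purpose
$TrustPorts = @(
    @{ Protocol = 'TCP'; Port = 88;  Name = 'Kerberos' },
    @{ Protocol = 'UDP'; Port = 88;  Name = 'Kerberos' },
    @{ Protocol = 'TCP'; Port = 389; Name = 'LDAP' },
    @{ Protocol = 'UDP'; Port = 389; Name = 'LDAP' },
    @{ Protocol = 'TCP'; Port = 636; Name = 'LDAPS' },
    @{ Protocol = 'TCP'; Port = 53;  Name = 'DNS' },
    @{ Protocol = 'UDP'; Port = 53;  Name = 'DNS' },
    @{ Protocol = 'TCP'; Port = 445; Name = 'SMB' },
    @{ Protocol = 'UDP'; Port = 123; Name = 'W32Time' }
)

foreach ($p in $TrustPorts) {
    $displayName = "$RuleGroup - $($p.Name) $($p.Protocol)/$($p.Port) in"

    # Idempotent: skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$displayName' already exists, skipping"
        continue
    }

    # -RemoteAddress limits the exception to the partner DCs; -Profile Domain keeps
    # it off any interface that is not in the domain-joined profile.
    New-NetFirewallRule -DisplayName $displayName `
        -Group         $RuleGroup `
        -Direction     Inbound `
        -Action        Allow `
        -Protocol      $p.Protocol `
        -LocalPort     $p.Port `
        -RemoteAddress $PartnerDcs `
        -Profile       Domain | Out-Null
}

# Review what is now in place for this trust
Get-NetFirewallRule -Group $RuleGroup |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

Grouping the rules under one `-Group` name makes them easy to audit or remove together later (`Get-NetFirewallRule -Group ...`). The table encodes only the ports the answer lists; anything further that the Microsoft document linked in the other answer requires for your trust type has to be added to `$TrustPorts`.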

1 additional answer

  1. Marcin Policht 49,715 Reputation points MVP Volunteer Moderator
    2024-03-06T23:59:56.8633333+00:00

    In general, you should, unless you know your AD environment very well and can determine which domain controllers are communicating with each other. That, however, might change anyway due to a domain controller failure or an intermittent issue that alters that communication.

    Details at https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/config-firewall-for-ad-domains-and-trusts


    hth
    Marcin

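Marcin's point is that trust traffic can land on any DC pair, so a rule set tested against one pair says little about the rest. The PowerShell below is an added example, not part of his answer or the linked Microsoft article: it enumerates every domain controller in both domains and probes, from each local DC, the TCP ports named in the accepted answer on each partner DC, so gaps show up before a failover exposes them. It assumes the ActiveDirectory RSAT module is installed, WinRM is enabled on the local DCs, and `$PartnerDomain` is a placeholder you replace. `Test-NetConnection` only probes TCP, so the UDP ports (88, 389, 53, 123) are not covered by this check.

```powershell
# Added example: verify DC-to-DC reachability across all DCs in both domains for
# the TCP ports listed in the accepted answer. Assumptions: ActiveDirectory
# module available, WinRM enabled on local DCs, $PartnerDomain is a placeholder.

Import-Module ActiveDirectory

$LocalDomain   = (Get-ADDomain).DNSRoot
$PartnerDomain = 'partner.example'     # placeholder, replace

# TCP ports from the accepted answer (UDP cannot be probed with Test-NetConnection)
$TcpPorts = @(88, 389, 636, 53, 445)

# Every DC on both sides, not a hand-picked subset: a DC failure can route
# trust traffic through a pair you did not plan for.
$localDcs   = Get-ADDomainController -Filter * -Server $LocalDomain   |
              Select-Object -ExpandProperty HostName
$partnerDcs = Get-ADDomainController -Filter * -Server $PartnerDomain |
              Select-Object -ExpandProperty HostName

# Run the probe on each local DC so the test reflects that DC's own path and
# firewall view, not just the machine you happen to be sitting on.
$results = Invoke-Command -ComputerName $localDcs -ArgumentList $partnerDcs, $TcpPorts -ScriptBlock {
    param($targets, $ports)
    foreach ($dc in $targets) {
        foreach ($port in $ports) {
            $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Source = $env:COMPUTERNAME
                Target = $dc
                Port   = $port
                Open   = $t.TcpTestSucceeded
            }
        }
    }
}

$results | Sort-Object Source, Target, Port |
    Format-Table Source, Target, Port, Open -AutoSize

# Anything closed is either a missing firewall exception on that DC pair or a
# routing/DNS problem, and will only surface when that pair is used for trust traffic.
$gaps = $results | Where-Object { -not $_.Open }
if ($gaps) {
    Write-Warning ("{0} DC-to-port paths are closed; review the list above." -f @($gaps).Count)
}
```

Run it again after changing rules, and run the mirror image from the partner domain: the trust needs both directions open, and each side's firewall is checked only from that side.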
