This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I need help understanding how to manually set the Windows Firewall for all Domain Controllers with Advanced Security capabilities by enabling the Active Directory Domain Services and Active Directory Web Services rule groups.
According to this official article from Microsoft: Service overview and network port requirements - Windows Server | Microsoft Learn
There are Port 49152-65535 – RPC Ephemeral Ports how do I ensure these ports are not blocked by the Windows Firewall?
Any assistance and clarity would be highly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
When you enable windows firewall , you should be sure that all ports required for domain controller are opened, for more information you can refer to the following link :
How to configure a firewall for Active Directory domains and trusts
Please don't forget to accept helpful answer
Hi @Thameur-BOURBITA ,
I assume after clicking the [Use recommended settings] button, the Firewall will be enabled automatically for all 3 profiles for my domain controllers.
and because nothing is blocking from the below command result, so it will be OK?
Get-NetFirewallRule : No matching MSFT_NetFirewallRule objects found by CIM query for instances of the root/standardcimv2/MSFT_NetFirewallRule class on the CIM server: SELECT * FROM
MSFT_NetFirewallRule WHERE ((Enabled = 1)) AND ((Direction = 2)) AND ((Action = 4)). Verify query parameters and retry.
At line:2 char:5
+ Get-NetFirewallRule -Action Block -Enabled True -Direction Outbou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (MSFT_NetFirewallRule:String) [Get-NetFirewallRule], CimJobException
+ FullyQualifiedErrorId : CmdletizationQuery_NotFound,Get-NetFirewallRule
Get-NetFirewallRule : No matching MSFT_NetFirewallRule objects found by CIM query for instances of the root/standardcimv2/MSFT_NetFirewallRule class on the CIM server: SELECT * FROM
MSFT_NetFirewallRule WHERE ((Enabled = 1)) AND ((Direction = 1)) AND ((Action = 4)). Verify query parameters and retry.
At line:8 char:5
+ Get-NetFirewallRule -Action Block -Enabled True -Direction Inboun ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (MSFT_NetFirewallRule:String) [Get-NetFirewallRule], CimJobException
+ FullyQualifiedErrorId : CmdletizationQuery_NotFound,Get-NetFirewallRule
You should check if the default rules allows all required ports for domain controllers.
When you add new roles on windows server a firewall rule will be created automatically during the roles installation to allow all required ports.
You should check if all rules required for domain controllers alreday exist on your domain controller before enable recommened settings just to avoid any incident. You can also make network trace to check which ports used by the server. In a big and complex envirement this kind of action should be well prepared
Please don't forget to accept helpful answer
Just checking if there is any progress ?
Please don't forget to accept helpful answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello EnterpriseArchitect,
Thank you for posting in Q&A forum.
You can check if these ports are blocked or not by the Windows Firewall based on the way in the following link.
https://www.itechtics.com/check-windows-firewall-blocking-ports/
Also, here is a similar thread with method for your reference.
https://serverfault.com/questions/26564/how-to-check-if-a-port-is-blocked-on-a-windows-machine
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Thank you @daisy zhou ,
Based on your suggestion, does the logging can only be retrieved when the Firewall rule is enabled?
how can I get the firewall log without blocking or activating the rules first?