Published 2023-06-24 (author: )
Ports used for domain client logon
Which ports must be open for a domain user to log on and talk to the domain controller? The company firewall is applying ACLs; which ports need to be opened so that an ordinary user can log on to the domain with a domain account?
Reply: From your earlier description, you want to set up a firewall in a domain environment and need to know which ports to open so that domain users can keep communicating normally. In a domain environment the traffic between a client and a domain controller is complex: time synchronization, DNS queries, Global Catalog lookups, Kerberos authentication and so on. If the firewall is configured incorrectly, the secure channel between the client and the domain controller can fail, users cannot log on to the domain, and users cannot access domain resources on domain member computers (for example file or printer shares).
Usually we open the following ports and their corresponding services:
Port          Service
123/UDP       W32Time
138/UDP       NetBIOS
389/TCP/UDP   LDAP
3268/TCP      LDAP GC
53/TCP/UDP    DNS
88/TCP/UDP    Kerberos
For the detailed configuration, and to keep your enterprise environment running properly, we recommend that you test against the following article before deploying it to your production environment:
How to configure the Windows Server 2003 SP1 firewall for a domain controller
/kb/555381/zh-cn
In addition, for Active Directory to work correctly through a firewall, Internet Control Message Protocol (ICMP) must be allowed through the firewall from the clients to the domain controllers so that the clients can receive Group Policy information. ICMP is used to determine whether the link is a slow link or a fast link.
Dean Zhou
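As an added example that is not part of Dean Zhou's answer or of the KB article it points to, here is a small Python probe a practitioner can run from a client to check the ports in the table above against one domain controller through the firewall ACL. TCP ports get a plain connect. For UDP a connect proves nothing, so 53/UDP is tested with a real DNS SRV query for the DC locator record and 123/UDP with a real SNTP client packet, and the remaining UDP ports are reported as closed only when an ICMP port-unreachable comes back; silence there means "open or filtered". The host name dc01.corp.example and the domain corp.example are placeholders.

```python
"""Probe the domain-logon ports from a client toward one domain controller.

Added example; the host and domain names used at the bottom are placeholders.
"""
import socket
import struct

# Ports from the table above: (port, protocol, what the client uses it for).
LOGON_PORTS = [
    (53, "udp", "DNS (DC locator SRV lookups)"),
    (53, "tcp", "DNS (large responses)"),
    (88, "tcp", "Kerberos"),
    (88, "udp", "Kerberos"),
    (123, "udp", "W32Time / NTP"),
    (138, "udp", "NetBIOS datagram"),
    (389, "tcp", "LDAP"),
    (389, "udp", "LDAP (CLDAP DC ping)"),
    (3268, "tcp", "Global Catalog LDAP"),
]


def ntp_client_packet() -> bytes:
    """48-byte SNTP request: first byte LI=0, VN=4, Mode=3 (client) -> 0x23."""
    return bytes([0x23]) + bytes(47)


def dns_query(name: str, qtype: int = 33, txn_id: int = 0x1234) -> bytes:
    """Wire-format DNS query. QTYPE 33 = SRV, the record type a client uses to
    locate a DC (_ldap._tcp.dc._msdcs.<domain>). Flags 0x0100 = RD set."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS 1 = IN


def dns_reply_matches(reply: bytes, txn_id: int = 0x1234) -> bool:
    """True when `reply` is a DNS response (QR bit set) to our transaction id."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack(">HH", reply[:4])
    return rid == txn_id and bool(flags & 0x8000)


def ntp_reply_ok(reply: bytes) -> bool:
    """A server answer is 48 bytes with Mode=4 in the low three bits of byte 0."""
    return len(reply) >= 48 and (reply[0] & 0x07) == 4


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect; False on refusal, timeout or unreachable host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_probe(host: str, port: int, payload: bytes, timeout: float = 2.0):
    """Return the reply bytes, b"" if ICMP port-unreachable came back (closed),
    or None on silence (open or filtered: UDP cannot tell those two apart)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # a connected UDP socket surfaces ICMP errors
        try:
            s.send(payload)
            return s.recv(512)
        except (ConnectionRefusedError, ConnectionResetError):
            return b""  # Linux raises Refused, Windows raises Reset (WSAECONNRESET)
        except OSError:
            return None


def probe_dc(dc: str, domain: str) -> dict:
    """Map 'port/proto' -> True (works), False (closed / no valid answer) or
    None (no reply to a content-free datagram, so open or filtered)."""
    results = {}
    for port, proto, _ in LOGON_PORTS:
        key = f"{port}/{proto}"
        if proto == "tcp":
            results[key] = tcp_open(dc, port)
        elif port == 53:  # DNS must answer, so anything but a valid reply is a failure
            r = udp_probe(dc, 53, dns_query(f"_ldap._tcp.dc._msdcs.{domain}"))
            results[key] = bool(r) and dns_reply_matches(r)
        elif port == 123:  # same for time sync: Kerberos needs the clock in skew
            r = udp_probe(dc, 123, ntp_client_packet())
            results[key] = bool(r) and ntp_reply_ok(r)
        else:  # 88/udp, 389/udp, 138/udp: no cheap stateless probe, so only
            r = udp_probe(dc, port, b"")  # distinguish closed from unknown
            results[key] = False if r == b"" else None
    return results


if __name__ == "__main__":
    for k, v in probe_dc("dc01.corp.example", "corp.example").items():
        state = "ok" if v else ("CLOSED" if v is False else "no reply (open|filtered)")
        print(f"{k:10} {state}")
```

The probe does not cover the ICMP requirement from the answer (a raw ICMP socket needs administrator rights); a plain ping from the client to the DC covers that. On a domain-joined Windows client, nltest /sc_verify:<domain> is the end-to-end check that the secure channel actually works once the ports are reachable.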
—gnaw0725 /kb/555381/zh-cn
How to configure Windows Server 2003 SP1 firewall for a Domain Controller
Article ID: 555381
Author: Bruce Sanderson MVP
SUMMARY
A Windows Server 2003 SP1 Domain Controller does not function correctly when the Windows
Firewall is enabled. The computer may fail to act as a Domain Controller or replication of some
Active Directory objects (e.g. GPOs) may not get replicated.
SYMPTOMS
Symptoms might include:
1. client computers cannot establish secure connections with the Domain Controller
2. users cannot log on at client computers with domain user accounts
3. users cannot access domain resources (e.g. file or printer shares) on domain member computers
4. a computer that is promoted to be a Domain Controller fails to function as a Domain Controller
5. in the File Replication Service Event Log, Event ID 13508 "The File Replication Service is having trouble enabling replication from …" appears without a subsequent Event ID 13509 "The File Replication Service has enabled replication from …" or 13516 "The File Replication Service is no longer preventing the computer … from becoming a domain controller."
6. on a computer that is promoted to be a Domain Controller, the SYSVOL and NETLOGON shares are not present
7. on a computer that is promoted to be a Domain Controller, the %systemroot%\SYSVOL\domain\Policies folder does not get populated from another Domain Controller
CAUSE
The Windows Server 2003 SP1 Firewall, either on this computer or the other Domain
Controller(s), is preventing client access to the Active Directory or preventing Active Directory
replication.
RESOLUTION
Configure the Active Directory (AD) Replication & File Replication Service (FRS) to use specific
TCP/IP ports for replication (see References below for relevant Knowledgebase articles) and
configure the firewall to allow incoming connections to the required programs and ports.
1. Configure AD and FRS to use a specific port
a. select two TCP port numbers to be used (e.g. 53211 and 53212) that are not being used by anything on any of the Domain Controllers. You can use any number between 49152 and 65535. The command netstat -a -o -n lists all of the ports currently open, but it cannot list ports that might be used by applications or services that are not currently running (see Knowledgebase article 832017 for the ports used by Windows Server). See References below for the URL of the definitive source for port number information.
b. on all Domain Controllers in the Forest, add the following two registry values with regedit (or use a .reg file - see References below)
i. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port - DWORD containing the selected TCP port number for AD replication (e.g. 53211 = 0xcfdb)
ii. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\RPC TCP/IP Port Assignment - DWORD containing the selected TCP port number for FRS (e.g. 53212 = 0xcfdc)
2. Configure the Windows Server 2003 SP1 Windows Firewall for use on a Domain
Controller. You can add the required settings to the Default Domain Controller Group Policy
Object (GPO), or create a new GPO and link it to the Domain Controllers container. The Group
Policy Management Console is the recommended tool for this (see /downloads/?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en).
Note: After promotion to being a Domain Controller the computer will restart; after this first
restart, the computer will use the Windows Firewall's Domain Profile. After the first replication
completes successfully and the computer is restarted, the Domain Controller will use the Windows
Firewall's Standard Profile. So, to avoid problems, make the Domain and Standard profiles for
Domain Controllers identical.
In the following, only items specifically related to correct functioning of a Domain Controller are
listed; unlisted items can be set to any value desired. For example, it may be useful to have the
Allow Remote Desktop exception set to Enabled so the Domain Controller can be administered
remotely, which is common in large installations where Domain Controllers are remotely located.
a. Windows Firewall: Protect all network connections - Enabled
b. Windows Firewall: Allow remote administration exception - Enabled (opens ports 135 and 445, which are both required for Domain Controllers)
c. Windows Firewall: Allow file and printer sharing exception - Enabled
d. Windows Firewall: Define port exceptions - Enabled (in the list of port exceptions below, the * indicates that incoming requests from any IP address will be accepted. Other values are possible - see the text on the Setting tab in Group Policy Editor for details; for example, localsubnet may be applicable in some circumstances). The strings below are exactly what needs to be in the list of port exceptions.
123:udp:*:enabled:NTP
3268:tcp:*:enabled:Global Catalog LDAP
389:tcp:*:enabled:LDAP
389:udp:*:enabled:LDAP
53:tcp:*:enabled:DNS
53:udp:*:enabled:DNS
53211:tcp:*:enabled:AD Replication (Note: use the port number selected in 1.b.i above)
53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in 1.b.ii above)
88:tcp:*:enabled:Kerberos
88:udp:*:enabled:Kerberos
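The whole procedure above (pick two unused ports in the dynamic range, write the two DWORD values from step 1.b, and build the port-exception strings from step 2.d), as an added Python helper that is not part of the KB article: it parses the output of netstat -a -o -n, rejects ports already in use, emits the .reg file the KB mentions and prints the exception strings in the exact port:proto:scope:enabled:name form. The embedded netstat lines are a constructed sample and the starting port 53211 is only the KB's own example; feed it the real netstat output from every DC in the forest, and remember that netstat cannot see ports belonging to services that are stopped at the time.

```python
"""Choose static RPC ports for AD and FRS replication and generate the matching
registry values and Windows Firewall port-exception strings.

Added example; SAMPLE_NETSTAT is a constructed stand-in for real output.
"""
import re

DYNAMIC_RANGE = range(49152, 65536)  # IANA dynamic/private ports, as the KB says

# Constructed sample of `netstat -a -o -n` output on a DC (Windows format).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       560
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       560
  TCP    0.0.0.0:53211          0.0.0.0:0              LISTENING       1712
  TCP    192.0.2.10:49158       192.0.2.25:445         ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1040
"""


def listening_tcp_ports(netstat_text: str) -> set:
    """Local TCP ports that appear in any state in netstat output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def choose_static_ports(used: set, start: int = 53211, count: int = 2) -> list:
    """First `count` ports >= start in the dynamic range that are not in `used`.
    `used` should be the union of the netstat results from every DC."""
    if start not in DYNAMIC_RANGE:
        raise ValueError("start must lie in 49152-65535")
    chosen = []
    for p in range(start, DYNAMIC_RANGE.stop):
        if p not in used:
            chosen.append(p)
            if len(chosen) == count:
                return chosen
    raise RuntimeError("no free ports left in the dynamic range")


def reg_file(ad_port: int, frs_port: int) -> str:
    """.reg content for step 1.b: two DWORDs, written in hex as regedit exports them."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]" "\r\n"
        f'"TCP/IP Port"=dword:{ad_port:08x}\r\n\r\n'
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters]" "\r\n"
        f'"RPC TCP/IP Port Assignment"=dword:{frs_port:08x}\r\n'
    )


# The fixed entries from step 2.d; the two replication ports are appended.
FIXED_EXCEPTIONS = [
    (123, "udp", "NTP"),
    (3268, "tcp", "Global Catalog LDAP"),
    (389, "tcp", "LDAP"),
    (389, "udp", "LDAP"),
    (53, "tcp", "DNS"),
    (53, "udp", "DNS"),
    (88, "tcp", "Kerberos"),
    (88, "udp", "Kerberos"),
]


def port_exceptions(ad_port: int, frs_port: int, scope: str = "*") -> list:
    """Strings in the port:proto:scope:enabled:name form the GPO setting expects.
    scope "*" accepts any source; "localsubnet" is the tighter alternative."""
    entries = FIXED_EXCEPTIONS + [
        (ad_port, "tcp", "AD Replication"),
        (frs_port, "tcp", "File Replication Service"),
    ]
    return [f"{p}:{proto}:{scope}:enabled:{name}" for p, proto, name in entries]


if __name__ == "__main__":
    used = listening_tcp_ports(SAMPLE_NETSTAT)
    ad, frs = choose_static_ports(used)  # 53211 is taken in the sample, so 53212/53213
    print(reg_file(ad, frs))
    print("\n".join(port_exceptions(ad, frs, scope="localsubnet")))
```

Import the resulting .reg file on every DC in the forest before changing the GPO, and keep the Domain and Standard firewall profiles identical as the note above explains; otherwise the DC will work until its first post-replication restart and then silently switch to a profile without the exceptions.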
MORE INFORMATION
As explained in KB article 832017, Active Directory replication and the File Replication Service by default use a randomly selected port for Remote Procedure Calls (RPC). Incoming connections on such a random port number will be blocked by the firewall. The simplest solution to this issue is to configure these functions to use a specific port, as described in KB articles 224196 and 319553.
References:
//kb/832017 - Documents the services and ports (UDP and TCP) used for various purposes by Windows Server
//kb/224196 - Restricting Active Directory replication traffic to a specific port
/kb/319553 - How to restrict FRS replication traffic to a specific static port
/assignments/port-numbers - Definitive source for assigned port numbers. Includes this statement: "The Dynamic and/or Private Ports are those from 49152 through 65535"
Posted by: admin. Please credit the source when reposting: http://www.yc00.com/xiaochengxu/1687577013a21566.html