Appendix A: List of Ports
Applies To: Windows Server 2003 with SP1
The following tables shows the list of ports that you must open before you set up trusts.
| Scenario | Outbound Ports | Inbound Ports | From - To |
|---|---|---|---|
Trust setup on both sides from the internal forest |
LDAP (389 UDP and TCP) Microsoft SMB (445 TCP) Kerberos (88 UDP) Endpoint resolution portmapper (135 TCP) Netlogon fixed port |
Internal domain domain controllers External domain domain controllers (all ports) |
|
Trust validation from the internal forest domain controller to the external forest domain controller (outgoing trust only) |
LDAP (389 UDP) Microsoft SMB (445 TCP) Endpoint resolution portmapper (135 TCP) Netlogon fixed port |
Internal domain domain controllers External domain domain controllers (all ports) |
|
Object picker on the external forest to add objects that are in internal forest to groups and DACLs |
LDAP (389 UDP and TCP) Windows NT Server 4.0 directory service fixed port Netlogon fixed port Kerberos (88 UDP) Endpoint resolution portmapper (135 TCP) |
External server Internal domain PDCs (Kerberos) External domain domain controllers Internal domain domain controllers (Netlogon) |
|
Setup trust on the external forest from the external forest |
LDAP (389 UDP and TCP) Microsoft SMB (445 TCP) Kerberos (88 UDP) |
External domain domain controllers Internal domain domain controllers (all ports) |
|
Kerberos authentication (internal forest client to external forest) |
Kerberos (88 UDP) |
Internal client External domain domain controllers (all ports) |
|
NTLM authentication (internal forest client to external forest) |
Endpoint resolution portmapper (135 TCP) Netlogon fixed port |
External domain domain controllers Internal domain domain controllers (all ports) |
|
Domain join from internal computer to external domain |
LDAP (389 UDP and TCP) Microsoft SMB (445 TCP) Kerberos (88 UDP) Endpoint resolution portmapper (135 TCP) Netlogon fixed port Windows NT Server 4.0 directory service fixed port |
Internal client External domain domain controllers (all ports) |
Configure the following keys to specify the services that you want to run on a fixed port:
LSA(Local Security Authority) RPC port (same as NTDS fixed port) used for trust creation and other access to the LSA Policy database TCP/IPPortentry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key.
Netlogon RPC port used for NTLM, Trust channel DCTcpipPort entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key.