Enabling Windows Firewall on Windows 2003 Active Directory Domain Controller

Some time ago I discovered that my (two) Active Directory controllers weren’t actually talking to each other too well. After some debugging I found that the local Windows Firewall was enabled on one of the AD controllers and it was basically blocking everything that had to do with AD. So I disabled it and all was well. All servers are located behind a firewall anyway, so the risk was minimal.

Now I thought it was about time to enable the firewall on my AD controllers again. It turns out that, as usual, Microsoft lets the ports flow wild. Three services don't have a fixed port: NTDS (Active Directory replication), NTFRS (File Replication Service) and Netlogon. They register with the RPC endpoint mapper and get a dynamic high port each time they start, so you can't write a port-based rule for them. The local Windows Firewall can allow traffic based on process, but my external firewall can't.

The good news is that you can set fixed ports for these services. This is described in Microsoft Knowledge Base article http://support.microsoft.com/kb/555381.

But who wants to read all that?
Here is the short version:

  1. Set fixed ports in the registry, either by following the knowledge base article or simply by running the .reg-file.
    Note: As always when downloading .reg-files, have a look at it first to see what it actually does.
    Download, unzip, execute the .reg-file and answer yes to the question about importing it.
  2. Reboot the AD controller. NTDS, NTFRS and Netlogon only read the new port values when the service starts.
  3. Enable Windows Firewall and set the following rules:

    Port   Protocol  Name                      Notes
    -      -         File and Printer Sharing  Already exists, must be enabled.
    53     TCP       DNS (TCP)
    53     UDP       DNS (UDP)
    88     TCP       Kerberos (TCP)
    88     UDP       Kerberos (UDP)
    123    UDP       NTP
    389    TCP       LDAP (TCP)
    389    UDP       LDAP (UDP)
    3268   TCP       Global Catalog LDAP
    53211  TCP       AD Replication            Set by the .reg-file.
    53212  TCP       File Replication Service  Set by the .reg-file.
    53213  TCP       NetLogon                  Set by the .reg-file.
    -      -         Remote Desktop            Optional: recommended/required if you access the server remotely.

    Note that if all servers are on the same subnet you can increase security a lot by setting Scope to "My network (subnet) only" on each rule. If the other servers are not on the local subnet you may need to modify Scope.
  4. Repeat on all AD controllers you want to enable the firewall on.
  5. Check the Event Log on the other servers for errors related to enabling the firewall.
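The same procedure as one script, as an added example that is not the post's own .reg-file: it writes the three registry values KB 555381 describes with the port numbers from the list above, then builds the firewall rules with the Windows 2003 "netsh firewall" syntax instead of clicking through the GUI. The port numbers, the SUBNET scope and the TCP 135 rule are my choices; TCP 135 is not in the table above, but RPC clients still ask the endpoint mapper on that port which static port NTDS, NTFRS and Netlogon ended up on, so it is opened here as well.

```batch
@echo off
rem Added example, not the post's .reg-file. Run from cmd on each AD controller
rem (on 2003, as a Domain Admin), then reboot: the services only read the new
rem port values when they start.

rem --- Step 1: pin NTDS, NTFRS and Netlogon to fixed RPC ports ---
rem Same registry values as KB 555381; ports 53211-53213 taken from the post.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"     /v "TCP/IP Port"                /t REG_DWORD /d 53211 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters"    /v "RPC TCP/IP Port Assignment" /t REG_DWORD /d 53212 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v "DCTcpipPort"                /t REG_DWORD /d 53213 /f

rem --- Step 3: firewall exceptions ---
rem SUBNET = "My network (subnet) only". Use scope=ALL or scope=CUSTOM
rem addresses=10.0.0.0/24 (assumed address) when DCs sit on other subnets.
set SCOPE=SUBNET
set PROFILE=ALL

rem Built-in exceptions: File and Printer Sharing (must be on), Remote Desktop (optional).
netsh firewall set service type=FILEANDPRINT  mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=%SCOPE% profile=%PROFILE%

rem Port rules from the table above.
netsh firewall add portopening protocol=TCP port=53    name="DNS (TCP)"                mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=UDP port=53    name="DNS (UDP)"                mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=TCP port=88    name="Kerberos (TCP)"           mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=UDP port=88    name="Kerberos (UDP)"           mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=UDP port=123   name="NTP"                      mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=TCP port=389   name="LDAP (TCP)"               mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=UDP port=389   name="LDAP (UDP)"               mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=TCP port=3268  name="Global Catalog LDAP"      mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=TCP port=53211 name="AD Replication (NTDS)"    mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=TCP port=53212 name="File Replication Service" mode=ENABLE scope=%SCOPE% profile=%PROFILE%
netsh firewall add portopening protocol=TCP port=53213 name="NetLogon"                 mode=ENABLE scope=%SCOPE% profile=%PROFILE%

rem Not in the post's table: the RPC endpoint mapper. Partner DCs and clients
rem query it on TCP 135 to learn which of the static ports above to connect to.
netsh firewall add portopening protocol=TCP port=135   name="RPC Endpoint Mapper"      mode=ENABLE scope=%SCOPE% profile=%PROFILE%

rem --- Turn the firewall on and show what we ended up with ---
netsh firewall set opmode mode=ENABLE
netsh firewall show config

echo.
echo Reboot now. After the reboot, confirm the services listen on the fixed ports:
echo   netstat -ano ^| findstr ":53211 :53212 :53213"
echo and that replication with the other DCs still works (Support Tools):
echo   repadmin /showreps
echo   dcdiag /test:replications
```

The netstat check is the important one: if a service still shows up on a random high port after the reboot, the registry value did not take (wrong hive, wrong value name, or a typo in the port) and the firewall rule for that port is doing nothing. Run the script on every AD controller (step 4) before trusting the Event Logs on the others (step 5).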

Enjoy! 🙂
