The following lab was prepared to verify the firewall ports required for AD replication between Windows Server 2019 domain controllers.
Components used
- Windows 2019 Server AD Domain Controller (LAB-WIN19 – 10.10.10.200)
- Windows 2019 Server AD Domain Controller (LAB-WIN19A – 172.16.1.200)
- pfSense Firewall with the following interfaces
  - LAN – 10.10.10.1/24
  - OPT1 – 172.16.1.1/24
Firewall Ports Required for AD Replication with RPC High Ports
The following TCP and UDP firewall ports are required for inbound and outbound connections between the two domain controllers.
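As an added check that is not part of the original lab, the script below probes the commonly documented AD replication ports from LAB-WIN19 to LAB-WIN19A through the pfSense rules. The port list is the standard Microsoft-documented set for domain controller to domain controller traffic and is an assumption, not taken from the lab's own table; Test-NetConnection only tests TCP, so the UDP counterparts (DNS 53, Kerberos 88, LDAP 389, NTP 123) are not covered, and the RPC dynamic range is reported by netsh rather than probed port by port.

```powershell
# Added example, not the lab's own code. Run on LAB-WIN19 (10.10.10.200).
$Peer = '172.16.1.200'   # LAB-WIN19A, from the lab topology

# Standard DC-to-DC TCP ports (assumed from Microsoft documentation, not the lab's table).
$AdPorts = @(
    @{ Port = 53;   Role = 'DNS' }
    @{ Port = 88;   Role = 'Kerberos' }
    @{ Port = 135;  Role = 'RPC Endpoint Mapper (replication bootstrap)' }
    @{ Port = 389;  Role = 'LDAP' }
    @{ Port = 445;  Role = 'SMB (SYSVOL share access)' }
    @{ Port = 464;  Role = 'Kerberos password change' }
    @{ Port = 636;  Role = 'LDAPS' }
    @{ Port = 3268; Role = 'Global Catalog' }
    @{ Port = 3269; Role = 'Global Catalog over TLS' }
)

function Test-AdReplicationPorts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][array]$Ports
    )
    foreach ($p in $Ports) {
        # Test-NetConnection performs a TCP connect; a closed firewall rule shows as TcpTestSucceeded = False
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Peer = $ComputerName
            Port = $p.Port
            Role = $p.Role
            Open = $r.TcpTestSucceeded
        }
    }
}

Test-AdReplicationPorts -ComputerName $Peer -Ports $AdPorts | Format-Table -AutoSize

# The RPC dynamic range used by NTDS and DFSR (49152-65535 by default on 2008 and later)
# cannot be probed as a whole; show the local range so the firewall rule can be matched against it.
netsh int ipv4 show dynamicport tcp
```

Any port reported as Open = False while the partner DC is up points at a missing or mis-ordered rule on the LAN or OPT1 interface rather than at AD itself.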
Configuration of Firewall Rules in Pfsense
Allowed traffic from LAN to OPT1
Allowed traffic from OPT1 to LAN
Verification on Both AD Domain Controllers
Ensure that no errors are found in the tests below
- Run repadmin /replsum to verify the AD replication
- Push the changes on one AD DC with repadmin /syncall lab-win19 /APeD
- Manually create a new folder in C:\Windows\SYSVOL\Domain\Scripts; it should sync across both DCs with Distributed File System Replication (DFSR)
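The three verification steps above, scripted as an added example that is not part of the original lab. It assumes it runs on LAB-WIN19 as a Domain Admin, that LAB-WIN19A is the replication partner, and that the domain's DNS name is available from the session (the lab does not state the domain name, so it is read from the environment rather than hard-coded).

```powershell
# Added example, not the lab's own code.
$Partner = 'LAB-WIN19A'          # replication partner from the lab topology
$Domain  = $env:USERDNSDOMAIN    # assumption: the lab's domain name is not given on the page

# 1. Replication status: parse the CSV form of /showrepl instead of reading /replsum by eye
$rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    $failed | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' |
        Format-Table -AutoSize
    Write-Warning 'Replication failures reported; check the pfSense rules before anything else'
} else {
    Write-Host 'repadmin: no replication failures reported'
}

# 2. Force replication of all partitions with this DC, as in the lab (/A all partitions, /P push, /e enterprise, /d show DNs)
repadmin /syncall $env:COMPUTERNAME /APeD
if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin /syncall exited with code $LASTEXITCODE" }

# 3. SYSVOL: create a marker folder locally and wait for DFSR to deliver it to the partner
$marker   = 'fwtest-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
$local    = "C:\Windows\SYSVOL\domain\scripts\$marker"
$remote   = "\\$Partner\SYSVOL\$Domain\scripts\$marker"
New-Item -ItemType Directory -Path $local | Out-Null

$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $seen = Test-Path -Path $remote
} until ($seen -or (Get-Date) -gt $deadline)

if ($seen) {
    Write-Host "DFSR: $marker is visible on $Partner"
} else {
    Write-Warning "DFSR: $marker not visible on $Partner after 5 minutes; check the RPC rules for DFSR"
}

# Remove the marker on the originating DC; DFSR replicates the deletion as well
Remove-Item -Path $local -Recurse -Force
```

A failure in step 1 or 2 with a healthy partner usually means the RPC endpoint mapper or the dynamic range is blocked; a failure only in step 3 points at DFSR, which uses its own RPC endpoint and is the reason the SYSVOL test is kept separate from the repadmin tests.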
Firewall Ports Required for AD Replication with Fixed Ports
We can fix the ports used for AD and SYSVOL replication if the RPC high ports are not allowed through the firewall because of security concerns.
Fixed Port for AD Replication to TCP 50000
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "TCP/IP Port" -Value "50000" -PropertyType Dword
Fixed Port for SysVol Replication to TCP 51000
dfsrdiag staticRPC /port:51000
Restart the AD Domain Controller for the changes to take effect, then change the firewall rule to allow only TCP 50000 and 51000 as below.
Verification that fixed ports are working
Run "netstat | findstr 50000" to list only TCP Port 50,000
AD & SysVol Replication is running via Fixed TCP 50,000 & 51,000 now.
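Beyond grepping netstat, the script below, an added example that is not part of the original lab, checks on each DC that the fixed ports are configured and listening, that the expected services own them (NTDS runs inside lsass.exe, DFSR inside DFSRs.exe), and that no replication connection is still using a port from the dynamic range, which would indicate the partner has not been reconfigured or rebooted yet. It assumes the port values chosen in this lab (50000 for NTDS, 51000 for DFSR) and the default dynamic range start of 49152.

```powershell
# Added example, not the lab's own code. Run on each DC after the reboot.
$NtdsPort = 50000
$DfsrPort = 51000
$Fixed    = @($NtdsPort, $DfsrPort)

# Registry value written earlier; a missing value or 0 means NTDS still picks a dynamic port
$ntdsReg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                            -Name 'TCP/IP Port' -ErrorAction SilentlyContinue
if ($ntdsReg.'TCP/IP Port' -ne $NtdsPort) {
    Write-Warning "NTDS 'TCP/IP Port' is not $NtdsPort; value not set or reboot still pending"
}

# Listening sockets and their owning process
$ExpectedOwner = @{ $NtdsPort = 'lsass'; $DfsrPort = 'DFSRs' }
foreach ($port in $Fixed) {
    $conn = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $conn) { Write-Warning "Nothing is listening on TCP $port"; continue }
    $owner  = (Get-Process -Id $conn.OwningProcess).ProcessName
    $status = if ($owner -eq $ExpectedOwner[$port]) { 'OK' } else { 'UNEXPECTED OWNER' }
    [pscustomobject]@{ Port = $port; Owner = $owner; Expected = $ExpectedOwner[$port]; Status = $status }
}

# Established NTDS/DFSR connections where both ends are in the dynamic range and neither is a
# fixed port: a stray inbound or outbound connection still negotiated via the endpoint mapper.
$replPids = (Get-Process -Name lsass, DFSRs -ErrorAction SilentlyContinue).Id
$stray = Get-NetTCPConnection -State Established |
    Where-Object {
        $_.OwningProcess -in $replPids -and
        $_.LocalPort  -ge 49152 -and $_.RemotePort -ge 49152 -and
        $_.LocalPort  -notin $Fixed -and $_.RemotePort -notin $Fixed
    }
if ($stray) {
    Write-Warning 'Replication connections still using dynamic RPC ports:'
    $stray | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
        Format-Table -AutoSize
} else {
    Write-Host 'No replication connections on dynamic RPC ports'
}
```

The DFSR static port set with dfsrdiag is not read back from the registry here; the listener check on 51000 owned by DFSRs is the reliable confirmation that the setting survived the reboot.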
Reference Links