Excerpted from: http://support.microsoft.com/kb/555381
A domain controller needs the following ports open (each entry is port:protocol:scope:state:service):
123:udp:*:enabled:NTP
3268:tcp:*:enabled:Global Catalog LDAP
389:tcp:*:enabled:LDAP
389:udp:*:enabled:LDAP
53:tcp:*:enabled:DNS
53:udp:*:enabled:DNS
53211:tcp:*:enabled:AD Replication
53212:tcp:*:enabled:File Replication Service
88:tcp:*:enabled:Kerberos
88:udp:*:enabled:Kerberos
Assigning fixed ports to AD replication
1. Configure AD and FRS to use a specific port
a. Select two TCP port numbers to be used (e.g. 53211 and 53212) that are not being used by anything on any of the Domain Controllers. You can use any number between 49152 and 65535. The command netstat -a -o -n will list all of the ports currently open, but cannot list ports that might be used by applications or services that are not currently running (see Knowledgebase article 832017 for ports used by Windows Server). See References below for the URL of the definitive source for port number information.
b. On all Domain Controllers in the Forest, add the following two registry values with regedit (or use a .reg file, see References below):
i. HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port
   DWORD containing the selected TCP port number for AD replication (e.g. 53211, which is cfdb in hex)
ii. HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\RPC TCP/IP Port Assignment
   DWORD containing the selected TCP port number for FRS (e.g. 53212, which is cfdc in hex)
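The steps above, as an added PowerShell example that is not part of the KB article: it validates the chosen ports against the allowed range, checks that nothing on the local DC is already using them (the same check the article does with netstat), and writes the two DWORD values with exactly the paths and value names the article gives. It assumes the article's sample ports 53211 and 53212, and that it is run elevated on each DC; the FRS value only matters on domains whose SYSVOL is still replicated by FRS rather than DFSR.

```powershell
# Added example, not from the KB article. Sets fixed TCP ports for AD replication
# (NTDS) and FRS on the local domain controller. Run elevated on every DC in the forest.
# Assumed defaults: 53211 (0xCFDB) for AD replication, 53212 (0xCFDC) for FRS.
param(
    [ValidateRange(49152, 65535)][int]$AdReplPort = 53211,
    [ValidateRange(49152, 65535)][int]$FrsPort    = 53212
)

if ($AdReplPort -eq $FrsPort) { throw 'AD replication and FRS must use different ports.' }

function Test-PortFree {
    param([int]$Port)
    # Equivalent of the article's 'netstat -a -o -n' check: any listener or connection
    # bound to the port means it is taken. Like netstat, this cannot see ports that a
    # currently stopped service would bind when it starts.
    $inUse = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue
    return (-not $inUse)
}

foreach ($p in $AdReplPort, $FrsPort) {
    if (-not (Test-PortFree -Port $p)) {
        throw "TCP port $p is already in use on $env:COMPUTERNAME; pick another port."
    }
}

# Registry paths and value names are exactly those given in the article.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';  Name = 'TCP/IP Port';                Value = $AdReplPort }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'; Name = 'RPC TCP/IP Port Assignment'; Value = $FrsPort }
)

foreach ($s in $settings) {
    # DWord matches the type the article specifies; -Force overwrites a value that already exists.
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    # Read the value back so the result shown is what is actually stored, in decimal and hex.
    $written = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    '{0}\{1} = {2} (0x{2:X})' -f $s.Path, $s.Name, $written
}

# The NTDS value is read at startup, so the DC must be restarted before AD replication
# moves to the new port; the NtFrs service likewise picks its port up on restart.
```

Once every DC has the same values, the two ports can be added to the firewall list at the top of this page and the dynamic RPC range can be closed between DCs.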