Cisco Support Community
Community Member

Windows DC's cannot talk now...


Just installed a firewall between our main campus and satellite campus. Now my Windows DCs cannot talk to each other. Does anyone know what I need to do to pass Windows Active Directory replication through?



Cisco Employee

Re: Windows DC's cannot talk now...

Hi Gary,

By default, AD uses ports 1025 or 1026 for logon and AD replication. You may want to open these up on the firewall for these hosts.




Re: Windows DC's cannot talk now...

Hello Yatin,

I opened the ports 1025 and 1026 for both UDP and TCP. Still having an issue with the DCs talking and replicating across this WAN. Any suggestions?




Re: Windows DC's cannot talk now...

You really would need to post error messages, but your problem is somewhat MS specific.

Currently, is only one DC behind a firewall? Is there a plan to get both DCs behind firewalls?

Community Member

Re: Windows DC's cannot talk now...

Are you using any kind of NAT? Because Kerberos authentication will not work.


Re: Windows DC's cannot talk now...

Not sure exactly what you are asking. I am using a range of private IPs behind the firewall, but believe it is a PAT (port) translation. Will this work?


Re: Windows DC's cannot talk now...

The DC is at the end of a WAN link and the DC at that end. Do you know if Cisco has any docs related to Cisco firewalls and Windows? I wasn't able to find any.


Community Member

Re: Windows DC's cannot talk now...

Last time I checked they only had a document for NT 4.0, not 2000. I got my two domains talking by opening DNS TCP/UDP, port 445 TCP, and UDP port 389. Also, are you building a two-way trust or just want to add a member server to a domain?


Re: Windows DC's cannot talk now...

Just a member domain. I opened up all the ports you mention. Still will not see each other or replicate. I have read that RPC may be an issue, in that it uses port 135, but responds to the client request with a random port number. I have modified the registry per a Microsoft doc. Cannot reboot the computer until later today to see if successful or not.

Community Member

Re: Windows DC's cannot talk now...

Can you look at this article from Microsoft: Q224196

By default, Active Directory replication over RPC (Remote Procedure Calls) takes place dynamically over an available port via the RPC Endpoint Mapper (RPCSS) using port 135; the same as Microsoft Exchange. As with Microsoft Exchange, the administrator may override this functionality and specify the port that all replication traffic passes through, thereby locking the port down.

NOTE: Note that this article does not imply that replication can occur through a firewall. For example, there are a number of ports that must be opened (for kerberos, and so on) to make it work. If you need to do so, use Virtual Private

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

When connecting to an RPC endpoint, assuming the client does not know the complete binding, which is the case with DS Replication, the RPC run-time on the client contacts the RPC endpoint mapper (RPCSS) on the server at a well-known port (135), and obtains the port to connect to for the service supporting the desired RPC interface.

The service registers the endpoint when it starts, and has the choice of a dynamically assigned port or a specific port.

If you configure Active Directory to run at "port x," per the below entry, this becomes the port that gets registered with the endpoint mapper.

Using Registry Editor, modify the following value on each domain controller where the restricted port is to be used:

Registry key:

Registry Value: TCP/IP Port

Value Type: REG_DWORD

Value Data: (available port)

Administrators should confirm that if any intermediate network devices or software is used to filter packets between domain controllers, that communication over the specified port is enabled.
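The thread ends with a list of ports that had to be opened (DNS TCP/UDP, 445 TCP, 389, 135 for the endpoint mapper) and the Q224196 advice to pin the replication RPC port to a fixed value so the firewall can permit it. The following PowerShell is an added example, not code from the thread, Cisco, or Microsoft: run from one domain controller, it checks whether each of those ports is reachable on the peer DC through the firewall, so a missing rule can be spotted before reading replication event logs. It assumes Windows 8 / Server 2012 or later (for Test-NetConnection and Resolve-DnsName); the remote host name and the static RPC port number are placeholders, and Kerberos is checked on TCP 88, a port number the KB text does not state but which is the standard Kerberos port.

```powershell
# Added example: verify the firewall path between two domain controllers.
# Not part of the original thread; host name and static port are assumptions.
function Test-DcReplicationPath {
    [CmdletBinding()]
    param(
        # Peer domain controller on the far side of the firewall (placeholder).
        [Parameter(Mandatory)] [string] $RemoteDc,
        # The fixed replication port you registered via the "TCP/IP Port"
        # REG_DWORD described in Q224196 (placeholder value in the usage below).
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $StaticRpcPort
    )

    # TCP ports the thread ended up needing, plus Kerberos (88), which the KB
    # text names only by protocol.
    $tcpChecks = @(
        @{ Port = 53;             Purpose = 'DNS (TCP)' },
        @{ Port = 88;             Purpose = 'Kerberos' },
        @{ Port = 135;            Purpose = 'RPC endpoint mapper (RPCSS)' },
        @{ Port = 389;            Purpose = 'LDAP' },
        @{ Port = 445;            Purpose = 'SMB (SYSVOL / NETLOGON)' },
        @{ Port = $StaticRpcPort; Purpose = 'Static AD replication RPC port' }
    )

    # Test-NetConnection performs a real TCP handshake, so a "True" here means
    # the firewall (and any PAT device in between) let the SYN through.
    $results = foreach ($check in $tcpChecks) {
        $open = Test-NetConnection -ComputerName $RemoteDc -Port $check.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Protocol = 'TCP'
            Port     = $check.Port
            Purpose  = $check.Purpose
            Open     = [bool]$open
        }
    }

    # Test-NetConnection is TCP-only. For UDP 53, send an actual DNS query to the
    # remote DC and treat a response as evidence that the UDP path is open.
    $dnsOk = $false
    try {
        $null = Resolve-DnsName -Name $RemoteDc -Server $RemoteDc -DnsOnly -ErrorAction Stop
        $dnsOk = $true
    } catch {
        # No answer: UDP 53 blocked, or the remote DC is not serving DNS.
    }
    $results += [pscustomobject]@{
        Protocol = 'UDP'; Port = 53; Purpose = 'DNS (UDP)'; Open = $dnsOk
    }

    return $results
}

# Usage (both arguments are placeholders; substitute your own):
# Test-DcReplicationPath -RemoteDc 'dc2.corp.example' -StaticRpcPort 50000 |
#     Format-Table -AutoSize
```

Two caveats that follow from the thread itself: a port that shows as open is necessary but not sufficient, because Kerberos can still fail when the address seen by the peer has been translated (the NAT/PAT question raised above), and the script does not probe UDP 389 (the LDAP "ping" used in DC location), since that needs a crafted LDAP datagram rather than a standard cmdlet. Run it again after the reboot that applies the "TCP/IP Port" value; until then the endpoint mapper will still hand out a dynamic port that no rule permits.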
