LKBEN10600: Which ports to open for Active Directory replication in a site.


Replication between Active Directory domain controllers (DCs) does not function.


The firewall between the domain controllers is configured too restrictively.


RPC-based replication uses dynamic port mapping by default. The RPC run time first contacts the RPC endpoint mapper on the server on the well-known port 135 and asks it which port has been assigned to Active Directory replication on that server (this port is assigned dynamically). This endpoint mapper query still takes place even when the replication port has been fixed, so port 135 must remain reachable in either case.

Service                UDP     TCP
LDAP                   389     389
LDAP over SSL          -       636
LDAP (Global catalog)  -       3268
Kerberos               88      88
DNS                    53      53
SMB over IP            445     445

In addition, FRS (File Replication Service) uses a dynamic RPC port.

For a firewall this means opening a wide range of ports. FRS cannot be restricted to a fixed port, but you can edit the registry to restrict the directory replication service to a static port.

To make RPC replication use a fixed port instead of a variable one, import the following registry setting.

Windows Registry Editor Version 5.00

; The key path below was not shown in the original article; it is the
; NTDS parameters key that holds the "TCP/IP Port" value.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000

This sets the port to 49152 decimal (0xC000). This port needs to be opened on the firewall instead of opening a port
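The following PowerShell script is an added example and is not part of the original article. It reports whether the domain controller still uses a dynamic replication port, pins it to 49152 as the article does, and creates inbound firewall rules only for the ports in the table above plus the endpoint mapper. The NTDS parameters key path and the rule names are assumptions; run it elevated on the domain controller.

```powershell
# Added example, not from the original article. Assumption: the NTDS\Parameters
# key is where the "TCP/IP Port" value named in the article lives.
$NtdsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'TCP/IP Port'
$StaticPort = 49152   # 0xC000, the value used in the article

# Ports from the article's table; FRS is left out because it stays dynamic.
$AdPorts = @(
    @{ Name = 'AD-LDAP';         Proto = 'TCP'; Port = 389  },
    @{ Name = 'AD-LDAP-UDP';     Proto = 'UDP'; Port = 389  },
    @{ Name = 'AD-LDAPS';        Proto = 'TCP'; Port = 636  },
    @{ Name = 'AD-GC';           Proto = 'TCP'; Port = 3268 },
    @{ Name = 'AD-Kerberos';     Proto = 'TCP'; Port = 88   },
    @{ Name = 'AD-Kerberos-UDP'; Proto = 'UDP'; Port = 88   },
    @{ Name = 'AD-DNS';          Proto = 'TCP'; Port = 53   },
    @{ Name = 'AD-DNS-UDP';      Proto = 'UDP'; Port = 53   },
    @{ Name = 'AD-SMB';          Proto = 'TCP'; Port = 445  },
    @{ Name = 'AD-SMB-UDP';      Proto = 'UDP'; Port = 445  },
    @{ Name = 'AD-RPC-EPM';      Proto = 'TCP'; Port = 135  }  # still queried when the port is fixed
)

function Get-AdReplicationPort {
    # Returns $null when the value is absent, i.e. replication uses a dynamic port.
    $item = Get-ItemProperty -Path $NtdsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-AdReplicationPort([int]$Port) {
    # Takes effect after the domain controller is restarted.
    New-ItemProperty -Path $NtdsKey -Name $ValueName -PropertyType DWord -Value $Port -Force | Out-Null
}

function Add-AdFirewallRules([hashtable[]]$Rules) {
    # In production, narrow each rule with -RemoteAddress to the partner DCs.
    foreach ($r in $Rules) {
        if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Direction Inbound `
            -Protocol $r.Proto -LocalPort $r.Port -Action Allow | Out-Null
    }
}

$port = Get-AdReplicationPort
if ($null -eq $port) {
    Write-Output "Replication port is dynamic; pinning it to $StaticPort (restart the DC to apply)."
    Set-AdReplicationPort -Port $StaticPort; $port = $StaticPort
} else { Write-Output "Replication port is already static: $port" }
Add-AdFirewallRules -Rules ($AdPorts + @{ Name = 'AD-RPC-Replication'; Proto = 'TCP'; Port = $port })
```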



The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!

About the Author

Author: Wim Peeters - Keskon GmbH & Co. KG

Wim Peeters is an electronics engineer with an additional master's degree in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform.