In Windows 2000 and Windows XP, the Internet Control Message Protocol (ICMP) must be allowed through the firewall from the clients to the domain controllers so that the Active Directory Group Policy client can function correctly through a firewall. ICMP is used to determine whether the link is a slow link or a fast link.
In Windows Server 2008 and later versions, the Network Location Awareness Service provides the bandwidth estimate based on traffic with other stations on the network. There is no traffic generated for the estimate.
The Windows Redirector also uses ICMP to verify that a server IP is resolved by the DNS service before a connection is made, and when a server is located by using DFS. This applies to SYSVOL access by domain members.
If you want to minimize ICMP traffic, you can use the following sample firewall rule:
<any> ICMP -> DC IP addr = allow
Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.
By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be changed by a specific registry setting. For more information, see Microsoft Knowledge Base article 260186: SendPort DNS registry key does not work as expected.
For more information about Active Directory and firewall configuration, see the Active Directory in Networks Segmented by Firewalls Microsoft white paper. Or, you can establish a trust through the Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel. This limits the number of ports that the firewall has to open. For PPTP, the following ports must be enabled.
Client Ports | Server Port | Protocol
In addition, you would have to enable IP protocol 47 (GRE).
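The "<any> ICMP -> DC IP addr = allow" rule above, together with the PPTP (TCP 1723) and GRE (IP protocol 47) rules, expressed as host firewall rules on the domain controller itself. This is an added example, not part of the Microsoft article; it assumes a domain controller running Windows Server 2008 R2 or later (the Windows 2000/2003 hosts the article discusses do not have these cmdlets), and the client subnet addresses are constructed placeholders.

```powershell
# Added example (not from the Microsoft article). Run elevated on the domain controller.
# Constructed placeholder: the subnets where domain members and the remote PDC live.
$ClientSubnets = @('10.0.0.0/24', '10.0.1.0/24')

# Inbound ICMPv4 echo request (type 8) only from the client subnets. This is the host
# side of "<any> ICMP -> DC IP addr = allow": enough for Group Policy slow-link
# detection and the redirector's pre-connection check, without exposing ICMP to the world.
New-NetFirewallRule -DisplayName 'AD: ICMPv4 echo from domain members' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $ClientSubnets -Action Allow -Profile Domain

# PPTP control channel (TCP 1723) and GRE (IP protocol 47), needed only when the
# trust is carried over the PPTP compulsory tunnel described in the article.
New-NetFirewallRule -DisplayName 'AD: PPTP control channel' `
    -Direction Inbound -Protocol TCP -LocalPort 1723 `
    -RemoteAddress $ClientSubnets -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'AD: GRE for PPTP tunnel' `
    -Direction Inbound -Protocol 47 `
    -RemoteAddress $ClientSubnets -Action Allow -Profile Domain

# Review what was created: every rule prefixed 'AD:' with its protocol, port and
# remote address scope, so an overly broad RemoteAddress of 'Any' is easy to spot.
Get-NetFirewallRule -DisplayName 'AD: *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        IcmpType      = $port.IcmpType
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

Outbound replies from the DC need no extra rule because Windows Firewall is stateful for traffic it has already allowed inbound.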
When you add permissions to a resource on a trusting domain for users in a trusted domain, there are some differences between the Windows 2000 and Windows NT 4.0 behavior. If the computer cannot display a list of the remote domain's users, consider the following behavior:
- Windows NT 4.0 tries to resolve manually typed names by contacting the PDC for the remote user's domain (UDP 138). If that communication fails, a Windows NT 4.0-based computer contacts its own PDC, and then asks for resolution of the name.
- Windows 2000 and Windows Server 2003 also try to contact the remote user's PDC for resolution over UDP 138. However, they do not rely on using their own PDC. Make sure that all Windows 2000-based member servers and Windows Server 2003-based member servers that will be granting access to resources have UDP 138 connectivity to the remote PDC.