Firewalls with NETID domain

Last updated: January 30, 2023
Audience: IT Staff / Technical

Firewalls on domain controllers and member servers and workstations need to be properly configured to ensure proper function of the trust and ultimately the domains themselves.

Your Domain Controllers

At a minimum, the following ports:

tcp 53, 88, 135, 389, 445, 636, 3268, 3269, *
udp 53, 88, 135, 389, 445, *

need to be granted access to: ( ( (

for network traffic TO and FROM your domain controllers.

* Additionally a range of dynamic RPC ports for the RPC endpoint mapper needs access if you want to be able to do trust validation. By default, this is a large set of ports: pre-Server 2008: 1024-65535/TCP, Server 2008 and on: 49152-65535/TCP. You can limit it to a a much smaller set on your servers. See the Microsoft whitepaper below (in appendix E) for more on that. The NETID domain controllers have the default set of dynamic RPC ports.

Your Workstations and Servers

If you have firewalls on your member servers or workstations, then the ports:

tcp 53, 88, 135, 137, 139, 389, 445, 636, 3268, 3269
 udp 53, 88, 123, 135, 137, 138, 389, 445

need to be granted access to:

for network traffic TO and FROM your client computers.

This will ensure authentication and normal Windows operations work correctly between the NETID domain and your domain.

Troubleshooting Problems

You will need to verify and demonstrate that your firewall settings permit the required traffic noted above. At that time, UW-IT engineers will look into any issues related to the NETID domain. If it appears that the firewall is causing the issues we will ask that it be disabled to test functionality.

Future Changes

Should the networks that the NETID domain controllers are on change in the future, an announcement will be made to all trust requestors in advance.

Related Documents

Microsoft KB 179442, Configure Firewall for Domain Controllers
Windows Domains and Firewalls
Domain Controllers on p172 at the UW