When replication has to run between DCs that are separated by a firewall, which ports need to be opened? A TechNet wiki explains this very clearly; below are some excerpts to share with everyone.


Introduction

Firewalls present two difficulties when deploying a distributed Active Directory (AD) directory service architecture:

  • Initially promoting a server to a domain controller.

  • Replicating traffic between domain controllers.

Active Directory relies on remote procedure call (RPC) for replication between domain controllers. (Simple Mail Transfer Protocol [SMTP] can be used in certain situations for schema, configuration, and global catalog replication, but not for the domain naming context, which limits its usefulness.) Getting replication to function properly in environments where a directory forest is distributed among internal networks, perimeter networks, and external (that is, Internet-facing) networks can be challenging. There are three possible approaches:

  • Open the firewall wide to permit RPC's native dynamic behavior.

  • Limit RPC's use of TCP ports and open the firewall just a little bit.

  • Encapsulate domain-controller-to-domain-controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall only for that.

Each approach has its pros and cons. In general, there are more cons than pros at the top of the list, and more pros than cons at the bottom. So although this document describes how to do all three, most of its focus is on the IPSec approach because of its benefits over the other two.

Full Dynamic RPC

  Pros                               Cons
  No special server configuration    Turns the firewall into "Swiss cheese"
                                     Random incoming high-port connections
                                     Insecure firewall configuration

Although configuring your environment to work this way is certainly possible, there are plenty of reasons not to do it, most importantly that it results in an insecure network. It does, however, require the least amount of configuration work.

To enable replication over dynamic RPC, configure your firewall to permit the following.

  Service                                               Port/protocol
  RPC endpoint mapper                                   135/tcp, 135/udp
  Network basic input/output system (NetBIOS) name      137/tcp, 137/udp
    service
  NetBIOS datagram service                              138/udp
  NetBIOS session service                               139/tcp
  RPC dynamic assignment                                1024-65535/tcp
  Server message block (SMB) over IP (Microsoft-DS)     445/tcp, 445/udp
  Lightweight Directory Access Protocol (LDAP)          389/tcp
  LDAP ping                                             389/udp
  LDAP over SSL                                         636/tcp
  Global catalog LDAP                                   3268/tcp
  Global catalog LDAP over SSL                          3269/tcp
  Kerberos                                              88/tcp, 88/udp
  Domain Name System (DNS)                              53/tcp [1], 53/udp

  [1] TCP is used for zone transfers and whenever answers to queries exceed 512 bytes.

For a reference of Windows port requirements, see:
832017 Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017

It is the "RPC dynamic assignment" rule that makes this scenario insecure. Sometimes referred to as "TCP high ports," the rule has to permit inbound traffic on every port above 1024, because the replication listener is assigned a port from that range at startup and the peer learns it by asking the endpoint mapper on 135/tcp. (On Windows Server 2008 and later the default dynamic range is 49152-65535 rather than 1024-65535, which narrows the hole but does not close it.) If your firewall permits this, there is very little reason even to have a firewall.
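Before opening a firewall this wide, it is worth measuring what is actually reachable today. The script below is an added example and is not part of the TechNet wiki quoted above: run on a DC on one side of the firewall, it probes the fixed TCP ports from the table against a peer DC (the hostname in $PeerDC is assumed), checks 53/udp with a DNS query, prints the dynamic port range this host will hand out to its own RPC listeners, and reports whether NTDS has been pinned to a static replication port (the "Limit RPC's use of TCP ports" approach, which uses the NTDS "TCP/IP Port" registry value documented in KB 224196). It assumes Windows Server 2012 or later for Test-NetConnection and Resolve-DnsName.

```powershell
# Added example (not from the TechNet wiki): check which of the "Full Dynamic
# RPC" ports a peer DC actually accepts, plus the two facts that decide how
# wide the "RPC dynamic assignment" rule really needs to be.
param(
    [string]$PeerDC = 'dc02.corp.example.com'   # assumed peer DC hostname
)

# Fixed TCP ports transcribed from the table above. Test-NetConnection only
# probes TCP, so 137/udp, 138/udp, 389/udp and 88/udp are not covered here;
# 53/udp is exercised separately with a real DNS query.
$tcpPorts = [ordered]@{
    'RPC endpoint mapper'          = 135
    'NetBIOS name service'         = 137
    'NetBIOS session service'      = 139
    'SMB over IP (Microsoft-DS)'   = 445
    'LDAP'                         = 389
    'LDAP over SSL'                = 636
    'Global catalog LDAP'          = 3268
    'Global catalog LDAP over SSL' = 3269
    'Kerberos'                     = 88
    'DNS'                          = 53
}

$results = foreach ($svc in $tcpPorts.Keys) {
    # -InformationLevel Quiet returns a plain $true/$false for the TCP handshake.
    $open = Test-NetConnection -ComputerName $PeerDC -Port $tcpPorts[$svc] `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service = $svc
        Port    = "$($tcpPorts[$svc])/tcp"
        Open    = $open
    }
}
$results | Format-Table -AutoSize

# 53/udp: a normal A-record query to the peer's DNS service is sent over UDP
# first, so a successful answer shows that 53/udp is passed by the firewall.
try {
    Resolve-DnsName -Name $PeerDC -Server $PeerDC -Type A -DnsOnly -ErrorAction Stop | Out-Null
    "DNS 53/udp to $PeerDC : open"
} catch {
    "DNS 53/udp to $PeerDC : blocked or no answer ($($_.Exception.Message))"
}

# The range this host uses for its own dynamic RPC listeners. The wiki's table
# says 1024-65535; on Windows Server 2008 and later the default is 49152-65535.
"Local dynamic TCP port range:"
netsh interface ipv4 show dynamicport tcp

# If replication has been pinned to one port (KB 224196), the firewall rule can
# be a single port instead of the whole dynamic range. The value is absent
# unless an administrator created it.
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'TCP/IP Port' -ErrorAction SilentlyContinue
if ($ntds) {
    "NTDS replication is pinned to $($ntds.'TCP/IP Port')/tcp; open that port plus 135/tcp"
} else {
    'NTDS replication uses a dynamic port from the range above'
}
```

A port that shows Open = False for 135/tcp means the peer cannot even reach the endpoint mapper, so replication will fail before any dynamic port is involved; the dynamic-range and registry output then tells you how much of the remaining range a firewall rule really has to cover.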

If you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the files for information on how to use them.

Full reference:

http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx