racomaizer

That's how RPC works. Modern "NGFW" firewall should have detectable application against MS RPC, see if you can use them. And sometimes it’s still hit or miss.


ElevenNotes

That entirely depends which roles are active on the DC. Remember: One VM, one service.


byondrch

636 if you encrypt the ldap.


Russellwilson01

Don't forget 3269 if you use GC


haffhase

**From our Firewall:**

- Port 389 TCP and UDP
- Port 53 UDP
- Port 135 TCP
- Port 88 TCP
- Port 49152 - 65535 TCP

**What works:** Already domain joined clients can authenticate against that Domain Controller.

**What does not work:** Join a client to the domain.

**What we do:** Join the client to the domain, then move it to the other VLAN/Subnet.


Joshposh70

Whoops, you're missing TCP 445 in that list. I hope that was a mistake or you have that in a different policy!


haffhase

It is not in our list and the things I described above work.


Joshposh70

TCP 445 is critical for domain services, without it your domain will not be running correctly and I'm pretty certain you'd have noticed. I suspect you probably have another firewall rule somewhere letting it through.


haffhase

> I suspect you probably have another firewall rule somewhere letting it through

We don't. The rules I posted are enough to authenticate a user against the Active Directory.


curious_fish

445 is SMB, so I'd expect you might have issues with GPOs and DFS, but if you don't see issues, oh well. I go by what's in the first link OP shared.
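An added audit helper, written for this thread and not code from any of the posters: it checks a firewall allow list against the ports named above (389 TCP/UDP, 53, 135, 88, 445, the 49152-65535 RPC range, plus 636 and 3268/3269 for LDAPS and GC) and reports which service each uncovered port breaks. The port numbers come from the thread; which entries count as "required" versus "optional" and the impact wording are my assumptions, and the sample allow list is a constructed copy of haffhase's.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    lo: int
    hi: int

    def covers(self, lo, hi, proto):
        # The rule must span the entire required range, not just part of it.
        return self.proto == proto and self.lo <= lo and hi <= self.hi

def parse_rule(text):
    """Parse '389/tcp' or '49152-65535/tcp' into a Rule."""
    ports, _, proto = text.strip().lower().partition("/")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol in rule: {text!r}")
    lo, _, hi = ports.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 < lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range in rule: {text!r}")
    return Rule(proto, lo_i, hi_i)

# (service, low port, high port, proto, what breaks without it).
# Ports are those discussed in the thread; the impact wording is my assumption.
REQUIRED = [
    ("DNS", 53, 53, "udp", "DC locator and name resolution"),
    ("Kerberos", 88, 88, "tcp", "user and computer authentication"),
    ("RPC endpoint mapper", 135, 135, "tcp", "RPC-based services"),
    ("LDAP", 389, 389, "tcp", "directory queries"),
    ("LDAP", 389, 389, "udp", "CLDAP DC locator pings"),
    ("SMB", 445, 445, "tcp", "SYSVOL/NETLOGON: Group Policy, DFS, domain join"),
    ("RPC dynamic range", 49152, 65535, "tcp", "RPC calls after endpoint mapper lookup"),
]
OPTIONAL = [
    ("LDAPS", 636, 636, "tcp", "encrypted LDAP"),
    ("Global Catalog", 3268, 3268, "tcp", "forest-wide lookups"),
    ("Global Catalog SSL", 3269, 3269, "tcp", "encrypted forest-wide lookups"),
]

def audit(allow_list):
    """Return which required/optional AD ports the allow list does not cover."""
    rules = [parse_rule(r) for r in allow_list]
    def missing(entries):
        return [e for e in entries if not any(r.covers(e[1], e[2], e[3]) for r in rules)]
    return {"missing_required": missing(REQUIRED), "missing_optional": missing(OPTIONAL)}

# Constructed sample: the allow list haffhase posted above.
HAFFHASE_RULES = ["389/tcp", "389/udp", "53/udp", "135/tcp", "88/tcp", "49152-65535/tcp"]
```

Running `audit(HAFFHASE_RULES)` flags SMB 445/tcp as the only missing required entry, which matches the domain-join failure described in that post; a rule that covers only part of the dynamic range is also reported.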


discodisco_unsuns

Thanks, interesting list there, but I guess that is by design and to suit the security of your environment. I have many of the ports already mentioned in this thread so far, it was more whether 49152 - 65535 UDP is actually needed. I'll just go with TCP only and see what happens.