How can I create a domain trust through a firewall?

A. When a trust relationship is created, the two domains communicate over several protocols, each using a different TCP/IP port. The following ports must be opened on the firewall between the domain controllers of the two domains for the trust to be established:

  • Port 135 (TCP and UDP) for the Remote Procedure Call (RPC) endpoint mapper
  • Port 137 (UDP) for NetBIOS name service
  • Port 138 (UDP) for NetBIOS datagram (browsing)
  • Port 139 (TCP) for NetBIOS session (NET USE)
  • All ports above 1024 (TCP) for dynamically assigned RPC communication

Opening the whole range above 1024 is a large hole. On Windows NT 4.0 the dynamic RPC range can be restricted on the domain controllers with the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet (values Ports, PortsInternetAvailable and UseInternetPorts), so that only a small, known range of high ports has to be allowed through the firewall.

Name resolution across the firewall can be handled with LMHOSTS files on the domain controllers (with #PRE #DOM entries for the domain controllers of the other domain), which needs no ports beyond those listed above, or with WINS (and DNS), which additionally require:

  • Port 53 (TCP and UDP) for DNS
  • Port 42 (TCP and UDP) for WINS replication

Alternatively, the trust traffic can be carried inside a Point-to-Point Tunneling Protocol (PPTP) tunnel between the two networks, so that only the tunnel itself has to cross the firewall. For PPTP the firewall must pass:

  • Port 1723 (TCP) for the PPTP control connection
  • IP protocol 47 (GRE), which carries the tunnelled data; PPTP does not work if the firewall drops GRE

If you only wish to perform remote management through the firewall (or over RRAS), rather than build a trust, it is enough to allow TCP any-139, TCP 139-any and UDP 138-138 through the firewall, plus UDP 137-137 to the WINS servers. This lets all the remote management tools run from the management NT Workstations.
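As an added example (not part of the original FAQ, and not Microsoft code), the following Python script encodes the trust port list above, generates the LMHOSTS #PRE #DOM lines mentioned for name resolution, and probes the TCP ports from one side of the firewall so you can tell whether the rules are in place before attempting to create the trust. The host names, addresses and domain names in it are invented.

```python
"""Pre-flight helper for an NT-style trust through a firewall.

Added example, not from the original FAQ.  It encodes the port list the
answer gives, generates the LMHOSTS #PRE #DOM lines it mentions, and
probes the TCP ports from one side so you know whether the firewall
passes them before you try to create the trust.  Host names, addresses
and domain names used here are made up for illustration.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str


# The rules from the answer above.  The dynamic RPC range (ports above 1024)
# is deliberately not listed: there is no single port to probe.
TRUST_RULES = (
    Rule("tcp", 135, "RPC endpoint mapper"),
    Rule("udp", 135, "RPC endpoint mapper"),
    Rule("udp", 137, "NetBIOS name service"),
    Rule("udp", 138, "NetBIOS datagram (browsing)"),
    Rule("tcp", 139, "NetBIOS session (NET USE)"),
)


def valid_netbios_name(name: str) -> bool:
    """NetBIOS computer names are at most 15 characters and contain no spaces."""
    return 0 < len(name) <= 15 and " " not in name


def lmhosts_entries(domain: str, dcs) -> list:
    """Build LMHOSTS lines that preload (#PRE) each remote DC and mark it as a
    controller of `domain` (#DOM), so the trust can find the other domain's
    DCs without opening WINS or DNS through the firewall.
    `dcs` is an iterable of (netbios_name, ip) pairs."""
    lines = []
    for name, ip in dcs:
        name = name.upper()
        if not valid_netbios_name(name):
            raise ValueError(f"invalid NetBIOS name: {name!r}")
        # LMHOSTS is whitespace separated; the padding only keeps it readable.
        lines.append(f"{ip:<16}{name:<16}#PRE #DOM:{domain.upper()}")
    return lines


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host: str, rules=TRUST_RULES, timeout: float = 3.0) -> dict:
    """Probe each TCP rule against `host` (the remote DC as seen through the
    firewall).  UDP rules cannot be confirmed with a connect(), so they are
    reported as 'unverified' rather than silently assumed open."""
    report = {}
    for rule in rules:
        key = f"{rule.proto}/{rule.port}"
        if rule.proto == "tcp":
            report[key] = "open" if tcp_reachable(host, rule.port, timeout) else "blocked"
        else:
            report[key] = "unverified"
    return report


def selftest() -> dict:
    """Offline check of preflight(): a local listener must report 'open', a
    port nobody listens on 'blocked', and a UDP rule 'unverified'."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens here any more

    try:
        report = preflight("127.0.0.1", (
            Rule("tcp", open_port, "local listener"),
            Rule("tcp", closed_port, "nothing listening"),
            Rule("udp", 137, "NetBIOS name service"),
        ), timeout=1.0)
    finally:
        listener.close()
    return {
        "listener": report[f"tcp/{open_port}"],
        "closed": report[f"tcp/{closed_port}"],
        "udp": report["udp/137"],
    }


if __name__ == "__main__":
    # Invented domain "RESOURCE" with two DCs; put these lines in the
    # trusting domain's LMHOSTS file (and the mirror image on the other side).
    for line in lmhosts_entries("RESOURCE", [("RESDC1", "10.1.0.5"), ("RESDC2", "10.1.0.6")]):
        print(line)
    print(preflight("10.1.0.5"))       # replace with the real remote DC address
    print(selftest())
```

Run the script from a machine on one side of the firewall with the remote DC's address; every TCP entry should come back "open". The UDP rules and the dynamic RPC range cannot be confirmed with a simple connect, so verify those against the firewall rule base itself rather than trusting this check.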

Also see the following knowledge base articles:

  • Q167128 SMS: Network Ports Used by Remote Helpdesk Functions
  • Q174395 Event ID 4202 Attempting WINS Replication across Router
