Configuring a firewall for Active Directory domains and trusts
Windows domain controller firewall: inbound ports to open
:: W32Time
netsh advfirewall firewall add rule name="W32Time-UDP" dir=in action=allow protocol=UDP localport=123
:: DNS
netsh advfirewall firewall add rule name="DNS-TCP" dir=in action=allow protocol=TCP localport=53
netsh advfirewall firewall add rule name="DNS-UDP" dir=in action=allow protocol=UDP localport=53
:: Kerberos
netsh advfirewall firewall add rule name="Kerberos-TCP" dir=in action=allow protocol=TCP localport=88
netsh advfirewall firewall add rule name="Kerberos-UDP" dir=in action=allow protocol=UDP localport=88
netsh advfirewall firewall add rule name="Kerberos-Password-TCP" dir=in action=allow protocol=TCP localport=464
netsh advfirewall firewall add rule name="Kerberos-Password-UDP" dir=in action=allow protocol=UDP localport=464
:: RPC 135
netsh advfirewall firewall add rule name="RPC-135" dir=in action=allow protocol=TCP localport=135
:: SMB 445 (required by Netlogon and DFSR)
netsh advfirewall firewall add rule name="SMB-445" dir=in action=allow protocol=TCP localport=445
:: LDAP
netsh advfirewall firewall add rule name="LDAP-TCP" dir=in action=allow protocol=TCP localport=389
netsh advfirewall firewall add rule name="LDAP-UDP" dir=in action=allow protocol=UDP localport=389
netsh advfirewall firewall add rule name="LDAPS-TCP" dir=in action=allow protocol=TCP localport=636
:: Dynamic RPC ports
netsh advfirewall firewall add rule name="RPC-Dynamic" dir=in action=allow protocol=TCP localport=49152-65535
:: LDAP GC
netsh advfirewall firewall add rule name="GC-TCP" dir=in action=allow protocol=TCP localport=3268
netsh advfirewall firewall add rule name="GC-SSL-TCP" dir=in action=allow protocol=TCP localport=3269
:: ADWS
netsh advfirewall firewall add rule name="ADWS-TCP" dir=in action=allow protocol=TCP localport=9389
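The netsh rules above apply to every firewall profile and accept traffic from any source address, and the RPC-Dynamic rule opens the whole 49152-65535 range that way. The following PowerShell script is an added example, not part of the original page or of the Microsoft Learn article it cites: it creates the same set of inbound rules with the NetSecurity module (`New-NetFirewallRule`), restricts them to the Domain profile and to an assumed member subnet (`$MemberSubnets` is a placeholder you must replace), skips rules that already exist so it can be re-run, and then audits that an enabled inbound allow rule covers each expected port. The rule names are the ones used on this page; the function names are this example's own.

```powershell
# Added example, not from the original page: PowerShell equivalent of the netsh rules,
# scoped to the Domain profile and to an assumed member subnet, plus an audit function.
# ASSUMPTION: $MemberSubnets is a constructed placeholder; replace it with your real
# client and DC ranges. Requires the NetSecurity module and an elevated session.

$MemberSubnets = @('10.0.0.0/8')   # placeholder value, constructed for this example

# Same ports and rule names as the netsh commands on this page.
$DcPorts = @(
    @{ Name = 'W32Time-UDP';           Protocol = 'UDP'; Port = 123 },
    @{ Name = 'DNS-TCP';               Protocol = 'TCP'; Port = 53 },
    @{ Name = 'DNS-UDP';               Protocol = 'UDP'; Port = 53 },
    @{ Name = 'Kerberos-TCP';          Protocol = 'TCP'; Port = 88 },
    @{ Name = 'Kerberos-UDP';          Protocol = 'UDP'; Port = 88 },
    @{ Name = 'Kerberos-Password-TCP'; Protocol = 'TCP'; Port = 464 },
    @{ Name = 'Kerberos-Password-UDP'; Protocol = 'UDP'; Port = 464 },
    @{ Name = 'RPC-135';               Protocol = 'TCP'; Port = 135 },
    @{ Name = 'SMB-445';               Protocol = 'TCP'; Port = 445 },
    @{ Name = 'LDAP-TCP';              Protocol = 'TCP'; Port = 389 },
    @{ Name = 'LDAP-UDP';              Protocol = 'UDP'; Port = 389 },
    @{ Name = 'LDAPS-TCP';             Protocol = 'TCP'; Port = 636 },
    @{ Name = 'RPC-Dynamic';           Protocol = 'TCP'; Port = '49152-65535' },
    @{ Name = 'GC-TCP';                Protocol = 'TCP'; Port = 3268 },
    @{ Name = 'GC-SSL-TCP';            Protocol = 'TCP'; Port = 3269 },
    @{ Name = 'ADWS-TCP';              Protocol = 'TCP'; Port = 9389 }
)

function New-DcInboundRules {
    [CmdletBinding()]
    param()
    foreach ($p in $DcPorts) {
        # Idempotent: skip rules that already exist so the script can be re-run safely.
        if (Get-NetFirewallRule -DisplayName $p.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($p.Name)' already exists, skipping"
            continue
        }
        # Domain profile only, and only from the subnets listed above (not 'Any').
        New-NetFirewallRule -DisplayName $p.Name -Direction Inbound -Action Allow `
            -Profile Domain -Protocol $p.Protocol -LocalPort $p.Port `
            -RemoteAddress $MemberSubnets | Out-Null
    }
}

function Test-DcInboundRules {
    # Audit: for each expected port, report whether any enabled inbound allow rule
    # (including Windows' built-in AD DS rules) covers exactly that protocol/port.
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True `
        -ErrorAction SilentlyContinue
    foreach ($p in $DcPorts) {
        $match = $allowRules | Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq $p.Protocol -and ("$($filter.LocalPort)" -eq "$($p.Port)")
        } | Select-Object -First 1
        [pscustomobject]@{
            Name     = $p.Name
            Protocol = $p.Protocol
            Port     = $p.Port
            Covered  = [bool]$match
            RuleName = if ($match) { $match.DisplayName } else { $null }
        }
    }
}

New-DcInboundRules -Verbose
# Any row with Covered = False is a port the DC needs but no enabled allow rule serves.
Test-DcInboundRules | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the domain controller. The audit matches on exact protocol and port strings, so a rule that allows all ports ("Any") is not counted as covering a specific port, which is the behaviour you want when checking that the DC's exposure is limited to the listed services.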
Reference:
Configure a firewall for AD domains and trusts - Windows Server | Microsoft Learn