Do I need to open ports 137 and 138 from member servers to the trusted PDC emulator?

Discussion in 'Windows Server' started by Eric, Nov 30, 2009.

  1. Eric

    Eric Guest

    Hello,

    We have several trusted domains in our company. Some of them are still
    using Windows NT domains.
    Every domain is trusted with the same Active Directory domain.

    The trust relationships are working correctly, but we have a problem
    with a specific trusted domain.

    Indeed, when we are connected to a member server of this specific NT
    domain, we cannot display users of our trusted AD domain.
    We get the error "Cannot display objects from this location because of
    the following error: The specified domain either does not exist or
    could not be contacted".

    And then, if we open ports 137/UDP and 138/UDP between the specific NT
    member server and the PDC EMULATOR of our AD domain, it works.

    I don't understand why in this specific situation I need to open those
    ports, as they are not needed for my other trusted NT domains.

    Moreover, this means I have to open those ports from every member server
    to our PDC emulator, which is not very clean in terms of security.

    Do you have any idea of the problem here?
    Is it a bad WINS configuration? A Computer Browser-specific
    configuration?

    Thank you!
     
    Eric, Nov 30, 2009
    #1

  2. In line ...

    Windows NT uses NetBIOS as the primary (only) name resolution during the
    authentication process (LM, NTLM, NTLMv2).
    Ports 137 and 138 are related to NetBIOS services:
    NetBIOS Name Service (TCP/UDP: 137)
    NetBIOS Datagram Service (TCP/UDP: 138)
    NetBIOS Session Service (TCP/UDP: 139)
    They are needed for NT domains.
    You can set up your firewall so that it only allows traffic from/to approved
    IP ranges.
    This is by design on Windows NT domains.
    Good luck and regards.
    DuskoS
     
    Dusko Savatovic, Nov 30, 2009
    #2
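As an added example (not code from the thread or from either poster), this is one way to do what the reply above suggests on a current Windows Server PDC emulator: allow UDP 137/138 only from the one NT member server that needs it, and then verify that no rule opens those ports to every source. The address and rule name are placeholders.

```powershell
# Added example, not from the thread. Run elevated on the AD PDC emulator
# (Windows Server 2012 or later, NetSecurity module). Placeholder values below.
$NtMemberServer = '10.0.1.25'     # constructed: the NT member server that needs the lookup
$RuleName       = 'NetBIOS 137-138 from NT member server'

# Weak form, shown only for contrast: opens 137/138 to every remote address,
# which is what a blanket "just open the port" change amounts to. Do not apply.
# New-NetFirewallRule -DisplayName 'NetBIOS (any source)' -Direction Inbound `
#     -Protocol UDP -LocalPort 137,138 -Action Allow

# Scoped form: same ports, but only from the approved host and only on the
# Domain profile, so exposure is limited to the one server that needs it.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol UDP -LocalPort 137,138 `
    -RemoteAddress $NtMemberServer -Profile Domain -Action Allow `
    -Description 'NT trust name resolution; remove when the NT domain is retired'

# Check: the address filter attached to the rule should list the approved
# host, never 'Any'.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress

# Audit: find every inbound Allow rule for UDP 137 or 138 whose remote scope is
# still 'Any'. An empty result is the state the original poster was after.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and
                   ($_.LocalPort -contains '137' -or $_.LocalPort -contains '138') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -eq 'Any' } |
    Select-Object InstanceID, RemoteAddress
```

The same scoping can be done with `netsh advfirewall firewall add rule ... remoteip=<host>` on older servers, but the audit step above is what catches a rule that was later widened to any source.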


  3. Dusko,

    This was also multi-posted in the
    microsoft.public.windows.server.active_directory newsgroup with multiple
    responses.

    Ace
     
    Ace Fekay [MCT], Dec 1, 2009
    #3
