Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?

Discussion in 'Active Directory' started by Eric, Nov 30, 2009.

  1. Eric

    Eric Guest


    We have several trusted domain in our company. Some of them are still
    using Windows NT domain.
    Every domain is trusted with the same Active Directory domain.

    The trusts relationship are working correctly but we have a problem
    with a specific trusted domain.

    Indeed, when we are connected to a server member of this specific NT
    domain, we cannot display users of our AD trusted domain.
    We have an error "Cannot display objects from this location because of
    the following error : The specified domain either does not exist or
    could not be contacted"

    And then if we open port 137/UDP and 138/UDP from the specific server
    member of NT and the PDC EMULATOR of our AD domain, then it working.

    I dont understand why in this specific situation I need to open those
    ports as they are not needed for my other trusted NT domain.

    Moreover this means I have to open those ports for every member server
    to our PDC emulator which is not very clean in term of security.

    Do you have any idea of the problem here ?
    Is it a bad WINS configuration ? A computer browser specific
    configuration ?

    Thank you !
    Eric, Nov 30, 2009
    1. Advertisements

  2. Meinolf Weber [MVP-DS], Nov 30, 2009
    1. Advertisements

  3. As Meinolf stated, that's an absolute requirement with NT4. NT4 is NetBIOS
    based, unlike AD which is DNS based. Also, if your ports are that tightened
    down, you may be blocking other necessary ports that are required for


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
    2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check for regional support phone numbers.
    Ace Fekay [MCT], Nov 30, 2009
  4. Those are required as Meinolf pointed out. The NetBios piece is what is
    biting you.

    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
    Paul Bergson [MVP-DS], Nov 30, 2009
  5. Eric

    Eric Guest


    thank you for your answer.

    Are you agree that these port requirements are needed for MEMBER
    Servers ?

    When I read the KB, I understand that these ports needs to be opened
    between PDC and DC but not between MEMBER servers and the PDC Emulator
    of the trusted domain.

    Thank you
    Eric, Nov 30, 2009
  6. If any clients are to resolve and connect to the resources on the NT4
    machine, they will need NetBIOS opened.

    Ace Fekay [MCT], Nov 30, 2009
  7. Eric

    Eric Guest

    Actually they dont need to connect to the ressources on the NT4

    I am using a Windows 2003 server member of a PDC NT4 domain.
    The PDC NT4 domain is trusted (bidirectionnal trust) with an Active
    Directory domain.

    I want to list my AD domain users from my Windows 2003 server member of
    my NT4 domain.

    Perhaps I am wrong but in the KB quoted above, it seems that I need to
    open only port 138/UDP.

    Am I wrong ?

    Thank you
    Eric, Nov 30, 2009

  8. You will also need 139 and all the UDP service response ports opened (also
    known as emepheral ports: UDP 1024-5000 and if 2008 is involved, may as well
    open the whole UDP range).

    So what other ports have you not opened?

    Also, can you elaborate on this sentence, please?
    Where do you want to "list" the users on the NT4 side? In a resource (shared
    permissions & security tab permissions or printer properties) or somewhere

    Ace Fekay [MCT], Nov 30, 2009
  9. Eric

    Eric Guest

    Thank you Ace.

    I am really not sure that I need to open all these ports and I am also
    not sure with the KB about the need to open 138/UDP port.

    Indeed, we have another site with exactly the same configuration BUT
    there is no open port between member servers of the remote site (in NT
    domain) and the PDC emulator (in our AD local site) and if I use
    Wireshark from the member server or watch the denied trafic from my
    firewall, I dont see any 137/138 or 139 ports connections attempts
    and/or denied.

    So, I can confirm that there is no need to open those ports if I want
    to list users of my AD domain from a server member of the NT domain. As
    you said, I am trying to display the AD users from the security tab
    permissions of a server member of the NT domain.

    Now, It seems to be a problem with my Active Directory.
    Indeed, if I connect to two local DC (in the site where the NT domain
    is installed), and I launch the command : nltest /sc_query:NT_Domain I
    have the following error : "Trusted DC Connection Status Status = 5 0x5

    BUT if I launch this same command on a third local DC, recently
    installed, I have the message "Trusted DC Connection Status Status = 0
    0x0 NERR_Success"

    When I use wireshark on my client while accessing to the Security Tab,
    I can see that it is pointing to one of the bad DCs.
    I would like to told my member server to point to the newly installed
    I have edited the lmhost file on the member server but the problem

    Thank you
    Eric, Dec 1, 2009
  10. This is while trying to connect to a resource on the NT4 side from a client
    on the AD side?

    In that case, it's using pass-through authentication through it's own domain
    controller across the trust.
    Then that could mean that you have SMB signing and may need to be disabled
    on each DC to allow legacy, backward level NTLM authentication, which
    doesn't support SMB Signing.

    To disable it, go to the Domain Controller Local Security Policy (in
    Administrative Tools), then to "Computer Configuration\Windows
    Settings\Security Settings\Local Policies\Security Options." You will see:

    Microsoft network server: Digitally sign communications (always) Policy
    Setting: enabled
    Microsoft network server: Digitally sign communications (if client agrees)
    Policy Setting: enabled

    Disable both.
    But I can't see how a freshly installed 2003 DC will allow communication. So
    that leads me to believe either there is a security policy on the older DCs
    preventing communication, or it was disabled on the new one, or firewall
    rules are preventing it.
    It depends on how you edited the lmhosts file. Can you specify exactly what
    entry you gave it? Did you follow the following KB?

    Trust between a Windows NT domain and an Active Directory domain cannot be
    established or it does not work as expected

    Here's Paul's article on it:

    NT4 / AD Trust ConfigurationAll trust communication traffic flows between
    the Windows 2003 PDCe and the PDC. It doesn't matter how you have your
    LMHosts table setup or your firewall ...

    FYI, anytime I see firewall rules are made between organizations and there's
    a trust involved, I've always encountered errors. I can tell you how many
    times I've seen these issues from my students asking me what is wrong and
    what needs to be opened, to customers that I try to troubleshoot trusts when
    their corp security policy dictates that only certain ports need to be
    opened. I've spent time after time, hours upon hours to capture and read
    netmon captures to determine the issue, and the solution is not always the
    same. I've never seen problems where the ports are left wide open, and it's
    funny, the captures I see are not from the machine to a DC on the other side
    of the trust, rather they go to their own DC, which performs the
    pass-through. So if the firewalls are blocking any of the DCs with necessary
    ports, that will cause it. Like I said, you have a task at hand to read your
    captures and not only on member servers, rather between the DCs themselves
    across the trust.

    I hope that helps.

    Ace Fekay [MCT], Dec 1, 2009
  11. Eric

    Eric Guest

    Thank you Ace.

    Finally I solved the problem !
    I created a new domain controller and demoted the old one and the
    problem has been solved.

    I didnt have to open 138/UDP port (and neither any netbios port between
    my servers member of NT domain to my DC) like it is written in the KB
    quoted above.

    From the old DC I had this error with nltest : Trusted DC Connection
    Status Status = 5 0x5 ERROR_ACCESS_DENIED

    From the new DC : Trusted DC Connection Status Status = 0 0x0

    Hope this help :)
    Eric, Dec 7, 2009

  12. Hmm, so there was a problem with the machine? I wonder what it was. But I am
    glad that you figured it out and got it working!!

    Ace Fekay [MCT], Dec 7, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.