Which communication ports must be open for DMA to work properly? (NETIQKB5090)

  • 7705090
  • 02-Feb-2007
  • 05-Dec-2007

Resolution

goal
Which communication ports must be open for DMA to work properly?

fact
Domain Migration Administrator 6.x

fact
Domain Migration Administrator 7.x

fix

Technically, DMA doesn't require any ports to be open. DMA is not an application like an FTP client or SMTP client that specifically needs to connect at the application layer to a specific port in order to work (21 and 25 by default respectively). In DMA's case, it is only the underlying OS that requires open ports. The largest problem is that those requirements will vary widely depending on the particular OS type, configuration and security strength settings.

At a minimum, where Windows 2000 is involved as either source or target domain, the following ports should be open:

  • 137-139 TCP & UDP
  • 389 for LDAP
  • 445 for Kerberos authentication
  • 3268 AD GC

In addition, if IPSec is enabled between any of the contacted DCs/machines, still more ports must be open.

  • 88 UDP Kerberos
  • 389 TCP LDAP
  • 464 UDP Kerberos password
  • 3268 TCP Global Catalog

These port numbers are customizable; the best way to determine the required port numbers for any given installation of Windows 2000 Active Directory is to examine the applicable domain's DNS SRV records. The required ports and their protocols (TCP/UDP) are displayed there.

Microsoft has a listing of the ports commonly used by Windows in Microsoft Knowledge Base Article 150543.

DMA will not migrate data through a firewall unless the RPC locator TCP port 135 (could be any one of 135-139) is opened.

NOTE: As an added security measure, we strongly recommend that if customers open these ports on their firewall that they only do so on a controlled basis (i.e. only allow communication over those ports between the hosts involved in the migration and no others).
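The two practical steps above (read the domain's DNS SRV records to find the actual LDAP, Kerberos, Kerberos password and Global Catalog ports, then open them only between the hosts involved in the migration) can be turned into a small checklist generator. The following Python script is an added example, not part of the original NetIQ article or the DMA product; the domain name "corp.example", the host names and the SRV record lines are constructed sample data in standard zone-file form, and the static port list is taken from the article text.

```python
import re
from dataclasses import dataclass

# Constructed sample: SRV records as they might appear in an AD DNS zone dump
# for a hypothetical domain "corp.example" (not data from the original article).
SAMPLE_SRV_RECORDS = """\
_ldap._tcp.corp.example.            600 IN SRV 0 100 389  dc1.corp.example.
_kerberos._udp.corp.example.        600 IN SRV 0 100 88   dc1.corp.example.
_kpasswd._udp.corp.example.         600 IN SRV 0 100 464  dc1.corp.example.
_gc._tcp.corp.example.              600 IN SRV 0 100 3268 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example.  600 IN SRV 0 100 389  dc2.corp.example.
"""

# Ports the article lists as needed regardless of what the SRV records say:
# NetBIOS 137-139 (TCP and UDP), 445, and RPC endpoint mapper 135.
BASE_PORTS = (
    [("tcp", p, "netbios") for p in (137, 138, 139)]
    + [("udp", p, "netbios") for p in (137, 138, 139)]
    + [("tcp", 445, "smb/kerberos-auth"), ("tcp", 135, "rpc-locator")]
)

# _<service>._<proto>.<name> TTL IN SRV priority weight port target
SRV_RE = re.compile(
    r"^_(?P<service>[a-z0-9-]+)\._(?P<proto>tcp|udp)\.(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvEndpoint:
    service: str   # e.g. "ldap", "kerberos", "kpasswd", "gc"
    proto: str     # "tcp" or "udp"
    port: int      # port actually advertised; may differ from the defaults
    target: str    # domain controller offering the service


def parse_srv_records(text):
    """Parse zone-file style SRV lines; blank lines and ';' comments are skipped."""
    endpoints = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised SRV line: {line!r}")
        endpoints.append(
            SrvEndpoint(m["service"], m["proto"], int(m["port"]), m["target"].rstrip("."))
        )
    return endpoints


def required_ports(endpoints):
    """Distinct (proto, port) pairs the domain advertises via SRV records."""
    return sorted({(e.proto, e.port) for e in endpoints})


def full_port_list(endpoints):
    """SRV-derived ports merged with the article's static list, as (proto, port, label)."""
    merged = {(p, n, label) for p, n, label in BASE_PORTS}
    merged |= {(e.proto, e.port, e.service) for e in endpoints}
    return sorted(merged)


def scoped_allow_rules(endpoints, migration_hosts):
    """One allow rule per (migration host, DC, proto, port); nothing is opened to 'any'.

    This reflects the article's advice to permit the ports only between the
    hosts taking part in the migration rather than firewall-wide.
    """
    rules = set()
    for src in migration_hosts:
        for e in endpoints:
            rules.add((src, e.target, e.proto, e.port, e.service))
        for proto, port, label in BASE_PORTS:
            for dc in sorted({e.target for e in endpoints}):
                rules.add((src, dc, proto, port, label))
    return sorted(rules)


if __name__ == "__main__":
    eps = parse_srv_records(SAMPLE_SRV_RECORDS)
    print("SRV-advertised ports:", required_ports(eps))
    for src, dst, proto, port, label in scoped_allow_rules(eps, ["migrate01.corp.example"]):
        print(f"allow {proto}/{port:<5} {src} -> {dst}   # {label}")
```

Feed it the output of a real SRV query for the source and target domains (the `_ldap._tcp`, `_kerberos._udp`, `_kpasswd._udp` and `_gc._tcp` names under each domain, and `_msdcs` for the DC-specific records) and the printed rules are a per-host-pair allow list rather than a blanket port opening. The explicit `ValueError` on an unparsed line is deliberate: a silently dropped record would leave a required port out of the checklist.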
Additional Information

Formerly known as NETIQKB5090