Domains and Forests Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
In this section
Tools for Managing Domains and Forests
Domains and Forests Registry Entries
Domains and Forests Group Policy Settings
Domains and Forests WMI Classes
Network Ports Used by Domains and Forests
Related Information
Administrators can use a number of methods to configure and manage Active Directory domain and forest environments. This section contains information about the tools, registry entries, Group Policy settings, Windows Management Instrumentation (WMI) classes, and network ports that are associated with Active Directory domains and forests.
Note
- When using Windows Server 2003 Active Directory administrative tools to connect to a domain controller running Windows 2000, first make sure that the Windows 2000–based domain controller has Service Pack 3 or later installed. This is necessary because the Windows Server 2003 administrative tools sign and encrypt all LDAP traffic by default. If business reasons do not permit installing Service Pack 3 or later on domain controllers running Windows 2000, this default behavior can be disabled, at the cost of sending directory traffic between the tools and those domain controllers without integrity protection or encryption.
Tools for Managing Domains and Forests
The following tools are associated with domains and forests.
Adsiedit.exe: ADSI Edit
Category
ADSI Edit is included when you install Windows Server 2003 Support Tools.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
ADSI Edit is a Microsoft Management Console (MMC) tool that uses Active Directory Service Interfaces (ADSI), which ultimately uses the LDAP protocol. This tool can be used to view and modify directory objects in the Active Directory database.
To find more information about ADSI Edit, see “Adsiedit Overview.”
Csvde.exe: Csvde
Category
Csvde is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Csvde to import and export data from Active Directory by using files that store data in the comma-separated value (CSV) file format. Csvde also supports batch operations that are based on CSV.
To find more information about Csvde, see Command-Line References in the “Tools and Settings Collection.”
Dcdiag.exe: Domain Controller Diagnostic Tool
Category
The Domain Controller Diagnostic Tool command-line tool (Dcdiag) is included when you install the Windows Server 2003 Support Tools.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use the Domain Controller Diagnostic Tool to verify external trusts. This tool cannot be used to verify trust relationships based on the Kerberos version 5 authentication protocol; to verify Kerberos V5-based trust relationships, the recommended method is to use the Netdom tool. Using the Domain Controller Diagnostic Tool you can scope your external trust verification by site or by domain controller, check for trust establishment, check secured channel setup, and check for ticket validity between each pair of domain controllers. By default, errors are flagged. In verbose mode, successes are printed as well.
You can also use the Domain Controller Diagnostic Tool to verify that the DNS infrastructure has sufficient resources when deploying the Windows 2000 Server or Windows Server 2003 Active Directory directory service. The tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. It is a reporting tool: it queries the directory service infrastructure and uses the results to identify abnormal behavior in the system. The Domain Controller Diagnostic Tool provides a framework for executing tests that verify different functional areas of the system, and this framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site, or single server.
Dcpol.msc: Domain Controller Security Policy
Category
Domain Controller Security Policy is a snap-in for MMC and is automatically installed when you install Active Directory. You can also use Domain Controller Security Policy on computers not running Active Directory by installing the Administration Tools Pack (Adminpak.msi).
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can set security settings for a domain controller in Domain Controller Security Policy. The snap-in edits the security settings of the Default Domain Controllers Policy Group Policy object, which is linked to the Domain Controllers organizational unit, so changes made here apply to every domain controller in the domain.
For more information about Domain Controller Security Policy, see Help and Support Center in Windows Server 2003.
Dcpromo.exe: Active Directory Installation Wizard
Category
An Active Directory wizard that is included with Windows Server 2003 and is available from the command line or from the Configure Your Server Wizard on any computer running Windows Server 2003.
Version compatibility
This tool is compatible with computers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.
The Active Directory Installation Wizard provides a graphical user interface for setting up a domain controller by installing Active Directory and, optionally, DNS. The Active Directory Installation Wizard can also be used on a Windows NT 4.0 primary domain controller (PDC) when upgrading it to Windows Server 2003 and forming a new forest, to raise the forest functional level to Windows Server 2003 interim, if appropriate.
Domain.msc: Active Directory Domains and Trusts
Category
An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers running Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
Note
- You cannot run the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).
Active Directory Domains and Trusts provides a graphical interface in which you can view all domains in the forest. Using this tool, an administrator can manage each domain in the forest and the trust relationships between domains, configure the functional level of each domain and of the forest, and configure the alternative user principal name (UPN) suffixes for a forest.
Active Directory Domains and Trusts can be used to accomplish most trust related tasks. It can be used to target all Active Directory domain controllers and can verify all Active Directory trust types. Trust verification takes place between two domains by enumerating all of the domain controllers in each domain. If you choose to have Active Directory Domains and Trusts create both sides of the trust at once, the trust password is automatically generated.
For more information about Active Directory Domains and Trusts, see Help in Active Directory Domains and Trusts.
Dompol.msc: Domain Security Policy
Category
Domain Security Policy is a snap-in for MMC and is automatically installed when you install Active Directory. You can also use Domain Security Policy on computers not running Active Directory by installing the Administration Tools Pack (Adminpak.msi).
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
Security settings for a domain are set in Domain Security Policy, which edits the security settings of the Default Domain Policy Group Policy object. Group Policy settings can be applied to lock down which users are allowed to log on to the server as well as who can access the server from the network.
For more information about Domain Security Policy, see Help and Support Center in Windows Server 2003.
Dsa.msc: Active Directory Users and Computers
Category
An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers running Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
Active Directory Users and Computers provides a graphical user interface that can be used to manage users and computers in Active Directory domains.
Additionally, LDAP Query can be used in this tool for the following:
- To identify domain controllers running Windows NT 4.0
- To connect to a domain
Dsadd.exe: Dsadd
Category
Dsadd is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Dsadd to add specific types of objects to the directory.
To find more information about Dsadd, see Command-Line References in the “Tools and Settings Collection.”
Dsget.exe: Dsget
Category
Dsget is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Dsget to display the selected properties of a specific object in the directory.
To find more information about Dsget, see Command-Line References in the “Tools and Settings Collection.”
Dsmod.exe: Dsmod
Category
Dsmod is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Dsmod to modify an existing object of a specific type in the directory.
To find more information about Dsmod, see Command-Line References in the “Tools and Settings Collection.”
Dsmove.exe: Dsmove
Category
Dsmove is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Dsmove to move a single object in a domain from its current location in the directory to a new location. You can also use Dsmove to rename a single object without moving it in the directory tree.
To find more information about Dsmove, see Command-Line References in the “Tools and Settings Collection.”
Dsquery.exe: Dsquery
Category
Dsquery is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Dsquery to perform searches against Active Directory according to specified criteria. To find more information about Dsquery, see Command-Line References in the “Tools and Settings Collection.”
Dsrm.exe: Dsrm
Category
Dsrm is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Dsrm to delete an object of a specific type, or any general object, from the directory.
To find more information about Dsrm, see Command-Line References in the “Tools and Settings Collection.”
Dssite.msc: Active Directory Sites and Services
Category
An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers running Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Active Directory Sites and Services to create, modify, and delete site configuration objects in Active Directory, including sites, subnets, connection objects, and site links. You can also use Active Directory Sites and Services to create the intersite topology, including mapping subnet addresses to sites, creating and configuring site links, creating manual connection objects, forcing replication over a connection, setting a domain controller to be a global catalog server, and selecting preferred bridgehead servers.
For more information about Active Directory Sites and Services, see Help and Support Center in Windows Server 2003.
Ldifde.exe: Ldifde
Category
Ldifde is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
You can use Ldifde to create, modify, and delete directory objects on domain controllers. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
To find more information about Ldifde, see Command-Line References in the “Tools and Settings Collection.”
Ldp.exe: Ldp
Category
Ldp is included when you install Windows Server 2003 Support Tools.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
Ldp is a Lightweight Directory Access Protocol (LDAP) graphical user interface (GUI) tool that you can use to perform operations such as connect, bind, search, modify, add, and delete against any LDAP-compatible directory, such as Active Directory. You can also use Ldp to view objects that are stored in Active Directory, along with their metadata, such as security descriptors and replication metadata.
To find more information about Ldp, see “Windows Support Tools.”
Netdiag.exe: Network Connectivity Tester
Category
The Network Connectivity Tester command-line tool (Netdiag) is included when you install Windows Server 2003 Support Tools.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
The Netdiag command-line tool examines .dll files, output from other tools, and the system registry to find potential problems. You can use Netdiag to troubleshoot connectivity over the secured channel that exists between a workstation and a domain controller.
For the various trust-related tasks that can be performed using this tool, see the Trust Tools Comparison by Task table (it is not reproduced on this page). To find more information about Netdiag, see “Windows Support Tools.”
Netdom.exe: Windows Domain Manager
Category
The Windows Domain Manager command-line tool (Netdom) is included when you install Windows Server 2003 Support Tools.
Version compatibility
This tool is compatible with computers running Windows XP Professional; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Netdom is a command-line tool that allows you to create and manage Active Directory trust relationships (except forest trusts) in fewer steps than creating a trust with Active Directory Domains and Trusts requires. You can also use Netdom to complete batch management of trusts, join computers to domains, verify trusts (including forest trusts) and secured channels, and obtain information about the status of trusts.
Netdom can be targeted at all Active Directory domain controllers and can verify all Active Directory trust types. Verification is accomplished between two domains by enumerating the domain controllers in each domain. If you choose to have Netdom create both sides of the trust at once the trust password is automatically generated.
To find more information about Netdom, see “Windows Support Tools.”
Nltest.exe: NLTest
Category
The NLTest command-line tool is included when you install Windows Server 2003 Support Tools.
Version compatibility
This tool is compatible with computers running Windows XP Professional; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
You can use the NLTest command-line tool to perform trust-related network administrative tasks such as testing the trust relationship between a Windows–based computer that is a member of a domain and the domain controller on which its computer account is located. In domains where an external trust is defined, NLTest can be used to test the trust relationship between all domain controllers in the trusting domain and a domain controller in the trusted domain. Nltest can also be used to verify any secured channel.
To find more information about NLTest, see “Windows Support Tools.”
Ntdsutil.exe: Ntdsutil
Category
Ntdsutil is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
|
Domain controllers running:
|
Ntdsutil.exe provides management capabilities for Active Directory. You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active Directory. You can also use Ntdsutil to create application directory partitions and perform authoritative restore operations. This tool is intended for use by experienced administrators.
To find more information about Ntdsutil, see Command-Line References in the “Tools and Settings Collection.”
Repadmin.exe: Repadmin
Category
Repadmin is included when you install Windows Server 2003 Support Tools.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
Administrators can use Repadmin to monitor and manage replication between domain controllers. You can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.
To find more information about Repadmin, at a command prompt type repadmin /? or see Command-Line References in the Tools and Settings Collection.
Schmmgmt.msc: Active Directory Schema
Category
An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers running Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
Active Directory Schema is an MMC snap-in with which members of the Schema Admins group manage the schema (the classes and attributes that define Active Directory objects) through a graphical interface. You can create and modify classes and attributes, and also specify which attributes are indexed and which attributes are replicated to the global catalog. The tool should only be used in a test environment because it does not permit the user to set some important values on new schema objects.
Before the snap-in can be used, the DLL that implements it must be registered (regsvr32 schmmgmt.dll) so that it appears as an available snap-in for MMC.
Setspn.exe: Setspn
Category
Setspn is included when you install Windows Server 2003 Support Tools.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running:
Servers running:
Computers running:
|
Domain controllers running:
|
Administrators can use this command-line tool to read, modify, and delete values in the servicePrincipalNames attribute on an Active Directory service account object.
To find more information about Setspn, see “Windows Support Tools.”
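The following PowerShell script is an added example, not code from the original page or from Microsoft. It performs the two servicePrincipalName checks an administrator usually wants after reading the Setspn entry: it finds SPNs registered on more than one account (the condition setspn -X reports on Windows Server 2008 and later; an ambiguous SPN makes the KDC issue a ticket for whichever account it picks, and the service then rejects it with KRB_AP_ERR_MODIFIED), and it lists user accounts that carry SPNs, since any authenticated user can request service tickets for them. It assumes a domain-joined host with read access to the directory and the System.DirectoryServices classes; the search base, object names and SPNs in the sample data are constructed.

```powershell
# Added example (not part of the original page): audit servicePrincipalName values via LDAP.
# Assumes a domain-joined host with read access to the directory and the
# System.DirectoryServices classes (present on all OS versions this page covers).

function Get-SpnEntries {
    # Returns one record per directory object that carries at least one SPN.
    param([string]$SearchBase)   # e.g. 'LDAP://DC=corp,DC=example,DC=com' (assumed name); default = current domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) { $searcher.SearchRoot = [ADSI]$SearchBase }
    $searcher.Filter   = '(servicePrincipalName=*)'
    $searcher.PageSize = 1000                                  # paged search, so large domains are not truncated
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectClass', 'servicePrincipalName'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            DN    = [string]$r.Properties['distinguishedname'][0]
            Class = [string]@($r.Properties['objectclass'])[-1]  # most specific class: 'user' or 'computer'
            SPNs  = @($r.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
        }
    }
}

function Find-DuplicateSpn {
    # An SPN registered on two accounts is ambiguous: the KDC may encrypt the ticket with the
    # wrong account's key and the service rejects it (KRB_AP_ERR_MODIFIED).
    param([Parameter(Mandatory=$true)][object[]]$Entries)
    $holders = @{}                                             # lower-cased SPN -> DNs that register it
    foreach ($e in $Entries) {
        foreach ($spn in $e.SPNs) {
            $key = $spn.ToLowerInvariant()
            if (-not $holders.ContainsKey($key)) { $holders[$key] = @() }
            $holders[$key] += $e.DN
        }
    }
    foreach ($key in @($holders.Keys)) {
        if ($holders[$key].Count -gt 1) {
            New-Object PSObject -Property @{ SPN = $key; Holders = $holders[$key] }
        }
    }
}

function Find-UserAccountSpn {
    # SPNs on user (not computer) accounts: any authenticated user can request a service ticket
    # for them, and that ticket is encrypted with the account's password-derived key, so a weak
    # password on such an account is exposed to offline guessing.
    param([Parameter(Mandatory=$true)][object[]]$Entries)
    $Entries | Where-Object { $_.Class -eq 'user' }
}

# Constructed sample records (not from a real directory) so both checks can be tried offline.
$sample = @(
    (New-Object PSObject -Property @{ DN = 'CN=SQL01,OU=Servers,DC=corp,DC=example,DC=com';   Class = 'computer'; SPNs = @('MSSQLSvc/sql01.corp.example.com:1433', 'HOST/SQL01') }),
    (New-Object PSObject -Property @{ DN = 'CN=svc-sql,OU=Service,DC=corp,DC=example,DC=com'; Class = 'user';     SPNs = @('MSSQLSvc/sql01.corp.example.com:1433') }),
    (New-Object PSObject -Property @{ DN = 'CN=WEB01,OU=Servers,DC=corp,DC=example,DC=com';   Class = 'computer'; SPNs = @('HTTP/web01.corp.example.com', 'HOST/WEB01') })
)
Find-DuplicateSpn -Entries $sample | Format-List         # mssqlsvc/sql01.corp.example.com:1433 held by SQL01 and svc-sql
Find-UserAccountSpn -Entries $sample | Select-Object DN  # svc-sql

# Live run against the current domain:
# $live = Get-SpnEntries
# Find-DuplicateSpn -Entries $live | Format-List
# Find-UserAccountSpn -Entries $live | Select-Object DN, SPNs
```

Setspn itself remains the right tool for fixing what the script reports (setspn -D removes the stray registration, setspn -L lists an account's SPNs); the script only separates the decision from the edit, and the injectable entry list lets you exercise the logic on the constructed sample before pointing it at production.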
Domains and Forests Registry Entries
The following registry entries are associated with domains and forests.
For data store related registry entries, see “Data Store Tools and Settings.”
For global catalog related registry entries, see “Global Catalog Tools and Settings.”
For replication related registry entries, see “Active Directory Replication Tools and Settings.”
For logon related registry entries, see “Interactive Logon Tools and Settings.”
For Kerberos related registry entries, see “Kerberos Authentication Tools and Settings.”
For Access Token related registry entries, see “Access Tokens Tools and Settings.”
Domains and Forests Group Policy Settings
The following tables list and describe the Group Policy settings that are associated with domains and forests.
Group Policy Settings Associated with Data Store
Group Policy Setting | Description |
---|---|
Audit Directory Services Access | When it is enabled, this Group Policy setting causes successful and failed directory access events to be logged in the Security event log under the Directory Service Access category. Enable it together with a system access control list (SACL) on the directory objects of interest; without a SACL no object access is audited. |
Group Policy Settings Associated with Active Directory Searches
Group Policy Setting | Description |
---|---|
Maximum size of Active Directory searches | Specifies the maximum number of objects that the system displays in response to a command to browse or search Active Directory. This policy affects all browse displays that are associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes that are used to set permissions for user or group objects in Active Directory. If you enable this policy, you can use it to limit the number of objects that are returned from an Active Directory search. If you disable this policy or if you do not configure it, the system displays up to 10,000 objects. |
Enable filter in Find dialog box | Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. If you enable this policy, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. |
Hide Active Directory folder | Hides the Active Directory folder in My Network Places. The Active Directory folder displays Active Directory objects in a browse window. If you enable this policy, the Active Directory folder does not appear in the My Network Places folder. If you disable this policy or if you do not configure it, the Active Directory folder appears in the My Network Places folder. |
Group Policy Settings Associated with Global Catalogs
Group Policy Setting | Description |
---|---|
Automated Site Coverage by the DC Locator DNS SRV Records | Determines whether domain controllers dynamically register DC Locator site-specific SRV resource records for the closest sites where no domain controller for the same domain exists (or no global catalog server for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate domain controllers. |
Sites Covered by the GC Locator DNS SRV Records | Specifies the sites for which global catalog servers should register the site-specific GC Locator SRV resource records in DNS. These records are registered in addition to the site-specific SRV resource records registered for the site where the global catalog server is located and, if the global catalog server is appropriately configured, for the sites without a global catalog server in the same forest for which this global catalog server is the closest global catalog server. These records are registered by the Net Logon service. If this policy is not configured, it is not applied to any global catalog servers and global catalog servers use their local configuration. |
Group Policy Settings Associated with Replication
Group Policy Setting | Description |
---|---|
Account Lockout Policy | Changes to these settings in the Domain Security Policy trigger urgent replication. |
Password Policy | Changes to these settings in the Domain Security Policy trigger urgent replication. |
Contact PDC on logon failure | Account lockout and domain password changes rely on contacting the primary domain controller (PDC) emulator urgently to update the PDC emulator with the change. If Contact PDC on logon failure is disabled, replication of password changes to the PDC emulator occurs non-urgently. |
Group Policy Settings Associated with Interactive Logon
Group Policy Setting | Description |
---|---|
Password Policy | Changes to the Password Policy settings control: |
Audit Policy | Changes to the Audit Policy settings control: |
User Rights Assignment | Changes to the User Rights Assignment settings control: |
Security Options | Changes to the Security Options settings control: |
Group Policy Settings Associated with Access Tokens
Group Policy Setting | Description |
---|---|
User Rights Assignment | Changes to these settings control: |
Audit Policy | Changes to this setting will: |
Security Options | Changes to this setting (Network access: Let Everyone permissions apply to anonymous users) affect whether Everyone is in the token for anonymous users. |
Group Policy User Rights Assignment Settings Associated with Kerberos
Group Policy Setting | Description |
---|---|
Impersonate a client after authentication | Security setting first introduced in Windows 2000 SP4. When you assign this user right to a user, you permit programs that run on behalf of that user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to them through methods such as remote procedure calls (RPC) or named pipes. By default, members of the Administrators group and the System account are assigned this user right. The following components also are assigned this user right: |
Group Policy Kerberos Policy Settings Associated with Kerberos
Group Policy Setting | Description |
---|---|
Enforce user logon restrictions | Determines whether the KDC validates every request for a session ticket against the user rights policy on the target computer. When this policy is enabled, the user requesting the session ticket must have the right to either Log on locally or Access this computer from the network. Validation of each request is optional because the extra step takes time and might slow network access to services. By default, this policy is enabled. |
Maximum lifetime for service ticket | Determines the maximum amount of time (in minutes) that a ticket granted for a service (that is, a session ticket) can be used to access the service. If the setting is zero minutes, the ticket never expires. Otherwise, the setting must be greater than ten minutes and less than the setting for Maximum lifetime for user ticket. By default, the setting is 600 minutes (10 hours). |
Maximum lifetime for user ticket | Determines the maximum amount of time (in hours) that a ticket-granting ticket (TGT) for a user can be used. When a TGT expires, a new one must be requested or the existing one must be renewed. By default, the setting is ten hours. |
Maximum lifetime for user ticket renewal | Determines the longest period of time (in days) that a TGT can be used if it is repeatedly renewed. By default, the setting is seven days. |
Maximum tolerance for computer clock synchronization | Determines the maximum difference (in minutes) that the Kerberos V5 protocol tolerates between the clock time on a client and the clock time on a server while still considering the two clocks synchronous. By default, the setting is five minutes. |
To find more information about these Group Policy settings, see Group Policy Settings Reference in the “Tools and Settings Collection” or see “Account Policy Settings.”
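The PowerShell script below is an added example, not code from the original page or from Microsoft. It exports the effective security policy with secedit, parses the [Kerberos Policy] section of the INF file, and checks the values against the rules and defaults the Kerberos policy table above states (service ticket lifetime of zero means never expires, otherwise it must exceed ten minutes and stay below the user ticket lifetime; 600 minutes, 10 hours, 7 days and 5 minutes are the defaults). It assumes the INF key names secedit writes for these settings (MaxServiceAge, MaxTicketAge, MaxRenewAge, MaxClockSkew, TicketValidateClient); the sample INF text is constructed, with two values deliberately set outside the documented rules.

```powershell
# Added example (not part of the original page): check an exported Kerberos policy against the
# constraints stated in the Kerberos policy table. Assumes secedit.exe (present on every listed
# Windows Server version) and the key names it writes under [Kerberos Policy]:
# MaxServiceAge (minutes), MaxTicketAge (hours), MaxRenewAge (days), MaxClockSkew (minutes),
# TicketValidateClient (0/1).

function ConvertFrom-SeceditInf {
    # Minimal INF parser: returns a hashtable of section name -> hashtable of key -> value.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $sections = @{}
    $current  = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }                      # blank line or comment
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -ne $null -and $t -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $sections
}

function Test-KerberosPolicy {
    # Returns one string per finding; no output means the policy satisfies the documented rules and defaults.
    param([Parameter(Mandatory=$true)][hashtable]$Policy)      # the [Kerberos Policy] section
    $required = @('MaxServiceAge', 'MaxTicketAge', 'MaxRenewAge', 'MaxClockSkew', 'TicketValidateClient')
    $missing  = @($required | Where-Object { -not $Policy.ContainsKey($_) })
    if ($missing.Count -gt 0) { return @($missing | ForEach-Object { "$_ is not defined in this export" }) }

    $findings  = @()
    $svcMin    = [int]$Policy['MaxServiceAge']
    $tgtHours  = [int]$Policy['MaxTicketAge']
    $renewDays = [int]$Policy['MaxRenewAge']
    $skewMin   = [int]$Policy['MaxClockSkew']

    if ($svcMin -eq 0) {
        $findings += 'MaxServiceAge=0: service tickets never expire'
    } elseif ($svcMin -le 10 -or $svcMin -ge ($tgtHours * 60)) {
        $findings += "MaxServiceAge=$svcMin min must be greater than 10 and less than the user ticket lifetime ($($tgtHours * 60) min)"
    }
    # Values above the defaults are valid, but they lengthen the window in which a captured ticket
    # or a skewed clock is accepted, so they are reported for review (the reviewer's threshold, not a rule on the page).
    if ($tgtHours -gt 10)  { $findings += "MaxTicketAge=$tgtHours h exceeds the 10 h default" }
    if ($renewDays -gt 7)  { $findings += "MaxRenewAge=$renewDays d exceeds the 7 d default" }
    if ($skewMin -gt 5)    { $findings += "MaxClockSkew=$skewMin min exceeds the 5 min default" }
    if ($Policy['TicketValidateClient'] -ne '1') { $findings += 'TicketValidateClient=0: Enforce user logon restrictions is disabled' }
    return $findings
}

# Constructed sample in the secedit INF layout (not a real export); two values are deliberately off.
$sampleInf = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 720
MaxClockSkew = 15
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-KerberosPolicy -Policy (ConvertFrom-SeceditInf -Lines $sampleInf)['Kerberos Policy']
# Reports MaxServiceAge=720 (not below the 600 min user ticket lifetime) and MaxClockSkew=15.

# Live check on a domain controller; the export is Unicode text, which Get-Content reads directly:
# secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY | Out-Null
# Test-KerberosPolicy -Policy (ConvertFrom-SeceditInf -Lines (Get-Content "$env:TEMP\secpol.inf"))['Kerberos Policy']
```

Run the live check on a domain controller, because Kerberos policy is an account policy that takes effect only from the Group Policy object linked at the domain level; the same parser also reads the GptTmpl.inf of a Default Domain Policy backup if you want to review a change before it is applied.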
Domains and Forests WMI Classes
Windows Management Instrumentation (WMI) provides access to information about certain objects in a Windows 2000 Server or Windows Server 2003 operating system. WMI providers and classes represent the managed resources on a computer and are used by administrators and developers for scripting and monitoring purposes. The following tables list and describe the WMI classes that are associated with Active Directory domains and forests.
WMI Classes Associated with Data Store, Service Principal Names (SPNs) and Active Directory Searches
Class Name | Namespace | Version Compatibility |
---|---|---|
rootDSE | root\directory\LDAP | Domain controllers running: |
DS_LDAP_Class_Containment | root\directory\LDAP | Domain controllers running: |
DS_LDAP_Instance_Containment | root\directory\LDAP | Domain controllers running: |
WMI Classes Associated with Active Directory Replication
Class Name | Namespace | Version Compatibility |
---|---|---|
MSAD_DomainController | root\MicrosoftActiveDirectory | Domain controllers running: |
MSAD_NamingContext | root\MicrosoftActiveDirectory | Domain controllers running: |
MSAD_ReplNeighbor | root\MicrosoftActiveDirectory | Domain controllers running: |
MSAD_ReplCursor | root\MicrosoftActiveDirectory | Domain controllers running: |
MSAD_ReplPendingOp | root\MicrosoftActiveDirectory | Domain controllers running: |
WMI Classes Associated with Trusts
Class Name | Namespace | Version Compatibility |
---|---|---|
Microsoft_TrustProvider | root\MicrosoftActiveDirectory | Domain controllers running Windows Server 2003 |
Microsoft_DomainTrustStatus | root\MicrosoftActiveDirectory | Domain controllers running Windows Server 2003 |
Microsoft_LocalDomainInfo | root\MicrosoftActiveDirectory | |
WMI Classes Associated with Interactive Logon
Class Name | Namespace | Version Compatibility |
---|---|---|
Win32_LogonSession | root\cimv2 | Computers running: |
Win32_LogonSessionMappedDisk | root\cimv2 | Computers running: |
Win32_NetworkLoginProfile | root\cimv2 | Computers running: |
WMI Classes Associated with Access Tokens
Class Name | Namespace | Version Compatibility |
---|---|---|
Win32_TokenGroups | root\cimv2 | Computers running: |
Win32_TokenPrivileges | root\cimv2 | Computers running: |
For more information about these WMI classes, see the WMI SDK documentation on MSDN.
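The PowerShell script below is an added example, not code from the original page or from Microsoft. It reads two of the classes listed above, Microsoft_DomainTrustStatus and MSAD_ReplNeighbor, from a domain controller and turns them into pass/fail findings, which is the monitoring use the section describes. The property names it relies on (TrustedDomain, TrustIsOk, TrustStatusString, SourceDsaCN, NamingContextDN, NumConsecutiveSyncFailures, LastSyncResult) are taken from the WMI SDK reference for these classes and should be confirmed with Get-Member on your build; the sample objects, host names and error value are constructed.

```powershell
# Added example (not part of the original page): trust and replication health from the
# root\MicrosoftActiveDirectory WMI classes. Assumes administrative rights on (or remote WMI
# access to) the domain controller. Property names are taken from the WMI SDK reference;
# confirm them with:
#   Get-WmiObject -Namespace root\MicrosoftActiveDirectory -Class MSAD_ReplNeighbor | Get-Member

function Get-TrustFindings {
    # One finding per trust the DC knows about; $Trusts lets you feed sample data instead of WMI.
    param([string]$ComputerName = '.', [object[]]$Trusts)
    if (-not $Trusts) {
        $Trusts = Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' -Class Microsoft_DomainTrustStatus -ComputerName $ComputerName
    }
    foreach ($t in $Trusts) {
        New-Object PSObject -Property @{
            Kind   = 'Trust'
            Target = $t.TrustedDomain
            Ok     = [bool]$t.TrustIsOk
            Detail = [string]$t.TrustStatusString
        }
    }
}

function Get-ReplicationFindings {
    # One finding per inbound replication partner and partition. A partner that has failed
    # repeatedly, or whose last attempt returned an error, is reported as not OK.
    param([string]$ComputerName = '.', [object[]]$Neighbors, [int]$MaxFailures = 0)
    if (-not $Neighbors) {
        $Neighbors = Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' -Class MSAD_ReplNeighbor -ComputerName $ComputerName
    }
    foreach ($n in $Neighbors) {
        $ok = ([int]$n.NumConsecutiveSyncFailures -le $MaxFailures) -and ([int]$n.LastSyncResult -eq 0)
        New-Object PSObject -Property @{
            Kind   = 'Replication'
            Target = "$($n.SourceDsaCN) -> $($n.NamingContextDN)"
            Ok     = $ok
            Detail = "failures=$($n.NumConsecutiveSyncFailures) lastResult=$($n.LastSyncResult)"
        }
    }
}

# Constructed sample objects (not real WMI output) so the report shape can be seen offline.
$sampleTrusts = @(
    (New-Object PSObject -Property @{ TrustedDomain = 'partner.example'; TrustIsOk = $true;  TrustStatusString = '' }),
    (New-Object PSObject -Property @{ TrustedDomain = 'old.example';     TrustIsOk = $false; TrustStatusString = 'The trust relationship failed.' })
)
$sampleNeighbors = @(
    (New-Object PSObject -Property @{ SourceDsaCN = 'DC02'; NamingContextDN = 'DC=corp,DC=example,DC=com';                  NumConsecutiveSyncFailures = 0;  LastSyncResult = 0 }),
    (New-Object PSObject -Property @{ SourceDsaCN = 'DC03'; NamingContextDN = 'CN=Configuration,DC=corp,DC=example,DC=com'; NumConsecutiveSyncFailures = 12; LastSyncResult = 8453 })
)
@(Get-TrustFindings -Trusts $sampleTrusts) + @(Get-ReplicationFindings -Neighbors $sampleNeighbors) |
    Where-Object { -not $_.Ok } | Format-Table Kind, Target, Detail -AutoSize
# Live run on a domain controller:
# @(Get-TrustFindings) + @(Get-ReplicationFindings) | Where-Object { -not $_.Ok } | Format-Table Kind, Target, Detail -AutoSize
```

Scheduling the live form of this on each domain controller gives the same signal as repadmin /showrepl and Netdom trust verification without parsing their text output, which is why these classes are the better choice for monitoring.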
Network Ports Used by Domains and Forests
The following tables list the network ports associated with domains and forests.
Port Assignments for Raising Active Directory Functional Levels
Service Name | UDP | TCP |
---|---|---|
LDAP | 389 | 389 |
LDAP SSL | N/A | 636 |
Port Assignments for Data Store
Service Name | UDP | TCP |
---|---|---|
LDAP | 389 | 389 |
LDAP SSL | N/A | 636 |
RPC Endpoint Mapper | 135 | 135 |
Global Catalog LDAP | N/A | 3268 |
Global Catalog LDAP SSL | N/A | 3269 |
Port Assignments for Service Publication and SPNs
Service Name | UDP | TCP |
---|---|---|
LDAP | 389 | 389 |
LDAP SSL | N/A | 636 |
RPC Endpoint Mapper | 135 | 135 |
Global Catalog LDAP | N/A | 3268 |
Global Catalog LDAP SSL | N/A | 3269 |
Kerberos | 88 | 88 |
Port Assignments for Active Directory Searches
Service Name | UDP | TCP |
---|---|---|
LDAP | 389 | 389 |
LDAP SSL | N/A | 636 |
Global Catalog LDAP | N/A | 3268 |
Global Catalog LDAP SSL | N/A | 3269 |
Port Assignments for Global Catalogs
Service Name | UDP | TCP |
---|---|---|
LDAP | N/A | 3268 (global catalog) |
LDAP | N/A | 3269 (global catalog Secure Sockets Layer [SSL]) |
LDAP | 389 | 389 |
LDAP | N/A | 636 (SSL) |
RPC/REPL | 135 | 135 (endpoint mapper) |
Kerberos | 88 | 88 |
DNS | 53 | 53 |
SMB over IP | 445 | 445 |
Port Assignments for Replication
Service Name | UDP | TCP |
---|---|---|
LDAP | 389 | 389 |
LDAP | N/A | 636 (SSL) |
RPC/REPL | N/A | 135 (endpoint mapper) |
LDAP | N/A | 3268 (global catalog) |
Kerberos | 88 | 88 |
DNS | 53 | 53 |
SMB over IP | 445 | 445 |
Port Assignments for Operations Masters
Service Name | UDP | TCP |
---|---|---|
LDAP | 389 | 389 |
LDAP | N/A | 636 (SSL) |
RPC/REPL | N/A | 135 (endpoint mapper) |
Netlogon (NetBIOS name service) | 137 | N/A |
Kerberos | 88 | 88 |
DNS | 53 | 53 |
SMB over IP | 445 | 445 |
Port Assignments for Interactive Logon
Service Name | UDP | TCP |
---|---|---|
Kerberos | 88 | 88 |
Local Security Authority (LSA) RPC | Dynamic RPC | Dynamic RPC |
NTLM | Dynamic | Dynamic |
Port Assignments for Kerberos V5 Protocol
Service Name | UDP | TCP |
---|---|---|
DNS | 53 | 53 |
Kerberos | 88 | 88 |
Port Assignment for DC Locator
Service Name | UDP | TCP |
---|---|---|
LDAP | 389 | 389 |
The following table shows the list of ports that might need to be opened before you establish trusts.
Ports Required for Trusts
Task | Outbound Ports | Inbound Ports | From–To |
---|---|---|---|
Set up trusts on both sides from the internal forest | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); endpoint resolution (RPC endpoint mapper, 135 TCP); Net Logon fixed port | N/A | Internal domain domain controllers to external domain domain controllers (all ports) |
Trust validation from the internal forest domain controller to the external forest domain controller (outgoing trust only) | LDAP (389 UDP); Microsoft SMB (445 TCP); endpoint resolution (RPC endpoint mapper, 135 TCP); Net Logon fixed port | N/A | Internal domain domain controllers to external domain domain controllers (all ports) |
Use Object Picker on the external forest to add objects that are in an internal forest to groups and DACLs | N/A | LDAP (389 UDP and TCP); Windows NT Server 4.0 directory service fixed port; Net Logon fixed port; Kerberos (88 UDP); endpoint resolution (RPC endpoint mapper, 135 TCP) | External server to internal domain PDCs (Kerberos); external domain domain controllers to internal domain domain controllers (Net Logon) |
Set up trust on the external forest from the external forest | N/A | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP) | External domain domain controllers to internal domain domain controllers (all ports) |
Use Kerberos authentication (internal forest client to external forest) | Kerberos (88 UDP) | N/A | Internal client to external domain domain controllers (all ports) |
Use NTLM authentication (internal forest client to external forest) | N/A | Endpoint resolution (RPC endpoint mapper, 135 TCP); Net Logon fixed port | External domain domain controllers to internal domain domain controllers (all ports) |
Join a domain from a computer in the internal network to an external domain | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); endpoint resolution (RPC endpoint mapper, 135 TCP); Net Logon fixed port; Windows NT Server 4.0 directory service fixed port | N/A | Internal client to external domain domain controllers (all ports) |
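The PowerShell script below is an added example, not code from the original page or from Microsoft. It checks, from a domain controller in the internal forest, that the outbound ports the first row of the trust table requires are reachable on an external-forest domain controller before the trust is attempted, and reports the UDP entries (Kerberos 88, LDAP 389) as not testable, since a TCP connect says nothing about them. It adds TCP 88, which the Kerberos table above lists alongside UDP 88. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it runs on every OS version this page covers. The external host name is assumed; the Net Logon fixed port is taken as a parameter because the page does not give its value (when a domain pins it, the number is the DCTcpipPort registry value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters), and the dry-run probe is constructed.

```powershell
# Added example (not part of the original page): reachability check for the fixed ports in the
# "Set up trusts on both sides from the internal forest" row. Run from an internal-forest DC.
# Assumes the target name resolves from this host; the Net Logon fixed port, if configured, is
# passed in by the caller.

function Test-TcpPort {
    # True when a TCP connection to $ComputerName:$Port completes within the timeout.
    param([Parameter(Mandatory=$true)][string]$ComputerName,
          [Parameter(Mandatory=$true)][int]$Port,
          [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }   # timed out (filtered)
        $client.EndConnect($async)                                                     # throws when refused or unreachable
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-TrustSetupPorts {
    # The outbound ports the trust table lists for setting up both sides from the internal forest,
    # plus TCP 88 from the Kerberos table.
    param([int]$NetlogonFixedPort = 0)     # 0 = Net Logon uses a dynamic RPC port resolved via 135
    $ports = @(
        @{ Name = 'LDAP';                Proto = 'TCP'; Port = 389 },
        @{ Name = 'LDAP';                Proto = 'UDP'; Port = 389 },
        @{ Name = 'Microsoft SMB';       Proto = 'TCP'; Port = 445 },
        @{ Name = 'Kerberos';            Proto = 'UDP'; Port = 88  },
        @{ Name = 'Kerberos';            Proto = 'TCP'; Port = 88  },
        @{ Name = 'RPC endpoint mapper'; Proto = 'TCP'; Port = 135 }
    )
    if ($NetlogonFixedPort -gt 0) {
        $ports += @{ Name = 'Net Logon (fixed port)'; Proto = 'TCP'; Port = $NetlogonFixedPort }
    }
    return $ports
}

function Test-TrustSetupPorts {
    # One result object per required port; $Probe is injectable so the logic can be dry-run offline.
    param([Parameter(Mandatory=$true)][string]$ExternalDc,
          [int]$NetlogonFixedPort = 0,
          [scriptblock]$Probe = { param($h, $p) Test-TcpPort -ComputerName $h -Port $p })
    foreach ($entry in Get-TrustSetupPorts -NetlogonFixedPort $NetlogonFixedPort) {
        if ($entry.Proto -eq 'UDP') {
            $state = 'not testable with a TCP connect'
        } elseif (& $Probe $ExternalDc $entry.Port) {
            $state = 'open'
        } else {
            $state = 'BLOCKED'
        }
        New-Object PSObject -Property @{ Service = $entry.Name; Proto = $entry.Proto; Port = $entry.Port; State = $state }
    }
}

# Dry run with a constructed probe that pretends only SMB 445 is filtered (no network needed):
Test-TrustSetupPorts -ExternalDc 'dc1.partner.example' -NetlogonFixedPort 49152 -Probe { param($h, $p) $p -ne 445 } |
    Format-Table Service, Proto, Port, State -AutoSize
# Live run from an internal-forest DC (host name assumed):
# Test-TrustSetupPorts -ExternalDc 'dc1.partner.example' | Format-Table Service, Proto, Port, State -AutoSize
```

An "open" result only proves that a firewall forwards the port; it does not prove the service behind it will accept the trust, so follow a clean run with the Netdom or Active Directory Domains and Trusts verification described earlier. Where Net Logon is not pinned, the RPC endpoint mapper hands out a dynamic port, and that range must be open as well, which a fixed-port check cannot confirm.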
Related Information
The following resources contain additional information that is relevant to this section.
Windows Support Tools
Command-Line References in the Tools and Settings Collection for information about DSQuery and Ntdsutil.
Microsoft Platform SDK on MSDN for more information about the WMI classes that are associated with Active Directory domains and forests.
Group Policy Settings Reference in the Tools and Settings Collection for information about Group Policy settings that are associated with domains and forests.
Registry Reference in the Tools and Settings Collection for information about registry entries that are associated with domains and forests.