Below is a comprehensive list of the servers, including specific ports, which must be open in your firewall in order to access Active Directory (UMROOT) servers and the test forest servers. For the similarities and differences between the production (UMROOT) and test forests, see Active Directory Test Forest. To get access to the test forest, submit a request to the ITS Service Center.
Contents:
Production Forest (UMROOT)
Easiest Firewall Option—Use IP Address Ranges
The easiest option for configuring firewalls to allow your computers to access Active Directory (UMROOT) is to open your firewall to the following networks on all ports:
- 141.211.91.0/26
- 141.211.22.32/28
- 141.211.142.48/28
- 141.213.136.128/27
- 141.215.69.0/24
Server Names and Addresses for UMROOT
If you must configure your firewall more narrowly, you can use the server names and IP addresses listed below. Be aware, though, that you will need to make updates should any of these change in the future.
UMROOT Read/Write Domain Controllers, Global Catalogs
It is best to use the alias: adsroot.itcs.umich.edu
The individual server names and addresses are:
- adprod-dc-m1.adsroot.itcs.umich.edu — 141.211.91.41
- adprod-dc-m2.adsroot.itcs.umich.edu — 141.211.91.42
- adprod-dc-s1.adsroot.itcs.umich.edu — 141.211.142.52
- adprod-dc-n1.adsroot.itcs.umich.edu — 141.213.136.143
- adprod-dc-n2.adsroot.itcs.umich.edu — 141.213.136.144
- adprod-dc-d1.adsroot.itcs.umich.edu — 141.215.69.206
- adprod-dc-d2.adsroot.itcs.umich.edu — 141.215.69.207
- adprod-dc-dr.adsroot.itcs.umich.edu — 141.211.22.36
Firewalling individual ports is strongly discouraged. If you proceed, anyway, the domain controllers use the following ports on campus, and your network will need to be open to all of them. You may also need RPC ports open (1024 > 65536). For a detailed discussion of the network port requirements for Windows, see Service overview and network port requirements for Windows (Microsoft Knowledgebase)
- 53 (DNS) TCP
- 53 (DNS) UDP
- 88 (Kerberos) TCP
- 88 (Kerberos) UDP
- 123 (NTP) UDP
- 135 (RPC endpoint mapper/DCOM) TCP
- 137 (NetBIOS name service) TCP
- 137 (NetBIOS name service) UDP
- 138 (NetBIOS datagram service) UDP
- 139 (NetBIOS session service) TCP
- 389 (LDAP) TCP
- 389 (LDAP) UDP
- 445 (SMB) TCP
- 464 (Kerberos Password Change) TCP
- 464 (Kerberos Password Change) UDP
- 636 (LDAP over SSL) TCP
- 3268 (Global Catalog) TCP
- 3269 (Global Catalog over SSL) TCP
UMROOT WINS Servers
- 141.211.76.103
- 141.211.21.102
UM-Ann Arbor DNS Servers
Please use the UM-Ann Arbor DNS servers if possible, rather than UMROOT DNS servers.
- 10.10.10.10
- 10.10.5.5
UMROOT DNS Servers (use only if no alternative)
Use the UMROOT DNS servers in place of the campus DNS servers only if you have no alternative.
- 141.213.134.16
- 141.213.134.14
- 141.213.136.143
- 141.213.136.144
Terminal Server Licensing Servers
- rdsl01.adsroot.itcs.umich.edu — 141.211.7.253
- rdsl02.adsroot.itcs.umich.edu — 141.211.21.98
KMS Servers
Open TCP/1688 from clients/servers to the KMS servers.
It is best to use the CNAME rather than individual IP addresses for configuration:
- CNAME: mskms.umich.edu
- 141.211.21.99
- 141.211.76.100
UMROOT PKI Server
- pki02.adsroot.itcs.umich.edu — 141.211.143.144
Test Forest
Easiest Firewall Option—Use IP Address Ranges
The easiest option for configuring firewalls to allow your computers to access the test forest is to open your firewall to the following networks on all ports:
- 141.211.91.0/26
- 141.211.22.32/28
- 141.215.69.0/24
- 141.213.136.128/27
Server Names and Addresses for the Test Forest
If you must configure your firewall more narrowly, you can use the server names and IP addresses listed below. Be aware, though, that you will need to make updates should any of these change in the future.
Test Forest Read/Write Domain Controllers, Global Catalogs
It is best to use the alias: adsroot.itd.umich.edu
The individual server names and addresses are:
- ADQA-DC-M1.adsroot.itd.umich.edu — 141.211.91.40
- ADQA-DC-N1.adsroot.itd.umich.edu — 141.213.136.145
- ADQA-DC-D1.adsroot.itd.umich.edu — 141.215.69.205
- ADQA-DC-DR.adsroot.itd.umich.edu — 141.211.22.37
Firewalling individual ports is strongly discouraged. If you proceed, anyway, the domain controllers use the following ports on campus, and your network will need to be open to all of them. You may also need RPC ports open (1024 > 65536). For a detailed discussion of the network port requirements for Windows, see Service overview and network port requirements for Windows (Microsoft Knowledgebase)
- 53 (DNS) TCP
- 53 (DNS) UDP
- 88 (Kerberos) TCP
- 88 (Kerberos) UDP
- 123 (NTP) UDP
- 135 (RPC endpoint mapper/DCOM) TCP
- 137 (NetBIOS name service) TCP
- 137 (NetBIOS name service) UDP
- 138 (NetBIOS datagram service) UDP
- 139 (NetBIOS session service) TCP
- 389 (LDAP) TCP
- 389 (LDAP) UDP
- 445 (SMB) TCP
- 464 (Kerberos Password Change) TCP
- 464 (Kerberos Password Change) UDP
- 636 (LDAP over SSL) TCP
- 3268 (Global Catalog) TCP
- 3269 (Global Catalog over SSL) TCP
UM-Ann Arbor DNS Servers
Use the UM-Ann Arbor DNS servers if possible, rather than test forest DNS servers.
- 10.10.10.10
- 10.10.5.5
Test Forest DNS Servers (use only if no alternative)
Use the test forest DNS servers in place of the campus DNS servers only if you have no alternative.
- 141.213.134.15
- 141.213.136.145
Terminal Server Licensing Servers
- rdsl01.adsroot.itcs.umich.edu — 141.211.7.253
- rdsl02.adsroot.itcs.umich.edu — 141.211.21.98
KMS Servers
Open TCP/1688 from clients/servers to the KMS servers.
It is best to use the CNAME rather than individual IP addresses for configuration:
- CNAME: mskms.umich.edu
- 141.211.21.99
- 141.211.76.100
Test Forest PKI Server
- its-pki2.adsroot.itd.umich.edu — 141.211.76.247