These ports are then used by Configuration Manager during communications to the reporting services point. If your Root is a member of AD, then you probably aren't getting any value from
Based on the information that is contained in the named log collection setting, the Performance Logs and Alerts service starts and stops each named performance data collection. The following list provides an overview of the information that this article contains: This article uses certain terms in specific ways.
The service also includes the web server that serves the device in addition to service descriptions and a presentation page. Earlier versions of Windows-based programs, such as My Network Places, the net view command, and Windows Explorer, all require browsing capability. Known as “The PKI Guy” at Microsoft for 10 years. Otherwise all interaction Additionally, for successful validation on Windows Failover Clusters on 2008 and above, allow inbound and outbound traffic for ICMP4, ICMP6, and port 445/TCP for SMB. This service uses Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or time stamp, is assigned for network validation and for resource access requests. All of these systems use SMB. Managers, programmers, and users see the cluster as a single system. World Wide Web Publishing Service provides the infrastructure that you must have to register, manage, monitor, and serve websites and programs that are registered with IIS. Offline Files and Roaming User Profiles cache user data to computers for offline use. The Net Logon system service maintains a security channel between your computer and the domain controller to authenticate users and services. System service names: ProfSvc, CscService. SSDP Discovery Service implements Simple Service Discovery Protocol (SSDP) as a Windows service. After you have configured the certificate template and autoenrollment, you can refresh Group Policy on all target servers. For more information, see Windows PE Peer Cache.
The process manager controls the processes where custom applications and websites reside.
You can use the Remote Installation system service to install Windows 2000, Windows XP, and Windows Server 2003 on Pre-Boot Execution Environment (PXE) remote boot-enabled client computers. https://blogs.technet.microsoft.com/pki/2010/06/25/firewall-rules-for-active-directory-certificate-services/. The site server that runs migration uses several ports to connect to applicable sites in the source hierarchy. A summarized list of services, ports, and protocols required for member computers and domain controllers to interoperate with one another or for application servers to access Active Directory includes but is not limited to the following. For a list of ports for each client deployment method, see Ports used during Configuration Manager client deployment. For more information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall and port settings for clients. On the computer where you are planning to install AD CS, assign the computer a static IP address, rename the computer, join the computer to the domain, and then log on to the computer with a user account that is a member of the Domain Admins and Enterprise Admins groups. ³ This is the range in Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista. In this encapsulated scenario, you must allow the following items through the router instead of opening all the ports and protocols listed in this topic: Finally, you can hard-code the port that is used for Active Directory replication by following the steps in Restricting Active Directory RPC traffic to a specific port. Communication is bidirectional. The ports that Configuration Manager uses during client installation depend on the deployment method. For more information, see Port that clients use to receive requests for delta content.
¹ For more information about how to customize this port, see Distributed Transaction Coordinator in the References section. I do have two follow-up questions regarding an online Root CA in the two-tier configuration, if I may. This system service provides NAT, addressing, and name resolution services for all computers on your home network or your small-office network. American National Standards Institute (ANSI), RFC 2349 - Time-out interval, and transfer size options, Distributed File System Replication (if not using FRS for SYSVOL replication), File Replication Service (if not using DFSR for SYSVOL replication), WINS (in Windows Server 2003 SP1 and later versions for backup Active Directory replication operations, if DNS is not working), Certificate Services (required for specific configurations), Distributed File System Namespaces (if using domain-based namespaces). From SubCA to AD (https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx). DNS servers are required to locate devices and services that are identified by using DNS names and to locate domain controllers in Active Directory. When this service runs, it relies on the WORKSTATION service and on the Local Security Authority service to listen for incoming requests. You can establish one or more DHCP servers to maintain TCP/IP configuration information and to provide that information to client computers. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe). The logs can be viewed programmatically through the event log APIs or through the Event Viewer in an MMC snap-in. These programs can communicate across heterogeneous networks and can send messages between computers that may be temporarily unable to connect to one another. If you enable a host-based firewall on the SQL server, configure it to allow the correct ports. (Certificate Authority and Certificate Authority Web Enrollment).
You can move the content library to another storage location to free up hard drive space on your central administration or primary site servers. Clients use this communication to confirm whether the other client is awake on the network. Active Directory and other components use RPC over ports in the ephemeral port range. IPsec Encapsulating Security Protocol (ESP) (IP protocol 50), IPsec Network Address Translator Traversal NAT-T (UDP port 4500), IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500), Secure/Multipurpose Internet Mail Extensions (S/MIME). System service name: Remote_Storage_User_Link. It seems specific to that. The Computer Browser system service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. Its core components were developed by using COM, and it has a flexible architecture that you can customize for specific programs. Configuration Manager uses the following ports for the discovery and publishing of site information: On-premises Configuration Manager clients or site systems can make the following external connections: Asset Intelligence synchronization point --> Microsoft, Client --> Global catalog domain controller, Configuration Manager console --> Internet, Site server <--> Issuing Certification Authority (CA), Software update point --> Upstream WSUS Server, CMG connection point --> CMG cloud service.
The call is being made over the single port as I understand it, so we would not want to open the Root and Subordinate CAs' entire port range of 49152-65535, I would think.