Active Directory Firewall Ports – Let’s Try To Make This Simple

Preamble

Ace here again. I thought I’d clean up and re-publish my blog on AD port requirements. Yes, they are extensive, to the dismay of the network group in your organization. But it is what it is, and it is what we need to follow to make AD work.

RPC server not available? Replication errors in the Event viewer? Sound familiar?

If so, you’ve come to the realization that necessary ports are possibly being blocked, causing these familiar AD communication errors. The block could be between locations with firewall/VPN tunnel port filters, the Windows Firewall (which is usually not the culprit, because it auto-configures for the role of the machine and its current network location), or even security software or antivirus apps with some sort of “network traffic protection” feature enabled.

Simply speaking, if there are replication or other AD communication problems, and you have antivirus software installed on the endpoints or on all of your DCs, disable it, or better yet, uninstall it. Uninstalling it is the best bet, so you know there are no traces of other active subcomponents that may still be causing the block. If after uninstalling it you find replication now works, well, there you have it. At that point you’ll need to contact your antivirus vendor to ask the best way to configure it to allow AD communications and replication.

If it’s not your antivirus or security app, and disabling the Windows firewall doesn’t do the trick, then it’s obvious it’s an outside factor – your edge/perimeter firewalls.

Also, to point out: when testing for port blocks, tools such as telnet are not a good way to test AD/DC-to-DC connectivity, nor is any sort of standard port scan (nmap, for example), a simple ping, or resolving names with nslookup (although resolving the required records is a prerequisite). The only reliable test is Microsoft’s PortQry, which tests the specific AD ports and the ephemeral ports, and checks for the required responses from the services on the AD ports it scans.

AD through a NAT? Nope. Period.

Oh, and don’t expect to get this to work through a NAT. NATs cannot translate the encrypted RPC traffic, therefore bonking LDAP communications.

Description of Support boundaries for Active Directory over NAT
http://support.microsoft.com/kb/978772

How to configure RPC dynamic port allocation to work with firewalls
AD communications won’t work through NAT port translation. Quoted: “… you cannot use DCOM through a NAT firewall that performs address translation (e.g. where a client connects to virtual address 198.252.145.1, which the firewall maps transparently to the server’s actual internal IP address of, say, 192.100.81.101). This is because DCOM stores raw IP addresses in the interface marshaling packets and if the client cannot connect to the address specified in the packet, it will not work.”
Quoted from: http://support.microsoft.com/kb/154596/en-us

Windows 2000 NAT Does Not Translate Netlogon Traffic (this applies to all DCs)
Quoted: “Windows 2000 NAT does not support Netlogon and translate Kerberos. If you have clients that are located behind a Windows 2000-based NAT server and need access to domain resources, consider creating a Routing and Remote Access virtual private network (VPN) tunnel for Netlogon traffic, or upgrade the clients to Windows 2000.”
Quoted from: http://support.microsoft.com/kb/263293

*

Ok, let’s find out if the ports are being blocked

Now you’re thinking that your network infrastructure engineers know what they’re doing and opened up the necessary ports, so this can’t be the reason, or can it? Well, let’s find out. We can use PortQry to test it. And no, you don’t want to use ping, nslookup, nmap or any other port scanner, because they’re not designed to query the necessary AD ports to see if they are responding or not.

So let’s run PortQry:

First, download it:

       PortQryUI – GUI – Version 2.0 8/2/2004
       http://www.microsoft.com/download/en/details.aspx?id=24009

Then run the “Domains & Trusts” option between DCs, between DCs and any machine (other servers you want to promote, or even a client machine), or from the bridgehead in each site to the bridgehead in the other site; pretty much anywhere you want to test whether there are any blocked AD ports.

The point is, you’ll want to run it in any scenario where a DC must communicate to another DC or to a client.

If you get any errors with “NOTLISTENING,” 0x00000001, or 0x00000002, that means there is a port block. Take note of which ports they are.

You can ignore UDP 389 and UDP 88 messages. If you see TCP 42 errors, that just means WINS is not running on the target server.
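The same test, scripted: this is an added example (not from the original post) that drives the command-line PortQry.exe across the AD port list in this article and interprets the results the way the paragraphs above describe. It assumes portqry.exe is on the PATH (or passed via -PortQryPath) and uses PortQry’s documented -q exit codes (0 = listening, 1 = not listening, 2 = filtered/unknown).

```powershell
# Added example: run PortQry against one target for every core AD port in this
# article and flag possible blocks. Assumes portqry.exe (command-line version).
param(
    [Parameter(Mandatory)] [string] $Target,      # DC, bridgehead or client to test against
    [string] $PortQryPath = 'portqry.exe'         # assumption: portqry.exe is on the PATH
)

# Core AD ports from the table in this article (ephemeral range is tested separately,
# e.g. portqry -n <target> -p tcp -r 49152:65535).
$AdPorts = @(
    @{ Proto = 'tcp'; Port = 25;   Use = 'SMTP replication' },
    @{ Proto = 'tcp'; Port = 42;   Use = 'WINS' },
    @{ Proto = 'tcp'; Port = 135;  Use = 'RPC endpoint mapper' },
    @{ Proto = 'tcp'; Port = 139;  Use = 'NetBIOS session service' },
    @{ Proto = 'tcp'; Port = 389;  Use = 'LDAP' },
    @{ Proto = 'udp'; Port = 389;  Use = 'LDAP (UDP)' },
    @{ Proto = 'tcp'; Port = 636;  Use = 'LDAP SSL' },
    @{ Proto = 'tcp'; Port = 3268; Use = 'LDAP GC' },
    @{ Proto = 'tcp'; Port = 3269; Use = 'LDAP GC SSL' },
    @{ Proto = 'tcp'; Port = 88;   Use = 'Kerberos' },
    @{ Proto = 'udp'; Port = 88;   Use = 'Kerberos (UDP)' },
    @{ Proto = 'tcp'; Port = 53;   Use = 'DNS' },
    @{ Proto = 'udp'; Port = 53;   Use = 'DNS (UDP)' },
    @{ Proto = 'tcp'; Port = 445;  Use = 'SMB' },
    @{ Proto = 'tcp'; Port = 464;  Use = 'Kerberos password change' },
    @{ Proto = 'udp'; Port = 464;  Use = 'Kerberos password change (UDP)' },
    @{ Proto = 'tcp'; Port = 9389; Use = 'AD DS Web Services' },
    @{ Proto = 'tcp'; Port = 5722; Use = 'DFSR (SYSVOL)' },
    @{ Proto = 'udp'; Port = 123;  Use = 'Windows Time' },
    @{ Proto = 'udp'; Port = 137;  Use = 'NetBIOS name service' },
    @{ Proto = 'udp'; Port = 138;  Use = 'NetBIOS datagram service' }
)

function Test-AdPort {
    param([string] $Target, [string] $Proto, [int] $Port, [string] $PortQryPath)
    # -q suppresses output and reports the result in the exit code.
    & $PortQryPath -n $Target -p $Proto -e $Port -q | Out-Null
    switch ($LASTEXITCODE) {
        0       { 'LISTENING' }
        1       { 'NOT LISTENING' }
        2       { 'FILTERED' }
        default { "UNKNOWN ($LASTEXITCODE)" }
    }
}

$results = foreach ($p in $AdPorts) {
    $state = Test-AdPort -Target $Target -Proto $p.Proto -Port $p.Port -PortQryPath $PortQryPath
    # Interpretation per the article: UDP 389/88 messages are noise and
    # TCP 42 failing only means WINS is not running on the target.
    $note = ''
    if ($state -ne 'LISTENING') {
        if     ($p.Proto -eq 'udp' -and $p.Port -in @(389, 88)) { $note = 'ignore (expected for UDP 389/88)' }
        elseif ($p.Proto -eq 'tcp' -and $p.Port -eq 42)         { $note = 'WINS not running on target, not a block' }
        else                                                    { $note = 'POSSIBLE PORT BLOCK' }
    }
    [pscustomobject]@{
        Protocol = $p.Proto.ToUpper(); Port = $p.Port; Usage = $p.Use; State = $state; Note = $note
    }
}

$results | Format-Table -AutoSize
```

Run it from each side of the firewall that must carry DC traffic (DC to DC, bridgehead to bridgehead, client to DC), since a rule can be one-directional.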

PortQry References

Knock Knock Is That Port Open?
By Mark Morowczynski [MSFT] 18 Apr 2011, Quick tutorial about PortQry GUI version.
http://blogs.technet.com/b/markmoro/archive/2011/04/18/knock-knock-is-that-port-open.aspx

“At times you may see errors such as The RPC server is unavailable or There are no more endpoints available from the endpoint mapper …”
http://blogs.technet.com/b/askds/archive/2009/01/22/using-portqry-for-troubleshooting.aspx

How to use Portqry to troubleshoot Active Directory connectivity issues
http://support.microsoft.com/kb/816103

If you want to use the command line only version:

Download details: PortQry Command Line Only Port Scanner Version 2.0
http://www.microsoft.com/downloads/en/details.aspx?familyid=89811747-c74b-4638-a2d5-ac828bdc6983&displaylang=en

Understanding portqry and the command’s output: New features and functionality in PortQry version 2.0
http://support.microsoft.com/kb/832919

Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099

Portqry Remarks
http://technet.microsoft.com/en-us/library/cc759580(WS.10).aspx

*

DC to DC and DC to client communications Require Numerous ports

There’s no secret to this. That’s the simplest I can put it.

And the list of ports required is long, to the dismay of the network infrastructure engineering teams that must open them. But for AD to communicate, replicate, etc., these ports must be opened. There really isn’t much that can be done otherwise.

Here’s the list with an explanation of each port:

Protocol and Port | AD and AD DS Usage | Type of traffic
TCP 25 | Replication | SMTP
TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
TCP 135 | Replication | RPC, EPM
TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389 | AD DS Web Services | SOAP
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP 123 | Windows Time, Trusts | Windows Time
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE

And We Must Never Forget the Ephemeral Ports!!

And most of all, the ephemeral ports, also known as the “service response ports,” are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the ‘client’ may be) and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux, Unix and other operating systems as well. See the references section below to find out more on what ‘ephemeral’ means.

The following chart shows what the ephemeral ports are depending on the OS version, and what they are used for.

Operating system | Protocol | Port range | Usage
Windows 2003, Windows XP, and Windows 2000 | TCP & UDP | 1024-5000 | Ephemeral Dynamic Service Response Ports
Windows 2008/Vista and newer | TCP & UDP | 49152-65535 | Ephemeral Dynamic Service Response Ports

Protocol and Port | AD and AD DS Usage | Type of traffic
TCP Dynamic (Ephemeral) | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
UDP Dynamic (Ephemeral) | Group Policy | DCOM, RPC, EPM

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:

TCP & UDP 1024 – 65535 | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB

See, wasn’t that simple?

 

The Short list without port explanations:

Protocol Port
TCP 25
TCP 42
TCP 135
TCP 137
TCP 139
TCP and UDP 389
TCP 636
TCP 3268
TCP 3269
TCP and UDP 88
TCP and UDP 53
TCP and UDP 445
TCP 9389
TCP 5722
TCP and UDP 464
UDP 123
UDP 137
UDP 138
UDP 67
UDP 2535
TCP & UDP 1024-5000
TCP & UDP 49152-65535

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDC:

The following Ephemeral ports must be opened (yes, it’s pretty much the whole range):

TCP & UDP 1024-65535

*

Restricting Ports Across a Firewall

You also have the ability to restrict DC to DC replication traffic, and DC to client communications, to specific ports. Keep in mind, it depends on which ports and services you want to restrict, and when choosing this option you must specify the correct ports for the correct service.

1. Method 1

This is used to set a specific AD replication port. By default, a dynamic port is used to replicate data from a DC in one site to another.

This is applicable for restricting AD replication to a specific port or port range.

Procedure: Modify the registry to select a static port under the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196

2. Method 2

This is for configuring the dynamic port range(s) Windows hands out, which is then the range you open in the Windows Firewall and on perimeter firewalls.

Netsh – use the following examples to set a starting port and the number of ports after it to use:

netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000

The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/929851

3. Method 3 – Modify the registry

This applies to RPC communications for Windows services in general, and it also affects AD communications.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

How to configure RPC dynamic port allocation to work with firewalls
http://support.microsoft.com/kb/154596/en-us
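The three methods above, applied together from one elevated PowerShell session on a DC, as an added example that is not part of the original post. The value names (“TCP/IP Port”, “DCTcpipPort”, and the Rpc\Internet subkey with Ports/PortsInternetAvailable/UseInternetPorts) come from the two KB articles the methods cite; the port numbers are constructed sample values, so substitute your own unused ports and reboot (or restart NTDS and Netlogon) for the registry changes to take effect.

```powershell
# Added example: pin AD replication, Netlogon and RPC dynamic ports to a small,
# known set so the perimeter firewall only has to pass that set. Run elevated on the DC.
param(
    [int] $NtdsPort     = 50000,   # sample value: static AD replication (DRSUAPI) port
    [int] $NetlogonPort = 50001,   # sample value: static Netlogon RPC port
    [int] $DynStart     = 10000,   # sample value: start of the dynamic (ephemeral) range
    [int] $DynCount     = 1000     # sample value: number of ports in that range
)

# Method 1 (KB224196): static AD replication and Netlogon RPC ports.
# NTDS reads "TCP/IP Port"; Netlogon reads "DCTcpipPort"; both are REG_DWORD.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nl   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $ntds -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort     -Force | Out-Null
New-ItemProperty -Path $nl   -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null

# Method 2 (KB929851): shrink the dynamic port range the TCP/IP stack hands out.
netsh int ipv4 set dynamicport tcp start=$DynStart num=$DynCount | Out-Null
netsh int ipv4 set dynamicport udp start=$DynStart num=$DynCount | Out-Null

# Method 3 (KB154596): tell the RPC runtime to allocate its dynamic endpoints from
# the same range. The Internet subkey under HKLM\Software\Microsoft\Rpc is the one the KB uses.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
$range = '{0}-{1}' -f $DynStart, ($DynStart + $DynCount - 1)
New-ItemProperty -Path $rpc -Name 'Ports'                  -PropertyType MultiString -Value @($range) -Force | Out-Null
New-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' -PropertyType String      -Value 'Y'       -Force | Out-Null
New-ItemProperty -Path $rpc -Name 'UseInternetPorts'       -PropertyType String      -Value 'Y'       -Force | Out-Null

# Read everything back so the firewall team gets the exact list to open:
# TCP 135 (EPM), the two static ports, and the dynamic range.
function Get-AdStaticPortConfig {
    [pscustomobject]@{
        NtdsReplicationPort = (Get-ItemProperty $ntds).'TCP/IP Port'
        NetlogonPort        = (Get-ItemProperty $nl).DCTcpipPort
        RpcInternetPorts    = ((Get-ItemProperty $rpc).Ports -join ',')
        TcpDynamicRange     = ((netsh int ipv4 show dynamicport tcp) -join ' ').Trim()
        UdpDynamicRange     = ((netsh int ipv4 show dynamicport udp) -join ' ').Trim()
    }
}

Get-AdStaticPortConfig | Format-List
```

After the restart, re-run PortQry against TCP 135 plus the two static ports to confirm the endpoint mapper now advertises them and the firewall passes them.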

Here are some related links to restricting AD replication ports.

Reference thread:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/76e8654a-fbba-49af-b6d6-e8d9d127bf03/

RODC Firewall Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

 

RODC – “Read only Domain Controllers” have their own port requirements

Protocol and Port | Traffic | Type of Traffic
UDP 53 | DNS | DNS
TCP 53 | DNS | DNS
TCP 135 | RPC, EPM | RPC, EPM
TCP Static 53248 | FRsRpc | FRsRpc
TCP 389 | LDAP | LDAP
TCP and UDP Dynamic 1025 – 5000 | Windows 2000, Windows 2003, Windows XP | Ephemeral Ports
TCP and UDP Dynamic 49152 – 65535 | Windows 2008, Windows Vista and all newer operating systems | Ephemeral Ports

Designing RODCs in the Perimeter Network
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx

Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196

Good discussion on RODC and firewall ports required:
http://forums.techarena.in/active-directory/1303925.htm

Further info on how RODC authentication works will help understand the ports:
Understanding “Read Only Domain Controller” authentication
http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx

 

References

How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442

Active Directory and Active Directory Domain Services Port Requirements, Updated: June 18, 2009 (includes updated new ephemeral ports for Windows Vista/2008 and newer). This also discusses RODC port requirements. You must also make sure the ephemeral ports are opened. They are:
   TCP & UDP 1025-5000
   TCP & UDP 49152-65535
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Windows 2008, 2008 R2, Vista and Windows 7 Ephemeral Port range has changed from the ports used by Windows 2003, Windows XP, and Windows 2000. Default ephemeral (random service dynamic response) ports are UDP 1024 – 65535 (see KB179442 above), but for Vista and Windows 2008 it’s different. Their default start port range is UDP 49152 to UDP 65535 (see KB929851 below).

Quoted from KB929851 (link posted below): “To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.”

Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports) have changed.
http://support.microsoft.com/?kbid=929851

Active Directory and Firewall Ports (a list of ports needed for Active Directory replication between firewalls)
http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx

Active Directory Replication over Firewalls, Jan 31, 2006. (includes older pre-Windows Vista/2008 ephemeral ports)
http://technet.microsoft.com/en-us/library/bb727063.aspx

How Domains and Forests Work
Also shows a list of ports needed.
http://technet.microsoft.com/en-us/library/cc783351(v=ws.10).aspx

Paul Bergson’s Blog on AD Replication and Firewall Ports
http://www.pbbergs.com/windows/articles/FirewallReplication.html

 

Exchange DS Access ports

Configuring an Intranet Firewall for Exchange 2003, April 14, 2006.
Protocol ports required for the intranet firewall and ports required for Active Directory and Kerberos communications
http://technet.microsoft.com/en-us/library/bb125069.aspx

 

Additional Reading

Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196

How to restrict FRS replication traffic to a specific static port
http://support.microsoft.com/kb/319553

Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
This KB indicates Checkpoint firewalls having an issue with AD communications.
http://support.microsoft.com/?kbid=899148


Checkpoint Firewall and AD, DNS and RPC Communications and Replication traffic

Checkpoint firewalls have a known issue if you are running version R55 or older. You will need to make a registry entry to allow traffic to flow between the two sites via the VPN. The preferred solution is to upgrade the Checkpoint firewall.

More info:

Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
(This link relates to and helps resolve the Checkpoint issue)
http://support.microsoft.com/?kbid=899148

Note from one poster on the internet with a Checkpoint firewall:
For Windows 2003 R2 and non-R2 remote domain controller we added the Server2003NegotiateDisable entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc


I know you’ve enjoyed reading this.

Well, whether you did or not, at least you now know what to do to make it work.

Comments, suggestions and corrections are welcomed!

==================================================================

Summary

I hope this helps!

Original Publication Date: 11/1/2011
Updated 11/4/2014

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services


Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Active Directory FSMO Roles Explained

Original Publication 1/16/2011
Updated 11/20/2014
by Ace Fekay

Ace here again. I’ve updated this blog just to clean it up a bit, but as for the technical information about FSMOs, not much has changed. If you see anything that you feel is inaccurate, by all means please contact me.

Source:

This blog contains some quoted material from the Microsoft Official Curriculum (MOC) 6425B Course

Course 6425C: Configuring and Troubleshooting Windows Server 2008 R2 Active Directory Domain Services
http://www.microsoft.com/learning/en/us/Course.aspx?ID=6425B

If interested in taking this course, please see the following link to find a training center near you:

Find Microsoft Training
http://www.microsoft.com/learning/en/us/classlocator.aspx

Key Points

In any replicated database, some changes must be performed by one and only one replica because they are impractical to perform in a multimaster fashion.

Active Directory is no exception. A limited number of operations are not permitted to
occur at different places at the same time and must be the responsibility of only
one domain controller in a domain or forest. These operations, and the domain
controllers that perform them, are referred to by a variety of terms:

• Operations masters
• Operations master roles
• Single master roles
• Operations tokens
• Flexible single master operations (FSMOs)

Regardless of the term used, the idea is the same. One domain controller performs
a function, and while it does, no other domain controller performs that function.

All Active Directory domain controllers are capable of performing single master
operations. The domain controller that actually performs a single master operation is the
domain controller that currently holds the operation’s token, or the “role holder.”

An operation token, and thus the role, can be transferred easily to another domain
controller without a reboot.

To reduce the risk of single points of failure, the operations tokens can be
distributed among multiple DCs.

AD DS contains five operations master roles. Two roles are performed for the
entire forest, and three roles are performed for each domain.

Forest Roles (two roles):

  • Domain naming
  • Schema

Domain Roles (three roles):

  • Relative identifier (RID)
  • Infrastructure
  • PDC Emulator

In a forest with a single domain, there are, therefore, five operations masters. In a forest with two domains, there are eight operations masters because the three domain master roles are implemented separately in each of the two domains.

Forest-Wide Operations Master Roles

The schema master and the domain naming master must be unique in the forest.
Each role is performed by only one domain controller in the entire forest.

Domain Naming Master Role:

The domain naming role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must be accessible, or the operation will fail.

Schema Master Role:

The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the domain controller holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.

Domain-Wide Operations Master Roles

Each domain maintains three single master operations: RID, Infrastructure, and PDC Emulator. Each role is performed by only one domain controller in the domain.

RID Master Role

The RID master plays an integral part in the generation of security identifiers
(SIDs) for security principals such as users, groups, and computers. The SID of a
security principal must be unique. Because any domain controller can create
accounts, and therefore, SIDs, a mechanism is necessary to ensure that the SIDs
generated by a DC are unique. Active Directory domain controllers generate SIDs
by assigning a unique RID to the domain SID. The RID master for the domain
allocates pools of unique RIDs to each domain controller in the domain. Thus,
each domain controller can be confident that the SIDs it generates are unique.

Note:

The RID master role is like DHCP for SIDs. If you are familiar with the concept that
you allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP) server to assign to clients, you can draw a parallel to the RID master, which allocates pools of RIDs to domain controllers for the creation of SIDs.

Infrastructure Master Role

In a multidomain environment, it’s common for an object to reference objects in other domains. For example, a group can include members from another domain.

Its multivalued member attribute contains the distinguished names of each
member. If the member in the other domain is moved or renamed, the infrastructure master of the group’s domain updates the group’s member attribute accordingly.

Note: You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.

Also note: This role only matters in a multi-domain forest. If the infrastructure master runs on the same DC as a GC, the two conflict and the infrastructure master role fails to serve its intended purpose. One way to eliminate any issues with the Infrastructure Master Role and GC conflict is to simply make all DCs GCs. More info on this can be found in the following link:

Global Catalog and FSMO Infrastructure Master Relationship
http://msmvps.com/blogs/acefekay/archive/2010/10/01/global-catalog-and-fsmo-infrastructure-master-relationship.aspx
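A quick way to see who holds the five roles and to check the Infrastructure Master / GC rule just described, as an added example (not from the original post or the MOC material). It assumes the ActiveDirectory RSAT module is installed and the session is domain-joined; the report flags a conflict only when the forest has more than one domain, the Infrastructure Master is a GC, and not every DC in the domain is a GC.

```powershell
# Added example: enumerate FSMO role holders and flag the Infrastructure Master / GC conflict.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Two forest-wide roles (one holder per forest) and three domain roles (one holder per domain).
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    # Every DC in the domain, to evaluate the "make all DCs a GC" exception.
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $allGc  = $gcs.Count -eq @($dcs).Count
    $imIsGc = (Get-ADDomainController -Identity $roles.InfrastructureMaster).IsGlobalCatalog
    $multiDomain = @($forest.Domains).Count -gt 1

    # The role only matters in a multi-domain forest; it is safe on a GC when all DCs are GCs.
    $imConflict = $multiDomain -and $imIsGc -and -not $allGc

    [pscustomobject]@{
        Domain                       = $Domain
        Roles                        = $roles
        DomainControllers            = @($dcs).Count
        GlobalCatalogs               = $gcs.Count
        MultiDomainForest            = $multiDomain
        InfrastructureMasterIsGC     = $imIsGc
        InfrastructureMasterConflict = $imConflict
    }
}

$report = Get-FsmoReport
$report.Roles
$report | Select-Object Domain, DomainControllers, GlobalCatalogs, MultiDomainForest,
                        InfrastructureMasterIsGC, InfrastructureMasterConflict
if ($report.InfrastructureMasterConflict) {
    Write-Warning 'Infrastructure Master is a GC while other DCs are not: move the role to a non-GC DC or make every DC a GC.'
}
```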

PDC Emulator Role

The PDC Emulator role performs multiple, crucial functions for a domain:

• Emulates a Primary Domain Controller (PDC) for backward compatibility
In the days of Windows NT® 4.0 domains, only the PDC could make changes
to the directory. Previous tools, utilities, and clients written to support
Windows NT 4.0 are unaware that all Active Directory domain controllers can
write to the directory, so such tools request a connection to the PDC. The
domain controller with the PDC emulator role registers itself as a PDC so that
down-level applications can locate a writable domain controller. Such
applications are less common now that Active Directory is nearly 10 years old,
and if your enterprise includes such applications, work to upgrade them for
full Active Directory compatibility.

• Participates in special password update handling for the domain
When a user’s password is reset or changed, the domain controller that makes
the change replicates the change immediately to the PDC emulator. This
special replication ensures that the domain controllers know about the new
password as quickly as possible. If a user attempts to log on immediately after
changing passwords, the domain controller responding to the user’s logon
request might not know about the new password. Before it rejects the logon
attempt, that domain controller forwards the authentication request to a PDC
emulator, which verifies that the new password is correct and instructs the
domain controller to accept the logon request. This function means that any
time a user enters an incorrect password, the authentication is forwarded to
the PDC emulator for a second opinion. The PDC emulator, therefore, should
be highly accessible to all clients in the domain. It should be a well-connected,
high-performance DC.

• Manages Group Policy updates within a domain
If a Group Policy object (GPO) is modified on two DCs at approximately the
same time, there could be conflicts between the two versions that could not be
reconciled as the GPO replicates. To avoid this situation, the PDC emulator
acts as the focal point for all Group Policy changes. When you open a GPO in
the Group Policy Management Editor (GPME), the GPME binds to the domain
controller performing the PDC emulator role. Therefore, all changes to GPOs
are made on the PDC emulator by default.

• Provides a master time source for the domain
Active Directory, Kerberos, File Replication Service (FRS), and DFS-R each rely
on timestamps, so synchronizing the time across all systems in a domain is
crucial. The PDC emulator in the forest root domain is the time master for the
entire forest, by default. The PDC emulator in each domain synchronizes its
time with the forest root PDC emulator. Other domain controllers in the
domain synchronize their clocks against that domain’s PDC emulator. All
other domain members synchronize their time with their preferred domain
controller. This hierarchical structure of time synchronization, all implemented
through the Win32Time service, ensures consistency of time. Universal
Coordinated Time (UTC) is synchronized, and the time displayed to users is
adjusted based on the time zone setting of the computer.

Note: Change the time service only one way. It is highly recommended to allow Windows to maintain its native, default time synchronization mechanisms. The only change you should make is to configure the PDC emulator of the forest root domain to synchronize with an extra time source. If you do not specify a time source for the PDC emulator, the System event log will contain errors reminding you to do so. See the following link and the articles it refers to, for more information.

Configure the Windows Time service on the PDC emulator in the Forest Root Domain
http://go.microsoft.com/fwlink/?LinkId=91969

Configuring the Windows Time Service – A step by step with a Contingency Plan – This is a procedure I put together for an enterprise.
https://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/

Configuring the Windows Time Service for Windows Server, explanation of the time service hierarchy, and more
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

• Acts as the domain master browser
When you open Network in Windows, you see a list of workgroups and
domains, and when you open a workgroup or domain, you see a list of
computers. These two lists, called browse lists, are created by the Browser
service. In each network segment, a master browser creates the browse list: the
lists of workgroups, domains, and servers in that segment. The domain master
browser serves to merge the lists of each master browser so that browse clients
can retrieve a comprehensive browse list.

What happens when a FSMO Role Fails

PDC Emulator failure

The PDC Emulator is the operations master that will have the most immediate
impact on normal operations and on users if it becomes unavailable. Fortunately,
the PDC Emulator role can be seized to another domain controller and then
transferred back to the original role holder when the system comes back online.

Infrastructure master failure

A failure of the infrastructure master will be noticeable to administrators but not to users. Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect although, as mentioned earlier in this lesson, membership is not actually affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.

RID master failure

A failed RID master will eventually prevent domain controllers from creating new
SIDs and, therefore, will prevent you from creating new accounts for users, groups,
or computers. However, domain controllers receive a sizable pool of RIDs from the
RID master, so unless you are generating numerous new accounts, you can often
go for some time without the RID master online while it is being repaired. Seizing
this role to another domain controller is a significant action. After the RID master
role has been seized, the domain controller that had been performing the role
cannot be brought back online.

Schema master failure

The schema master role is necessary only when schema modifications are being
made, either directly by an administrator or by installing an Active Directory
integrated application that changes the schema. At other times, the role is not
necessary. It can remain offline indefinitely until schema changes are necessary.
Seizing this role to another domain controller is a significant action. After the
schema master role has been seized, the domain controller that had been
performing the role cannot be brought back online.

Domain naming master failure

The domain naming master role is necessary only when you add a domain to the
forest or remove a domain from a forest. Until such changes are required to your
domain infrastructure, the domain naming master role can remain offline for an
indefinite period of time. Seizing this role to another domain controller is a
significant action. After the domain naming master role has been seized, the
domain controller that had been performing the role cannot be brought back
online.

Recovering from FSMO Role Failures

There are a number of steps that must be performed if any of the FSMO roles fail. Keep in mind that it’s not just the FSMO role failure itself; you must also take the DC into account, because a role failure usually means the DC itself has failed, and the DC failure must be addressed.

If a DC fails, then you must address the DC failure as a whole, and not just the FSMO roles. This is because the DC’s account is referenced in the AD database by other DCs, and it expects it to be there to contribute and work with replication, among other AD functions. Therefore you must clean out the DC’s reference from the AD database, which also includes seizing the roles it held to other DCs.

This also includes the services a specific FSMO role held, such as the Time Service. This service runs on the PDC Emulator and must be moved to the new PDC Emulator you are seizing the role to.

For a complete and specific step by step, including any FSMO-specific services the DC held, please see the following article:

Complete Step by Step to Remove an Orphaned Domain controller
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

Monitoring DCs for failures

Microsoft Monitoring Products

There are a number of tools to monitor your domain controllers from native Windows event logs, to using SCOM.

System Center Operations Manager 2007 (SCOM) – Platform Monitoring, Oct 6, 2010. Cross-platform monitoring, beta software and management packs.
http://www.microsoft.com/systemcenter/en/us/operations-manager.aspx

To learn how to use SCOM, Microsoft has a specific course just for this product. For more information on the course, please see:

Microsoft Official Curriculum Course 50028B:
Installing and Configuring System Center Operations Manager 2007
http://www.microsoft.com/learning/en/us/course.aspx?ID=50028B&locale=en-us

Third Party Monitoring Tools

There are also numerous third party monitoring utilities available such as the following list:

Quest – Windows Management Solutions – Trust the Experts for Simplified Windows Management
http://www.quest.com/windows-management/

Network Monitor Tool site – Network Monitoring Tools for Windows, Linux, Unix and Novell.
http://www.monitortools.com/

NetVision Audit for Active Directory – Monitoring Active Directory – Active Directory Reports – Easy Audit Reporting and Real-Time Monitoring
http://auditforad.netvision.com/monitor/activedirectory.html?gclid=CIf8oeuPv6YCFcfe4AodFnI3JA

ManageEngine Applications Manager – Windows Monitoring, Windows Server Monitoring (CPU, disk, process, memory and IIS monitoring)
http://www.manageengine.com/products/applications_manager/windows-monitoring.html

TNT Software – Windows Server Monitoring and Windows Event Log Management Software (real-time monitoring of system performance, security logs and event logs)
http://www.tntsoftware.com/

Nagios Core – Monitoring Windows Machines:
http://nagios.sourceforge.net/docs/3_0/monitoring-windows.html

WhatsUp Gold – Network Management Software and Server Monitoring
http://www.whatsupgold.com/

Comments, suggestions and corrections are welcomed!

==================================================================

Summary

I hope this helps!

Original Publication Date: 11/1/2011
Updated 11/4/2014

Ace Fekay