The diagram below shows data flow between all components involved and the ports, eventually needed to be open if a firewall is placed between any nodes.
The ports on the diagram above serve the following purposes:
|53||UDP + TCP||DNS Queries|
|88||UDP + TCP||Kerberos exchange|
|135||TCP||RPC Endpoint mapper|
|389||TCP + UDP||AD DS (LDAP)|
|21572||TCP||SystoLOCK Client to Server Communication|
|21573||TCP||SystoLOCK Console to Server Communication|
|3268||TCP||AD DS Global Catalog (LDAP)|
|9389||TCP||AD DS Web Services (for AD DS PowerShell)|
SystoLOCK AD FS Adapter and Identity Provider are also considered to be Clients and communicate accordingly.
For RPC port range, please consult your AD CS installation as various setups my differ. To find out what ports are used to implement dynamic RPC calls, use the following command line example:
PS C:\> netsh int ipv4 show dynamicport tcp Protocol tcp Dynamic Port Range --------------------------------- Start Port : 49152 Number of Ports : 16384
In the example above, ports 49152 to 65535 are used.
You may also want to consult a Microsoft document on how to configure RPC dynamic port allocation to work with firewalls.