Make sure your firewall/routing is configured correctly; "is not reachable" is most likely a connection issue.
You will need these (unfiltered) ports:
Outbound | Inbound
--- | ---
49152-65535/UDP | 123/UDP W32Time
49152-65535/TCP | 135/TCP RPC Endpoint Mapper
49152-65535/TCP | 464/TCP/UDP Kerberos password change
49152-65535/TCP | 49152-65535/TCP RPC for LSA, SAM, NetLogon (*)
49152-65535/TCP/UDP | 389/TCP/UDP LDAP
49152-65535/TCP | 636/TCP LDAP SSL
49152-65535/TCP | 3268/TCP LDAP GC
49152-65535/TCP | 3269/TCP LDAP GC SSL
53, 49152-65535/TCP/UDP | 53/TCP/UDP DNS
49152-65535/TCP | 49152-65535/TCP FRS RPC (*)
49152-65535/TCP/UDP | 88/TCP/UDP Kerberos
49152-65535/TCP/UDP | 445/TCP SMB (**)
49152-65535/TCP | 49152-65535/TCP DFSR RPC (*)
Not all the ports that are listed here are required in all scenarios. For example, if the firewall separates members and DCs, you don't have to open the FRS or DFSR ports. So in this case I'd think you'd have to.
Microsoft LDAP also uses ICMP, when an LDAP request is pending for an extended time and it waits for a response. If it does not receive ping responses, it fails the LDAP request with LDAP_TIMEOUT.
The Windows Redirector also uses ICMP messages to verify that a server IP is resolved by the DNS service before a connection is made, and when a server is located by using DFS. So make sure ICMP is enabled between the DCs.
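As an added example (not part of the answer above), the following PowerShell run from one DC probes the fixed TCP ports from the table on a replication partner, checks ICMP echo, and reads the dynamic RPC range the partner actually uses so the firewall rule can be matched to it. `$Partner` is a placeholder host name, and the remote query assumes WinRM (PowerShell remoting) is already allowed between the DCs.

```powershell
# Added example: verify DC-to-DC reachability for the ports listed in the answer.
# $Partner is a placeholder; replace it with the DC named in the "is not reachable" error.
$Partner = 'DC02.example.local'

# Fixed inbound TCP ports from the table. W32Time (123/UDP) is UDP-only and cannot be
# probed with Test-NetConnection, which only performs TCP connects.
$FixedTcpPorts = [ordered]@{
    135  = 'RPC Endpoint Mapper'
    389  = 'LDAP'
    636  = 'LDAP SSL'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'
    53   = 'DNS'
    88   = 'Kerberos'
    464  = 'Kerberos password change'
    445  = 'SMB'
}

# One TCP connect per port; TcpTestSucceeded is $false when the port is filtered or closed.
$results = foreach ($port in $FixedTcpPorts.Keys) {
    $tnc = Test-NetConnection -ComputerName $Partner -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $FixedTcpPorts[$port]
        Open    = $tnc.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# LDAP and the Windows Redirector rely on ICMP echo, so check it separately.
$icmp = Test-Connection -ComputerName $Partner -Count 2 -Quiet
"ICMP echo reachable: $icmp"

# RPC for LSA/SAM/NetLogon, FRS and DFSR listens in the dynamic range. Read the range the
# partner really uses (default 49152-65535 on Windows Server 2008 and later); if it has been
# changed with "netsh int ipv4 set dynamicport", the firewall rule must follow that range.
Invoke-Command -ComputerName $Partner -ScriptBlock {
    netsh int ipv4 show dynamicport tcp
    netsh int ipv4 show dynamicport udp
}
```

Any row with `Open = False`, a failed ICMP check, or a dynamic range that differs from what the firewall permits points at the filtering that causes the "is not reachable" error.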