I have a single domain forest with multiple firewalls between domain controllers and network segments, with multiple versions of Windows Server, with at least one of each of 2003, 2008, 2008R2 and 2012.
The domain is running on Windows Server 2008 in Windows Server 2003 mode.
I have firewall rules in place that allow domain controller to domain controller replication, authentication and access - these are all working.
One of the network tiers is a 'management tier' with a number of servers running in it. This tier has two domain controllers in it, which are up to date and working correctly, with no errors.
I have installed the GPMC on a Windows 2012 server in this tier, and can manage group policies. What I cannot do is manage 'Windows Firewall with Advanced Security' and 'Advanced Audit Policy Configuration' - I get errors when I try to open these nodes within GPMC.
Windows Firewall with Advanced Security fails with: an error occurred while trying to open the policy, The specified domain either does not exist or could not be contacted. Code 0c54B
Advanced Audit Policy Configuration fails with: A severe error occurred which has caused Advanced Audit Configuration to unload. Following messages can help debug this error: The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B).
And my question: Does GPMC need to be able to communicate with the PDCe directly itself? or is it sufficient to only communicate with a local Domain Controller? If GPMC needs to talk to the PDCe directly, what ports does it use?