Recently I was asked by a client to produce a list of firewall ports that are used by Active Directory Domain Services (AD DS), specifically those for domain controllers. This is what I came up with:
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts |
LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest-Level Trusts |
Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts |
DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts |
SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 25 | Replication | SMTP |
| TCP 135 | Replication | RPC, EPM |
| TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts |
RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| UDP 123 | Windows Time, Trusts | Windows Time |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts |
Kerberos change/set password |
| UDP Dynamic | Group Policy | DCOM, RPC, EPM |
| UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service |
| TCP 9389 | AD DS Web Services | SOAP |
| UDP 137 | User and Computer Authentication, | NetLogon, NetBIOS Name Resolution |
| TCP 139 | User and Computer Authentication, Replication |
DFSN, NetBIOS Session Service, NetLogon |
One of the sites I polled for this information also listed the ports for DHCP (which is not an AD component, but is often installed on domain controllers). Another listed that there are more ports for Azure AD and Office 365. I am not including all of these. I just set out to list the ports required for on-premises Active Directory in Windows Server 2016.
The World According to Mitch 
Leave a Reply