Active Directory Ports Requirements
In enterprise IT infrastructure, Microsoft Active Directory (AD) plays a central role: it underpins network management, authentication and authorization, and day-to-day administration of the organization.
To protect it, keep the firewall enabled on domain controllers and clients at all times, and open the specific ports that clients need in order to communicate with Active Directory servers. The sections below list those ports and what each one is used for.
Active Directory Dynamic Ports
| Port | Protocol | Service |
|---|---|---|
| 53 | TCP/UDP | DNS |
| 88 | TCP/UDP | Kerberos authentication |
| 123 | UDP | W32Time |
| 135 | TCP | RPC Endpoint Mapper |
| 137/138 | UDP | NetBIOS |
| 139 | TCP | NetBIOS |
| 389 | TCP/UDP | LDAP |
| 445 | TCP | SMB |
| 464 | TCP/UDP | Kerberos password change |
| 636 | TCP | LDAP SSL |
| 3268/3269 | TCP | LDAP Global Catalog / LDAP GC SSL |
| 1025-5000 / 49152-65535 | TCP | RPC Ephemeral Ports |
| 9389 | TCP | AD PowerShell module / Active Directory Administrative Center |
- TCP/UDP Port 88 (Kerberos):
  - Purpose: Kerberos authentication, the primary mechanism for secure authentication within the Active Directory domain.
- TCP/UDP Port 135 (RPC):
  - Purpose: Remote Procedure Call (RPC) endpoint mapper for various services, including the DCOM (Distributed Component Object Model) interface used in domain communication.
- TCP/UDP Port 389 (LDAP):
  - Purpose: Lightweight Directory Access Protocol (LDAP) for querying and modifying directory services, including user and computer accounts.
- TCP Port 445 (Microsoft-DS):
  - Purpose: Microsoft-DS (Directory Services) for file and printer sharing and other domain-related communication, such as SYSVOL and NETLOGON share access.
- UDP Port 138 (NetBIOS Datagram Service):
  - Purpose: NetBIOS Datagram Service for name resolution, an essential part of domain communication.
- TCP Port 139 (NetBIOS Session Service):
  - Purpose: NetBIOS Session Service for establishing a session between computers, commonly used for file and printer sharing.
- TCP/UDP Port 464 (Kerberos Change/Set Password):
  - Purpose: Kerberos Change/Set Password for password change operations.
- UDP Port 123 (Windows Time Service):
  - Purpose: Windows Time Service for time synchronization, ensuring accurate time across the domain (Kerberos depends on clocks being in sync).
- TCP/UDP Port 53 (DNS):
  - Purpose: Domain Name System (DNS) for name resolution, crucial for locating domain controllers and other domain resources.
- TCP Port 636 (LDAPS):
  - Purpose: LDAP over TLS/SSL (LDAPS), a secure variant of the Lightweight Directory Access Protocol that is commonly used for accessing and managing directory information services.
- TCP Port 3268 (Global Catalog):
  - Purpose: Global Catalog LDAP service without SSL/TLS encryption, used for querying the Global Catalog for information from multiple domains in a forest.
- TCP Port 3269 (Global Catalog SSL):
  - Purpose: Global Catalog LDAP service with SSL/TLS encryption, used for secure queries to the Global Catalog, ensuring that the communication is encrypted.
I trust this article was beneficial for you. If there’s anything you’d like to discuss or inquire about, please don’t hesitate to leave a comment below.
Thank you for being part of our community. Let’s explore, learn, and grow together at MyITDailyDose.com.