Complete List Of Active Directory Ports And What They Do Explained

23 Feb, by Hitesh Jethva, in Active Directory

Complete List of Active Directory Ports and What They Do Explained. In this article we first introduce what Active Directory (AD) is and how it functions, and then list the ports it uses.

What is Active Directory (AD)?

Active Directory is a combination of services and databases that connect end users with the network resources needed to get the job done. The database, also called the Directory, contains essential information about the network ecosystem, including details about the users and computers and their respective system rights.

To explain it in simple terms, if a directory has a list of 1000 user accounts with details like personal phone number, job title, and password, it will also record each individual system’s rights and permissions.

Active Directory predominantly controls most of the activity that goes on in an IT ecosystem. AD makes sure that every user who enters the environment is the person they claim to be (authentication) by checking their user ID and password and allowing them to access only those data for which they have the rights (authorization).

How Does Active Directory Work?

The primary Active Directory service is Active Directory Domain Service (AD DS), and it is a part of the Windows Server operating system. The servers running the AD DS are called Domain Controllers (DCs). Every organization usually has many domain controllers and every DC would have a replica of the Directory for the entire domain.

If there is a change in the Directory on one domain controller, it is replicated to the other DCs as well so that they all stay up to date. You can include laptops, desktops and other systems running Windows (other than Windows Server) in the Active Directory environment. However, these devices do not run Active Directory Domain Service.

AD DS relies on standard, established protocols, including Kerberos, Lightweight Directory Access Protocol (LDAP) and Domain Name System (DNS). Keep in mind that Active Directory is only for Microsoft on-premises environments; the Microsoft cloud uses Azure Active Directory (AAD), which is similar to AD in on-premises environments.

Active Directory Ports

Active Directory runs inside the Local Security Authority Subsystem Service (Lsass.exe) process, which hosts the replication and authentication engines on Windows domain controllers. Client computers, domain controllers and application servers need network connectivity to Active Directory on specific hard-coded ports. Furthermore, if no tunneling protocol is used to encapsulate Active Directory traffic, a range of ephemeral TCP ports between 1024 and 5000 and between 49152 and 65535 is also needed.

Active Directory communication involves many ports, and a system administrator would typically know only a few of them. Enterprises rely on Active Directory for workstation and server management, Group Policy management, authentication and more. A complete list of Active Directory ports and their functions, including services used by Microsoft client and server operating systems, follows.

Microsoft server products use a variety of protocols and network ports to communicate with client systems and other servers within the network. Also ensure you have implemented Active Directory security best practices.

Application Protocol                              | Protocol | Ports
Active Directory Web Services (ADWS)              | TCP      | 9389
Active Directory Management Gateway Service       | TCP      | 9389
Global Catalog                                    | TCP      | 3269
Global Catalog                                    | TCP      | 3268
ICMP                                              |          | No port number
Lightweight Directory Access Protocol (LDAP) Server | TCP    | 389
Lightweight Directory Access Protocol (LDAP) Server | UDP    | 389
Lightweight Directory Access Protocol Server (SSL) | TCP     | 636
IPsec ISAKMP                                      | UDP      | 500
NAT-T                                             | UDP      | 4500
RPC                                               | TCP      | 135
RPC randomly allocated high TCP ports             | TCP      | 1024 – 5000 and 49152 – 65535
SMB                                               | TCP      | 445

AD Important Ports

  • If your network environment uses Windows Server 2008 or later (2012, 2016, 2019, 2022), note that Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is 49152 and the default end port is 65535, so you should enable network connectivity over the high port range of 49152 to 65535.
  • If your network environment mixes Windows Server 2008, Windows Server 2008 R2, Windows Vista or Windows 7 with Windows versions earlier than Windows Server 2008 and Windows Vista, then you must enable connectivity over two port ranges: the low range from 1025 to 5000 and the high range from 49152 to 65535.
  • If your network environment uses only versions earlier than Windows Server 2008 and Windows Vista, then you should enable network connectivity over the low port range from 1025 to 5000.

An example scenario is a VPN gateway located behind a filtering router that uses the Layer 2 Tunneling Protocol (L2TP) together with IPsec. In that scenario you should allow the items below through the router rather than opening all the protocols and ports listed.

  • IPsec Encapsulating Security Protocol (ESP) (IP protocol 50)*
  • IPsec Network Address Translator Traversal NAT T (UDP port 4500)*
  • IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500)*

Additionally, the Microsoft LDAP client uses ICMP pings to verify that an LDAP server with a pending request is still reachable on the network. The settings below control LDAP session keep-alive:

  • PingKeepAliveTimeout = 120 seconds (the time to wait after the last response before sending the next ping)
  • PingLimit = 4 (the number of pings sent before the connection is closed)
  • PingWaitTimeout = 2000 ms (the time to wait for an ICMP reply)

If needed, you can also hard-code the port used for Active Directory replication by following the Microsoft article "Restricting Active Directory RPC Traffic to a specific port". The system service name is LSASS.

Active Directory Ports: Client to Domain Controller

Active Directory communication takes place over multiple ports. These ports are required by both domain controllers and client computers. For example, whenever a client computer searches for a domain controller, it sends a DNS query over port 53 to find the domain controller name within the domain.

Mentioned below is the list of ports for Active Directory communication and their services:

  • UDP Port 88 for Kerberos authentication.
  • TCP and UDP Port 135 for RPC between client and domain controller and between domain controllers.
  • TCP Port 139 and UDP Port 138 for File Replication Service between domain controllers.
  • UDP Port 389 for LDAP to handle regular queries from client computers to domain controllers.
  • TCP and UDP Port 445 for File Replication Service.
  • TCP and UDP Port 464 for Kerberos Password Change.
  • TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
  • TCP and UDP Port 53 for DNS from domain controller to domain controller and client to the domain controller.

Active Directory will function properly once the ports listed above are opened in the firewall between domain controllers, and between domain controllers and client computers.
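To check from a client which of the ports listed above actually reach a domain controller, here is an added PowerShell example (not from the article); the domain name and DC name are placeholders, and because Test-NetConnection only probes TCP, the UDP ports (88, 389) are not tested here.

```powershell
# Added example (not from the article): verify that a client can reach a
# domain controller on the TCP ports listed above.
$Domain = 'example.local'          # placeholder: your AD DNS domain
$Dc     = "dc01.$Domain"           # placeholder: a domain controller

# TCP ports from the client-to-DC list (UDP 88 and UDP 389 cannot be probed
# with Test-NetConnection, so they are omitted).
$AdPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session / FRS'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
    9389 = 'Active Directory Web Services'
}

# Step 1: the DC locator lookup over DNS (port 53) that the article describes.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV record for $Domain - DNS or port 53 is blocked"
} else {
    $srv | Where-Object Type -eq 'SRV' | ForEach-Object { "DC via DNS: $($_.NameTarget):$($_.Port)" }
}

# Step 2: TCP reachability for each listed port (Quiet returns $true/$false).
$results = foreach ($port in $AdPorts.Keys) {
    $ok = Test-NetConnection -ComputerName $Dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Service = $AdPorts[$port]; Open = $ok }
}
$results | Format-Table -AutoSize

# Step 3: summarise what is blocked so the firewall change request is precise.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked from this client to {0}: {1}" -f $Dc, (($blocked.Port) -join ', '))
}
```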

Ports, Protocols Required For Checking Active Directory, Group Policy And Exchange

Port              | Protocol | Target             | What They Do
389               | TCP      | Domain Controllers | LDAP common queries
3268              | TCP      | Domain Controllers | LDAP, group membership, GC search
3269              | TCP      | Domain Controllers | Global Catalog LDAP over SSL
88                | TCP/UDP  | Domain Controllers | Kerberos authentication
135, 1024 – 65535 | TCP      | Domain Controllers | Windows Management Instrumentation
445               | TCP      | Domain Controllers | Authenticated communication between server and domain controllers
53                | UDP      | DNS Server         | DNS client
135, 1024 – 65535 | TCP      | Exchange Server    | Windows Management Instrumentation; retrieve Exchange Server configuration settings
5985, 5986        | TCP      | Exchange Server    | Windows Remote Management, PowerShell connections (5985 for HTTP)
80, 443           | TCP      | Exchange Server    | PowerShell connections

Active Directory Domain Controller Communication Ports List

Below are the additional Active Directory Ports that are used for Active Directory communications:

  • TCP, UDP port 135: RPC (Remote Procedural Call)
  • TCP, UDP port 137: NetBIOS name service
  • UDP port 138: DFSN, NetBIOS Datagram Service, NetLogon
  • TCP port 139: DFSN, NetBIOS Session Service, NetLogon
  • TCP, UDP port 389: LDAP
  • TCP port 636: LDAP SSL
  • TCP, UDP port 445: SMB, NetLogon, SamR
  • TCP, UDP port 1512: WINS Resolution
  • TCP, UDP port 42: WINS Replication
  • TCP Dynamic: RPC, DCOM, NetLogonR

Active Directory Replication Ports

The ports given below are used for Active Directory Replication.

  • TCP port 135: RPC (Remote Procedure Call)
  • TCP, UDP port 389: LDAP
  • TCP, UDP port 636: LDAP SSL
  • TCP 3268 port: Global Catalog LDAP
  • TCP 3269 port: Global Catalog LDAP SSL
  • TCP, UDP port 53: DNS
  • TCP, UDP port 88: Kerberos
  • TCP port 445: SMB

Active Directory Authentication Ports

The below mentioned ports are used for Active Directory authentication:

  • UDP port 389: LDAP
  • TCP port 53: DNS
  • TCP, UDP port 88: Kerberos
  • TCP, UDP port 445: SMB over IP

Active Directory Errors

Knowing the Active Directory ports tells you which ports to allow in the firewall. If the ports are not configured in the firewall, requests in Active Directory communication may be blocked.

Certain common problems arise when Active Directory ports are not open. They are:

  • Replication traffic fails on port 3268, or other replication issues occur.
  • LDAP is unable to authenticate users when using LDAPS (LDAP over SSL).
  • Kerberos is unable to authenticate users when using TGS over SSL.
  • Replication fails over port 3268.
  • LDAP fails to authenticate users when using LDAP over SSL.

An Active Directory port is a TCP or UDP port on which an Active Directory domain controller services requests. Active Directory Domain Controllers (DCs) use the various ports mentioned above for data transfer and communication. The most common protocols used are:

  • LDAP
  • Kerberos
  • RPC
  • DNS
  • SMB over IP

Depending upon the requirements, a system administrator can configure which port needs to be opened.

The Ephemeral Ports

Also known as service response ports, ephemeral ports are essential for communications. They are allocated dynamically to carry the response for each client session; the client is not restricted to Windows and could be Linux or Unix as well. Once a session ends, its port is returned to the pool for reuse.

The following chart shows which ephemeral ports are used, based on the operating system in use, and what they carry.

Operating System                | Ports and Protocols       | What They Do
Windows 2003 and newer versions | TCP and UDP 1024 – 5000   | Ephemeral dynamic service response ports
Windows 2008 and newer versions | TCP and UDP 49152 – 65535 | Ephemeral dynamic service response ports
                                | TCP dynamic ephemeral     | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS replication, computer and user authentication, Group Policy, trusts
                                | UDP dynamic ephemeral     | DCOM, RPC, EPM, Group Policy

Port Requirements for RODCs (Read-Only Domain Controllers)

Traffic                           | Type of Traffic
UDP 53                            | DNS
TCP 53                            | DNS
TCP 135                           | RPC, EPM
TCP static 53248                  | FRS RPC
TCP 389                           | LDAP
TCP and UDP dynamic 1025 – 5000   | Ephemeral ports
TCP and UDP dynamic 49152 – 65535 | Ephemeral ports

Restricting Access To Ports Across A Firewall

You can restrict domain controller to client communication and domain controller to domain controller traffic to specific ports. Which ports depends on the services you want to restrict. When choosing this option, you must identify the correct ports for the service in question.

1. Method A

This method sets a specific AD replication port. By default, replication from one domain controller site to another uses a dynamic port; this method restricts AD replication to a specific port.

Procedure: modify the registry to select a static port under the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Applies to: all supported versions of Windows Server

Reference: Restricting Active Directory replication traffic and client RPC traffic to a specific port: http://support.microsoft.com/kb/224196

2. Method B

This method configures the dynamic port range that Windows and its firewall use. The default dynamic port range for TCP/IP changed starting with Windows Server 2008.

Netsh: use the following examples to set a starting port and the number of ports after it to use:

    netsh int ipv4 set dynamicport tcp start=10000 num=1000
    netsh int ipv4 set dynamicport udp start=10000 num=1000

The default dynamic port range for TCP/IP changed in Windows Vista and Windows Server 2008 and applies to Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 and Windows 10 (all editions): http://support.microsoft.com/kb/929851

3. Modify the registry

This registry modification applies to Windows services communication in general, and it also affects Active Directory communications.

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

Reference: How to configure RPC dynamic port allocation to work with firewalls: http://support.microsoft.com/kb/154596/en-us
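Combining Method A and Method B, the following added PowerShell example (not the article's own code) pins AD replication and Netlogon to static ports, narrows the dynamic range with netsh, and opens only those ports in Windows Firewall; the port numbers and rule names are placeholders, and the registry value names come from the Microsoft article referenced above. Run it elevated on a domain controller and restart the DC for the registry values to take effect.

```powershell
# Added example (not from the article): static replication ports plus a
# narrowed dynamic range, and firewall rules that allow only those.
$NtdsPort     = 50000   # placeholder: static port for AD replication (NTDS)
$NetlogonPort = 50001   # placeholder: static port for Netlogon RPC
$DynStart     = 50100   # placeholder: start of the dynamic RPC range
$DynCount     = 1000    # placeholder: number of ports in that range
$DynEnd       = $DynStart + $DynCount - 1

# Method A: REG_DWORD values under the NTDS and Netlogon Parameters keys.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $ntds -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
New-ItemProperty -Path $nlog -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null

# Method B: shrink the ephemeral range (default 49152-65535 on 2008 and later)
# so the firewall only has to allow a small, known block of high ports.
netsh int ipv4 set dynamicport tcp "start=$DynStart" "num=$DynCount" | Out-Null
netsh int ipv4 set dynamicport udp "start=$DynStart" "num=$DynCount" | Out-Null

# Firewall: allow the two fixed ports and the narrowed range, nothing else.
$rules = @(
    @{ Name = 'AD-NTDS-Static';     Port = "$NtdsPort" },
    @{ Name = 'AD-Netlogon-Static'; Port = "$NetlogonPort" },
    @{ Name = 'AD-RPC-Dynamic';     Port = "$DynStart-$DynEnd" }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -Action Allow -Profile Domain | Out-Null
    }
}

# Verify what was applied before restarting the domain controller.
Get-ItemProperty -Path $ntds -Name 'TCP/IP Port'
Get-ItemProperty -Path $nlog -Name 'DCTcpipPort'
Get-NetTCPSetting | Select-Object SettingName, DynamicPortRangeStartPort, DynamicPortRangeNumberOfPorts
Get-NetFirewallRule -DisplayName 'AD-*' | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```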

Complete List of Active Directory Ports and What They Do Explained Conclusion

Now that you have read about what Active Directory ports are and what they do, it is essential to configure them with a complete understanding of the technology. Active Directory depends on multiple communication services to communicate between domain controllers and client computers. Understanding how AD communicates is critical when domain controllers and client computers are separated by routers or firewalls.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
