Firewall Ports For AD Domain Join - Devopstales

Firewall Ports for AD Domain Join
Page content
    • Firewall Ports required to join AD Domain (Minimum)
    • Optional Ports
    • Firewall Rules in pfSense Firewall

In this post I will show you which ports have to be open on the firewall between a client and its domain controllers for an AD domain join.

Firewall Ports required to join AD Domain (Minimum)

A Windows 10 client can join a Windows Server 2019 AD domain with only the following ports allowed through the firewall (client to domain controller):

  • TCP 88 (Kerberos Key Distribution Center)
  • TCP 135 (RPC endpoint mapper)
  • TCP 139 (NetBIOS Session Service)
  • TCP 389 (LDAP)
  • TCP 445 (SMB, Net Logon)
  • UDP 53 (DNS, used to look up the domain's SRV records)
  • UDP 389 (CLDAP, used by the DC Locator and Net Logon)
  • TCP 49152-65535 (dynamically allocated RPC high ports)

The join succeeds even without the TCP high ports, but the following message then appears:

[image: message]

because the firewall shows many blocked connections to TCP high ports:

[image: Port Blocking]

The reason is how RPC works: the client first connects to the endpoint mapper on TCP 135, which answers with the dynamic port the requested service is listening on, and the client then connects to that port. On Windows Vista / Server 2008 and later the default dynamic range is 49152-65535 (Windows Server 2003 used 1025-5000), so the firewall rule has to cover the whole range unless the range on the domain controller is deliberately narrowed.

Optional Ports

  • UDP 123 (NTP, Windows Time; Kerberos requires the client and DC clocks to be within the default 5-minute skew)
  • TCP 53 (DNS; used when a response does not fit in a UDP datagram)
  • TCP 464 (Kerberos password change, kpasswd; used when a user changes their password from the desktop)
  • UDP 137 (NetBIOS Name Service)
  • UDP 138 (NetBIOS Datagram Service)
  • TCP 636 (LDAP over SSL/TLS)
  • UDP 636 (listed for LDAP SSL in some port tables, but LDAPS runs over TCP in practice, so this rule is not normally needed)
  • TCP 3268 (Global Catalog)

Users can still change their password successfully even though TCP 464 is blocked in the firewall: when the kpasswd port is unreachable, the Windows client falls back to the SAMR password-change RPC over SMB (TCP 445), which is already in the minimum list.
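The following script is an added example and is not part of the original post. It is run on the Windows 10 client before the join and checks the ports from both lists above against one domain controller: TCP ports with Test-NetConnection, UDP 53 with an SRV lookup sent directly to the DC, and UDP 389 by forcing a DC Locator run with nltest. The domain and DC names are assumed placeholders.

```powershell
# Added example, not part of the original post: run on the Windows 10 client
# before the join to confirm that the ports from the two lists above are
# reachable through the firewall. $Domain and $DC are assumed placeholders.
$Domain = 'corp.example.com'
$DC     = 'dc01.corp.example.com'

# TCP ports from the minimum list and the optional list.
$RequiredTcp = [ordered]@{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session';
                           389 = 'LDAP';    445 = 'SMB / Net Logon' }
$OptionalTcp = [ordered]@{ 53 = 'DNS over TCP'; 464 = 'Kerberos password change';
                           636 = 'LDAPS';       3268 = 'Global Catalog' }

function Test-DcTcpPort {
    param([string]$ComputerName, [int]$Port)
    # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false
    # instead of a result object; -WarningAction hides the "connect failed" warning.
    Test-NetConnection -ComputerName $ComputerName -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

function Write-PortResult {
    param([bool]$Ok, [string]$Proto, [string]$Port, [string]$Description)
    '{0,-6} {1,-4} {2,-6} {3}' -f ($(if ($Ok) { 'OK' } else { 'BLOCK' }), $Proto, $Port, $Description)
}

$missing = @()

foreach ($entry in $RequiredTcp.GetEnumerator()) {
    $ok = Test-DcTcpPort -ComputerName $DC -Port $entry.Key
    Write-PortResult -Ok $ok -Proto 'TCP' -Port $entry.Key -Description $entry.Value
    if (-not $ok) { $missing += "tcp/$($entry.Key)" }
}
foreach ($entry in $OptionalTcp.GetEnumerator()) {
    $ok = Test-DcTcpPort -ComputerName $DC -Port $entry.Key
    Write-PortResult -Ok $ok -Proto 'TCP' -Port $entry.Key -Description "$($entry.Value) (optional)"
}

# UDP 53: the SRV lookup the DC Locator performs. Querying the DC directly (not the
# client's configured resolver) exercises the client-to-DC firewall path.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DC -ErrorAction Stop
    $count = @($srv | Where-Object { $_.Type -eq 'SRV' }).Count
    Write-PortResult -Ok $true -Proto 'UDP' -Port 53 -Description "DNS, $count DC SRV record(s) returned"
} catch {
    Write-PortResult -Ok $false -Proto 'UDP' -Port 53 -Description "DNS SRV lookup failed: $($_.Exception.Message)"
    $missing += 'udp/53'
}

# UDP 389: the CLDAP ping used by the DC Locator. /force bypasses the locator
# cache so a real exchange with the DC happens.
$nl = & nltest.exe /dsgetdc:$Domain /force 2>&1
if ($LASTEXITCODE -eq 0) {
    $dcLine = ($nl | Select-String '^\s*DC:' | Select-Object -First 1).ToString().Trim()
    Write-PortResult -Ok $true -Proto 'UDP' -Port 389 -Description "CLDAP DC Locator: $dcLine"
} else {
    Write-PortResult -Ok $false -Proto 'UDP' -Port 389 -Description "DC Locator failed (exit code $LASTEXITCODE)"
    $missing += 'udp/389'
}

if ($missing.Count -eq 0) {
    'All required ports reachable.'
} else {
    "Required ports NOT reachable: $($missing -join ', ')"
}
```

The RPC high ports (TCP 49152-65535) cannot be checked by a plain connect test, because a DC service only listens on one port from the range and the client learns which one from the endpoint mapper at call time. Microsoft's PortQry tool (`portqry.exe -n dc01.corp.example.com -e 135`) enumerates the endpoint mapper and lists the dynamic ports in use, which can then be tested with the same Test-DcTcpPort function.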

Firewall Rules in pfSense Firewall

[image: Firewall Rules]
