Firewall Ports Required To Join AD Domain - AventisTech

Skip to content

Refer to the lab below on the testing done to verify Firewall Ports Required to Join AD Domain

Components in this lab

• Windows 10 Machine – 172.16.1.200
• Windows 2019 AD Domain Controller – 10.10.10.200
• Firewall Policy in PfSense

1. Block Access from 172.16.1.0/24 to 10.10.10.0/24
2. Block Access from 10.10.10.0/24 to 172.16.1.0/24

The Firewall Ports will be opened one by one from 172.16.1.0/24 to 10.10.10.0/24 to verify the actual ports required

Firewall Ports required to join AD Domain (Minimum)

Windows 10 Client can join to Windows 2019 AD Domain with the following Ports allow in Firewall

Without TCP High Ports open

The following Message appear even join to domain successfully and there is a lot of TCP high ports are blocked in Firewall

• Group Policy cannot be applied
• It take very long time to for computer to startup and login to domain successfully

Optional Ports

Without TCP 464 Open

User can still change their password successfully even thought TCP 464 is blocked in Firewall

Firewall Rules in pfesense Firewall

The following Firewall Rule is created

1. Traffics from WIN10 (172.16.1.200) to AD Domain Controller (10.10.10.200)

2. Traffics from AD Domain Controller (10.10.10.200) to WIN10 (172.16.1.200) – All Block

Reference Links

https://support.microsoft.com/en-us/kb/832017

Related

Post navigation ← Previous PostNext Post →

Leave a Comment Cancel Reply

Your email address will not be published. Required fields are marked *

Type here..

Name*

Email*

Website

Save my name, email, and website in this browser for the next time I comment.

SearchSearch

Recent Posts

• How to Configure Postfix Email Relay via Office 365
• IPSec IKEv2 VPN between FortiGate and Cisco ASA
• IPSec VPN between FortiGate and Cisco ASA
• Authenticate Aruba Devices Against ClearPass with RADIUS
• Authenticate ClearPass Admin Against AD

Scroll to Top