Complete List of Active Directory Ports and What They Do Explained

In this article we first introduce what Active Directory (AD) is and how it functions, and then list the ports it uses and what each one does.

What is Active Directory (AD)?

Active Directory is a combination of services and databases that connect end users with the network resources needed to get the job done. The database, also called the Directory, contains essential information about the network ecosystem, including details about the users and computers and their respective system rights.

To explain it in simple terms, if a directory holds 1000 user accounts with details like phone number, job title, and password hash, it also records each account's rights and permissions on the systems in the domain.

Active Directory controls most of the activity that goes on in a Windows IT ecosystem. AD makes sure that every user who enters the environment is who they claim to be (authentication) by checking their user ID and credentials, and allows them to access only the data for which they have rights (authorization).

How Does Active Directory Work?

The primary Active Directory service is Active Directory Domain Services (AD DS), and it is a role of the Windows Server operating system. The servers running AD DS are called Domain Controllers (DCs). Most organizations run several domain controllers, and every DC holds a writable replica of the Directory for its domain (Read Only Domain Controllers, covered later, hold a read-only copy).

If there is a change in the Directory on one domain controller, it is replicated to the other DCs as well so that they all stay up to date. You can include laptops, desktops and other systems running Windows (other than Windows Server) in the Active Directory environment. However, these devices do not run Active Directory Domain Service.

AD DS works on standard, established protocols, including Kerberos, Lightweight Directory Access Protocol (LDAP), and Domain Name System (DNS). Keep in mind that Active Directory is designed for Microsoft on-premises environments. The Microsoft cloud environment uses Azure Active Directory (AAD), which provides similar identity services but is a separate product with its own protocols (it does not use the ports described in this article).

Active Directory Ports

Active Directory runs inside the Local Security Authority Subsystem Service (lsass.exe) process, which contains the replication and authentication engines of a Windows Domain Controller. Client computers, domain controllers and application servers need network connectivity to Active Directory on particular hard-coded ports. Furthermore, unless a tunneling protocol is used to encapsulate the Active Directory traffic, a range of ephemeral TCP ports is also needed: 1025 to 5000 and 49152 to 65535 (which range applies depends on the Windows version, see below).

Active Directory communication involves a lot of ports, and most system administrators know only a few of them. Enterprises need Active Directory for workstation and server management, group policy management, authentication, and more. A complete list of Active Directory ports and their functions, including the services used by Microsoft client and server operating systems, follows below.

The server products from Microsoft use a variety of protocols and network ports to communicate with client systems and with other servers in the network. Also ensure you have implemented Active Directory security best practices: every port you open is a port an attacker can reach, so open them only between the hosts that need them.

Application Protocol                                  Protocol   Ports
Active Directory Web Services (ADWS)                  TCP        9389
Active Directory Management Gateway Service           TCP        9389
Global Catalog (LDAP over SSL)                        TCP        3269
Global Catalog (LDAP)                                 TCP        3268
ICMP                                                  ICMP       No port number
Lightweight Directory Access Protocol (LDAP) Server   TCP        389
Lightweight Directory Access Protocol (LDAP) Server   UDP        389 (CLDAP, used for DC locator pings)
Lightweight Directory Access Protocol Server (SSL)    TCP        636
IPsec ISAKMP                                          UDP        500
NAT-T                                                 UDP        4500
RPC endpoint mapper                                   TCP        135
RPC randomly allocated high TCP ports                 TCP        1025 – 5000 and 49152 – 65535
SMB                                                   TCP        445

AD Important Ports

  • If every domain controller and client in your network environment runs Windows Server 2008 or later (2008 R2, 2012, 2016, 2019, 2022) or Windows Vista or later, the dynamic client port range for outgoing connections is larger than before: the default start port is 49152 and the default end port is 65535, so you need to allow network connectivity over the high port range 49152 to 65535.
  • If your network environment mixes Windows Server 2008, Windows Server 2008 R2, Windows Vista or Windows 7 with Windows versions that came before Windows Server 2008 and Windows Vista, then you must allow connectivity over both port ranges: the low range from 1025 to 5000 and the high range from 49152 to 65535.
  • If your network environment uses only versions that came before Windows Server 2008 and Windows Vista, then you only need network connectivity over the low port range from 1025 to 5000.
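The three rules above assume the default range for each Windows version, but the range can be changed per host (see the netsh method later in this article), so a firewall engineer should read the configured range rather than guess it. The following script is an added example, not code from the original article or from Microsoft; it uses only built-in cmdlets and the netsh output format, and reports whether each host is still on a low (1025 to 5000 style) range that the firewall must also permit.

```powershell
# Added example (not from the original article): report which ephemeral port range a
# Windows host actually uses for TCP and UDP, so firewall rules match the real
# configuration. Get-NetTCPSetting exists on Windows 8 / Server 2012 and later; on
# older hosts, and for UDP, the netsh output is parsed instead.

function Get-DynamicPortRange {
    param([ValidateSet('tcp','udp')][string]$Protocol = 'tcp')

    # Preferred path: the NetTCPIP module exposes the configured TCP range directly.
    if ($Protocol -eq 'tcp' -and (Get-Command Get-NetTCPSetting -ErrorAction SilentlyContinue)) {
        $s = Get-NetTCPSetting -SettingName Internet
        return [pscustomobject]@{
            Protocol = 'tcp'
            Start    = [int]$s.DynamicPortRangeStartPort
            End      = [int]$s.DynamicPortRangeStartPort + [int]$s.DynamicPortRangeNumberOfPorts - 1
        }
    }

    # Fallback: parse "netsh int ipv4 show dynamicport <proto>", whose output contains
    # "Start Port      : 49152" and "Number of Ports : 16384" lines.
    $out   = netsh int ipv4 show dynamicport $Protocol
    $start = [int](($out | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $count = [int](($out | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    [pscustomobject]@{ Protocol = $Protocol; Start = $start; End = $start + $count - 1 }
}

foreach ($proto in 'tcp','udp') {
    $r = Get-DynamicPortRange -Protocol $proto
    # A start below 49152 means pre-Vista defaults or a deliberate override (KB929851):
    # the firewall must then allow that low range between clients and Domain Controllers.
    $legacy = $r.Start -lt 49152
    '{0}: {1}-{2} ({3})' -f $r.Protocol.ToUpper(), $r.Start, $r.End,
        $(if ($legacy) { 'low range, firewall must allow it' } else { 'default high range' })
}
```

Run it on a sample of clients and on each Domain Controller; a single host with a non-default range is enough to make RPC-based operations (replication, Group Policy, WMI) fail through a firewall that only allows 49152 to 65535.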

A special case is a mixed environment that has a VPN gateway placed behind a filtering router and uses the Layer 2 Tunneling Protocol (L2TP) together with IPsec. In that case, all Active Directory traffic travels inside the tunnel, so you only need to allow the following through the router rather than opening all the protocols and ports listed above:

  • IPsec Encapsulating Security Payload (ESP) (IP protocol 50)
  • IPsec Network Address Translator Traversal (NAT-T) (UDP port 4500)
  • IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500)

Additionally, the Microsoft LDAP client uses ICMP pings to verify that an LDAP server with which it has a pending request is still present on the network, which is why ICMP echo must be allowed from clients to domain controllers. The LDAP session settings that control this are:

  • PingKeepAliveTimeout = 120 seconds (the time the client waits after the last response before it sends a ping)
  • PingLimit = 4 (the number of unanswered pings that are sent before the connection is closed)
  • PingWaitTimeout = 2000 ms (the time the client waits for an ICMP response)

What's more, if needed, you can hard code the port that Active Directory replication uses by following the procedure "Restricting Active Directory RPC traffic to a specific port" (described in the methods later in this article). The system service name is LSASS.

Active Directory ports client to domain controller

Active Directory communication takes place over multiple ports, and these ports are required by both Domain Controllers and client computers. For example, whenever a client computer searches for a domain controller, it sends a DNS query over port 53 for the SRV records (such as _ldap._tcp.dc._msdcs.<domain>) that name the domain controllers of the domain, and then sends an LDAP ping (UDP 389) to pick a live one.

Mentioned below is the list of ports for Active Directory communication and their services:

  • TCP and UDP port 88 for Kerberos authentication (Windows clients use TCP when the ticket is too large for a UDP datagram).
  • TCP port 135 (RPC endpoint mapper) for client to domain controller and domain controller to domain controller RPC operations; the mapper then hands out a port from the dynamic RPC range.
  • TCP port 139 (NetBIOS session) and UDP port 138 (NetBIOS datagram) for legacy NetBIOS-based services such as NetLogon and DFS Namespaces between domain controllers.
  • TCP port 389 for LDAP queries from client computers to domain controllers, and UDP port 389 (CLDAP) for the LDAP pings used by the DC locator.
  • TCP port 445 for SMB, used to reach the SYSVOL and NETLOGON shares (Group Policy, logon scripts) and the NetLogon and SAMR named pipes.
  • TCP and UDP port 464 for Kerberos password change.
  • TCP ports 3268 and 3269 for Global Catalog queries (plain and over SSL) from client to domain controller.
  • TCP and UDP port 53 for DNS, from domain controller to domain controller and from client to domain controller.

Opening the ports above in the firewall between domain controllers, and between domain controllers and client computers, allows Active Directory to function properly.


Ports, Protocols Required For Checking Active Directory, Group Policy And Exchange

Port                 Protocol   Target               What They Do
389                  TCP        Domain Controllers   LDAP common queries
3268                 TCP        Domain Controllers   Global Catalog LDAP: group membership, GC search
3269                 TCP        Domain Controllers   Global Catalog LDAP over SSL
88                   TCP/UDP    Domain Controllers   Kerberos authentication
135, 1024 – 65535    TCP        Domain Controllers   Windows Management Instrumentation (RPC endpoint mapper plus dynamic RPC ports)
445                  TCP        Domain Controllers   Authenticated SMB communication between servers and Domain Controllers
53                   UDP        DNS Server           DNS client queries (TCP 53 is also used for large responses and zone transfers)
135, 1024 – 65535    TCP        Exchange Server      Windows Management Instrumentation, retrieve Exchange Server configuration settings
5985, 5986           TCP        Exchange Server      Windows Remote Management, PowerShell remoting: 5985 for HTTP, 5986 for HTTPS
80, 443              TCP        Exchange Server      Remote PowerShell (Exchange Management Shell) over HTTP and HTTPS

Active Directory Domain Controller Communication Ports List

Below are the additional Active Directory Ports that are used for Active Directory communications:

  • TCP, UDP port 135: RPC (Remote Procedure Call) endpoint mapper
  • TCP, UDP port 137: NetBIOS name service
  • UDP port 138: DFSN, NetBIOS Datagram Service, NetLogon
  • TCP port 139: DFSN, NetBIOS Session Service, NetLogon
  • TCP, UDP port 389: LDAP
  • TCP port 636: LDAP SSL
  • TCP, UDP port 445: SMB, NetLogon, SamR
  • TCP, UDP port 1512: WINS Resolution
  • TCP, UDP port 42: WINS Replication
  • TCP Dynamic: RPC, DCOM, NetLogonR

Active Directory Replication Ports

The ports given below are used for Active Directory Replication.

  • TCP port 135: RPC (Remote Procedure Call) endpoint mapper
  • TCP dynamic RPC port (or the static port configured as described later): the replication RPC interface itself (DRSUAPI)
  • TCP, UDP port 389: LDAP
  • TCP port 636: LDAP SSL
  • TCP port 3268: Global Catalog LDAP
  • TCP port 3269: Global Catalog LDAP SSL
  • TCP, UDP port 53: DNS
  • TCP, UDP port 88: Kerberos
  • TCP port 445: SMB
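The client-to-domain-controller list, the "ports required for checking Active Directory" table and the replication list above are all TCP-heavy, so the fastest way to find a firewall gap is to locate the domain controllers the way a client does (DNS SRV records) and then test each listed TCP port against each of them. The script below is an added example, not code from the original article or from Microsoft. It assumes a domain-joined Windows host, takes the domain name from the environment, and only tests TCP: Test-NetConnection cannot exercise UDP 53/88/389/464, and the dynamic RPC range is deliberately left out because it has to be checked on the Domain Controller itself.

```powershell
# Added example (not from the original article): discover Domain Controllers from the
# DNS SRV record the DC locator uses, then test the TCP ports from the client-to-DC
# and replication lists. Assumptions: domain-joined host, $env:USERDNSDOMAIN set.

param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: the domain this host is joined to
    [ValidateSet('ClientToDC','Replication')][string]$Profile = 'ClientToDC'
)

# Port sets taken from the lists in this article (TCP only).
$portProfiles = @{
    ClientToDC  = [ordered]@{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
                              445='SMB (SYSVOL/NETLOGON)'; 464='Kerberos password change';
                              636='LDAPS'; 3268='Global Catalog'; 3269='Global Catalog SSL' }
    Replication = [ordered]@{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
                              445='SMB'; 636='LDAPS'; 3268='Global Catalog'; 3269='Global Catalog SSL' }
}

function Get-DomainControllersFromSrv {
    param([string]$DomainName)
    # The same record the DC locator queries first: _ldap._tcp.dc._msdcs.<domain>
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-DcPorts {
    param([string]$ComputerName, [System.Collections.IDictionary]$Ports)
    foreach ($port in $Ports.Keys) {
        # -InformationLevel Quiet returns a plain boolean instead of a report object.
        $open = Test-NetConnection -ComputerName $ComputerName -Port $port `
                    -WarningAction SilentlyContinue -InformationLevel Quiet
        [pscustomobject]@{ DC = $ComputerName; Port = $port; Service = $Ports[$port]; Open = $open }
    }
}

$dcs = Get-DomainControllersFromSrv -DomainName $Domain
if (-not $dcs) { throw "No SRV records found for $Domain; DNS on port 53 may be blocked." }

$results = foreach ($dc in $dcs) { Test-DcPorts -ComputerName $dc -Ports $portProfiles[$Profile] }
$results | Format-Table -AutoSize

# Anything closed here is a firewall gap for the chosen profile. The dynamic RPC range
# (49152-65535 by default) is not covered by this test and must be checked separately.
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning ('{0}: TCP {1} ({2}) is blocked' -f $_.DC, $_.Port, $_.Service)
}
```

Run it with -Profile Replication from a Domain Controller to test the DC-to-DC path; a closed port 135 there means the endpoint mapper is unreachable and replication will fail before the dynamic port is even negotiated.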

Active Directory Authentication Ports

The below mentioned ports are used for Active Directory authentication:

  • TCP port 389 (LDAP queries) and UDP port 389 (CLDAP pings used to locate a domain controller)
  • TCP, UDP port 53: DNS
  • TCP, UDP port 88: Kerberos
  • TCP port 445: SMB over IP (NetLogon secure channel and SYSVOL access)

Active Directory Errors

Knowing the Active Directory ports tells you which ports to allow in the firewall. If a required port is not allowed, requests between clients and domain controllers, or between domain controllers, are silently blocked and the symptoms show up in seemingly unrelated services.

Common problems caused by blocked Active Directory ports are:

  • Replication fails because TCP port 135 (RPC endpoint mapper) or the dynamic RPC port range is blocked between domain controllers.
  • Global Catalog queries and replication of the Global Catalog partition fail because TCP port 3268 or 3269 is blocked.
  • LDAP fails to authenticate (bind) users over LDAP over SSL (LDAPS) because TCP port 636 is blocked while 389 is open.
  • Kerberos fails to authenticate users because the TGT and TGS requests on TCP/UDP port 88 are blocked, so clients fall back to NTLM or fail outright.

An Active Directory port is a TCP or UDP port on which an Active Directory Domain Controller services requests. Domain Controllers (DCs) use the various ports mentioned above for data transfer and communication. The most common protocols used are:

  • LDAP
  • Kerberos
  • RPC
  • DNS
  • SMB over IP

Depending upon the requirements, a system administrator can configure which port needs to be opened.

The Ephemeral Ports

Also known as service response ports, ephemeral ports are essential for RPC-based communication. They are allocated dynamically for each session in response to a client that opens a session; the client is not restricted to Windows, it can be a Linux or Unix host as well. Once a session is closed, its port is returned to the pool for reuse.

The following chart tells you what the Ephemeral ports are based on the Operating System in use and what they do.

Operating System                   Ports And Protocols                              What They Do
Windows Server 2003 and earlier    TCP and UDP 1025 – 5000                          Ephemeral dynamic service response ports
Windows Server 2008 and newer      TCP and UDP 49152 – 65535                        Ephemeral dynamic service response ports
TCP dynamic ephemeral              RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS    Replication, computer and user authentication, Group Policy, trusts
UDP dynamic ephemeral              DCOM, RPC, EPM                                   Group Policy

Port Requirements RODC - Read Only Domain Controllers

Traffic                              Type Of Traffic
UDP 53                               DNS
TCP 53                               DNS
TCP 135                              RPC, EPM (endpoint mapper)
TCP Static 53248                     FRsRpc (FRS pinned to a static port in this example)
TCP 389                              LDAP
TCP and UDP Dynamic 1025 – 5000      Ephemeral ports (Windows Server 2003 and earlier)
TCP and UDP Dynamic 49152 – 65535    Ephemeral ports (Windows Server 2008 and later)

Restricting Access To Ports Across A Firewall

You can restrict Domain Controller to client communication and Domain Controller to Domain Controller traffic to specific ports. Which ports you restrict depends on which services you want to pass through the firewall, so be careful to choose the correct ports for the service in question.

1. Method A: set a static Active Directory replication port

By default, Active Directory replication between Domain Controllers (and between sites) uses a port from the dynamic RPC range. This method pins replication, and optionally the Netlogon RPC service, to a fixed port so that only that port and TCP 135 need to be open between Domain Controllers.

Procedure: modify the registry to select a static port (the Domain Controller must be restarted for the change to take effect).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (DWORD value "TCP/IP Port")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (DWORD value "DCTcpipPort")

Applies to: all supported versions of Windows Server

Restricting Active Directory replication traffic and client RPC traffic to a specific port
 http://support.microsoft.com/kb/224196

2. Method B: change the dynamic port range

This method changes the dynamic (ephemeral) port range that the TCP/IP stack hands out, so the range the firewall has to permit is smaller or sits where your rules expect it. The default dynamic port range for TCP/IP changed in Windows Vista and Windows Server 2008 from 1025 – 5000 to 49152 – 65535.

Netsh: use the following examples to set a starting port and the number of ports after it to use (this example yields the range 10000 to 10999):

netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000

The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008 and later (Windows Server 2012 R2, 2016, 2019 and Windows 10, all editions)
http://support.microsoft.com/kb/929851

3. Method C: modify the RPC registry key

This method restricts the ports that the RPC runtime itself allocates. It applies to every RPC-based Windows service on the machine, so it also affects Active Directory communication such as replication and Netlogon.

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet (values "Ports", "PortsInternetAvailable" and "UseInternetPorts")

How to configure RPC dynamic port allocation to work with firewalls
 http://support.microsoft.com/kb/154596/en-us
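The three methods above are usually combined on a Domain Controller: a static port for replication, a static port for Netlogon, a narrow RPC range for everything else, matching firewall rules, and a check after the reboot that lsass.exe really listens where you expect. The script below is an added example, not code from the original article or from Microsoft. The registry value names come from the two Microsoft articles cited above; the port numbers and the firewall rule name are assumptions chosen for illustration, and you must pick ports that are unused in your environment.

```powershell
# Added example (not from the original article): pin AD DS replication, Netlogon and
# the RPC runtime to known ports on a Domain Controller, open them in Windows Defender
# Firewall, and verify the listeners after the reboot. Run elevated on the DC.
# Port numbers and the rule name are assumptions; value names follow KB224196 / KB154596.

param(
    [int]$NtdsPort     = 38901,          # assumed static port for AD DS replication
    [int]$NetlogonPort = 38902,          # assumed static port for Netlogon RPC
    [string]$RpcRange  = '50000-50200'   # assumed range for all other RPC servers
)

$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$rpcKey   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# Method A: static ports for the replication interface (DRSUAPI) and Netlogon RPC.
Set-ItemProperty -Path $ntds     -Name 'TCP/IP Port' -Value $NtdsPort     -Type DWord
Set-ItemProperty -Path $netlogon -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord

# Method C: constrain the RPC runtime so remaining dynamic endpoints come from a small
# range. The Rpc\Internet key does not exist by default. This affects every RPC service
# on the host, so the range must be large enough for WMI, DCOM and DFS-R as well.
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
Set-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @($RpcRange) -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y'          -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y'          -Type String

# Firewall: allow the endpoint mapper, the two static ports and the RPC range on the
# domain profile. LDAP/LDAPS/GC/Kerberos/DNS/SMB are assumed to be covered by the
# existing Domain Controller rules and are not touched here.
New-NetFirewallRule -DisplayName 'AD DS static RPC ports (example)' -Direction Inbound `
    -Protocol TCP -LocalPort @("$NtdsPort", "$NetlogonPort", $RpcRange, '135') `
    -Action Allow -Profile Domain | Out-Null

Write-Host 'Restart the Domain Controller for the NTDS, Netlogon and RPC changes to take effect.'

# Verification after the reboot: list the TCP ports lsass.exe (the LSASS service that
# hosts AD DS and Netlogon) is listening on. The two static ports must appear; if they
# do not, the registry value name or type is wrong and replication is still dynamic.
function Get-LsassListeners {
    $lsassPid = (Get-Process -Name lsass).Id
    Get-NetTCPConnection -State Listen -OwningProcess $lsassPid |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
}
Get-LsassListeners
```

Apply the same values on every Domain Controller that replicates across the firewall; a static port configured on only one side still leaves the other side negotiating a dynamic port through the endpoint mapper.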

Complete List of Active Directory Ports and What They Do Explained Conclusion

Now that you read about what Active Directory Ports are and what they do, it is essential to implement the ports with a complete understanding of the technology. Active Directory is dependent on multiple communication services to communicate between Domain Controller and client computers. Understanding how AD communicates can be critical when working with Domain Controllers and client computers separated by routers or firewalls.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
