AD port requirements when DCs and clients segmented by firewall

  • Question

  • I'll try and simplify my scenario to 2 networks.  I have client machines in network A and domain controllers in network B.  I'm trying to narrow down the open ports from the client network to the DC network.  The DCs are 2008R2.  After searching many posts, I've come up with the following list.

    Source: Network A

    Destination: Network B

    TCP 135
    TCP 137
    TCP 139
    TCP/UDP 389
    TCP 636
    TCP 3268
    TCP 3269
    TCP/UDP 88
    TCP/UDP 53
    TCP/UDP 445
    TCP/UDP 464  
    UDP 123
    UDP 137
    UDP 138
    TCP/UDP 49152-65535

    My first question is if there are any ports that I may have missed and second, would there be any communication initiated by the DCs to the client network requiring another set of fw rules from Network B to Network A?

    Thanks in advance for any help.

    Wednesday, February 3, 2016 3:47 PM

Answers

  • Hi,

    The following is the list of services and their ports used for Active Directory communication:

    • UDP Port 88 for Kerberos authentication
    • UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
    • TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
    • UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
    • TCP and UDP Port 445 for File Replication Service
    • TCP and UDP Port 464 for Kerberos Password Change
    • TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
    • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
    • UDP 123 for time service
    • UDP for Netlogon and NetBIOS
    • TCP 139 for 

    Opening the above ports in the firewall between client computers and domain controllers, or between domain controllers, will enable Active Directory to function properly.

    Please check the below link for more details.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/4ea85317-56c3-446d-9736-bfd046fc589c/port-needed-between-a-member-server-and-domain-controller-that-are-separated-by-a-firewall?forum=winserversecurity

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/WhatAllPortsAreRrequiredByDomainControllersAndClientComputers.html

    Thanks,

    Arindam

    • Proposed as answer by Alvwan Tuesday, February 9, 2016 4:01 AM
    • Marked as answer by Mahdi Tehrani Friday, February 19, 2016 5:08 AM
    Wednesday, February 3, 2016 5:16 PM
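The following is an added example, not code from the thread or from Microsoft, that turns the port list above into a connectivity check run from a client in Network A against a DC in Network B. The DC name is a placeholder, Test-NetConnection needs PowerShell 4 or later on the client, and since Test-NetConnection only exercises TCP, the UDP services (DNS, NTP, Netlogon) are verified by driving the protocols themselves:

```powershell
# Added example (not from the original thread): verify from a client in Network A that the
# firewall actually passes the listed ports to a DC in Network B.
# Assumption: $Dc is a placeholder name; replace it with a DC in Network B.
$Dc = 'dc01.corp.example'

# TCP ports from the question, with the service each carries.
$TcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

# One TCP connect per port; TcpTestSucceeded is $false when the firewall drops or rejects it.
$results = foreach ($port in ($TcpPorts.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $TcpPorts[$port]
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# UDP cannot be probed with Test-NetConnection, so exercise the protocols instead.
# DNS over UDP 53: the SRV record clients use to locate DCs.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV -Server $Dc
# NTP over UDP 123.
w32tm /stripchart /computer:$Dc /samples:1 /dataonly
# Secure channel check: exercises Netlogon/RPC (135 plus the dynamic range) and Kerberos.
nltest /sc_verify:$env:USERDNSDOMAIN

# Show the dynamic RPC range this host expects (49152-65535 on 2008 R2 by default).
netsh int ipv4 show dynamicport tcp
```

Run it before and after tightening the rule set: any port that flips from open to closed while the secure channel check still passes is a candidate for removal from the rule, and any failure in the protocol checks points at which UDP rule is missing.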
  • In addition, you may want to restrict the RPC ports to a specific range. If this is your case then you can refer to that: https://support.microsoft.com/en-us/kb/154596

    RPC ports are not required for your clients but are needed for computers or servers from which you do AD administration.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    • Proposed as answer by Alvwan Tuesday, February 9, 2016 4:01 AM
    • Marked as answer by Mahdi Tehrani Friday, February 19, 2016 5:08 AM
    Thursday, February 4, 2016 12:39 AM
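As an added example that is not part of the reply above or of KB 154596 itself, the script below audits, and optionally sets, the RPC port restriction the KB describes, so the firewall rule for Network A to Network B can be narrowed from 49152-65535 to a small fixed range. The registry path and the three values (Ports, PortsInternetAvailable, UseInternetPorts) are those documented in the KB; the range 5000-5100 is a constructed example value, and the change only takes effect after the DC is rebooted:

```powershell
# Added example (not from the original thread): audit and set the RPC dynamic port
# restriction from KB 154596 on a DC. Run elevated on the DC; reboot afterwards.
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcPortRestriction {
    # Absent key means RPC hands out ports from the OS dynamic range.
    if (-not (Test-Path $RpcKey)) {
        return 'No restriction configured: RPC uses the OS dynamic range (49152-65535 on 2008 R2).'
    }
    Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

function Set-RpcPortRestriction {
    param([string]$Range = '5000-5100')   # example range, choose one sized for your DC load
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ (one range per entry); the two flags are REG_SZ set to Y.
    New-ItemProperty -Path $RpcKey -Name Ports -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
}

Get-RpcPortRestriction
# Set-RpcPortRestriction -Range '5000-5100'   # then restart the DC

# Cross-check the OS-level dynamic range that applies when no restriction is set.
netsh int ipv4 show dynamicport tcp
```

After the reboot, the firewall rule for RPC can be reduced to TCP 135 plus the chosen range; keep the audit function in your DC baseline so a DC that drifts back to the full dynamic range shows up before its RPC calls start failing at the firewall.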
  • Hi,

    More articles for your reference:

    Active Directory Replication over Firewalls

    https://msdn.microsoft.com/en-us/library/bb727063.aspx

    https://wiki.technet.microsoft.com/wiki/active-directory-replication-over-firewalls/

    Active Directory Firewall Ports – Let’s Try To Make This Simple

    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alvwan Tuesday, February 9, 2016 4:01 AM
    • Marked as answer by Mahdi Tehrani Friday, February 19, 2016 5:08 AM
    Thursday, February 4, 2016 2:01 AM
