How can I change the default port of Active Directory in Windows 2008?

  • Question

  • I don't want to use the default port 389. Please tell me how to configure it. Also, how do I enable SSL?

    Thanks.

    Friday, August 30, 2013 8:44 AM

Answers

  • Can I ask why you want to change the AD default port? It is not a best practice to do that. What are you trying to achieve? However, there are many default AD ports; which in particular are you interested in? Please see the below:

    Protocol and Port | AD and AD DS Usage                                                            | Type of traffic
    TCP and UDP 389   | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
    TCP 636           | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
    TCP 3268          | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
    TCP 3269          | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
    TCP and UDP 88    | User and Computer Authentication, Forest Level Trusts                          | Kerberos

    Regards 

    Masson Tech

    • Marked as answer by Amy Wang_ Wednesday, September 4, 2013 1:03 AM
    Friday, August 30, 2013 8:59 AM
  • Hello,

    Enable LDAP with SSL (http://support.microsoft.com/kb/321051/en-us) so that port 636 is used.

    Why do you need to change the default port?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Amy Wang_ Wednesday, September 4, 2013 1:03 AM
    Friday, August 30, 2013 9:11 AM
  • I agree with the other responses.

    To add, if you change the default LDAP port that EVERY LDAP application uses, then you have to change it on each and every client and application that uses AD to that port. Is that what you are planning on doing? The reason is that TCP 389 is the default LDAP port that all apps and services use to query an LDAP directory (AD, Novell, Sun NIS, etc.), unless you were to change it to the SSL port. I'm not sure if you had realized that.

    Or did you want to mount a different version of the directory using a different port just for testing? You can use ntdsutil to mount a snapshot of the directory.

    I'm also looking forward to your reply to Meinolf's question.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by Amy Wang_ Wednesday, September 4, 2013 1:03 AM
    Friday, August 30, 2013 6:03 PM
  • I would agree with others, and I would highly recommend not making any changes to the default ports; Ace already provided a good explanation.

    If you would like to encrypt and sign LDAP traffic, then enabling LDAPS is enough. You need a CA for that which has the Domain Controller certificate template enabled, so that your domain controllers can automatically enroll and renew their certificates. Once your DCs have their certificates installed, LDAPS will be enabled. This is applicable if you use internal Microsoft CAs. For third-party ones, Meinolf already provided the needed article.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Get Active Directory User Last Logon

    Create an Active Directory test domain similar to the production one

    Management of test accounts in an Active Directory production domain - Part I

    Management of test accounts in an Active Directory production domain - Part II

    Management of test accounts in an Active Directory production domain - Part III

    Reset Active Directory user password

    • Marked as answer by Amy Wang_ Wednesday, September 4, 2013 1:03 AM
    Sunday, September 1, 2013 3:43 PM
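The two answers above (Masson Tech's port table and the LDAPS-through-certificate answer) can both be checked from a client before anyone relies on them. The PowerShell below is an added example, not code from any of the posters or from Microsoft: it probes the TCP ports from the table on a DC and then completes a TLS handshake on 636 and 3269 to show which certificate the DC actually presents, whether it carries the Server Authentication EKU and a SAN, and whether this client can verify it. It assumes PowerShell 3.0 or later; dc01.corp.example is a placeholder for your DC's FQDN.

```powershell
# Added example: check a domain controller's LDAP/LDAPS endpoints from a client.
# Not code from the thread or from Microsoft. Assumes PowerShell 3.0 or later;
# dc01.corp.example is a placeholder for your DC's FQDN.
$ErrorActionPreference = 'Stop'

# Port list as given in Masson Tech's table (TCP side only; UDP is not probed here).
$AdPorts = @(
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 636;  Name = 'LDAP SSL' },
    @{ Port = 3268; Name = 'LDAP GC' },
    @{ Port = 3269; Name = 'LDAP GC SSL' },
    @{ Port = 88;   Name = 'Kerberos' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient exists on every .NET version; Test-NetConnection is not on 2008/2008 R2.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-LdapsCertificate {
    param([string]$ComputerName, [int]$Port = 636)
    # Complete a TLS handshake so the DC presents the certificate LDAPS relies on.
    # The callback records the validation result and accepts the certificate so
    # that it can still be inspected when the chain or host name does not verify.
    $script:PolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:PolicyErrors = $errors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # A DC certificate must carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasServerAuth = $false
        if ($eku) {
            $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        }
        # The Subject Alternative Name (OID 2.5.29.17) should contain the DC's FQDN.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

        [pscustomobject]@{
            Port           = $Port
            Subject        = $cert.Subject
            SubjectAltName = $(if ($san) { $san.Format($false) } else { '(none)' })
            NotAfter       = $cert.NotAfter
            ServerAuthEku  = $hasServerAuth
            Protocol       = $ssl.SslProtocol
            PolicyErrors   = $script:PolicyErrors   # 'None' means chain and host name verified
        }
    } finally {
        $client.Close()
    }
}

function Test-DomainController {
    param([string]$ComputerName)
    foreach ($p in $AdPorts) {
        [pscustomobject]@{
            Check  = $p.Name
            Port   = $p.Port
            Result = $(if (Test-TcpPort -ComputerName $ComputerName -Port $p.Port) { 'open' } else { 'closed/filtered' })
        }
    }
    foreach ($port in 636, 3269) {
        try { Get-LdapsCertificate -ComputerName $ComputerName -Port $port }
        catch { [pscustomobject]@{ Check = 'TLS handshake'; Port = $port; Result = $_.Exception.Message } }
    }
}

Test-DomainController -ComputerName 'dc01.corp.example' | Format-List
```

If the handshake on 636 fails while 389 is open, the DC has no usable certificate yet (auto-enrollment has not run, or the template is not published); if it succeeds but PolicyErrors is not None, the certificate is there but this client does not trust the issuing CA or the name does not match, which is the same failure an LDAP client will see.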
  • I don't want to use the default port 389. Please tell me how to configure it. Also, how do I enable SSL?

    Thanks.

    You can't change the default AD port, nor can you completely disable port 389 even if you enable LDAPS. The reason is that an application will try to use LDAP over SSL when it is enabled, and on failing it will try to use port 389. I'm also interested to know why you want to change the default port. If security is something bothering you, the viable way is to have a tight monitoring system in place.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Amy Wang_ Wednesday, September 4, 2013 1:03 AM
    Monday, September 2, 2013 2:19 AM
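Awinish's point is that 389 stays open whatever you do with LDAPS, so the defender's lever is to see who is still binding without signing or over clear text, and then to require signing once those clients are fixed. The PowerShell below is an added example, not from any of the posters or from Microsoft: it raises the DC's "16 LDAP Interface Events" diagnostics level so that the Directory Service log records event 2889 for each unsigned or clear-text bind, reads the LDAPServerIntegrity setting, and summarizes 2889 events per client. The registry paths, value names and event IDs are the documented ones; the order of the 2889 event properties is an assumption, and the sample events at the end are constructed so the parser runs without a DC.

```powershell
# Added example: monitor unsigned / clear-text LDAP binds on a DC.
# Not code from the thread or from Microsoft. Run on a DC as an administrator
# (PowerShell 3.0 or later). Registry paths, value names and event IDs are the
# documented LDAP-signing diagnostics; the 2889 property order is an assumption
# and the sample events at the bottom are constructed for offline testing.
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapInterfaceEvents {
    # Level 2 makes the DC log event 2889 (one per unsigned SASL or clear-text simple
    # bind) plus a 2887 daily summary in the Directory Service log.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-LdapSigningRequirement {
    # LDAPServerIntegrity: 1 (or absent) = signing not required, 2 = require signing.
    $v = (Get-ItemProperty -Path $NtdsParams -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($v -eq 2) { 'Require signing' } else { 'Not required (default)' }
}

function ConvertFrom-Ldap2889Event {
    param([Parameter(ValueFromPipeline = $true)] $LogEvent)
    process {
        # Assumed property order: [0] client IP:port, [1] identity, [2] binding type.
        $ipPort = [string]$LogEvent.Properties[0].Value
        $sep    = $ipPort.LastIndexOf(':')   # LastIndexOf keeps IPv6 addresses intact
        [pscustomobject]@{
            Time        = $LogEvent.TimeCreated
            ClientIp    = $(if ($sep -gt 0) { $ipPort.Substring(0, $sep) } else { $ipPort })
            Identity    = [string]$LogEvent.Properties[1].Value
            BindingType = [string]$LogEvent.Properties[2].Value
        }
    }
}

function Get-UnsignedBindSummary {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    begin { $all = @() }
    process { $all += $Record }
    end {
        # One row per client so each host that still needs fixing shows up once.
        $all | Group-Object ClientIp | ForEach-Object {
            [pscustomobject]@{
                ClientIp   = $_.Name
                Binds      = $_.Count
                Identities = (($_.Group | ForEach-Object { $_.Identity }) | Sort-Object -Unique) -join ', '
                LastSeen   = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        } | Sort-Object Binds -Descending
    }
}

# Live use on a DC (uncomment once the diagnostics level has had time to collect events):
# Enable-LdapInterfaceEvents
# Get-LdapSigningRequirement
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } |
#     ConvertFrom-Ldap2889Event | Get-UnsignedBindSummary | Format-Table -AutoSize

# Constructed sample events shaped like 2889 records, so the parser runs without a DC.
function New-SampleEvent([string]$IpPort, [string]$Identity, [string]$Type) {
    [pscustomobject]@{
        TimeCreated = Get-Date
        Properties  = @(@{ Value = $IpPort }, @{ Value = $Identity }, @{ Value = $Type })
    }
}
$sample = @(
    (New-SampleEvent '10.0.0.25:51002' 'CORP\svc-legacy-app' '0'),
    (New-SampleEvent '10.0.0.25:51011' 'CORP\svc-legacy-app' '0'),
    (New-SampleEvent '10.0.0.71:40412' 'CORP\printserver$'   '1')
)
$sample | ConvertFrom-Ldap2889Event | Get-UnsignedBindSummary | Format-Table -AutoSize
```

The summary is the list of clients that would break if LDAPServerIntegrity were set to 2; work through it (move those applications to LDAPS or to signed SASL binds) before raising the requirement, and keep the 2889 events flowing into whatever log collection you already run.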

All replies

  • As others said, it is not highly recommended.

    Have you configured any Identity Management for UNIX in your environment? Just checking the reason for changing the default port.


    Devaraj G | Technical solution architect

    Monday, September 2, 2013 11:45 AM
  • Why?
    In general, if you mess around with AD's standard settings, things WILL break.

    If you set out your reasons for needing to change the port, maybe a workaround will be possible.
    Monday, September 2, 2013 2:55 PM
  • Without the original poster, PK_YAD, responding to our questions, my guess and feeling is that *one* possibility for wanting to change the port is that he/she is more than likely trying to install a third-party LDAP-based app or service on a DC, such as Lotus Notes, which has its own built-in LDAP service.

    Otherwise, it may be for a security test or proof of concept for a private, LDAP based solution.

    -

    But we will never know without a response from the original poster. :-)


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, September 2, 2013 11:06 PM
  • I have the same exact question.

    I am building a POC, so I am using a single machine to deploy several components.

    I have a third-party LDAP, which already uses ports 389 and 636.

    I am at a point where I have several components and applications using this configuration, but now I also need to set up AD.

    One option is to change the ports on the third-party LDAP server, but it comes with a lot of reconfiguration at this point.

    So, I was wondering if AD can instead be deployed on different ports.

    Thanks!

    Wednesday, November 6, 2013 9:54 PM
  • No, it cannot, if you're talking about Active Directory Domain Services.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 6, 2013 9:59 PM
  • Just leave the third-party app on a separate server, and do not make it a DC.

    Create a DC on its own server, keeping the third-party app off it.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, November 7, 2013 4:04 AM
  • Thank you, Chris and Ace.

    I spun up another VM and got AD set up there.

    I wish there was at least a twisted way to customize the ports. :)

    Thursday, November 7, 2013 12:24 PM