Required ports to communicate with Domain controller.

    Question

  • Please tell me the required ports needed to communicate with a domain controller, meaning to log a user in to the domain or join a machine to the domain.

    Must I also open the RPC randomly allocated high TCP ports 1024 – 65535?

    Thursday, July 21, 2011 5:08 AM

Answers

  • Hi,

    Below are the commonly required ports:

    UDP Port 88 for Kerberos authentication

    UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.

    TCP Port 139 and UDP 138 for File Replication Service between domain controllers.

    UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.

    TCP and UDP Port 445 for File Replication Service

    TCP and UDP Port 464 for Kerberos Password Change

    TCP Port 3268 and 3269 for Global Catalog from client to domain controller.

    TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

    Also, take a look at the article below: http://support.microsoft.com/kb/832017#4

     


    Regards, Mohan R Sr. Administrator - Server Support
    • Proposed as answer by Mr XMVP Thursday, July 21, 2011 6:31 AM
    • Marked as answer by VLCC Thursday, July 21, 2011 8:44 AM
    Thursday, July 21, 2011 5:40 AM
  • Yes, the ephemeral ports are required. They are:
    • TCP & UDP 1025-5000
    • TCP & UDP 49152-65535

    In addition, there are about 25 or more additional ports that AD communications require:

    Active Directory Replication over Firewalls, Jan 31, 2006. (includes older pre-Windows Vista/2008 ephemeral ports)
    http://technet.microsoft.com/en-us/library/bb727063.aspx

    Active Directory and Active Directory Domain Services Port Requirements, Updated: June 18, 2009 (includes updated new ephemeral ports for Windows Vista/2008 and newer)
    This also discusses RODC port requirements.
    http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

    Restricting Active Directory replication traffic and client RPC traffic to a specific port
    http://support.microsoft.com/kb/224196

     

    Additional links:

    Windows 2008, 2008 R2, Vista and Windows 7 Ephemeral Port range has changed from the ports used by Windows 2003, Windows XP, and Windows 2000. Default ephemeral (random service ports) are UDP 1024 - 65535 (see KB179442 below), but for Vista and Windows 2008 it's different. Their default start port range is UDP 49152 to UDP 65535 (see KB929851 below).

    Quoted from KB929851 (link posted below): "To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000."

    Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports) have changed.
    http://support.microsoft.com/?kbid=929851

     

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Mr XMVP Thursday, July 21, 2011 6:32 AM
    • Marked as answer by VLCC Thursday, July 21, 2011 8:45 AM
    Thursday, July 21, 2011 5:45 AM
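The two answers above give the port list and the ephemeral range, but not a way to confirm them from a client. The script below is an added example, not code from the thread or from any of the posters: it probes a domain controller on the TCP ports named above with Test-NetConnection and prints the dynamic port range the local machine will use for the RPC high-port step. The DC name is an assumed placeholder. Ports 88 and 389 appear above as UDP; Kerberos and LDAP also listen on TCP (that is what KB832017 lists), so they are probed here too. UDP itself cannot be tested with Test-NetConnection.

```powershell
# Added example, not from the thread. Probes a domain controller on the TCP
# ports named in the answers above and prints this machine's dynamic
# (ephemeral) port range. The DC name is an assumed placeholder; replace it.
param([string]$DC = 'dc01.example.local')   # assumed hostname, not from the thread

# TCP ports from the answers above. 88 and 389 are listed there as UDP, but
# Kerberos and LDAP also listen on TCP (KB832017), so they are probed as well.
$dcTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session (FRS)'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

# Iterate with GetEnumerator(): indexing an [ordered] dictionary with an
# integer would be treated as a position, not a key.
$results = foreach ($entry in $dcTcpPorts.GetEnumerator()) {
    $probe = Test-NetConnection -ComputerName $DC -Port $entry.Key `
                                -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $entry.Key
        Service = $entry.Value
        Open    = $probe.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# A failure on 135 also breaks the RPC high-port step: after the endpoint
# mapper answers, the client reconnects to a dynamic port on the DC. Show the
# dynamic range this host uses (49152-65535 by default on Vista/2008 and
# later, 1025-5000 on 2003/XP, as the answer above explains).
$tcpSetting = Get-NetTCPSetting -SettingName Internet
$first = $tcpSetting.DynamicPortRangeStartPort
$last  = $first + $tcpSetting.DynamicPortRangeNumberOfPorts - 1
"Dynamic TCP port range on this host: $first-$last"

# Same information on hosts without the NetTCPIP module:
#   netsh int ipv4 show dynamicport tcp
```

A port reported as not open here is either closed on the DC or filtered somewhere in between; the firewall side still has to allow the dynamic range printed at the end, since the DC's RPC services are registered on ports from that range, not on 135 itself.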

All replies

  • Just to add: to check that the wanted ports are open, use PortQry v2.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Thursday, July 21, 2011 6:32 AM
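PortQry, as suggested above, also covers the UDP ports in the earlier answers (88, 389, 53, 464), which a plain TCP connect test cannot reach. The script below is an added example, not from the thread or any poster; it assumes portqry.exe from PortQry v2 is on the PATH and uses an assumed placeholder DC name. It runs one query per port and protocol from the list above, classifies each result from PortQry's output text, and finally queries port 135 so that PortQry dumps the RPC endpoint mapper, which shows the dynamic ports the DC's RPC services are actually registered on.

```powershell
# Added example, not from the thread. Uses PortQry v2 (portqry.exe, assumed on
# PATH) to check the DC ports from the answers above, including the UDP ports
# a TCP connect test cannot probe. The DC name is an assumed placeholder.
$DC = 'dc01.example.local'   # assumed hostname, not from the thread

# Port, protocol and purpose as given in the thread's answers.
$checks = @(
    @{ Port = 53;   Proto = 'tcp'; Name = 'DNS' },
    @{ Port = 53;   Proto = 'udp'; Name = 'DNS' },
    @{ Port = 88;   Proto = 'udp'; Name = 'Kerberos' },
    @{ Port = 135;  Proto = 'tcp'; Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Proto = 'udp'; Name = 'LDAP' },
    @{ Port = 445;  Proto = 'tcp'; Name = 'SMB' },
    @{ Port = 464;  Proto = 'tcp'; Name = 'Kerberos password change' },
    @{ Port = 464;  Proto = 'udp'; Name = 'Kerberos password change' },
    @{ Port = 3268; Proto = 'tcp'; Name = 'Global Catalog' },
    @{ Port = 3269; Proto = 'tcp'; Name = 'Global Catalog over SSL' }
)

foreach ($c in $checks) {
    # PortQry prints a line such as "TCP port 445 (microsoft-ds service): LISTENING".
    # UDP probes of services it cannot talk to report "LISTENING or FILTERED",
    # because an unanswered UDP datagram is indistinguishable from a dropped one.
    $out = & portqry.exe -n $DC -e $c.Port -p $c.Proto 2>&1 | Out-String
    $state = switch -Regex ($out) {
        'NOT LISTENING'         { 'NOT LISTENING'; break }
        'LISTENING or FILTERED' { 'LISTENING or FILTERED'; break }
        'LISTENING'             { 'LISTENING'; break }
        'FILTERED'              { 'FILTERED'; break }
        default                 { 'unknown (inspect raw output)' }
    }
    '{0,-5} {1,-4} {2,-26} {3}' -f $c.Port, $c.Proto.ToUpper(), $c.Name, $state
}

# The RPC high ports: when asked about 135, PortQry dumps the endpoint mapper,
# listing the dynamic ports the DC's RPC services are registered on. Compare
# those against the range the firewall allows (49152-65535 on 2008 and later,
# 1025-5000 on 2003, as discussed above).
& portqry.exe -n $DC -e 135 -p tcp
```

Run it from a client in the network segment whose firewall path you are validating, not from the DC itself, since the point is to see what the filter between client and DC lets through.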
  • This has been discussed in the past, and yes, the RPC port can be restricted.

    Restricting AD replication ports in windows 2008

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/c108f740-9546-4057-9fe1-fcca8cd936fe/

     

    Regards  


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, July 21, 2011 7:35 AM
    Moderator
  • Thanks Mohan,
    Thursday, July 21, 2011 8:45 AM
  • Thanks Ace,
    Thursday, July 21, 2011 8:45 AM
  • Thanks Ace,

    You are welcome!

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, July 21, 2011 3:23 PM
  • Must the ports mentioned in the link below be opened in one direction, or bidirectionally?

    Please, could you send me an article where it's specified whether it's one direction or bidirectional?


    CDOTA

    Thursday, January 31, 2013 9:25 PM
  • Must the required ports be opened in one direction, or bidirectionally?


    CDOTA

    Thursday, January 31, 2013 9:26 PM
  • Bidirectional for DCs.

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Friday, February 1, 2013 3:54 AM
  • Unidirectional for client to DC ?

    Anoop C Nair - @anoopmannur :: MY Site:  www.AnoopCNair.com :: FaceBook:  ConfigMgr(SCCM) Page :: Linkedin:  Linkedin

    Tuesday, April 29, 2014 8:33 AM
  • Unidirectional for client to DC ?

    Anoop C Nair - @anoopmannur :: MY Site:  www.AnoopCNair.com :: FaceBook:  ConfigMgr(SCCM) Page :: Linkedin:  Linkedin

    As I responded to your other post in the other thread, DC-client communications are bidirectional.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, May 1, 2014 2:42 AM