Active Directory Firewall Ports
DC to DC and DC to client communications require numerous ports
There's no secret to this; that's the simplest way to put it.
The list of required ports is long, to the dismay of the network infrastructure engineering teams that must open them so that AD can authenticate users, replicate and apply Group Policy. There really isn't much that can be done about it, other than the port-restriction options covered further down this page.
Here's the list with an explanation of each port:

| Protocol and Port | AD and AD DS Usage | Type of traffic |
|---|---|---|
| TCP 25 | Replication (only when SMTP-based inter-site replication is configured; rarely used) | SMTP |
| TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS |
| TCP 135 | Replication (endpoint mapper; clients query it to learn the dynamic RPC port) | RPC, EPM |
| TCP 137 | NetBIOS Name Resolution | NetBIOS Name Resolution |
| TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 9389 | AD DS Web Services | SOAP |
| TCP 5722 | File Replication (DFSR SYSVOL; static on Windows Server 2008/2008 R2 DCs, later versions use a dynamic RPC port unless one is pinned) | RPC, DFSR (SYSVOL) |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
| UDP 123 | Windows Time, Trusts | Windows Time |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service |
| UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE |
And We Must Never Forget the Ephemeral Ports!!
And most of all, the ephemeral ports, also known as the "service response ports," that are required for communications. These ports are dynamically allocated for session responses for each client that establishes a session (no matter what the 'client' may be) and are used only for that session. Once the session has ended, the ports are returned to the pool for reuse. This applies not only to Windows, but to Linux, Unix and other operating systems as well. See the references section below to find out more on what 'ephemeral' means.
In practice a client first connects to the RPC endpoint mapper on TCP 135, learns which dynamic port the service it wants (for example DRSUAPI replication or Netlogon) is listening on, and then opens a second connection to that port. A firewall therefore has to allow 135 plus the dynamic range, or plus the static port you configure in the restriction section below.
The following chart shows what the ephemeral ports are depending on the OS version, and what they are used for.
| OS version | Protocol and Port | Usage |
|---|---|---|
| Windows 2000, Windows XP and Windows Server 2003 | TCP & UDP 1024-5000 | Ephemeral Dynamic Service Response Ports |
| Windows Vista, Windows Server 2008 and newer | TCP & UDP 49152-65535 | Ephemeral Dynamic Service Response Ports |

| Protocol and Port | AD and AD DS Usage | Type of traffic |
|---|---|---|
| TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM |
If the scenario is a mixed-mode NT4 and Active Directory environment with NT4 BDCs, then the following must be opened:

| Protocol and Port | Usage | Type of traffic |
|---|---|---|
| TCP & UDP 1024-65535 | NT4 BDC to Windows 2000 or newer domain controller (PDC Emulator) communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB |
See, wasn’t that simple?
The short list without port explanations:

| Protocol | Port |
|---|---|
| TCP | 25 |
| TCP | 42 |
| TCP | 135 |
| TCP | 137 |
| TCP | 139 |
| TCP and UDP | 389 |
| TCP | 636 |
| TCP | 3268 |
| TCP | 3269 |
| TCP and UDP | 88 |
| TCP and UDP | 53 |
| TCP and UDP | 445 |
| TCP | 9389 |
| TCP | 5722 |
| TCP and UDP | 464 |
| UDP | 123 |
| UDP | 137 |
| UDP | 138 |
| UDP | 67 |
| UDP | 2535 |
| TCP & UDP | 1024-5000 (Windows 2000/XP/2003 ephemeral range) |
| TCP & UDP | 49152-65535 (Windows Vista/2008 and newer ephemeral range) |

If the scenario is a mixed-mode NT4 and Active Directory environment with NT4 BDCs, the following ephemeral range must be opened (yes, it's pretty much the whole range):

| Protocol | Port |
|---|---|
| TCP & UDP | 1024-65535 |
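Before asking the network team to open anything, it helps to know which of the ports above are actually blocked between a given client (or partner DC) and each DC. The script below is an added example, not code from the original post or from Microsoft: it discovers the domain's DCs through the `_ldap._tcp.dc._msdcs` SRV record (which also exercises port 53) and probes every TCP port in the table on each one. `Test-NetConnection` only tests TCP, so the UDP rows are not probed; the domain name is a placeholder, and the host running it is assumed to be Windows 8/Server 2012 or newer (for the NetTCPIP and DnsClient modules).

```powershell
<#
  Added example, not from the original post. Probes the TCP ports from the
  table above against every DC that DNS advertises for a domain.
  Assumptions: 'corp.example' is a placeholder domain; Test-NetConnection
  and Resolve-DnsName are available (Windows 8 / Server 2012 and newer).
#>
param(
    [string]$Domain = 'corp.example'   # placeholder, replace with your domain
)

# TCP ports from the table above. Rows that only apply in special cases are
# kept so that a closed port is visible and can be judged in context.
$AdTcpPorts = [ordered]@{
    25   = 'SMTP replication (only if SMTP inter-site replication is used)'
    42   = 'WINS (only if WINS is used for trusts)'
    53   = 'DNS over TCP'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (required before any dynamic RPC port)'
    137  = 'NetBIOS name service'
    139  = 'NetBIOS session service'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Netlogon, SAMR, LSARPC)'
    464  = 'Kerberos change/set password'
    636  = 'LDAP over SSL'
    3268 = 'LDAP Global Catalog'
    3269 = 'LDAP Global Catalog over SSL'
    5722 = 'DFSR SYSVOL (static on 2008/2008 R2 DCs only)'
    9389 = 'AD Web Services'
}

function Get-DomainControllersFromDns {
    param([string]$DomainName)
    # The _ldap SRV record under _msdcs lists every writable DC; resolving it
    # is exactly what a domain-joined client does at logon, so a failure here
    # already tells you port 53 is the problem.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-AdTcpPorts {
    param([string]$ComputerName, [System.Collections.IDictionary]$Ports)
    foreach ($port in $Ports.Keys) {
        # -WarningAction hides the per-port "TCP connect failed" warning;
        # the result object carries the outcome in TcpTestSucceeded.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $ComputerName
            Port    = $port
            Service = $Ports[$port]
            Open    = $r.TcpTestSucceeded
        }
    }
}

$dcs    = Get-DomainControllersFromDns -DomainName $Domain
$report = foreach ($dc in $dcs) { Test-AdTcpPorts -ComputerName $dc -Ports $AdTcpPorts }

$report | Format-Table -AutoSize

$blocked = @($report | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    $msg = '{0} port(s) not reachable; see the table above. A closed 135 means the dynamic RPC range cannot be used either.' -f $blocked.Count
    Write-Warning $msg
}
```

Run it from the subnet the firewall rule is meant to serve, not from the DC itself. A closed 135 with open 389/445 is the classic "logon works, replication and Group Policy RPC do not" symptom, and a closed 9389 only breaks the AD PowerShell module, not logon.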
Restricting Ports Across a Firewall
You also have the ability to restrict DC to DC replication traffic, and DC to client RPC communications, to specific ports. Which method you choose depends on which ports and services you want to restrict, and you must specify the correct ports for the correct service. Whichever method you pick, TCP 135 (the endpoint mapper) must stay open, because clients still ask it which port to connect to; the static port or narrowed range is simply what it hands back. The three methods are:
1. Method 1: set a static AD replication and Netlogon port in the registry
By default AD replication (DRSUAPI) and Netlogon RPC use a dynamic port from the ephemeral range, both when replicating from a DC in one site to another and when clients call them. This method pins each to a single static port, which is the narrowest opening you can give the firewall.
Procedure: modify the registry on each DC to select the static ports, then restart the DC:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, value "TCP/IP Port" (REG_DWORD): static port for AD replication
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, value "DCTcpipPort" (REG_DWORD): static port for Netlogon RPC
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196
2. Method 2: shrink the dynamic port range with netsh
This changes the dynamic (ephemeral) port range that the TCP/IP stack hands out, so every RPC service on the DC, AD included, gets a port from the range you specify, and the firewall only has to allow that range instead of the whole 49152-65535. Use the following examples to set a starting port and the number of ports after it to use (the Windows Vista/2008 default is start 49152 with 16384 ports; repeat the commands with ipv6 in place of ipv4 if IPv6 is in use):
netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/929851
3. Method 3: modify the RPC registry key
This restricts the ports the RPC runtime itself allocates, for all Windows RPC services on the machine, which also affects AD communications. The values live under the Internet subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
Ports (REG_MULTI_SZ): the port range(s) RPC may use, for example 5000-5100
PortsInternetAvailable (REG_SZ): Y
UseInternetPorts (REG_SZ): Y
A reboot is required for the change to take effect. Methods 2 and 3 overlap (both narrow the range RPC services end up on), so you normally use one or the other; in either case the chosen range, plus any static ports from Method 1, still has to be added to the firewall rules.
How to configure RPC dynamic port allocation to work with firewalls
http://support.microsoft.com/kb/154596/en-us
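The three methods above are registry values and netsh commands that are easy to get subtly wrong (a REG_SZ where a REG_DWORD is expected, a range that overlaps the static ports, a forgotten firewall rule). The following script is an added example, not code from the original post or from the KB articles it cites; it applies all three on the local DC in one pass, reads every setting back, and adds the matching inbound firewall rule. The port numbers are placeholders chosen for illustration, the script must run elevated on the DC, and a reboot is still needed afterwards for Methods 1 and 3.

```powershell
<#
  Added example, not from the original post or the Microsoft KB articles.
  Applies Method 1 (KB224196), Method 2 (KB929851) and Method 3 (KB154596)
  on the local DC and reads the result back.
  Assumptions: all port numbers are placeholders; run elevated on a DC;
  without -Apply the script only reports the current settings.
#>
param(
    [int]$NtdsPort     = 50000,   # placeholder: static port for AD replication (DRSUAPI)
    [int]$NetlogonPort = 50001,   # placeholder: static port for Netlogon RPC
    [int]$DynamicStart = 50100,   # placeholder: first port of the narrowed dynamic range
    [int]$DynamicCount = 1000,    # placeholder: size of the narrowed dynamic range
    [switch]$Apply
)

$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$RpcKey      = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$DynamicEnd  = $DynamicStart + $DynamicCount - 1

# The static ports must not sit inside the dynamic range, or RPC may hand the
# same port to another service and the pinned service fails to start.
if ($NtdsPort -ge $DynamicStart -and $NtdsPort -le $DynamicEnd -or
    $NetlogonPort -ge $DynamicStart -and $NetlogonPort -le $DynamicEnd) {
    throw "Static ports $NtdsPort/$NetlogonPort overlap the dynamic range $DynamicStart-$DynamicEnd"
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the value is not yet set.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Show-AdPortSettings {
    [pscustomobject]@{
        'NTDS TCP/IP Port'         = Get-RegValue $NtdsKey 'TCP/IP Port'
        'Netlogon DCTcpipPort'     = Get-RegValue $NetlogonKey 'DCTcpipPort'
        'RPC Internet Ports'       = (Get-RegValue $RpcKey 'Ports') -join ','
        'RPC UseInternetPorts'     = Get-RegValue $RpcKey 'UseInternetPorts'
        'TCP dynamic range (netsh)' = ((netsh int ipv4 show dynamicport tcp) -match 'Start Port|Number of Ports') -join '; '
    }
}

function Set-AdStaticPorts {
    # Method 1 (KB224196): pin replication and Netlogon RPC to one port each.
    Set-ItemProperty -Path $NtdsKey     -Name 'TCP/IP Port' -Value $NtdsPort     -Type DWord
    Set-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord

    # Method 2 (KB929851): narrow the stack's dynamic range, for IPv4 and IPv6.
    foreach ($family in 'ipv4', 'ipv6') {
        foreach ($proto in 'tcp', 'udp') {
            netsh int $family set dynamicport $proto start=$DynamicStart num=$DynamicCount | Out-Null
        }
    }

    # Method 3 (KB154596): tell the RPC runtime which ports it may allocate.
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    Set-ItemProperty -Path $RpcKey -Name 'Ports'                  -Value @("$DynamicStart-$DynamicEnd") -Type MultiString
    Set-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcKey -Name 'UseInternetPorts'       -Value 'Y' -Type String

    # None of this helps unless the host firewall lets the traffic in too.
    New-NetFirewallRule -DisplayName 'AD static and dynamic RPC ports (example)' `
        -Direction Inbound -Protocol TCP -Action Allow `
        -LocalPort @($NtdsPort, $NetlogonPort, "$DynamicStart-$DynamicEnd") | Out-Null
}

Write-Host 'Current settings:'
Show-AdPortSettings | Format-List

if ($Apply) {
    Set-AdStaticPorts
    Write-Host 'Settings after change:'
    Show-AdPortSettings | Format-List
    Write-Warning 'Reboot the DC for the NTDS and RPC registry changes to take effect, and give the network team the ports above.'
}
```

Run it once without `-Apply` to record the current state, then with `-Apply`. The overlap check at the top is the mistake worth guarding against: with Method 3 in place the RPC runtime can only hand out ports from the Internet range, so a static port inside that range will eventually collide with another service. DFSR SYSVOL replication is not covered by these registry values; on Windows Server 2012 and newer it takes a dynamic port unless pinned separately with `dfsrdiag StaticRPC`.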
Here are some related links to restricting AD replication ports.
Reference thread:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/76e8654a-fbba-49af-b6d6-e8d9d127bf03/
RODC Firewall Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx
RODC – "Read Only Domain Controllers" have their own port requirements

| Traffic | Type of Traffic |
|---|---|
| UDP 53 | DNS |
| TCP 53 | DNS |
| TCP 135 | RPC, EPM |
| TCP Static 53248 | FRsRpc |
| TCP 389 | LDAP |
| TCP and UDP Dynamic 1025-5000 | Windows 2000, Windows 2003, Windows XP ephemeral ports |
| TCP and UDP Dynamic 49152-65535 | Windows 2008, Windows Vista and all newer operating systems ephemeral ports |
Designing RODCs in the Perimeter Network
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196
Good discussion on RODC and firewall ports required:
http://forums.techarena.in/active-directory/1303925.htm
Further info on how RODC authentication works will help understand the ports:
Understanding "Read Only Domain Controller" authentication
http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx
Ref:http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/