
Active Directory Firewall Ports

DC to DC and DC to Client Communications Require Numerous Ports

There’s no secret to this. That’s the simplest I can put it.
And the list of ports required is long, to the dismay of the network infrastructure engineering teams that must open them: for AD to communicate, replicate, etc., these ports must be opened. There really isn’t much that can be done otherwise.

Here’s the list with an explanation of each port:

| Protocol and Port | AD and AD DS Usage | Type of traffic |
| --- | --- | --- |
| TCP 25 | Replication | SMTP |
| TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS |
| TCP 135 | Replication | RPC, EPM |
| TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution |
| TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 9389 | AD DS Web Services | SOAP |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
| UDP 123 | Windows Time, Trusts | Windows Time |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service |
| UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE |

And We Must Never Forget the Ephemeral Ports!!

And most of all, the ephemeral ports, also known as the “service response ports,” that are required for communications. These ports are dynamically allocated for session responses for each client that establishes a session (no matter what the ‘client’ may be) and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux, Unix and other operating systems as well. See the references section below to find out more on what ‘ephemeral’ means.

The following chart shows what the ephemeral ports are depending on the OS version, and what they are used for.

| OS version | Protocol and Port | Description |
| --- | --- | --- |
| Windows 2000, Windows XP and Windows 2003 | TCP & UDP 1024-5000 | Ephemeral Dynamic Service Response Ports |
| Windows 2008/Vista and newer | TCP & UDP 49152-65535 | Ephemeral Dynamic Service Response Ports |

| Protocol and Port | AD and AD DS Usage | Type of traffic |
| --- | --- | --- |
| TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM |

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:

| Protocol and Port | AD and AD DS Usage | Type of traffic |
| --- | --- | --- |
| TCP & UDP 1024-65535 | NT4 BDC to Windows 2000 or newer Domain Controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB |
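Once the firewall team has opened the list above, the quickest way to confirm it from a client or member server is to probe each static TCP port on a DC. The script below is an added example, not part of the original post; $DomainController is a placeholder you replace with a real DC name, and it assumes Windows 8/2012 or newer for Test-NetConnection.

```powershell
# Added example (not from the original post): verify the static AD TCP ports
# from the table above are reachable on one DC from this machine.
param(
    [string]$DomainController = 'dc01.example.local'   # placeholder, constructed for this example
)

# Static TCP ports from the table; the ephemeral range is a range of listeners,
# not a single port, so it is handled separately below.
$tcpPorts = @{
    25   = 'SMTP replication';    42   = 'WINS';            135  = 'RPC EPM'
    137  = 'NetBIOS name';        139  = 'NetBIOS session'; 389  = 'LDAP'
    636  = 'LDAP SSL';            3268 = 'LDAP GC';         3269 = 'LDAP GC SSL'
    88   = 'Kerberos';            53   = 'DNS';             445  = 'SMB'
    9389 = 'AD DS Web Services';  5722 = 'DFSR (SYSVOL)';   464  = 'Kerberos kpasswd'
}

$results = foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    # TcpTestSucceeded is $true only if the three-way handshake completed.
    $t = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $tcpPorts[$port]
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# A closed port that the table says is required is the one to raise with the firewall team.
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning ("TCP {0} ({1}) is blocked to {2}" -f $_.Port, $_.Service, $DomainController)
}

# UDP cannot be probed with a handshake; a functional DNS query over UDP 53 for the
# DC locator SRV record is the practical check for name resolution and DC discovery.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV -Server $DomainController

# Ephemeral range: confirm what the DC actually hands out matches what the firewall allows.
Invoke-Command -ComputerName $DomainController -ScriptBlock { netsh int ipv4 show dynamicport tcp }
```

Run it from the network segment whose firewall path you are validating, not from the DC itself, or the test never crosses the firewall.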

See, wasn’t that simple?


The Short list without port explanations:

| Protocol | Port |
| --- | --- |
| TCP | 25 |
| TCP | 42 |
| TCP | 135 |
| TCP | 137 |
| TCP | 139 |
| TCP and UDP | 389 |
| TCP | 636 |
| TCP | 3268 |
| TCP | 3269 |
| TCP and UDP | 88 |
| TCP and UDP | 53 |
| TCP and UDP | 445 |
| TCP | 9389 |
| TCP | 5722 |
| TCP and UDP | 464 |
| UDP | 123 |
| UDP | 137 |
| UDP | 138 |
| UDP | 67 |
| UDP | 2535 |
| TCP & UDP | 1024-5000 |
| TCP & UDP | 49152-65535 |

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDC:

The following ephemeral ports must be opened (yes, it’s pretty much the whole range):
TCP & UDP 1024-65535


Restricting Ports Across a Firewall

You also have the ability to restrict DC to DC replication traffic, and DC to client communications, to specific ports. Keep in mind that which method you use depends on what ports and services you want to restrict. When choosing this option, you must specify the correct ports for the correct service.

1. Method 1

This is used to set a specific AD replication port. By default, replication of data from a DC in one site to another uses a dynamic RPC port.
This is applicable for restricting AD replication to a specific port.
Procedure: modify the registry to select a static port under these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196

2. Method 2

This configures the dynamic (ephemeral) port range(s) on the server, which is the range you then allow in the Windows Firewall.
Netsh – use the following examples to set a starting port and the number of ports after it to use:
netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/929851

3. Modify the registry

This is for RPC communications of Windows services in general; it also affects AD communications.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
How to configure RPC dynamic port allocation to work with firewalls
http://support.microsoft.com/kb/154596/en-us
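The three methods above combine into one procedure on a DC: pin replication and Netlogon to static ports (Method 1), narrow the dynamic range (Method 2), then allow only those in the firewall. The script below is an added example, not from the original post or the linked KB articles; the port numbers 50000/50001 and the 10000-10999 range are placeholders to adjust to your environment, and it must run elevated on the DC.

```powershell
# Added example (not from the original post): restrict AD RPC traffic on a DC to known ports.
# Port values below are constructed placeholders; choose ports unused in your environment.
$ReplicationPort = 50000   # NTDS (DRSUAPI) replication listener, placeholder
$NetlogonPort    = 50001   # Netlogon RPC listener, placeholder
$DynStart        = 10000   # start of the narrowed dynamic range (from Method 2 above)
$DynCount        = 1000    # number of ports in that range

# Method 1: static ports via the registry keys named in the post.
# Value names 'TCP/IP Port' and 'DCTcpipPort' are those documented in KB224196.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $ReplicationPort -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord

# Method 2: narrow the dynamic range so remaining RPC endpoints land in a known window.
netsh int ipv4 set dynamicport tcp start=$DynStart num=$DynCount
netsh int ipv4 set dynamicport udp start=$DynStart num=$DynCount

# Firewall: allow inbound on the static ports plus the narrowed range, domain profile only.
# TCP 135 (EPM) must stay open, since clients ask the endpoint mapper for the static ports.
$rangeText = '{0}-{1}' -f $DynStart, ($DynStart + $DynCount - 1)
New-NetFirewallRule -DisplayName 'AD replication and Netlogon (static RPC)' -Direction Inbound `
    -Protocol TCP -LocalPort $ReplicationPort, $NetlogonPort -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'RPC dynamic range' -Direction Inbound `
    -Protocol TCP -LocalPort $rangeText -Action Allow -Profile Domain

# Verification after the services restart (a reboot is the simplest way): the DC should
# now listen on the pinned ports, and the dynamic range should report the narrowed window.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'TCP/IP Port'
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name 'DCTcpipPort'
Get-NetTCPConnection -State Listen -LocalPort $ReplicationPort, $NetlogonPort -ErrorAction SilentlyContinue
netsh int ipv4 show dynamicport tcp
```

Apply the same static ports on every DC in the replication topology before tightening the firewall, otherwise replication partners that still use the default dynamic range will be cut off.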


Here are some related links to restricting AD replication ports.

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

RODC – “Read only Domain Controllers” have their own port requirements

| Traffic | Type of Traffic |
| --- | --- |
| UDP 53 | DNS |
| TCP 53 | DNS |
| TCP 135 | RPC, EPM |
| TCP Static 53248 | FRsRpc |
| TCP 389 | LDAP |
| TCP and UDP Dynamic 1025-5000 | Windows 2000, Windows 2003, Windows XP Ephemeral Ports |
| TCP and UDP Dynamic 49152-65535 | Windows 2008, Windows Vista and all newer operating systems Ephemeral Ports |
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196

Good discussion on RODC and firewall ports required:
http://forums.techarena.in/active-directory/1303925.htm

Further info on how RODC authentication works will help in understanding the ports:
Understanding “Read Only Domain Controller” authentication
http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx

Ref: http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
