Skip to main content

Active Directory Firewall Ports

-

DC to DC and DC to client communications Require Numerous ports

There’s no secret to this. That’s the simplest I can put it.
And, the list of ports required is long, to the dismay of network infrastructure engineering teams that must bequest ports to allow AD to communicate, replicate, etc., these ports must be opened. There really isn’t much that can be done otherwise.

Here’s the list with an explanation of each port:

Protocol and Port
AD and AD DS UsageType of traffic 
TCP 25ReplicationSMTP
TCP 42If using WINS in a domain trust scenario offering NetBIOS resolutionWINS
TCP 135ReplicationRPC, EPM
TCP 137NetBIOS Name resolutionNetBIOS Name resolution
TCP 139User and Computer Authentication, ReplicationDFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389Directory, Replication, User and Computer Authentication, Group Policy, TrustsLDAP
TCP 636Directory, Replication, User and Computer Authentication, Group Policy, TrustsLDAP SSL
TCP 3268Directory, Replication, User and Computer Authentication, Group Policy, TrustsLDAP GC
TCP 3269Directory, Replication, User and Computer Authentication, Group Policy, TrustsLDAP GC SSL
TCP and UDP 88User and Computer Authentication, Forest Level TrustsKerberos
TCP and UDP 53User and Computer Authentication, Name Resolution, TrustsDNS
TCP and UDP 445Replication, User and Computer Authentication, Group Policy, TrustsSMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389AD DS Web ServicesSOAP
TCP 5722File ReplicationRPC, DFSR (SYSVOL)
TCP and UDP 464Replication, User and Computer Authentication, TrustsKerberos change/set password
   
UDP 123Windows Time, TrustsWindows Time
UDP 137 User and Computer AuthenticationNetLogon, NetBIOS Name Resolution
UDP 138DFS, Group Policy, NetBIOS Netlogon, BrowsingDFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535DHCP (Note: DHCP is not a core AD DS service but these ports may be necessary for other functions besides DHCP, such as WDS)DHCP, MADCAP, PXE

And We Must Never Forget the Ephemeral Ports!!

And most of all, the Ephemeral ports, or also known as the “service response ports,”that are required for communications. These ports are dynamically created for session responses for each client that establishes a session, (no matter what the ‘client’ may be), and not only to Windows, but to Linux and Unix as well.
See below in the references section to find out more on what ‘ephemeral’ means.are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux, Unix and other operating systems, as well. See below in the references section to find out more on what ‘ephemeral’ means.

The following chart shows what the ephemeral ports are depending on the OS version, and what they are used for.

Window 2003, Windows XP, and Windows 2000
TCP & UDP
1024-5000Ephemeral Dynamic Service Response Ports
Windows 2008/Vista and newerTCP & UDP 49152-65535Ephemeral Dynamic Service Response Ports
TCP Dynamic EphemeralReplication, User and Computer Authentication, Group Policy, TrustsRPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
UDP Dynamic EphemeralGroup PolicyDCOM, RPC, EPM

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:

TCP & UDP 1024 – 65535NT4 BDC to Windows 2000 or newer Domain controller PDC-E communicationsRPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB

See, wasn’t that simple?


The Short list without port explanations:

ProtocolPort
TCP25
TCP42
TCP135
TCP137
TCP139
TCP and UDP389
TCP636
TCP3268
TCP3269
TCP and UDP88
TCP and UDP53
TCP and UDP445
TCP9389
TCP5722
TCP and UDP464
UDP123
UDP137
UDP138
UDP67
UDP2535
TCP & UDP1024-5000
TCP & UDP49152-65535

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDC:

The following Ephemeral ports must be opened (yes, it’s pretty much the whole range):
TCP & UDP1024-65535

*

Restricting Ports Across a Firewall

You also have the ability to restrict DC to DC replication traffic, and DC to client communications, to a specific ports. Keep in mind, it also depends on what ports and services you’ll want to restrict. When choosing this option, you must specify the correct ports for the correct service.
It depends on what ports and services you want to restrict?

1. Method 1

This is to used to set the specific AD replication port. By default it uses dynamic port to replicate data from DC in one site to another.
This is applicable for restriction AD replication to a specific port range.
Procedure:  Modify registry to select a static port.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Restricting Active Directory replication traffic and client RPC traffic to a specific port
 http://support.microsoft.com/kb/224196

2. Method 2

This is for configuring the port range(s) in the Windows Firewall.
Netsh – use the following examples to set a starting port range, and number of ports after it to use
netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/929851

3. Modify the registry

This is for Windows services communications. It also affects AD communications.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
How to configure RPC dynamic port allocation to work with firewalls
 http://support.microsoft.com/kb/154596/en-us


Here are some related links to restricting AD replication ports.

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

RODC – “Read only Domain Controllers” have their own port requirements

Traffic
Type of Traffic
UDP 53 DNSDNS
TCP 53 DNSDNS
TCP 135 RPC, EPM
TCP Static 53248 FRsRpc
TCP 389 LDAP
TCP and UDP Dynamic
1025 – 5000		Windows 2000, Windows 2003, Windows XP Ephemeral Ports
TCP and UDP Dynamic 49152 – 65535Windows 2008, Windows Vista and all newer operating systems Ephemeral Ports
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196
Good discussion on RODC and firewall ports required:
http://forums.techarena.in/active-directory/1303925.htm
Further info on how RODC authentication works will help understand the ports:
Understanding “Read Only Domain Controller” authentication
http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx
Ref:http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

Comments

Post a Comment

Popular posts from this blog

Changes in Windows 2008 Active Directory

-
Active Directory Domain Services Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location. Auditing.  Changes made to Active Directory objects can be recorded so that you know what was changed on the object, as well as the previous and current values for the changed attributes. Fine-Grained Passwords.  Password policies can be configured for distinct groups within the domain. No longer does every account have to use the same password policy within the domain. Read-Only Domain Controller.  A domain controller with a read-only version of the Active Directory database can be deployed in environments where the security of
Read more

Windows Server Support Interview Questions and Answers (L1)

-
IIS • Fault-tolerant process architecture----- The IIS 6.0 fault-tolerant process architecture isolates Web sites and applications into self-contained units called application pools • Health Monitoring---- IIS 6.0 periodically checks the status of an application pool with automatic restart on failure of the Web sites and applications within that application pool, increasing application availability. IIS 6.0 protects the server, and other applications, by automatically disabling Web sites and applications that fail too often within a short amount of time • Automatic Process Recycling--- IIS 6.0 automatically stops and restarts faulty Web sites and applications based on a flexible set of criteria, including CPU utilization and memory consumption, while queuing requests • Rapid-fail Protection---- If an application fails too often within a short amount of time, IIS 6.0 will automatically disable it and return a "503 Service Unavailable" error message to any new or queued re
Read more

How to Write a Letter Requesting Sponsorship

-
Write the letter in proper format. Start with the title of the person you are addressing, the address, and date. Begin with a description of the company (if it's a corporate letter) or state who you are (if it's for personal sponsorship) For example, So and So firm is a nonprofit organization committed to rehabilitation... whatever. State the event and the purpose in lucid terms. "We are holding a ---- event on ----- for raising money/making a video/whatever the reason." Request sponsorship by saying "We would be grateful if you helped in sponsoring our event...". Try to give a plan, for example do you want a banner? An announcement? If it's a banner or the sort you could quote sizes and prices. This makes it easier for companies to select a sponsorship plan instead of trying to figure out what exactly you want and how much. Give details. For example, how many people are attending? Who will be the Chief Guest/guests, whether your event will be
Read more