Ports required for Active Directory
During a recent Active Directory implementation project, I went through the hassle of finding out which ports are needed to allow proper AD traffic to pass through a firewall. There are a few lists out there, but none of them totally conclusive. While I am not giving an absolute guarantee, my list started small opening a bare minimum of ports, and then through monitoring what requests were being blocked by the firewall, one by one opened up a few additional ports. Eventually we found what we needed and had no more blocked requests getting caught by the firewall.
NTP
- 123/udp
RPC Endpoint Mapper
- 135/tcp
135/udp
1024-65535/tcp (TCP high ports are needed for a few things, this just happens to be the first one on the list that required them so I placed them here)
NetBIOS
- 137/tcp
137/udp
139/tcp
SMB
- 445/tcp
445/udp
LDAP
- 389/tcp
636/tcp (SSL)
Global Catalog LDAP
- 3268/tcp
3269/tcp (SSL)
Kerberos
- 88/tcp
88/udp
DNS
- 53/tcp
53/udp
ICMP
- 8
13
15
17
Opening these ports allowed us to properly communicate and authenticate between a host and the primary Domain Controller. While there may be other ports you will open, such as 161 for SNMP traffic, this is not required for AD communication, but rather something extra you will open up on your network. I have included both another good list, granted with a few differences, such as WINS, which while required for older systems, is not required for AD working with newer hosts. The other link, goes to a Microsoft support article that talks in-depth about different ports to open, and describes different network services such as DHCP that again may be part of your installation, but are not required for for AD servers to communicate and authenticate with a host.
Additional AD Port Links