Geek Junk – The musings of just another Geek and his Junk

Ports required for Active Directory

06.04.2009 (6:44 pm) – Filed under: How To Guides

During a recent Active Directory implementation project, I went through the hassle of finding out which ports are needed to allow proper AD traffic to pass through a firewall. There are a few lists out there, but none of them is totally conclusive. While I am not giving an absolute guarantee, my list started small, opening a bare minimum of ports; then, by monitoring which requests the firewall was blocking, we opened a few additional ports one by one. Eventually we had what we needed, and no more requests were getting caught by the firewall.

NTP

    123/udp

RPC Endpoint Mapper

    135/tcp
    135/udp
    1024-65535/tcp (TCP high ports are needed for several services; this just happens to be the first item on the list that required them, so I placed them here)

NetBIOS

    137/tcp
    137/udp
    139/tcp

SMB

    445/tcp
    445/udp

LDAP

    389/tcp
    636/tcp (SSL)

Global Catalog LDAP

    3268/tcp
    3269/tcp (SSL)

Kerberos

    88/tcp
    88/udp

DNS

    53/tcp
    53/udp

ICMP

    type 8 (echo request)
    type 13 (timestamp request)
    type 15 (information request)
    type 17 (address mask request)

Opening these ports allowed a host and the primary Domain Controller to communicate and authenticate properly. There may be other ports you will open, such as 161 for SNMP traffic, but those are not required for AD communication; they are extras you open up for your own network. I have also included a link to another good list, granted with a few differences, such as WINS, which is required for older systems but not for AD working with newer hosts. The other link goes to a Microsoft support article that talks in depth about the different ports to open and describes network services such as DHCP that may be part of your installation but are not required for AD servers to communicate and authenticate with a host.

Additional AD Port Links
