Ports required for Active Directory

The Geek — Mon, 06 Apr 2009 23:44:01 +0000

During a recent Active Directory implementation project, I went through the hassle of finding out which ports are needed to allow proper AD traffic to pass through a firewall. There are a few lists out there, but none of them totally conclusive. While I am not giving an absolute guarantee, my list started small opening a bare minimum of ports, and then through monitoring what requests were being blocked by the firewall, one by one opened up a few additional ports. Eventually we found what we needed and had no more blocked requests getting caught by the firewall.

NTP

123/udp

RPC Endpoint Mapper

NetBIOS

SMB

LDAP

Global Catalog LDAP

Kerberos

DNS

ICMP

Opening these ports allowed us to properly communicate and authenticate between a host and the primary Domain Controller. While there may be other ports you will open, such as 161 for SNMP traffic, this is not required for AD communication, but rather something extra you will open up on your network. I have included both another good list, granted with a few differences, such as WINS, which while required for older systems, is not required for AD working with newer hosts. The other link, goes to a Microsoft support article that talks in-depth about different ports to open, and describes different network services such as DHCP that again may be part of your installation, but are not required for for AD servers to communicate and authenticate with a host.

Additional AD Port Links

Geeks With Blogs AD Ports Article

Microsoft AD Ports Article

Geek Junk » active directory ports

Ports required for Active Directory