One of the things every system administrator needs to know is how to secure their domain controllers. Alongside other techniques, this involves knowing the ports that Domain Controllers use on your network. Every admin should know the ports a Domain Controller requires, and more besides, so I decided to write them down and keep them for my own reference. If anyone finds this useful, please take it and share it.
In a perfect world you would have all your domain controllers in a separate subnet with only the ports required by the needed services open. Otherwise you can use Group Policy to configure Windows Firewall behaviour, and the ports that are open or blocked, and target that policy at your domain controllers. In either case you need to be very careful, because missing a single setting can bring your whole domain to a crawl.
Also note that the dynamic ports used by 2003 Domain Controllers start at 1025 and end at 5000, while Domain Controllers running 2008 and later use the range 49152 to 65535.
| Protocol and Port | AD and AD DS Usage | Type of traffic |
|---|---|---|
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 135 | Replication | RPC, EPM |
| TCP Dynamic * | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| UDP 123 | Windows Time, Trusts | Windows Time |
| UDP Dynamic ** | Group Policy | DCOM, RPC, EPM |
| UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service |
| TCP 9389 | AD DS Web Services | SOAP |
| UDP 67 and UDP 2535 | DHCP | DHCP, MADCAP |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
| TCP and UDP 1025-5000 | Remote procedure call (RPC) dynamic port range, 2003 Domain Controllers | RPC |
| TCP and UDP 49152-65535 | Remote procedure call (RPC) dynamic port range, 2008 Domain Controllers and up | RPC |
| TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |

\* TCP Dynamic: 1025-5000 on 2003 Domain Controllers; 49152-65535 on 2008 Domain Controllers and up.
\*\* UDP Dynamic: 1025-5000 on 2003 Domain Controllers; 49152-65535 on 2008 Domain Controllers and up.
\*\*\* Clients use any of the ephemeral ports 49152-65535 to connect to the server-side ports.
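As an added example (not from the original post), the following PowerShell turns the table above into data that both creates the inbound Windows Firewall rules the Group Policy paragraph talks about and audits the DC for TCP listeners outside that documented set. It assumes an elevated session on a Windows Server 2008 or later DC (so the 49152-65535 dynamic range), leaves out the role-specific DHCP and WINS rows, and the rule group name `DC Required Ports` is an arbitrary choice.

```powershell
# Added example, not from the original post: encode the DC ports from the table above
# as data, create inbound Windows Firewall rules for them under one rule group, and
# report any TCP listener on the DC that is outside that documented set.
# Assumptions: run elevated on a Windows Server 2008 or later DC (dynamic RPC range
# 49152-65535); the rule group name 'DC Required Ports' is arbitrary.
$Group = 'DC Required Ports'
$Rules = @(
    @{ Name = 'LDAP';                Protocol = 'TCP'; Port = '389' },
    @{ Name = 'LDAP';                Protocol = 'UDP'; Port = '389' },
    @{ Name = 'LDAP SSL';            Protocol = 'TCP'; Port = '636' },
    @{ Name = 'LDAP GC';             Protocol = 'TCP'; Port = '3268' },
    @{ Name = 'LDAP GC SSL';         Protocol = 'TCP'; Port = '3269' },
    @{ Name = 'Kerberos';            Protocol = 'TCP'; Port = '88' },
    @{ Name = 'Kerberos';            Protocol = 'UDP'; Port = '88' },
    @{ Name = 'Kerberos kpasswd';    Protocol = 'TCP'; Port = '464' },
    @{ Name = 'Kerberos kpasswd';    Protocol = 'UDP'; Port = '464' },
    @{ Name = 'DNS';                 Protocol = 'TCP'; Port = '53' },
    @{ Name = 'DNS';                 Protocol = 'UDP'; Port = '53' },
    @{ Name = 'SMB';                 Protocol = 'TCP'; Port = '445' },
    @{ Name = 'RPC Endpoint Mapper'; Protocol = 'TCP'; Port = '135' },
    @{ Name = 'RPC Dynamic';         Protocol = 'TCP'; Port = '49152-65535' },
    @{ Name = 'RPC Dynamic';         Protocol = 'UDP'; Port = '49152-65535' },
    @{ Name = 'DFSR SYSVOL';         Protocol = 'TCP'; Port = '5722' },
    @{ Name = 'Windows Time';        Protocol = 'UDP'; Port = '123' },
    @{ Name = 'NetBIOS Name';        Protocol = 'UDP'; Port = '137' },
    @{ Name = 'NetBIOS Datagram';    Protocol = 'UDP'; Port = '138' },
    @{ Name = 'NetBIOS Session';     Protocol = 'TCP'; Port = '139' },
    @{ Name = 'AD DS Web Services';  Protocol = 'TCP'; Port = '9389' }
)
# One inbound allow rule per row, Domain profile only; -LocalPort accepts "low-high" ranges.
foreach ($r in $Rules) {
    $display = "$Group - $($r.Name) ($($r.Protocol) $($r.Port))"
    if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $display -Group $Group -Direction Inbound `
            -Action Allow -Protocol $r.Protocol -LocalPort $r.Port -Profile Domain | Out-Null
    }
}
# Detection side: expand the TCP rows (including the range) and flag any other listener.
$expectedTcp = $Rules | Where-Object { $_.Protocol -eq 'TCP' } | ForEach-Object {
    if ($_.Port -match '^(\d+)-(\d+)$') { ([int]$Matches[1])..([int]$Matches[2]) }
    else { [int]$_.Port }
}
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -notin $expectedTcp } |
    Select-Object LocalAddress, LocalPort, OwningProcess -Unique |
    Sort-Object LocalPort
```

Windows Server already ships predefined Active Directory Domain Services firewall rule groups, so the value of the first half is mainly as a checklist for a custom GPO; the listener audit at the end is what tells you when something on a DC is listening where the table says nothing should.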
Ace Fekay has also published a comprehensive review of the ports a Domain Controller requires.