Complete List Of Ports For Domain Controllers


One of the things every system administrator needs to know is how to secure their domain controllers. Alongside other techniques, that means knowing the ports used by the Domain Controllers on your network. Every admin needs to know the ports Domain Controllers require, and more. So I decided to write it down and keep it for my own reference; if anyone finds it useful, please take it and share it.

In a perfect world you would have all your domain controllers in a separate subnet, with only the ports needed for the required services open. Otherwise you can use Group Policy to configure the Windows Firewall behavior and the ports that are open or blocked, targeting your domain controllers. In either case you need to be very careful, because a single missing setting can bring your whole domain to a crawl.

Also note that the dynamic ports used by 2003 Domain Controllers start at 1025 and end at 5000, while the dynamic ports used by 2008 and later Domain Controllers fall in the range 49152 to 65535.

| Protocol and Port | AD and AD DS Usage | Type of traffic |
|---|---|---|
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 25 | Replication | SMTP |
| TCP 135 | Replication | RPC, EPM |
| TCP Dynamic * | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| UDP 123 | Windows Time, Trusts | Windows Time |
| UDP Dynamic ** | Group Policy | DCOM, RPC, EPM |
| UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service |
| TCP 9389 | AD DS Web Services | SOAP |
| UDP 67 and UDP 2535 | DHCP | DHCP, MADCAP |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
| TCP and UDP 1025-5000 | Remote procedure call (RPC) ports | 2003 Domain Controllers |
| TCP and UDP 49152-65535 | Remote procedure call (RPC) ports | 2008 Domain Controllers and up |
| TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |

\* TCP Dynamic – 1025-5000 on 2003 Domain Controllers | 49152-65535 on 2008 Domain Controllers and up
\*\* UDP Dynamic – 1025-5000 on 2003 Domain Controllers | 49152-65535 on 2008 Domain Controllers and up
\*\*\* Clients use any of the ephemeral ports 49152-65535 to connect to the server-side ports
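To turn the table above into something you can check against a live domain controller, here is an added PowerShell example (not code from the original post). It encodes the static server-side rows as data, reads the machine's actual dynamic RPC range instead of assuming one, reports every listening port as expected, in the dynamic range, or unexpected, and can emit the matching inbound Windows Firewall rules. It assumes an elevated session on a Windows Server 2012 or later DC where the NetTCPIP and NetSecurity modules exist; the rows for SMTP replication, DHCP and WINS are deliberately left out of the data because those only apply when the DC also hosts those roles. The `$RemoteAddress` default of `Any` is an assumption for you to narrow to your client and DC subnets.

```powershell
# Added example, not part of the original post. Encodes the DC port table as data,
# audits what this host really listens on, and optionally creates firewall rules.
# Requires an elevated session; uses Get-NetTCPConnection, Get-NetUDPEndpoint,
# New-NetFirewallRule and netsh, all present on Windows Server 2012 and later.

# Static server-side ports from the table. SMTP (25), DHCP (67/2535) and WINS (42)
# are omitted on purpose: add them only if the DC hosts those roles.
$DcPorts = @(
    @{ Proto = 'TCP'; Port = '389';  Name = 'LDAP' }
    @{ Proto = 'UDP'; Port = '389';  Name = 'LDAP' }
    @{ Proto = 'TCP'; Port = '636';  Name = 'LDAP SSL' }
    @{ Proto = 'TCP'; Port = '3268'; Name = 'LDAP GC' }
    @{ Proto = 'TCP'; Port = '3269'; Name = 'LDAP GC SSL' }
    @{ Proto = 'TCP'; Port = '88';   Name = 'Kerberos' }
    @{ Proto = 'UDP'; Port = '88';   Name = 'Kerberos' }
    @{ Proto = 'TCP'; Port = '464';  Name = 'Kerberos change/set password' }
    @{ Proto = 'UDP'; Port = '464';  Name = 'Kerberos change/set password' }
    @{ Proto = 'TCP'; Port = '53';   Name = 'DNS' }
    @{ Proto = 'UDP'; Port = '53';   Name = 'DNS' }
    @{ Proto = 'TCP'; Port = '445';  Name = 'SMB' }
    @{ Proto = 'UDP'; Port = '445';  Name = 'SMB' }
    @{ Proto = 'TCP'; Port = '135';  Name = 'RPC Endpoint Mapper' }
    @{ Proto = 'TCP'; Port = '5722'; Name = 'DFSR (SYSVOL)' }
    @{ Proto = 'UDP'; Port = '123';  Name = 'Windows Time' }
    @{ Proto = 'UDP'; Port = '137';  Name = 'NetBIOS Name Service' }
    @{ Proto = 'UDP'; Port = '138';  Name = 'NetBIOS Datagram Service' }
    @{ Proto = 'TCP'; Port = '139';  Name = 'NetBIOS Session Service' }
    @{ Proto = 'TCP'; Port = '9389'; Name = 'AD DS Web Services' }
)

function Get-RpcDynamicRange {
    # Read the configured dynamic range rather than assuming 49152-65535, so a host
    # where the range was narrowed (a common DC hardening step) is audited correctly.
    param([ValidateSet('tcp', 'udp')] [string]$Protocol = 'tcp')
    $text  = netsh int ipv4 show dynamicport $Protocol | Out-String
    $start = [int]([regex]::Match($text, 'Start Port\s*:\s*(\d+)').Groups[1].Value)
    $count = [int]([regex]::Match($text, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value)
    [pscustomobject]@{ Start = $start; End = $start + $count - 1 }
}

function Test-DcListeners {
    # Classify every listening socket: a known table entry, the dynamic RPC range,
    # or something unexpected that deserves a look before a firewall policy is applied.
    param([Parameter(Mandatory)] [array]$Expected)
    $known = @{}
    foreach ($e in $Expected) { $known["$($e.Proto)/$($e.Port)"] = $e.Name }
    $tcpRange = Get-RpcDynamicRange -Protocol tcp
    $udpRange = Get-RpcDynamicRange -Protocol udp

    $sockets  = @()
    $sockets += Get-NetTCPConnection -State Listen |
        ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; Port = [int]$_.LocalPort } }
    $sockets += Get-NetUDPEndpoint |
        ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; Port = [int]$_.LocalPort } }

    foreach ($s in ($sockets | Sort-Object Proto, Port -Unique)) {
        $range  = if ($s.Proto -eq 'TCP') { $tcpRange } else { $udpRange }
        $status = if ($known.ContainsKey("$($s.Proto)/$($s.Port)")) {
            'expected: ' + $known["$($s.Proto)/$($s.Port)"]
        } elseif ($s.Port -ge $range.Start -and $s.Port -le $range.End) {
            'dynamic RPC range'
        } else {
            'UNEXPECTED: investigate before allowing'
        }
        [pscustomobject]@{ Protocol = $s.Proto; Port = $s.Port; Status = $status }
    }
}

function New-DcFirewallRules {
    # Create inbound Domain-profile rules for the table rows plus the live dynamic
    # range. Runs as -WhatIf unless -Apply is given, so it is safe to preview first.
    param(
        [Parameter(Mandatory)] [array]$Ports,
        [string[]]$RemoteAddress = 'Any',   # assumption: narrow to your client/DC subnets
        [switch]$Apply
    )
    $rows = @($Ports)
    foreach ($proto in 'TCP', 'UDP') {
        $r = Get-RpcDynamicRange -Protocol $proto.ToLower()
        $rows += @{ Proto = $proto; Port = "$($r.Start)-$($r.End)"; Name = 'RPC dynamic range' }
    }
    foreach ($p in $rows) {
        New-NetFirewallRule -DisplayName "DC - $($p.Name) ($($p.Proto) $($p.Port))" `
            -Direction Inbound -Protocol $p.Proto -LocalPort $p.Port `
            -RemoteAddress $RemoteAddress -Action Allow -Profile Domain `
            -WhatIf:(-not $Apply) | Out-Null
    }
}

# Usage: audit first, then preview the rules, then apply once the audit is clean.
Test-DcListeners -Expected $DcPorts | Format-Table -AutoSize
New-DcFirewallRules -Ports $DcPorts
# New-DcFirewallRules -Ports $DcPorts -RemoteAddress '10.0.0.0/8' -Apply
```

Run the audit before pushing any firewall policy: anything reported as UNEXPECTED is either a role the table does not cover (DHCP, WINS, SMTP replication, monitoring agents) or something that should not be listening on a domain controller, and you want to know which before the rules lock it in or out. If you deploy the rules through Group Policy rather than locally, the same table drives the policy; the point of reading the dynamic range from the host is that the GPO range and the registry range must agree, or RPC-based replication and Group Policy processing will break.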

There is also a comprehensive review of the ports Domain Controllers require from Ace Fekay here.
