Which Ports need to be accessible on a Domain Controller for Clients to logon?


Solution 1

tcp/53 DNS
tcp/88 Kerberos
tcp/135 RPC
tcp/445 SYSVOL share
tcp/389 LDAP
tcp/464 Kerberos password (Mac/Unix clients)
tcp/636 LDAP SSL (if the domain controllers have/need/use certificates)
tcp/1688 KMS (if KMS is used; not necessarily AD, but the SRV record is in AD and clients need to communicate with the KMS)
tcp/3268 LDAP GC
tcp/3269 LDAP GC SSL (if the domain controllers have/need/use certificates)
tcp/49152 through 65535 (Windows Vista/2008 and higher), aka "high ports"

udp/53 DNS
udp/88 Kerberos
udp/123 time
udp/135 RPC
udp/389 LDAP
udp/445 SYSVOL share

You can minimize the high-port range by configuring a static RPC port for Active Directory.

Restricting Active Directory RPC traffic to a specific port
https://support.microsoft.com/en-us/kb/224196

It's usually a good idea to force Kerberos to use only TCP, particularly if you have a large, complex network, or if accounts are members of a large number of groups (large token size).

How to force Kerberos to use TCP instead of UDP in Windows
https://support.microsoft.com/en-us/kb/244474
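The allowlist above, the KB 224196 static-RPC-port idea, and the shorter list in Solution 2 can be turned into something checkable. The following is an added example, not code from either answer or from Microsoft: it models the Solution 1 port list as rules, lets you replace the dynamic RPC range with one pinned port, and probes a DC for the TCP ports a client subnet needs. The hostname dc01.example.internal, the pinned port 38901 and the loopback listener used for self-testing are constructed for illustration.

```python
"""Client-to-DC port allowlist from Solution 1, as a checkable model.

Added example, not code from the original answers. Port numbers and purposes
are taken from the answer; the DC hostname, the pinned RPC port and the local
listener used for self-testing are constructed for illustration.
"""
import socket
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortRule:
    proto: str       # "tcp" or "udp"
    first: int       # first port covered by the rule
    last: int        # last port covered (== first for a single port)
    purpose: str
    optional: bool = False   # only needed in some deployments (LDAPS, KMS)


# The allowlist from Solution 1: what a client subnet needs towards the DCs.
CLIENT_TO_DC: List[PortRule] = [
    PortRule("tcp", 53, 53, "DNS"),
    PortRule("tcp", 88, 88, "Kerberos"),
    PortRule("tcp", 135, 135, "RPC endpoint mapper"),
    PortRule("tcp", 389, 389, "LDAP"),
    PortRule("tcp", 445, 445, "SMB (SYSVOL share)"),
    PortRule("tcp", 464, 464, "Kerberos password change"),
    PortRule("tcp", 636, 636, "LDAP over SSL", optional=True),
    PortRule("tcp", 1688, 1688, "KMS activation", optional=True),
    PortRule("tcp", 3268, 3268, "LDAP Global Catalog"),
    PortRule("tcp", 3269, 3269, "LDAP Global Catalog over SSL", optional=True),
    PortRule("tcp", 49152, 65535, "RPC dynamic range (Vista/2008 and later)"),
    PortRule("udp", 53, 53, "DNS"),
    PortRule("udp", 88, 88, "Kerberos"),
    PortRule("udp", 123, 123, "NTP time sync"),
    PortRule("udp", 135, 135, "RPC"),
    PortRule("udp", 389, 389, "LDAP (DC locator)"),
    PortRule("udp", 445, 445, "SYSVOL share (as listed in the answer)"),
]


def permitted(rules: List[PortRule], proto: str, port: int) -> Optional[PortRule]:
    """Return the rule that allows (proto, port), or None if the firewall should drop it."""
    for rule in rules:
        if rule.proto == proto and rule.first <= port <= rule.last:
            return rule
    return None


def with_static_rpc_port(rules: List[PortRule], static_port: int) -> List[PortRule]:
    """Model KB 224196: pin AD's RPC port so the wide dynamic range can be closed.

    The replacement port number is the administrator's choice (constructed by the caller).
    """
    kept = [r for r in rules
            if not (r.proto == "tcp" and r.first == 49152 and r.last == 65535)]
    kept.append(PortRule("tcp", static_port, static_port, "AD RPC (static, KB 224196)"))
    return kept


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes (the firewall lets it through)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_tcp(host: str, rules: List[PortRule], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every single-port TCP rule against a DC; ranges are skipped. Returns {port: reachable}."""
    return {r.first: tcp_open(host, r.first, timeout)
            for r in rules if r.proto == "tcp" and r.first == r.last}


def local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for an open DC port: an ephemeral loopback listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    dc = "dc01.example.internal"   # constructed hostname; replace with a real DC
    rules = with_static_rpc_port(CLIENT_TO_DC, 38901)   # 38901 is a made-up pinned port
    for port, reachable in sorted(audit_tcp(dc, rules).items()):
        rule = permitted(rules, "tcp", port)
        print(f"tcp/{port:<5} {rule.purpose:<42} {'open' if reachable else 'BLOCKED'}")
```

Run from a client subnet, the audit shows which of the listed TCP ports the firewall actually lets through to the DC; UDP ports and the RPC range are not probed, because a UDP probe cannot distinguish a silently dropped packet from a closed port. Once the static port from KB 224196 is configured on the DCs, `with_static_rpc_port` reflects the tighter rule set the firewall should carry.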

Solution 2

The client will need to access Kerberos, so that's TCP 88. Then there is the Global Catalogue service, so that's TCP 3268. There is the KPassword service, TCP 464 (this allows password changes). Then there is the LDAP port, TCP 389; clients still need to access this to help locate domain controllers.

There are also UDP ports for Kerberos (88) and KPassword (464). I am not sure if these are needed or not; try without them first.


Author: davidb

I'm an IT specialist from Germany who's generally doing Debian Linux/Win2012/Win2016 server administration and Ruby On Rails development for a research institute at the University of Bremen. I'm also very interested in security-related topics, especially network, wireless and web application security.

Updated on September 18, 2022

Comments

  • davidb (almost 2 years)

    We are currently segmenting our network. We will move the servers to a different subnet from the clients. Of course the clients still need access to the domain controller to authenticate against it.

    I found various articles about the ports that need to be accessible between the domain controllers to allow replication but none about the ports that are important for the clients. I'm pretty sure the client won't directly access the LDAP database for example and I want to reduce the attack surface as much as possible.

    So which ports are needed for a client to be able to work with a domain controller?

  • Pep (about 8 years)
    What about DNS ports TCP and UDP 53? DCs are often the DNS for domain joined machines.
  • Michael Brown (about 8 years)
    Sorry, I was just thinking of AD, but yes, if the DC is the DNS server as well then you would need UDP port 53. That's the port clients send queries on. TCP 53 is for DNS-to-DNS comms, zone transfers etc.
  • davidb (about 8 years)
    Thank you for your excellent answer! This does spare me some time in front of Wireshark.^^