1

We have a 100% isolated environment that needs to communicate with our AD infrastructure outside the isolated environment. I need to know all the ports and whether they're incoming or outgoing. These are the ports I've gathered so far. Can anyone help adding any that might be missing and the inbound / outbound direction. Thanks so much! (These are separated via physical firewall).

  • TCP 135 : MS-RPC
  • TCP 1025 & 1026 : AD Login & replication
  • TCP 389 : LDAP
  • TCP & UDP 53 : DNS
  • TCP 445 : SMB , Microsoft-ds
  • TCP 139 : SMB
  • UDP 137 & 138 : NetBIOS related
  • UDP 88 : Kerberos v5
  • TCP 636: Secure LDAP
  • TCP 3269: Secure LDAP
user335185
  • 21
  • 1
  • 3
  • 2
    This should help https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx and http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/ – user2320464 Feb 02 '16 at 03:05
  • Any indication if these ports need to be bi-directional, or how can I convince our networking team to open them? They always want to know inbound or outbound? – user335185 Feb 02 '16 at 10:39

1 Answers1

2

This is the document you are looking for: Active Directory and Active Directory Domain Services Port Requirements

Default dynamic port range

In a domain that consists of Windows Server® 2003–based domain controllers, the default dynamic port range is 1025 through 5000. Windows Server 2008 R2 and Windows Server 2008, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic port range for connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 R2 and Windows Server 2008 server and Windows Server 2003, allow traffic through ports 1025 through 5000 and 49152 through 65535.

When you see “TCP Dynamic” in the Protocol and Port column in the following table, it refers to ports 1025 through 5000, the default port range for Windows Server 2003, and ports 49152 through 65535, the default port range beginning with Windows Server 2008.

.

Communication to Domain Controllers

The following table lists the port requirements for establishing DC to DC communication in all versions of Windows Sever beginning with Windows Server 2003.

Additional ports are required for communication between a read-only domain controller (RODC) and a writeable DC.

Protocol and Port: TCP and UDP 389
AD and AD DS Usage: Directory, Replication, User and Computer Authentication, Group Policy, Trusts
Type of Traffic: LDAP

Protocol and Port: TCP 636
AD and AD DS Usage: Directory, Replication, User and Computer Authentication, Group Policy, Trusts
Type of Traffic: LDAP SSL

Protocol and Port: TCP 3268
AD and AD DS Usage: Directory, Replication, User and Computer Authentication, Group Policy, Trusts
Type of Traffic: LDAP GC

Protocol and Port: TCP 3269
AD and AD DS Usage: Directory, Replication, User and Computer Authentication, Group Policy, Trusts
Type of Traffic: LDAP GC SSL

Protocol and Port: TCP and UDP 88
AD and AD DS Usage: User and Computer Authentication, Forest Level Trusts
Type of Traffic: Kerberos

Protocol and Port: TCP and UDP 53
AD and AD DS Usage: User and Computer Authentication, Name Resolution, Trusts
Type of Traffic: DNS

Protocol and Port: TCP and UDP 445
AD and AD DS Usage: Replication, User and Computer Authentication, Group Policy, Trusts
Type of Traffic: SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc

Protocol and Port: TCP 25
AD and AD DS Usage: Replication
Type of Traffic: SMTP

Protocol and Port: TCP 135
AD and AD DS Usage: Replication
Type of Traffic: RPC, EPM

Protocol and Port: TCP Dynamic
AD and AD DS Usage: Replication, User and Computer Authentication, Group Policy, Trusts
Type of Traffic: RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS

Protocol and Port: TCP 5722
AD and AD DS Usage: File Replication
Type of Traffic: RPC, DFSR (SYSVOL)

Protocol and Port: UDP 123
AD and AD DS Usage: Windows Time, Trusts
Type of Traffic: Windows Time

Protocol and Port: TCP and UDP 464
AD and AD DS Usage: Replication, User and Computer Authentication, Trusts
Type of Traffic: Kerberos change/set password

Protocol and Port: UDP Dynamic
AD and AD DS Usage: Group Policy
Type of Traffic: DCOM, RPC, EPM

Protocol and Port: UDP 138
AD and AD DS Usage: DFS, Group Policy
Type of Traffic: DFSN, NetLogon, NetBIOS Datagram Service

Protocol and Port: TCP 9389
AD and AD DS Usage: AD DS Web Services
Type of Traffic: SOAP

Protocol and Port: UDP 67 and UDP 2535
AD and AD DS Usage: DHCP (DHCP is not a core AD DS service but it is often present in many AD DS deployments.)
Type of Traffic: DHCP, MADCAP

Protocol and Port: UDP 137
AD and AD DS Usage: User and Computer Authentication,
Type of Traffic: NetLogon, NetBIOS Name Resolution

Protocol and Port: TCP 139
AD and AD DS Usage: User and Computer Authentication, Replication
Type of Traffic: DFSN, NetBIOS Session Service, NetLogon

Daniel
  • 6,940
  • 6
  • 33
  • 64
  • 1
    how can i tell if these ports need to be inbound or outbound? sorry if I'm not following. – user335185 Feb 03 '16 at 04:40
  • The firewall guys should know what to do when you send them the article, or they probably look for ways of avoiding to change anything... But packets to those ports must be accepted. The sending host almost always uses a random source port to send data to a destination port. – Daniel Feb 03 '16 at 05:12
  • In my case, they don't want to do anything. They want to know exactly what needs to be inbound and outbound and make my life miserable. – user335185 Feb 03 '16 at 06:56
  • I just told you what is inbound and outbound. If you expect me to got through the list for you and give you a full explanation on every item, then you expect to much. – Daniel Feb 03 '16 at 07:08
  • If you did tell me what was inbound or outbound I don't follow. If you could give me an example, that would be helpful. I have an environment that is currently in an isolated bubble completely blocked with no ports allowed. We need to communicate with AD outside the bubble, so our network admins wants to know the exact ports we need and if they need to be outbound from the bubble, bi-directional, or inbound to the bubble. I really don't think I'm expecting too much, that's why I came here for help. – user335185 Feb 05 '16 at 05:08