AD-Related Ports
Active Directory communications involve a number of ports, some of which are more familiar to network and security administrators than others. These were outlined in the Active Directory Replication over Firewalls article by Steve Riley:
· RPC endpoint mapper: port 135 TCP, UDP
· NetBIOS name service: port 137 TCP, UDP
· NetBIOS datagram service: port 138 UDP
· NetBIOS session service: port 139 TCP
· SMB over IP (Microsoft-DS): port 445 TCP, UDP
· LDAP: port 389 TCP, UDP
· LDAP over SSL: port 636 TCP
· Global catalog LDAP: port 3268 TCP
· Global catalog LDAP over SSL: port 3269 TCP
· Kerberos: port 88 TCP, UDP
· DNS: port 53 TCP, UDP
· WINS resolution: port 1512 TCP, UDP
· WINS replication: port 42 TCP, UDP
· RPC: dynamically-assigned ports TCP, unless restricted
For a full listing of AD-related services, see Microsoft's support article 832017, Service Overview and Network Port Requirements for the Windows Server System.
Which of these ports actually need to be allowed through the firewall depends on the scenario you're implementing and on your environment. For instance, support for NetBIOS services may be unnecessary where you have newer Windows systems that support the SMB over IP protocol. Similarly, newer Windows environments use DNS instead of WINS for name resolution.
AD Replication
The ports that need to be open to facilitate cross-firewall AD replication differ, depending on the versions of Microsoft Windows in your environment. Microsoft provides OS-specific guidelines in its Active Directory and Active Directory Domain Services Port Requirements article. For instance, replication between servers that use Windows 2000 or 2003 requires the following ports to be open bidirectionally on the firewall that's between the servers:
· RPC endpoint mapper: port 135 TCP
· LDAP: port 389 TCP, UDP
· LDAP over SSL: port 636 TCP
· Global catalog LDAP: port 3268 TCP
· Global catalog LDAP over SSL: port 3269 TCP
· DNS: port 53 TCP, UDP
· Kerberos: port 88 TCP, UDP
· SMB over IP (Microsoft-DS): port 445 TCP
· RPC: dynamically-assigned ports TCP, unless restricted
To restrict the use of RPC ports, follow the instructions in Microsoft's support article 224196, Restricting Active Directory Replication Traffic and Client RPC Traffic to a Specific Port, and the TechNet blog entry Dynamic Client Ports in Windows Server 2008 and Windows Vista.
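To confirm that a firewall between two domain controllers actually passes the replication ports listed above, the following PowerShell script (an added example, not code from the original article or from Microsoft) probes each TCP port from one DC toward its peer; run it from each side, since the rules must be open bidirectionally. The parameter names $PeerDc and $StaticRpcPort are assumptions; the latter is only meaningful if replication RPC has been pinned to a single port as described in article 224196.

```powershell
# Added example. Run on a domain controller, pointing $PeerDc at the DC on the
# far side of the firewall. $StaticRpcPort (hypothetical name) is the port you
# pinned AD replication RPC to per KB 224196; leave it at 0 to skip that check.
param(
    [Parameter(Mandatory = $true)] [string] $PeerDc,
    [int] $StaticRpcPort = 0
)

# TCP ports the article lists for Windows 2000/2003 replication. The UDP side of
# DNS, Kerberos and LDAP cannot be probed this way and needs a rule review instead.
$replicationPorts = @(
    @{ Name = 'RPC endpoint mapper';          Port = 135  },
    @{ Name = 'LDAP';                         Port = 389  },
    @{ Name = 'LDAP over SSL';                Port = 636  },
    @{ Name = 'Global catalog LDAP';          Port = 3268 },
    @{ Name = 'Global catalog LDAP over SSL'; Port = 3269 },
    @{ Name = 'DNS';                          Port = 53   },
    @{ Name = 'Kerberos';                     Port = 88   },
    @{ Name = 'SMB over IP (Microsoft-DS)';   Port = 445  }
)

# Without a static RPC port the dynamic range cannot be enumerated in advance,
# so only the endpoint mapper (135) above is testable for the RPC leg.
if ($StaticRpcPort -gt 0) {
    $replicationPorts += @{ Name = 'AD replication RPC (static)'; Port = $StaticRpcPort }
}

$results = foreach ($svc in $replicationPorts) {
    # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false.
    $open = Test-NetConnection -ComputerName $PeerDc -Port $svc.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $svc.Name; Port = $svc.Port; TcpOpen = $open }
}

$results | Format-Table -AutoSize

# Summarise anything the firewall (or the peer) is not accepting.
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Service)/$($_.Port)" }) -join ', '
    Write-Warning "TCP ports not reachable toward ${PeerDc}: $list"
} else {
    Write-Output "All listed replication TCP ports are reachable toward $PeerDc."
}
```

A port that shows as closed here may be blocked by the firewall or simply not listening on the peer (for example 3268/3269 on a DC that is not a global catalog server), so check the peer's role before changing rules.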
Authentication to AD
AD uses the following ports to support user and computer authentication, according to the Active Directory and Active Directory Domain Services Port Requirements article:
· SMB over IP (Microsoft-DS): port 445 TCP, UDP
· Kerberos: port 88 TCP, UDP
· LDAP: port 389 UDP
· DNS: port 53 TCP, UDP
· RPC: dynamically-assigned ports TCP, unless restricted