List of Active Directory ports | ADManager Plus
What are Active Directory ports?
Active Directory (AD) ports are the network ports on which AD services listen and talk to one another so that the directory as a whole functions. They carry critical traffic such as replication between domain controllers and the authentication of users and computers. For example, port 389 carries LDAP queries to AD, and port 135 (the RPC Endpoint Mapper) lets clients locate the RPC services that domain controllers offer. If these ports are blocked, the domain and every service that depends on it stops working, so configuring them correctly is essential for the reliable operation, security, and troubleshooting of any Windows-based enterprise environment.
Ports required for Active Directory communication
The following are essential ports that must be open in your firewall for proper communication between client devices, domain controllers, and related services. Some ports utilize both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) depending on the service requirements.
Active Directory authentication ports
These ports are necessary for user logon, password changes, and validation of identities within the domain.
| Port | Protocol | What the port is used for |
|---|---|---|
| 88 | TCP/UDP | Kerberos authentication: Handles Kerberos ticket exchanges, which provide secure, mutual authentication for users and computers within an AD domain. |
| 389 | TCP/UDP | LDAP: Supports directory service queries and updates using the Lightweight Directory Access Protocol (LDAP) without encryption. |
| 636 | TCP | LDAP over SSL (LDAPS): Provides encrypted LDAP communication, enhancing security for directory queries and updates. |
| 464 | TCP/UDP | Kerberos password changes: Secures exchanges involved in changing user or computer passwords within the Kerberos authentication framework. |
| 3268 | TCP | Global catalog (GC): Facilitates fast forest-wide searches, allowing clients to quickly find objects across multiple domains. |
| 3269 | TCP | GC over SSL: The secure (encrypted) counterpart to port 3268, used for protected directory searches across the forest. |
| 123 | UDP | W32Time: Used by the Windows Time service to synchronize clocks across computers in the domain, critical for Kerberos authentication accuracy. |
Active Directory replication ports
These ports are required for AD domain controllers to synchronize data and keep directory information consistent throughout the network.
| Port | Protocol | What the port is used for |
|---|---|---|
| 135 | TCP | RPC Endpoint Mapper: Acts as a directory for remote procedure call (RPC) services, directing the client to the correct, dynamically assigned port for that service. |
| 49152-65535 | TCP/UDP | RPC dynamic ports: The range from which RPC-based AD services (replication among them) are assigned their listening ports; a client learns which port a service is using by asking the Endpoint Mapper on port 135. |
| 445 | TCP | SMB: Enables file sharing and domain controller replication using the Server Message Block (SMB) protocol, vital for AD data synchronization. |
| 389/636 | TCP/UDP | LDAP or LDAPS: Used for some replication operations, particularly replicating directory data through LDAP queries and modify operations. |
| 3268/3269 | TCP | GC or GC over SSL: Facilitates replication across multiple domains or the entire forest when GC servers are involved. |
| 53 | TCP/UDP | DNS queries: Helps clients and servers locate domain controllers and other services within the network. |
Management and directory services ports
These ports enable the administration, remote management, and extension of AD as well as legacy or web-based access.
| Port | Protocol | What the port is used for |
|---|---|---|
| 9389 | TCP | Active Directory Web Services (ADWS): Supports remote management and administration of AD through web services, including PowerShell cmdlets. |
| 80 | TCP | HTTP: Used for non-encrypted web traffic related to Group Policies, remote server management, and Active Directory Federation Services (AD FS). |
| 443 | TCP | HTTPS: Provides a secure encrypted channel for web-based AD management, federation services, and single sign-on solutions. |
| 49443 | TCP | AD FS: Specific port used by AD FS for secure federation and identity services across an organization. |
| 137-139 | UDP/TCP | NetBIOS services: Legacy ports used for older Windows networking and name resolution. Modern environments generally replace these with the SMB protocol over port 445. |
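The tables above say which ports must be reachable; the PowerShell script below, added here as an example and not taken from the ADManager Plus page, checks from a domain-joined client whether one domain controller answers on each TCP port listed, and exercises the UDP-only services (DNS on 53, time on 123) with a real query, since Test-NetConnection only probes TCP. The hostname `dc01.example.internal` is a placeholder to replace with your own.

```powershell
# Added example (not from the ADManager Plus page): verify from a domain-joined
# client that the TCP ports in the tables above are reachable on one domain
# controller. Assumption: $DomainController is a placeholder; the script needs
# Windows 8 / Server 2012 or later for Test-NetConnection and Resolve-DnsName.
param(
    [string]$DomainController = 'dc01.example.internal'   # placeholder, replace
)

# Port list taken from the tables above (string keys: an [ordered] dictionary
# treats an integer index as a position, not a key). Test-NetConnection probes
# TCP only, so UDP 88/389/464 cannot be checked this way; DNS and NTP are
# exercised with real UDP queries further down.
$tcpPorts = [ordered]@{
    '53'   = 'DNS'
    '88'   = 'Kerberos'
    '135'  = 'RPC Endpoint Mapper'
    '389'  = 'LDAP'
    '445'  = 'SMB'
    '464'  = 'Kerberos password change'
    '636'  = 'LDAPS'
    '3268' = 'Global catalog'
    '3269' = 'Global catalog over SSL'
    '9389' = 'AD Web Services'
}

$results = foreach ($port in $tcpPorts.Keys) {
    # -WarningAction SilentlyContinue hides the "TCP connect failed" warning so
    # the summary table is the only output for the TCP checks.
    $t = Test-NetConnection -ComputerName $DomainController -Port ([int]$port) -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = [int]$port
        Service   = $tcpPorts[$port]
        Reachable = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# UDP 53: ask the DC's own DNS service to resolve its name.
try {
    Resolve-DnsName -Name $DomainController -Server $DomainController -DnsOnly -ErrorAction Stop | Out-Null
    'UDP 53  (DNS): reachable'
} catch {
    "UDP 53  (DNS): FAILED - $($_.Exception.Message)"
}

# UDP 123: take one time sample from the DC. w32tm prints "error: 0x..." on a
# line when the sample could not be taken, so the output is checked for that.
$sample = & w32tm.exe /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1
if ($sample -match 'error:') { "UDP 123 (NTP): FAILED`n$($sample -join "`n")" } else { 'UDP 123 (NTP): reachable' }

# Anything the DC should serve but that is not reachable is a firewall rule or
# listener problem; fix that rule rather than opening a broad range.
$results | Where-Object { -not $_.Reachable }
```

Run it from the client whose connectivity you are troubleshooting, not from the domain controller itself, so that every firewall between the two is actually in the path.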
Expert tips: Best practices for securing AD firewall ports
Anupriya is an IAM expert with deep experience in AD administration, identity automation, and identity governance. She helps organizations build secure, compliant identity strategies through webinars and workshops grounded in real-world enterprise experience.
To keep AD secure and fully functional, focus on correctly configuring firewall ports, especially those required for client to domain controller communications.
- Know what's needed: Understand required ports and their purpose—authentication, replication, or management.
- Limit access: Apply the principle of least privilege so only trusted systems can utilize these ports.
- Protect replication traffic: Restrict high-value ports, like 445 and RPC dynamic range (49152-65535), to trusted endpoints.
- Review regularly: Audit firewall rules periodically to ensure only essential ports stay open.
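The four tips above translate directly into Windows Defender Firewall rules on a domain controller. The script below is an added example, not part of the ADManager Plus page, and uses the built-in NetSecurity cmdlets; every subnet and host in it is a placeholder for your own network layout, and it must be run elevated on the DC.

```powershell
# Added example, not part of the ADManager Plus page: apply the four tips above
# on a domain controller with the built-in NetSecurity cmdlets. Run elevated.
# Every subnet and host below is a placeholder for your own network layout.
$memberNetworks      = @('10.0.0.0/16')                  # placeholder: domain-joined clients and servers
$replicationPartners = @('10.0.1.0/24', '10.0.2.0/24')   # placeholder: subnets of the other DCs
$adminHosts          = @('10.0.0.10', '10.0.0.11')       # placeholder: admin workstations that use ADWS
$ruleGroup           = 'AD ports (documented)'

# 1. Know what's needed: each rule names the port and the purpose it serves, and
#    its remote addresses are an explicit list rather than "Any".
# 3. Protect replication traffic: SMB, the endpoint mapper and the RPC dynamic
#    range are scoped to the other DCs plus the member subnets that pull Group
#    Policy over SMB; hosts outside those lists cannot reach them at all.
$replicationScope = $replicationPartners + $memberNetworks
$rules = @(
    @{ Name = 'AD Kerberos TCP';         Proto = 'TCP'; Port = '88';          Remote = $memberNetworks }
    @{ Name = 'AD Kerberos UDP';         Proto = 'UDP'; Port = '88';          Remote = $memberNetworks }
    @{ Name = 'AD Kerberos kpasswd TCP'; Proto = 'TCP'; Port = '464';         Remote = $memberNetworks }
    @{ Name = 'AD Kerberos kpasswd UDP'; Proto = 'UDP'; Port = '464';         Remote = $memberNetworks }
    @{ Name = 'AD LDAP TCP';             Proto = 'TCP'; Port = '389';         Remote = $memberNetworks }
    @{ Name = 'AD LDAP UDP';             Proto = 'UDP'; Port = '389';         Remote = $memberNetworks }
    @{ Name = 'AD LDAPS';                Proto = 'TCP'; Port = '636';         Remote = $memberNetworks }
    @{ Name = 'AD Global catalog';       Proto = 'TCP'; Port = '3268';        Remote = $memberNetworks }
    @{ Name = 'AD Global catalog SSL';   Proto = 'TCP'; Port = '3269';        Remote = $memberNetworks }
    @{ Name = 'AD DNS TCP';              Proto = 'TCP'; Port = '53';          Remote = $memberNetworks }
    @{ Name = 'AD DNS UDP';              Proto = 'UDP'; Port = '53';          Remote = $memberNetworks }
    @{ Name = 'AD W32Time';              Proto = 'UDP'; Port = '123';         Remote = $memberNetworks }
    @{ Name = 'AD ADWS';                 Proto = 'TCP'; Port = '9389';        Remote = $adminHosts }
    @{ Name = 'AD SMB';                  Proto = 'TCP'; Port = '445';         Remote = $replicationScope }
    @{ Name = 'AD RPC Endpoint Mapper';  Proto = 'TCP'; Port = '135';         Remote = $replicationScope }
    @{ Name = 'AD RPC dynamic range';    Proto = 'TCP'; Port = '49152-65535'; Remote = $replicationScope }
)

# 2. Limit access: create each scoped rule, skipping any that already exists.
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Group $ruleGroup -Direction Inbound `
            -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $r.Remote `
            -Action Allow -Profile Domain -Enabled True | Out-Null
    }
}

# The dynamic range in the last rule must match what this DC actually uses;
# print it rather than assuming 49152-65535.
netsh int ipv4 show dynamicport tcp

# 4. Review regularly: report every enabled inbound allow rule that exposes one
#    of the AD ports to any remote address. Each hit is a candidate for scoping.
function Get-OverlyOpenAdRule {
    $adPorts = '53','88','123','135','389','445','464','636','3268','3269','9389','49152-65535'
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule  = $_
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $addrs = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $hits  = $ports | Where-Object { $adPorts -contains $_ }
        if ($hits -and ($addrs -contains 'Any')) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Port = ($hits -join ','); RemoteAddress = 'Any' }
        }
    }
}
Get-OverlyOpenAdRule | Format-Table -AutoSize
```

Schedule the last function as the periodic audit: an empty result means no AD port is open to arbitrary remote addresses, and any row that does appear points at the rule to tighten.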
Why enabling these ports is crucial for your AD environment
Correct configuration of Active Directory ports is vital for a secure and functional Windows network infrastructure.
Authentication and security
Ports like 88 (Kerberos) and 389 or 636 (LDAP or LDAPS) are at the heart of user and device authentication within an AD environment. Kerberos provides secure, mutual authentication by issuing tickets to users and computers, while LDAP (unencrypted on 389, encrypted on 636) carries directory queries and updates.
Replication
AD domain controllers rely heavily on the dynamic RPC port range and the SMB protocol over port 445 to replicate data between servers. This replication process keeps user accounts, group memberships, security settings, and other directory objects consistent and up to date across all sites and branches.
Name resolution
Port 53 is used by DNS, which underpins almost every operation in AD. Domain controllers, client systems, and many network services use DNS to resolve the names of servers and services to their IP addresses.
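As an added example, not from the ADManager Plus page, the following script shows the DNS lookups a client makes to locate domain controllers and confirms that the SRV answers name the same ports listed in the tables above (389 for LDAP, 88 for Kerberos, 464 for password changes, 3268 for the global catalog). The domain `example.internal` is a placeholder and is assumed to be the forest root domain, which is where the `_gc` record is registered.

```powershell
# Added example (not from the ADManager Plus page): walk the DNS SRV records that
# the DC locator uses over port 53 and list the DCs and ports they advertise.
# Assumption: $Domain is a placeholder for your forest root domain.
param([string]$Domain = 'example.internal')   # placeholder, replace

# Each SRV record type maps to a service from the tables above; the answer for
# each record names a DC and the port that service listens on.
$srvNames = [ordered]@{
    "_ldap._tcp.dc._msdcs.$Domain" = 'LDAP on a domain controller'
    "_kerberos._tcp.$Domain"       = 'Kerberos KDC'
    "_kpasswd._tcp.$Domain"        = 'Kerberos password change'
    "_gc._tcp.$Domain"             = 'Global catalog'
}

function Get-AdServiceRecord {
    param([string]$Name)
    # Resolve-DnsName may return A records from the additional section too, so
    # only SRV answers (which carry NameTarget/Port/Priority/Weight) are kept.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            [pscustomobject]@{
                Record   = $Name
                Target   = $_.NameTarget
                Port     = $_.Port
                Priority = $_.Priority
                Weight   = $_.Weight
            }
        }
}

$found = foreach ($name in $srvNames.Keys) {
    try { Get-AdServiceRecord -Name $name }
    catch { Write-Warning "No answer for $name ($($srvNames[$name])): $($_.Exception.Message)" }
}

# Lower Priority is preferred; among equal priorities, higher Weight gets more traffic.
$found | Sort-Object Record, Priority | Format-Table -AutoSize

# Every distinct DC the records advertise. A DC missing from this list cannot be
# located by clients even if its own ports are open on the firewall.
$found | Select-Object -ExpandProperty Target -Unique
```

A warning for any of the four records, or a DC missing from the final list, means clients will never attempt the Kerberos or LDAP connection in the first place, so it is worth checking before any port-level troubleshooting.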
Management and federation
Modern administrative tools and federation features depend on ports like 9389 (ADWS), 80 or 443 (HTTP or HTTPS), and 49443 (AD FS). These ports enable IT admins to manage AD remotely, automate tasks via scripting, and implement single sign-on with other organizations or cloud services.
How ADManager Plus helps you manage Active Directory
ADManager Plus, an identity governance and administration solution with comprehensive AD and Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console:
- Manage users, contacts, groups, licenses, and other AD objects with a script-free, centralized console.
- Reduce human error by automating user provisioning and deprovisioning, and orchestrating tasks across various platforms.
- Keep a watchful eye on your IT environment with more than 200 prepackaged reports.
- Delegate AD and Microsoft Entra ID attributes to technicians so they can perform tasks like resetting passwords, creating groups, and managing OUs.
- Streamline task execution and ensure delegated activities are monitored with smart workflows.
- Ensure business continuity with AD, Microsoft Entra ID, and Google Workspace backup and recovery.
FAQ
1. Does Active Directory use port 389 for TCP or UDP?
Port 389 is used by LDAP in AD. It supports both TCP and UDP, but TCP is more commonly used for standard directory queries and communication. UDP on port 389 is typically used for limited scenarios like simple queries or diagnostics.
2. What are Active Directory firewall ports?
AD firewall ports refer to the specific network ports that must be opened on firewalls between domain controllers, clients, and related services to enable proper and secure AD communication and functionality.
Some of the most critical ports include port 53 (TCP/UDP) for the DNS, port 88 (TCP/UDP) for Kerberos authentication, and port 389 (TCP/UDP) for LDAP. Other key ports include TCP port 445 for SMB and a range of dynamic ports for RPC-based services like replication.
3. Which Active Directory firewall ports are used for client to domain controller communication?
For a client to communicate with a domain controller, several firewall ports must be open. The most essential ones are port 53 (TCP/UDP) for DNS name resolution, port 88 (TCP/UDP) for Kerberos authentication, and port 389 (TCP/UDP) for LDAP. Other critical ports include TCP port 445 for SMB, which is used for file sharing and Group Policy updates, and TCP port 135 for the RPC Endpoint Mapper, which helps clients locate various services. Additionally, RPC-based services use a range of dynamic ports, typically in the high port range of 49152-65535, which must also be allowed.