Active Directory ports form the invisible plumbing of enterprise networks, silently governing how domain controllers communicate with clients, replication partners, and external services. Understanding which channels are open is essential for security, troubleshooting, and compliance, as misconfigured firewall rules can break authentication or expose critical infrastructure. This guide maps the technical landscape of ports used by Microsoft’s directory service, balancing operational clarity with defensive best practices.
Core Protocols and Their Standard Ports
The foundation of Active Directory traffic rests on a small set of well defined protocols, each bound to specific ports. Domain controllers rely on LDAP for directory queries, Kerberos for ticket based authentication, and DNS for service location, while secure variants add encryption and integrity. Administrators must distinguish between legacy clear text and modern encrypted paths to enforce least privilege access.
LDAP and Secure LDAP
Lightweight Directory Access Protocol (LDAP) uses TCP port 389 for unencrypted communication, typically confined to isolated management segments or legacy applications. When encryption is required, LDAP over TLS (LDAPS) binds to TCP port 636, enforcing channel binding and preventing downgrade attacks. Global Catalog queries, which enable forest wide searches, use the same protocol on their own pair of ports: TCP 3268 for clear text and TCP 3269 for TLS protected global catalog access.
Kerberos and DNS
Kerberos authentication relies on UDP and TCP port 88, where ticket granting and renewal requests converge across the domain. DNS, while not exclusive to directory services, is indispensable on UDP and TCP port 53 for service record resolution, particularly for locating domain controllers during logon. Without accurate DNS, clients fail to bind to the correct endpoint, regardless of firewall allowances.
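The two subsections above list the ports a client needs before it can locate and bind to a domain controller. The following PowerShell script is an added example, not code from the original article: it checks TCP reachability of each listed port from a client or management host, then performs the SRV lookup clients use to find a domain controller, which exercises DNS on UDP 53. The host name and domain name are placeholders to replace; Test-NetConnection only tests TCP, so UDP 88 is not probed directly.

```powershell
# Added example (not from the original article): reachability check for the
# core Active Directory ports and the DNS service record that locates a DC.
# Assumptions: $DomainController and $DomainName are placeholders you replace;
# Test-NetConnection exercises TCP only, so the SRV lookup is the UDP 53 check.
param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder
    [string]$DomainName       = 'corp.example'         # placeholder
)

# Port map taken from the sections above.
$CorePorts = @(
    @{ Port = 389;  Name = 'LDAP (clear text)' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog (clear text)' },
    @{ Port = 3269; Name = 'Global Catalog over TLS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 53;   Name = 'DNS' }
)

# One TCP connect per port; failures usually mean a firewall rule, not the DC.
$results = foreach ($entry in $CorePorts) {
    $tnc = Test-NetConnection -ComputerName $DomainController -Port $entry.Port `
                              -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $entry.Port
        Service   = $entry.Name
        Reachable = $tnc.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Service location: clients find a DC through the _ldap._tcp.dc._msdcs SRV record.
# Without this answer a logon fails even when every port above is open.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                       -Server $DomainController -ErrorAction SilentlyContinue
if ($srv) {
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
} else {
    Write-Warning "No DC SRV record for $DomainName via $DomainController; clients cannot locate a DC."
}

# Flag clear text directory ports that are reachable from this host; the article
# expects them to be confined to isolated management segments.
$results | Where-Object { $_.Reachable -and $_.Port -in 389, 3268 } |
    ForEach-Object { Write-Warning "Clear text directory port $($_.Port) is reachable from this host." }
```

Run it from a workstation subnet and from a management subnet; the warnings at the end show where clear text LDAP is still exposed, and an empty SRV result points at DNS rather than the firewall.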
Replication and Flexible Single Master Operations
Behind the user facing protocols lies the machinery of replication, which keeps directory partitions synchronized across sites. The KCC (Knowledge Consistency Checker) dynamically builds connection objects, yet the underlying ports must remain reachable for change notification and partial attribute set replication to function. Missteps here often surface as lingering objects or divergent directory trees.
RPC and SMB for Replication
Directory replication historically depends on remote procedure call (RPC) over TCP, dynamically allocating ports above 1024, which complicates firewall design. To enforce predictability, administrators can tunnel RPC over IPsec or pin the RPC endpoints through the registry so that only specific ports or ranges need to be opened. Server Message Block (SMB) port 445 becomes the transport for file replication, including the SYSVOL share, making its availability non-negotiable for healthy domain joins and group policy application.
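The registry approach mentioned above is shown here as an added PowerShell example; it is not code from the original article. It pins the RPC port that the directory service and Netlogon register with the endpoint mapper, then creates inbound firewall rules for those fixed ports and for SMB 445. The port numbers 38901 and 38902 and the partner address list are arbitrary placeholders, not Microsoft defaults; the endpoint mapper itself (TCP 135) is included because replication partners query it to learn the pinned ports.

```powershell
# Added example (not from the original article): pin the RPC ports used by
# AD replication and Netlogon, then open only those ports to replication partners.
# Assumptions: run elevated on a domain controller; 38901/38902 and the partner
# subnet are placeholders chosen for this example; a restart is required before
# the directory service listens on the pinned port.
$NtdsParams      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ReplicationPort = 38901                 # placeholder, inside the dynamic range
$NetlogonPort    = 38902                 # placeholder, inside the dynamic range
$ReplicationPartners = @('10.10.20.0/24') # placeholder: subnets of partner DCs

# Show the dynamic range the server would otherwise pick from (read-only).
netsh int ipv4 show dynamicport tcp

# NTDS "TCP/IP Port" fixes the port the directory service registers with the
# RPC endpoint mapper; Netlogon "DCTcpipPort" does the same for Netlogon RPC.
Set-ItemProperty -Path $NtdsParams     -Name 'TCP/IP Port' -Value $ReplicationPort -Type DWord
Set-ItemProperty -Path $NetlogonParams -Name 'DCTcpipPort' -Value $NetlogonPort    -Type DWord

# Inbound rules: endpoint mapper (TCP 135) so partners can look up the pinned
# ports, the pinned ports themselves, and SMB 445 for SYSVOL replication.
$Rules = @(
    @{ Name = 'AD-RPC-EndpointMapper'; Port = 135 },
    @{ Name = 'AD-Replication-RPC';    Port = $ReplicationPort },
    @{ Name = 'AD-Netlogon-RPC';       Port = $NetlogonPort },
    @{ Name = 'AD-SMB-SYSVOL';         Port = 445 }
)
foreach ($r in $Rules) {
    if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Direction Inbound `
            -Protocol TCP -LocalPort $r.Port -Action Allow -Profile Domain `
            -RemoteAddress $ReplicationPartners | Out-Null
        Write-Output "Created rule $($r.Name) for TCP $($r.Port)"
    }
}

# Read the values back; the listener check only succeeds after the DC restarts.
Get-ItemProperty -Path $NtdsParams     -Name 'TCP/IP Port'
Get-ItemProperty -Path $NetlogonParams -Name 'DCTcpipPort'
$listening = Get-NetTCPConnection -State Listen -LocalPort $ReplicationPort -ErrorAction SilentlyContinue
if (-not $listening) {
    Write-Warning "Nothing listening on TCP $ReplicationPort yet; restart the domain controller and re-check."
}
```

Apply the same pinned ports on every domain controller so one firewall rule set works for all replication partners, and keep the 135 rule limited to partner subnets: the endpoint mapper is what lets a remote host discover the other RPC interfaces.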
Endpoint Protection and Attack Surface Reduction
Every open port expands the attack surface, and directory services are no exception. Credential theft techniques such as AS-REP roasting and DCSync abuse legitimate ports, turning seemingly benign services into privilege escalation vectors. Hardening therefore involves more than blocking traffic; it demands protocol enforcement, network segmentation, and continuous monitoring of anomalous patterns.
Securing Administrative Paths
LDAPS and StartTLS should be mandated for domain controllers, retiring clear text LDAP where possible. SMBv1 must be disabled in favor of SMBv3 with encryption, mitigating eavesdropping and tampering on lateral movement paths. Authentication protocols like Kerberos benefit from controlled delegation settings and strong cryptography policies, reducing the risk of ticket forgery on those ports.
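The controls in this subsection and the AS-REP roasting point from the previous section can be checked with the following read-only audit. It is an added PowerShell example, not code from the original article. It reads the LDAP signing and channel binding values on a domain controller, the SMB server configuration, and two Active Directory account properties (accounts trusted for unconstrained delegation and accounts that do not require Kerberos pre-authentication). The pass criteria (LDAPServerIntegrity 2 for required signing, LdapEnforceChannelBinding 2 for always) follow Microsoft's documented values; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original article): read-only audit of the
# protocol hardening the section calls for. It reports findings and changes nothing.
# Assumptions: run as an administrator on a domain controller with the
# ActiveDirectory module available; value meanings follow Microsoft documentation.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ldap = Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue
$smb  = Get-SmbServerConfiguration

$findings = @(
    # Required signing rejects unsigned simple binds on clear text LDAP (389/3268).
    [pscustomobject]@{ Control = 'LDAP signing required (LDAPServerIntegrity = 2)'
                       Current = $ldap.LDAPServerIntegrity
                       Pass    = ($ldap.LDAPServerIntegrity -eq 2) }
    # Channel binding ties an LDAPS/StartTLS bind to its TLS session.
    [pscustomobject]@{ Control = 'LDAP channel binding enforced (LdapEnforceChannelBinding = 2)'
                       Current = $ldap.LdapEnforceChannelBinding
                       Pass    = ($ldap.LdapEnforceChannelBinding -eq 2) }
    [pscustomobject]@{ Control = 'SMBv1 disabled'
                       Current = $smb.EnableSMB1Protocol
                       Pass    = (-not $smb.EnableSMB1Protocol) }
    [pscustomobject]@{ Control = 'SMB encryption required'
                       Current = $smb.EncryptData
                       Pass    = [bool]$smb.EncryptData }
    [pscustomobject]@{ Control = 'SMB signing required'
                       Current = $smb.RequireSecuritySignature
                       Pass    = [bool]$smb.RequireSecuritySignature }
)

# Kerberos delegation and pre-authentication are account settings, not ports,
# but they decide how much a reachable port 88 can be abused.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $unconstrained = Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
                     Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' }
    $noPreAuth     = Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true }
    $findings += [pscustomobject]@{ Control = 'No non-DC computers with unconstrained delegation'
                                    Current = @($unconstrained).Count
                                    Pass    = (@($unconstrained).Count -eq 0) }
    $findings += [pscustomobject]@{ Control = 'No accounts without Kerberos pre-authentication'
                                    Current = @($noPreAuth).Count
                                    Pass    = (@($noPreAuth).Count -eq 0) }
} catch {
    Write-Warning "ActiveDirectory module unavailable; delegation and pre-auth checks skipped."
}

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass })
Write-Output ("{0} of {1} controls failed" -f $failed.Count, $findings.Count)
```

Run this on each domain controller rather than once per domain; the registry and SMB settings are per server, while the two account checks are domain wide and only need one successful run.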
Design Considerations for Zero Trust and Hybrid Scenarios
Modern architectures extend Active Directory into cloud identities and remote workforces, requiring careful port mapping for conditional access and federation. Azure AD Connect synchronizes directories over HTTPS, leveraging well defined endpoints while maintaining on premises connectivity. In these hybrid models, ports are governed not only by on premises firewalls but also by reverse proxies, application gateways, and explicit service principals.