Active Directory Ports Firewall: Secure & Optimize Your Network

By Noah Patel

Managing network security for Microsoft Active Directory requires a precise understanding of how traffic flows between domain controllers and clients. The default ports used by Active Directory are well documented, but the interaction between these ports and a firewall is often the source of intermittent failures or authentication errors. A properly configured firewall protects the infrastructure without breaking essential services like Group Policy updates or LDAP queries.

Core Active Directory Ports and Protocols

The foundation of Active Directory connectivity relies on a specific set of ports that must be allowed through any intervening firewall. Unlike modern applications that use a single port, directory services utilize both TCP and UDP, depending on the protocol. Blocking these specific numbers will immediately result in clients being unable to locate domain controllers or authenticate successfully.

LDAP and Kerberos Communication

Lightweight Directory Access Protocol (LDAP) is the primary mechanism for querying and updating the directory database. For LDAP traffic, port 389 is used for unencrypted communication, while port 636 handles LDAP over SSL (LDAPS). Kerberos, the authentication protocol, relies heavily on port 88 for ticket granting and validation. Both protocols require bidirectional traffic to function, meaning inbound and outbound rules must be configured accordingly.

DNS and Global Catalog Requirements

Domain Name System (DNS) is not merely a supporting service for Active Directory; it is a mandatory dependency for locating domain controllers. DNS queries primarily use port 53, and it is crucial to allow both TCP and UDP for this port. If a domain controller hosts the Global Catalog, port 3268 (or 3269 for SSL) must also be open to facilitate searches across the entire forest for universal group membership.

RPC and NetBIOS Traffic Considerations

Remote Procedure Call (RPC) is a complex protocol that relies on dynamic port allocation for tasks such as replication and user logon. Port 135 (the RPC endpoint mapper) is only used to locate the RPC endpoint initially; the subsequent data transfer occurs over a dynamic, high-numbered port range. Firewalls that allow 135 but not the dynamic range will pass the endpoint lookup and then silently block the actual replication traffic between domain controllers.

NetBIOS and SMB for Legacy Systems

Although modern Windows environments rely heavily on Kerberos, NetBIOS over TCP (ports 137–139) and the Server Message Block (SMB) protocol (port 445) remain essential for certain operations. These ports handle file sharing, printer access, and older authentication methods. Maintaining access to port 445 is critical for SYSVOL replication and ensuring compatibility with legacy network devices that still depend on NetBIOS naming.

Securing the Infrastructure with Firewall Design

Deploying a firewall for an Active Directory environment demands a strategic approach that balances security with availability. The goal is to minimize the attack surface by restricting source IP addresses and limiting protocols only to what is necessary for the business function. A common best practice is to segregate domain controllers into a dedicated security zone, isolating them from general user subnets.

Designing Rules for High Availability

To prevent a single point of failure, Active Directory environments should be designed with redundancy. Firewall rules must be applied consistently across all perimeter and internal firewalls to ensure a client can reach a domain controller regardless of its location. Rules should specify the exact protocol, port, and source IP range to avoid opening the network to unnecessary traffic from unknown origins.
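The following is an added example, not code from the original article, of what such a source-restricted rule set looks like on the Windows Defender Firewall of a domain controller, built from the ports listed in the sections above. The subnet ranges, the rule group name and the host names are assumptions; the RPC dynamic range used here is the Windows Server 2008 and later default (49152-65535), which is configurable per environment and should be replaced with whatever your domain controllers are actually set to.

```powershell
# Added example: inbound Windows Defender Firewall rules for a domain controller,
# scoped to known client and DC subnets (all address ranges below are assumptions).
$ClientSubnets  = @('10.10.0.0/16', '10.20.0.0/16')   # assumed user subnets
$DcSubnets      = @('10.1.1.0/24')                    # assumed DC security zone
$AllowedSources = $ClientSubnets + $DcSubnets

# Port matrix from the article: protocol, port, and who legitimately needs it.
# Replication-only traffic (RPC dynamic range) is restricted to the DC zone.
$AdPorts = @(
    @{ Name = 'AD-DNS-TCP';      Protocol = 'TCP'; Port = 53;            Sources = $AllowedSources }
    @{ Name = 'AD-DNS-UDP';      Protocol = 'UDP'; Port = 53;            Sources = $AllowedSources }
    @{ Name = 'AD-Kerberos-TCP'; Protocol = 'TCP'; Port = 88;            Sources = $AllowedSources }
    @{ Name = 'AD-Kerberos-UDP'; Protocol = 'UDP'; Port = 88;            Sources = $AllowedSources }
    @{ Name = 'AD-RPC-EPM';      Protocol = 'TCP'; Port = 135;           Sources = $AllowedSources }
    @{ Name = 'AD-NetBIOS-UDP';  Protocol = 'UDP'; Port = '137-138';     Sources = $ClientSubnets  }
    @{ Name = 'AD-NetBIOS-TCP';  Protocol = 'TCP'; Port = 139;           Sources = $ClientSubnets  }
    @{ Name = 'AD-LDAP-TCP';     Protocol = 'TCP'; Port = 389;           Sources = $AllowedSources }
    @{ Name = 'AD-LDAP-UDP';     Protocol = 'UDP'; Port = 389;           Sources = $AllowedSources }
    @{ Name = 'AD-SMB';          Protocol = 'TCP'; Port = 445;           Sources = $AllowedSources }
    @{ Name = 'AD-LDAPS';        Protocol = 'TCP'; Port = 636;           Sources = $AllowedSources }
    @{ Name = 'AD-GC';           Protocol = 'TCP'; Port = 3268;          Sources = $AllowedSources }
    @{ Name = 'AD-GC-SSL';       Protocol = 'TCP'; Port = 3269;          Sources = $AllowedSources }
    # Assumed default dynamic RPC range; adjust to the range configured on your DCs.
    @{ Name = 'AD-RPC-Dynamic';  Protocol = 'TCP'; Port = '49152-65535'; Sources = $DcSubnets      }
)

# Re-creating the group makes the script idempotent across runs.
Get-NetFirewallRule -Group 'Active Directory (scoped)' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($p in $AdPorts) {
    New-NetFirewallRule -DisplayName $p.Name `
                        -Group 'Active Directory (scoped)' `
                        -Direction Inbound `
                        -Action Allow `
                        -Profile Domain `
                        -Protocol $p.Protocol `
                        -LocalPort $p.Port `
                        -RemoteAddress $p.Sources `
                        -Enabled True | Out-Null
}

# Anything not explicitly allowed above is dropped, which is what turns the
# allow-list into an actual reduction of attack surface.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# Review the result: one line per rule with its port and allowed sources.
Get-NetFirewallRule -Group 'Active Directory (scoped)' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Sources  = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

The same matrix translates directly to a perimeter or internal firewall between the user subnets and the DC zone; the point of keeping it in one data structure is that every firewall in the path gets the same protocol, port and source list, which is the consistency the high-availability design above calls for.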

Monitoring and Troubleshooting Connectivity

Even with a perfectly configured rule set, verifying connectivity is essential to ensure the policies are working as intended. Tools like PortQry and Test-NetConnection are invaluable for checking if a specific port is open, listening, and filtering correctly. Regular audits of the firewall logs can reveal patterns of blocked authentication attempts, which may indicate a misconfigured client or a malicious scanning event.
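As an added example (not from the original article), the script below uses Test-NetConnection for each TCP port named in the sections above and Resolve-DnsName against the domain controller for the UDP side of DNS, then reports which ports a client can actually reach. The domain controller name and domain suffix are assumptions to replace with your own.

```powershell
# Added example: verify the Active Directory ports from the article against one DC
# from a client's point of view. Host and domain names are assumptions.
param(
    [string]$DomainController = 'dc01.corp.example',   # assumed DC hostname
    [string]$DomainName       = 'corp.example'         # assumed AD domain
)

# TCP ports and the service each one carries (from the article).
$TcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB / SYSVOL'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (SSL)'
}

$results = foreach ($port in $TcpPorts.Keys) {
    # Test-NetConnection only exercises TCP; a failed handshake here usually
    # means a firewall in the path, not a service that is down.
    $t = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Protocol = 'TCP'
        Port     = $port
        Service  = $TcpPorts[$port]
        Open     = [bool]$t.TcpTestSucceeded
    }
}

# UDP cannot be probed with Test-NetConnection, so ask the DC a real DNS question:
# the SRV record clients use to locate domain controllers. Resolve-DnsName tries
# UDP first, so a success here shows UDP 53 is passing the firewall.
$srvOpen = $false
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                           -Server $DomainController -ErrorAction Stop
    $srvOpen = ($srv | Where-Object { $_.Type -eq 'SRV' }).Count -gt 0
} catch {
    $srvOpen = $false
}
$results += [pscustomobject]@{
    Protocol = 'UDP'; Port = 53; Service = 'DNS (DC locator SRV lookup)'; Open = $srvOpen
}

$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Host "Blocked or filtered from this client:" -ForegroundColor Yellow
    $blocked | ForEach-Object { Write-Host ("  {0}/{1} ({2})" -f $_.Protocol, $_.Port, $_.Service) }
} else {
    Write-Host "All listed ports reachable on $DomainController" -ForegroundColor Green
}

# Port 135 answering proves only the endpoint lookup half of RPC. The dynamic
# range can only be confirmed end to end with a live RPC operation, for example
# on a DC:   repadmin /showrepl    or    dcdiag /test:Replications
# PortQry form of the same single-port check, for reference:
#   portqry -n dc01.corp.example -p tcp -e 389
```

Run it from a machine on each client subnet rather than from the domain controller itself; a rule set that is correct at the DC can still be undone by a perimeter firewall further along the path, and this is exactly the kind of intermittent failure the introduction describes.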

Written by Noah Patel

Noah Patel is a Senior Editor focused on business, technology, and markets. He favors data-backed analysis and plain-language explanations.