Understanding the network architecture for a Microsoft Active Directory environment requires precise knowledge of the ports required for Active Directory communication. The directory service relies on a specific set of TCP and UDP endpoints to handle everything from user authentication to domain replication. Without the correct ports open and routed between domain controllers and client machines, the failures are rarely obvious: users cannot log on, Group Policy does not apply, and replication quietly falls behind. This guide details the essential ports for domain join, user authentication, and inter-DC communication.
Core Protocols and Their Ports
The foundation of Active Directory is built on LDAP, Kerberos, and DNS, each demanding specific ports to function correctly. LDAP is the primary interface for querying and modifying directory data, while Kerberos handles the authentication ticket process. DNS is not merely supportive; it is mandatory for locating domain controllers through SRV records. Misconfiguring these ports is a common source of connectivity issues, so administrators must verify firewall rules against the standard assignments. Below is a breakdown of the core protocols and the ports required for active directory traffic.
LDAP and Global Catalog
LDAP (Lightweight Directory Access Protocol) operates on port 389 for standard communication and port 636 for LDAP over SSL/TLS (LDAPS). The Global Catalog, a role held by some domain controllers that serves a partial, forest-wide copy of the directory, uses port 3268 for LDAP and port 3269 for LDAPS. These ports handle directory queries and binds: locating objects, reading attributes, and the LDAP binds that applications and domain-join use, while interactive user authentication itself is handled by Kerberos. Securing LDAP traffic with TLS (LDAPS on 636/3269, or StartTLS on 389/3268) is highly recommended, because a simple bind over unencrypted LDAP sends the password in plaintext; a SASL/GSSAPI (Kerberos) bind does not expose the password, but still benefits from LDAP signing and channel binding being enforced on the domain controllers.
Kerberos Authentication
Kerberos authentication relies on port 88 for both TCP and UDP. When a user logs in, the client contacts the Key Distribution Center (KDC) on this port to obtain a Ticket-Granting Ticket (TGT), and later service tickets for LDAP, SMB and other resources. Without this port available, no domain logon is possible. Per RFC 4120 a client may start over UDP and retry over TCP when the KDC answers KRB_ERR_RESPONSE_TOO_BIG, but Windows clients since Vista use TCP 88 by default, so TCP is the port that must never be filtered; keep UDP 88 open as well for non-Windows and legacy clients. Password changes and resets go to the Kerberos change-password service on TCP and UDP 464 (kpasswd), which is easy to forget when writing firewall rules.
DNS and Dynamic Updates
While DNS is not part of the directory protocol itself, Active Directory cannot locate domain controllers without it. DNS uses port 53 for both TCP and UDP: most queries travel over UDP, and TCP is used for responses too large for a single UDP datagram (truncated responses) and for zone transfers. Domain controllers register and periodically refresh their SRV records, such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>, through the Netlogon service so that clients can find a KDC and an LDAP server. Dynamic DNS updates, which allow clients to register their own A and PTR records, also go to port 53 and in an AD-integrated zone are normally secure updates authenticated with the client's Kerberos credentials. Blocking this port will result in clients being unable to find domain services, effectively breaking the logon process.
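The following PowerShell script is an added example, not code from the original page, that ties the core ports above together: it discovers the domain controllers through the _ldap._tcp.dc._msdcs SRV record, checks that each DC answers DNS over UDP 53, and then tests the Kerberos, LDAP, LDAPS, Global Catalog and kpasswd TCP ports. The domain name defaults to the machine's own domain (an assumption; pass -Domain for another one), and it relies on the built-in Resolve-DnsName and Test-NetConnection cmdlets (Windows 8 / Server 2012 or later).

```powershell
# Added example: discover DCs via SRV records and test the core AD ports on each.
# Assumption: run from a domain-joined client, or pass -Domain explicitly.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    # Kerberos, LDAP, LDAPS, GC, GC over TLS, kpasswd
    [int[]]$Ports = @(88, 389, 636, 3268, 3269, 464)
)

if (-not $Domain) {
    throw "No domain given and this machine is not domain-joined; use -Domain."
}

# _ldap._tcp.dc._msdcs.<domain> lists every DC; the answer may also carry
# additional A records, so keep only the SRV entries.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

if (-not $srv) { throw "No SRV records found for $Domain; check the DNS configuration." }

foreach ($rec in $srv | Sort-Object Priority, Weight) {
    $dc = $rec.NameTarget
    $result = [ordered]@{ DomainController = $dc; SrvPort = $rec.Port }

    # DNS over UDP 53: ask this DC directly for the domain's A record.
    try {
        $null = Resolve-DnsName -Name $Domain -Type A -Server $dc -ErrorAction Stop
        $result['UDP53'] = $true
    } catch {
        $result['UDP53'] = $false
    }

    # TCP checks; -InformationLevel Quiet returns a plain boolean.
    foreach ($p in $Ports) {
        $result["TCP$p"] = Test-NetConnection -ComputerName $dc -Port $p `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]$result
}
```

Run it as `.\Test-AdCorePorts.ps1` (any file name works) or with `-Domain corp.example` from a non-joined host; a DC that shows `TCP3268 : False` while `TCP389 : True` is simply not a Global Catalog, which is a valid configuration, whereas `False` on 88 or 389 points at a firewall or routing problem.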
Additional Infrastructure Ports
Beyond the core authentication protocols, several auxiliary services require attention for a fully functional environment. These ports support remote administration, SYSVOL and Group Policy access, replication, and secure channel establishment. Because they sit outside the familiar LDAP and Kerberos set, administrators often overlook them, and the result is intermittent replication errors or Group Policy that fails to apply. Ensuring these endpoints are reachable helps maintain a healthy and resilient infrastructure.
RPC and NetBIOS Name Service
The Microsoft RPC (Remote Procedure Call) endpoint mapper listens on TCP port 135 (UDP 135 is registered as well but is rarely used in practice). This port acts as a directory for dynamic RPC services: a client asks the endpoint mapper where a given interface lives, including the Netlogon, SAMR and LSA interfaces used during logon and domain join, and the DRSUAPI interface used for directory replication. Those services then listen on dynamically assigned high ports, 49152 to 65535 on Windows Server 2008 and later (1025 to 5000 on earlier versions), so a firewall that permits only 135 will break replication and secure-channel setup; either allow the dynamic range between DCs and clients, or pin the services to static ports. Furthermore, the NetBIOS Name Service on UDP 137, together with the NetBIOS datagram service on UDP 138 and session service on TCP 139, is used for legacy name resolution and for NTLM-era SMB sessions. While modern clients rely heavily on DNS and SMB over TCP 445, maintaining access to these ports ensures backward compatibility with legacy systems; where no such systems remain, they are better disabled than exposed.
Replication and Time Services
For domain controllers to stay in sync and for clients to apply policy, a few more ports are needed. The Microsoft-DS port, TCP 445, carries SMB traffic: clients read logon scripts and Group Policy templates from the SYSVOL and NETLOGON shares over it, and DCs reach each other's shares over it as well (UDP 445 is registered but not used by SMB). Directory replication itself runs over RPC, reached through the endpoint mapper on 135 and the dynamic port range described above, and SYSVOL replication uses DFS-R, which is also RPC-based. Additionally, the Windows Time service, crucial for Kerberos ticket validity, uses NTP on UDP 123; domain members synchronize from a DC, and DCs from the PDC emulator. Kerberos tolerates a clock difference of five minutes by default, so if the clocks between clients and domain controllers drift beyond that because NTP traffic is blocked, ticket requests are rejected, causing widespread login issues.
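The script below is an added example, not part of the original page, for the time-skew and SMB/RPC points above. It sends a raw SNTP request to a domain controller on UDP 123, decodes the transmit timestamp from the reply, compares the offset with the default Kerberos tolerance of five minutes, and then checks that the RPC endpoint mapper (TCP 135) and SMB (TCP 445) ports are reachable. The -Dc parameter is assumed to be a reachable domain controller; domain controllers answer NTP requests because the Windows Time service runs as a time server on them.

```powershell
# Added example: NTP offset against a DC versus the Kerberos skew tolerance,
# plus reachability of TCP 135 and 445.
# Assumption: $Dc is a domain controller; 300 s is the default Kerberos tolerance.
param(
    [Parameter(Mandatory)][string]$Dc,
    [int]$MaxSkewSeconds = 300
)

function ConvertFrom-NtpTimestamp {
    # NTP timestamps are 32-bit seconds since 1900-01-01 UTC plus a 32-bit fraction.
    param([byte[]]$Bytes, [int]$Offset)
    $sec = 0.0; $frac = 0.0
    for ($i = 0; $i -lt 4; $i++) {
        $sec  = $sec  * 256 + $Bytes[$Offset + $i]
        $frac = $frac * 256 + $Bytes[$Offset + 4 + $i]
    }
    $epoch = [DateTime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    return $epoch.AddSeconds($sec + $frac / 4294967296.0)
}

function Get-NtpOffsetSeconds {
    # Returns (server transmit time - local receive time) in seconds.
    param([string]$Server)
    $req = New-Object byte[] 48
    $req[0] = 0x1B                       # LI=0, VN=3, Mode=3 (client)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 3000    # milliseconds
    try {
        $udp.Connect($Server, 123)
        $null = $udp.Send($req, $req.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$remote)
        $localNow = [DateTime]::UtcNow
    } finally {
        $udp.Close()
    }
    if ($resp.Length -lt 48) { throw "Short NTP reply from $Server ($($resp.Length) bytes)" }
    $serverTx = ConvertFrom-NtpTimestamp -Bytes $resp -Offset 40   # transmit timestamp
    return ($serverTx - $localNow).TotalSeconds
}

$offset = Get-NtpOffsetSeconds -Server $Dc

[pscustomobject]@{
    DomainController        = $Dc
    OffsetSeconds           = [math]::Round($offset, 3)
    WithinKerberosTolerance = ([math]::Abs($offset) -le $MaxSkewSeconds)
    TCP135                  = Test-NetConnection -ComputerName $Dc -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
    TCP445                  = Test-NetConnection -ComputerName $Dc -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
}
```

If the UDP receive times out, NTP is being filtered between this host and the DC even though the TCP checks may pass; an offset that is within tolerance but climbing on repeated runs means the client is not synchronizing and will eventually fail Kerberos with a clock-skew error. Note that the offset measured here ignores network delay, which is adequate for a five-minute threshold but not for precise time auditing; use `w32tm /stripchart` for that.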