
Unlocking Windows AD Ports: Secure Your Network Now

By Ethan Brooks

Windows Active Directory relies on a specific set of network ports to handle everything from user authentication to domain replication. Understanding these ports is essential for any administrator responsible for maintaining a secure and reliable infrastructure. Traffic between clients, domain controllers, and global catalog servers must pass through firewalls, and each protocol requires a deliberate allowance to function correctly.

Core Protocols and Their Functions

The foundation of Windows AD communication is a small set of protocols, each bound to specific ports. Lightweight Directory Access Protocol (LDAP) carries the bulk of directory queries and modifications, while Kerberos handles authentication. Administrators tend to focus on LDAP because it is the workhorse for searching and managing objects, but the authentication path deserves the same scrutiny: allowing clear-text simple binds on LDAP, or accepting unsigned LDAP sessions, exposes credentials on the wire, and on the Kerberos side the legacy RC4 encryption type is what makes captured tickets attractive to an attacker. Enforcing LDAP signing and channel binding on the domain controllers, and restricting Kerberos to AES, closes both gaps without opening or closing a single port.

LDAP and Global Catalog Ports

Unencrypted and Encrypted LDAP

LDAP listens on port 389 and LDAPS (LDAP over TLS, historically "LDAP over SSL") on port 636. Port 389 is not automatically clear text: a SASL bind with Kerberos (GSSAPI) can sign and seal the session, and STARTTLS is available, but a simple bind on 389 does send the password in the clear, which is not acceptable in modern environments. Port 636 negotiates TLS before any LDAP message is exchanged, so the whole session, credentials included, is protected from network sniffing, provided the client actually validates the domain controller's certificate. Port 389 over UDP also carries CLDAP, the lightweight "ping" that clients use while locating a domain controller, so UDP 389 needs to be allowed alongside TCP 389.

Global Catalog Considerations

Applications that need to find objects anywhere in the forest use the Global Catalog, a partial, read-only replica of every object in every domain that holds only the attributes in the partial attribute set. It listens on port 3268 for plain LDAP and on port 3269 for LDAP over TLS; a search with an empty base DN and subtree scope against these ports spans the whole forest. These ports are critical in multi-domain environments where users or applications look up resources without knowing which domain holds them. Attributes outside the partial attribute set are not returned by a GC search, so a query that needs them must go to a domain controller in the object's own domain on 389 or 636.
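As an added example (not code from the original article), the following PowerShell script does two things the two sections above describe: it opens a TLS session to 636 or 3269 and reports the certificate the domain controller presents, then runs a forest-wide user search through the Global Catalog on 3269 using the current user's Kerberos identity. The host name dc01.corp.example and the account jdoe are placeholders; it assumes a domain-joined Windows machine where the System.DirectoryServices.Protocols assembly is available. The filter value is escaped per RFC 4515 so caller input cannot alter the LDAP filter.

```powershell
# Added example, not from the original article. Placeholders: dc01.corp.example, jdoe.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    <# Opens a TLS session to an LDAPS (636) or GC-over-TLS (3269) port and returns the
       negotiated protocol and the server certificate. AuthenticateAsClient validates the
       chain and host name, so an untrusted or mismatched certificate throws instead of
       being silently accepted. #>
    param(
        [Parameter(Mandatory)][string]$Server,
        [ValidateSet(636, 3269)][int]$Port = 636
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Port       = $Port
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
    finally { $tcp.Dispose() }
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a caller-supplied value cannot change the filter (LDAP injection).
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

function Find-ForestUser {
    <# Searches the whole forest through a Global Catalog over TLS (3269). An empty base DN
       with Subtree scope on a GC port spans every domain; only attributes in the partial
       attribute set are returned, which is why memberOf can look incomplete here. #>
    param(
        [Parameter(Mandatory)][string]$GlobalCatalog,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($GlobalCatalog, 3269, $true, $false)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte; no plain 3268 fallback
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # Kerberos via SSPI as the current user
        $conn.Bind()

        $filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
        $attrs  = [string[]]@('distinguishedName', 'userPrincipalName', 'memberOf')
        $req    = [System.DirectoryServices.Protocols.SearchRequest]::new('', $filter, 'Subtree', $attrs)
        $resp   = $conn.SendRequest($req)

        foreach ($entry in $resp.Entries) {
            $upn = if ($entry.Attributes.Contains('userPrincipalName')) { $entry.Attributes['userPrincipalName'].GetValues([string]) -join '' } else { '' }
            $groups = if ($entry.Attributes.Contains('memberOf')) { $entry.Attributes['memberOf'].GetValues([string]) } else { @() }
            [pscustomobject]@{
                DistinguishedName = $entry.DistinguishedName
                UPN               = $upn
                MemberOf          = $groups
            }
        }
    }
    finally { $conn.Dispose() }
}

# Usage (placeholders):
# Test-LdapsEndpoint -Server dc01.corp.example -Port 3269 | Format-List
# Find-ForestUser -GlobalCatalog dc01.corp.example -SamAccountName jdoe
```

If Test-LdapsEndpoint throws an AuthenticationException, the DC's certificate is not trusted by the client or does not match the name you connected to; that is the same failure a hardened LDAPS client would hit, and the fix belongs on the certificate, not in disabling validation.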

Kerberos and DNS Operations

Authentication Ticketing

The Key Distribution Center (KDC) on every domain controller listens on port 88 over both TCP and UDP. The AS exchange issues the ticket-granting ticket (TGT) at logon and the TGS exchange issues service tickets from it, so port 88 must be reachable from every client and from every other domain controller. Windows clients have defaulted to TCP for Kerberos since Windows Vista, because tickets carrying a large PAC do not fit in a UDP datagram, so a firewall that allows only UDP 88 will break logons. Kerberos also depends on time: by default a client whose clock differs from the DC's by more than five minutes receives KRB_AP_ERR_SKEW and cannot authenticate, which is why NTP (UDP 123) to the domain's time hierarchy belongs in the same rule set. Password changes made through Kerberos use port 464 (kpasswd).

Domain Name System Integration

All DNS traffic, lookups as well as dynamic updates, uses port 53: UDP for ordinary queries, TCP for responses too large for a datagram and for zone transfers. Active Directory depends on DNS to locate domain controllers through service (SRV) records such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.dc._msdcs.<domain>. If port 53 is blocked, clients never learn which server to contact, so logons fail even when the LDAP and Kerberos ports themselves are open. Dynamic updates are how domain controllers register those SRV records in the first place; on AD-integrated zones they should be restricted to secure dynamic update, which requires the registering computer to authenticate.
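As an added example (not from the original article), this PowerShell function walks the same path a client takes at logon: it resolves the SRV records the DC locator uses, over UDP and then over TCP to prove both halves of port 53 are open, then checks each KDC for port 88, clock skew against the Kerberos tolerance, and whether a service ticket can actually be issued. The domain corp.example is a placeholder. It assumes the DnsClient and NetTCPIP modules that ship with Windows, that w32tm /stripchart prints its offset as "+00.0123456s" on the last line, and that klist get prints "has been retrieved successfully" when a ticket is obtained.

```powershell
# Added example, not from the original article. Placeholder domain: corp.example.
function Test-DcDiscovery {
    <# Resolves the DC locator SRV records, then verifies for every KDC found that port 88
       is reachable, that clock skew is within the Kerberos tolerance, and that a service
       ticket can be obtained. Returns one object per KDC. #>
    param(
        [Parameter(Mandatory)][string]$Domain,
        [int]$MaxSkewSeconds = 300   # Kerberos default tolerance; beyond it the KDC answers KRB_AP_ERR_SKEW
    )
    $kdcSrv  = "_kerberos._tcp.dc._msdcs.$Domain"
    $ldapSrv = "_ldap._tcp.dc._msdcs.$Domain"

    # UDP 53 first (the default), then TCP 53: a firewall that passes only UDP breaks large
    # responses and zone transfers, and this is the cheapest place to notice it.
    $udp = Resolve-DnsName -Name $kdcSrv -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
    $null = Resolve-DnsName -Name $kdcSrv -Type SRV -TcpOnly -ErrorAction Stop
    $ldapOk = [bool](Resolve-DnsName -Name $ldapSrv -Type SRV -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV')

    foreach ($rec in ($udp | Sort-Object Priority, { -$_.Weight })) {
        $dc = $rec.NameTarget

        # Port 88 over TCP, which is what Windows clients use by default.
        $port88 = Test-NetConnection -ComputerName $dc -Port $rec.Port -InformationLevel Quiet -WarningAction SilentlyContinue

        # Clock offset via NTP (UDP 123). Assumption: last line looks like "10:00:00, +00.0123456s".
        $line = (w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>$null) | Select-Object -Last 1
        $skew = if ($line -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } else { $null }

        # Ask the KDC for a service ticket to this DC's LDAP service (AS/TGS exchanges on 88).
        # Assumption: klist get reports "... has been retrieved successfully" on success.
        $klist = klist get "ldap/$dc" 2>&1
        $ticketOk = [bool]($klist | Select-String -SimpleMatch 'retrieved successfully')

        [pscustomobject]@{
            Kdc            = $dc
            Priority       = $rec.Priority
            Weight         = $rec.Weight
            LdapSrvPresent = $ldapOk
            Port88Tcp      = $port88
            SkewSeconds    = $skew
            SkewOk         = ($null -ne $skew -and $skew -le $MaxSkewSeconds)
            TicketIssued   = $ticketOk
        }
    }
}

# Usage (placeholder):
# Test-DcDiscovery -Domain corp.example | Format-Table -AutoSize
```

A row with Port88Tcp true but TicketIssued false and SkewOk false points at time, not the firewall; a row with Port88Tcp false on every KDC while the SRV lookup succeeded means DNS is open and Kerberos is not, which is exactly the half-open state this section warns about.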

Additional Infrastructure Services

Several supporting services use ports of their own. Netlogon and the other RPC interfaces on a domain controller are reached through the RPC endpoint mapper on TCP 135, which then hands the client a dynamically assigned high port (49152-65535 by default on Windows Server 2008 and later); a firewall has to allow that range, or the range has to be pinned to something narrower on the domain controllers. Group policy processing reads policy templates from the SYSVOL and NETLOGON shares over SMB on TCP 445, the same port ordinary file sharing uses. NetBIOS name service on UDP 137 is needed only by legacy clients and should be allowed only where such clients still exist.

Summary of Essential Ports

Service                      Protocol   Port          Direction
LDAP (incl. CLDAP on UDP)    TCP/UDP    389           Client to DC, DC to DC
LDAPS                        TCP        636           Client to DC
Global Catalog               TCP        3268          Client to GC
Global Catalog TLS           TCP        3269          Client to GC
Kerberos                     TCP/UDP    88            Client to DC, DC to DC
Kerberos password change     TCP/UDP    464           Client to DC
DNS                          TCP/UDP    53            Client to DNS server, DC to DC
SMB (SYSVOL, NETLOGON)       TCP        445           Client to DC, DC to DC
RPC endpoint mapper          TCP        135           Client to DC, DC to DC
RPC dynamic range            TCP        49152-65535   Client to DC, DC to DC
NTP (W32Time)                UDP        123           Client to DC, DC to DC
NetBIOS Name Service         UDP        137           Client to DC (legacy clients only)
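As an added example (not from the original article), the following PowerShell function turns the port list above into inbound Windows Firewall rules on a domain controller, scoped to the client and DC subnets you name so the DC is not reachable from arbitrary addresses. The subnets and the RPC range are placeholders; it assumes the NetSecurity module that ships with Windows Server, an elevated session on the DC, and that you have already allowed your own management traffic (RDP, WinRM) before switching the Domain profile to block by default. It supports -WhatIf.

```powershell
# Added example, not from the original article. Subnets and RPC range are placeholders.
function New-AdPortFirewallRules {
    <# Creates inbound Domain-profile rules for the AD ports, restricted to the given
       remote subnets, skipping any rule that already exists. Optionally sets the Domain
       profile to block unsolicited inbound traffic by default. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ClientSubnets,          # e.g. '10.10.0.0/16'
        [Parameter(Mandatory)][string[]]$DcSubnets,              # e.g. '10.0.1.0/24'
        [string]$RpcDynamicRange = '49152-65535',                # Windows default; narrow it if you pinned the RPC range
        [switch]$IncludeLegacyNetBios,                           # UDP 137 only if legacy clients still need it
        [switch]$BlockInboundByDefault                           # allow RDP/WinRM for yourself first
    )
    $remote = $ClientSubnets + $DcSubnets
    $rules = @(
        @{ Name = 'AD LDAP 389 TCP';      Protocol = 'TCP'; Port = 389 }
        @{ Name = 'AD CLDAP 389 UDP';     Protocol = 'UDP'; Port = 389 }
        @{ Name = 'AD LDAPS 636';         Protocol = 'TCP'; Port = 636 }
        @{ Name = 'AD GC 3268';           Protocol = 'TCP'; Port = 3268 }
        @{ Name = 'AD GC TLS 3269';       Protocol = 'TCP'; Port = 3269 }
        @{ Name = 'AD Kerberos 88 TCP';   Protocol = 'TCP'; Port = 88 }
        @{ Name = 'AD Kerberos 88 UDP';   Protocol = 'UDP'; Port = 88 }
        @{ Name = 'AD Kpasswd 464 TCP';   Protocol = 'TCP'; Port = 464 }
        @{ Name = 'AD Kpasswd 464 UDP';   Protocol = 'UDP'; Port = 464 }
        @{ Name = 'AD DNS 53 TCP';        Protocol = 'TCP'; Port = 53 }
        @{ Name = 'AD DNS 53 UDP';        Protocol = 'UDP'; Port = 53 }
        @{ Name = 'AD SMB 445';           Protocol = 'TCP'; Port = 445 }
        @{ Name = 'AD RPC EPM 135';       Protocol = 'TCP'; Port = 135 }
        @{ Name = 'AD RPC dynamic';       Protocol = 'TCP'; Port = $RpcDynamicRange }
        @{ Name = 'AD NTP 123';           Protocol = 'UDP'; Port = 123 }
    )
    if ($IncludeLegacyNetBios) {
        $rules += @{ Name = 'AD NetBIOS NS 137'; Protocol = 'UDP'; Port = 137 }
    }

    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($r.Name)' already exists, skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($r.Name, "Allow inbound $($r.Protocol) $($r.Port) from $($remote -join ', ')")) {
            New-NetFirewallRule -DisplayName $r.Name -Group 'Active Directory (scoped)' `
                -Direction Inbound -Action Allow -Profile Domain -Enabled True `
                -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $remote | Out-Null
        }
    }

    if ($BlockInboundByDefault -and $PSCmdlet.ShouldProcess('Domain profile', 'Set default inbound action to Block')) {
        Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
    }
}

# Usage (placeholders; run elevated on the DC, preview first):
# New-AdPortFirewallRules -ClientSubnets '10.10.0.0/16' -DcSubnets '10.0.1.0/24' -WhatIf
# New-AdPortFirewallRules -ClientSubnets '10.10.0.0/16' -DcSubnets '10.0.1.0/24' -BlockInboundByDefault -Verbose
```

Scoping by -RemoteAddress is the part that does the securing: the ports in the table have to be open, but nothing in the table says they must be open to the whole network. If the RPC range is narrowed, change both $RpcDynamicRange here and the RPC port configuration on every DC, or Netlogon and replication will fail in ways that look like random timeouts.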
