Active Directory (AD) ports are the network endpoints over which AD services communicate with each other so that the directory as a whole functions correctly. They carry critical traffic such as replication between domain controllers and authentication of users and computers. For example, port 389 carries LDAP queries to AD, and port 135 lets clients locate RPC services on domain controllers. If these ports are blocked, logons, replication, and the services that depend on them fail, so their correct configuration is essential for the reliable operation, security, and troubleshooting of any Windows-based enterprise environment.
The following are essential ports that must be open in your firewall for proper communication between client devices, domain controllers, and related services. Some ports utilize both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) depending on the service requirements.
These ports are necessary for user logon, password changes, and validation of identities within the domain.
| Port | Protocol | What the port is used for |
|---|---|---|
| 88 | TCP/UDP | Kerberos authentication: Handles Kerberos ticket exchanges, which provide secure, mutual authentication for users and computers within an AD domain. |
| 389 | TCP/UDP | LDAP: Supports directory service queries and updates using the Lightweight Directory Access Protocol (LDAP) without encryption. |
| 636 | TCP | LDAP over SSL (LDAPS): Provides encrypted LDAP communication, enhancing security for directory queries and updates. |
| 464 | TCP/UDP | Kerberos password changes: Secures exchanges involved in changing user or computer passwords within the Kerberos authentication framework. |
| 3268 | TCP | Global catalog (GC): Facilitates fast forest-wide searches, allowing clients to quickly find objects across multiple domains. |
| 3269 | TCP | GC over SSL: The secure (encrypted) counterpart to port 3268, used for protected directory searches across the forest. |
| 123 | UDP | W32Time: Used by the Windows Time service to synchronize clocks across computers in the domain, critical for Kerberos authentication accuracy. |
These ports are required for AD domain controllers to synchronize data and keep directory information consistent throughout the network.
| Port | Protocol | What the port is used for |
|---|---|---|
| 135 | TCP | RPC Endpoint Mapper: Acts as a directory for remote procedure call (RPC) services, directing the client to the correct, dynamically assigned port for that service. |
| 49152-65535 | TCP/UDP | RPC dynamic ports: Allow dynamic allocation of ports for various RPC-based AD services, essential for flexibility in communications. |
| 445 | TCP | SMB: Enables file sharing and domain controller replication using the Server Message Block (SMB) protocol, vital for AD data synchronization. |
| 389/636 | TCP/UDP | LDAP or LDAPS: Used for some replication operations, particularly for replicating directory data through LDAP queries and modify operations. |
| 3268/3269 | TCP | GC or GC over SSL: Facilitates replication across multiple domains or the entire forest when GC servers are involved. |
| 53 | TCP/UDP | DNS queries: Helps clients and servers locate domain controllers and other services within the network. |
These ports enable the administration, remote management, and extension of AD as well as legacy or web-based access.
| Port | Protocol | What the port is used for |
|---|---|---|
| 9389 | TCP | Active Directory Web Services (ADWS): Supports remote management and administration of AD through web services, including PowerShell cmdlets. |
| 80 | TCP | HTTP: Used for non-encrypted web traffic related to Group Policies, remote server management, and Active Directory Federation Services (AD FS). |
| 443 | TCP | HTTPS: Provides a secure encrypted channel for web-based AD management, federation services, and single sign-on solutions. |
| 49443 | TCP | AD FS: Specific port used by AD FS for secure federation and identity services across an organization. |
| 137-139 | UDP/TCP | NetBIOS services: Legacy ports used for older Windows networking and name resolution. Modern environments generally replace these with the SMB protocol over port 445. |
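To verify from a client that the ports in the three tables above are actually reachable, the following PowerShell script (an added example, not part of the original page or of any product it describes) tests every TCP port with Test-NetConnection and then exercises the UDP-only services the same way the operating system does: a DC-locator SRV lookup for DNS, nltest for the CLDAP "LDAP ping" on UDP 389, and w32tm for NTP on UDP 123. The domain controller name and domain are placeholders you replace with your own.

```powershell
# Added example (not from the original page): checks that a client can reach
# a domain controller on the TCP ports listed in the tables above, then
# exercises the UDP-only services through the tools that actually use them,
# because Test-NetConnection only tests TCP.
# Assumptions: the DC name and domain below are placeholders.

$DomainController = 'dc01.corp.example.com'   # placeholder
$DomainName       = 'corp.example.com'        # placeholder

# TCP ports from the authentication, replication and management tables.
# Note: reaching 135 does not prove the RPC dynamic range 49152-65535 is open;
# that range must be allowed separately on the firewall.
$TcpPorts = [ordered]@{
    53   = 'DNS (TCP, used for large responses and zone transfers)'
    88   = 'Kerberos'
    135  = 'RPC Endpoint Mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/Group Policy, replication)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
    9389 = 'Active Directory Web Services'
}

function Test-DcTcpPorts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Ports
    )
    foreach ($port in $Ports.Keys) {
        # -InformationLevel Quiet returns $true/$false instead of a full object.
        $open = Test-NetConnection -ComputerName $ComputerName -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Service = $Ports[$port]; Open = $open }
    }
}

function Test-DcUdpServices {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Domain
    )
    # UDP 53: the DC-locator SRV record must resolve, or nothing else works.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
               -Server $ComputerName -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'DNS SRV lookup (UDP 53)'; Ok = [bool]$srv }

    # UDP 389: nltest performs the CLDAP "LDAP ping" used to locate a DC;
    # /force bypasses the cached result so the network path is really tested.
    $null = & nltest /dsgetdc:$Domain /force 2>&1
    [pscustomobject]@{ Check = 'DC locator / CLDAP (UDP 389)'; Ok = ($LASTEXITCODE -eq 0) }

    # UDP 123: w32tm requests one NTP sample from the DC. Kerberos rejects
    # tickets when clocks drift beyond the allowed skew (5 minutes by default),
    # so a failure here usually shows up later as authentication errors.
    $ntp = & w32tm /stripchart /computer:$ComputerName /samples:1 /dataonly 2>&1
    [pscustomobject]@{ Check = 'Windows Time / NTP (UDP 123)'; Ok = -not ($ntp -match 'error') }
}

Test-DcTcpPorts   -ComputerName $DomainController -Ports $TcpPorts  | Format-Table -AutoSize
Test-DcUdpServices -ComputerName $DomainController -Domain $DomainName | Format-Table -AutoSize
```

Run it from a domain-joined workstation in the subnet you are troubleshooting; a port that shows `Open = False` while the service runs on the DC points at a firewall between the two, and a failing SRV lookup means clients cannot even find the domain controller before any other port matters.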
Anupriya is an IAM expert with deep experience in AD administration, identity automation, and identity governance. She helps organizations build secure, compliant identity strategies through webinars and workshops grounded in real-world enterprise experience.
To keep AD secure and fully functional, focus on correctly configuring firewall ports, especially those required for client to domain controller communications.
Correct configuration of Active Directory ports is vital for a secure and functional Windows network infrastructure.
Ports like 88 (Kerberos) and 389 or 636 (LDAP or LDAPS) are at the heart of user and device authentication within an AD environment. Kerberos provides secure and mutual authentication by issuing tickets for users and computers, while LDAP (or LDAPS, its encrypted form) allows directory queries and updates.
AD domain controllers rely heavily on the dynamic RPC port range and the SMB protocol over port 445 to replicate data between servers. This replication process keeps user accounts, group memberships, security settings, and other directory objects consistent and up to date across all sites and branches.
Port 53 is used for the DNS, which is foundational to almost every operation in AD. Domain controllers, client systems, and many network services use the DNS to resolve the names of servers and services to their corresponding IP addresses.
Modern administrative tools and federation features depend on ports like 9389 (ADWS), 80 or 443 (HTTP or HTTPS), and 49443 (AD FS). These ports enable IT admins to manage AD remotely, automate tasks via scripting, and implement single sign-on with other organizations or cloud services.
ADManager Plus, an identity governance and administration solution with comprehensive AD and Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console:
Port 389 is used by LDAP in AD. It supports both TCP and UDP, but TCP is more commonly used for standard directory queries and communication. UDP on port 389 is typically used for limited scenarios like simple queries or diagnostics.
AD firewall ports refer to the specific network ports that must be opened on firewalls between domain controllers, clients, and related services to enable proper and secure AD communication and functionality.
Some of the most critical ports include port 53 (TCP/UDP) for the DNS, port 88 (TCP/UDP) for Kerberos authentication, and port 389 (TCP/UDP) for LDAP. Other key ports include TCP port 445 for SMB and a range of dynamic ports for RPC-based services like replication.
For a client to communicate with a domain controller, several firewall ports must be open. The most essential ones are port 53 (TCP/UDP) for DNS name resolution, port 88 (TCP/UDP) for Kerberos authentication, and port 389 (TCP/UDP) for LDAP. Other critical ports include TCP port 445 for SMB, which is used for file sharing and Group Policy updates, and TCP port 135 for the RPC Endpoint Mapper, which helps clients locate various services. Additionally, RPC-based services use a range of dynamic ports, typically in the high port range of 49152-65535, which must also be allowed.
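The following PowerShell script (an added example, not part of the original page or of any product it describes) shows the domain-controller side of this: it creates inbound Windows Firewall rules for each port named above, scoped to the internal client subnets rather than to any address, and reads the RPC dynamic port range from the OS so the firewall rule matches what RPC will actually hand out. The subnets and rule group name are placeholders; run it elevated on the domain controller.

```powershell
# Added example (not from the original page): creates the inbound Windows
# Firewall rules a domain controller needs so that clients on the internal
# subnets can reach the ports listed above, and reads the RPC dynamic port
# range so the firewall rule and the OS agree.
# Assumptions: the subnets and group name are placeholders; run elevated on the DC.

$ClientSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder subnets
$RuleGroup     = 'AD DS client access (custom)'      # placeholder group name

function Get-RpcDynamicPortRange {
    # Reads the OS-level dynamic range; the default on modern Windows is
    # 49152-65535 (16384 ports), matching the range in the text above.
    $lines = & netsh int ipv4 show dynamicport tcp
    $start = ($lines | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value
    $count = ($lines | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value
    "$start-$([int]$start + [int]$count - 1)"
}

# One entry per port/protocol from the tables above. UDP rows cover the
# services the page lists as TCP/UDP; the RPC range is TCP, resolved at run time.
$Rules = @(
    @{ Name = 'DNS (TCP)';                Protocol = 'TCP'; Port = 53 }
    @{ Name = 'DNS (UDP)';                Protocol = 'UDP'; Port = 53 }
    @{ Name = 'Kerberos (TCP)';           Protocol = 'TCP'; Port = 88 }
    @{ Name = 'Kerberos (UDP)';           Protocol = 'UDP'; Port = 88 }
    @{ Name = 'Windows Time / NTP';       Protocol = 'UDP'; Port = 123 }
    @{ Name = 'RPC Endpoint Mapper';      Protocol = 'TCP'; Port = 135 }
    @{ Name = 'LDAP (TCP)';               Protocol = 'TCP'; Port = 389 }
    @{ Name = 'LDAP (UDP)';               Protocol = 'UDP'; Port = 389 }
    @{ Name = 'SMB';                      Protocol = 'TCP'; Port = 445 }
    @{ Name = 'Kerberos pw change (TCP)'; Protocol = 'TCP'; Port = 464 }
    @{ Name = 'Kerberos pw change (UDP)'; Protocol = 'UDP'; Port = 464 }
    @{ Name = 'LDAPS';                    Protocol = 'TCP'; Port = 636 }
    @{ Name = 'Global catalog';           Protocol = 'TCP'; Port = 3268 }
    @{ Name = 'Global catalog over SSL';  Protocol = 'TCP'; Port = 3269 }
    @{ Name = 'AD Web Services';          Protocol = 'TCP'; Port = 9389 }
    @{ Name = 'RPC dynamic range';        Protocol = 'TCP'; Port = (Get-RpcDynamicPortRange) }
)

function New-DcInboundRules {
    param(
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [Parameter(Mandatory)][string]$Group
    )
    foreach ($r in $Rules) {
        $display = "AD DS - $($r.Name)"
        # Idempotent: skip a rule that already exists under this display name.
        if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }
        # -RemoteAddress limits the rule to the client subnets instead of "Any";
        # -Profile Domain keeps it off public/private networks.
        New-NetFirewallRule -DisplayName $display -Group $Group -Direction Inbound `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $RemoteAddress `
            -Profile Domain -Action Allow | Out-Null
    }
}

New-DcInboundRules -RemoteAddress $ClientSubnets -Group $RuleGroup
# Review what was created, in one place, by group name.
Get-NetFirewallRule -Group $RuleGroup | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort | Format-Table -AutoSize
```

Scoping the rules to known client subnets is the least-privilege choice the tables alone do not convey: the DC still listens on every port it needs, but the firewall only admits the networks that should be talking to it, and the grouped rules make a later review of "what is open on this DC" a single query.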