Domain controllers are an important part of your network. To protect them, you should make sure that the firewall is enabled and that only the required ports on your Domain Controller are opened. But which ports are these?
The primary function of the domain controller is of course Active Directory. For clients to be able to communicate with AD, a number of ports must be opened in the firewall.
In this article, we will take a look at which ports are required for the domain controller.
Domain Controller Ports
The Windows firewall is configured automatically when you install a new Domain Controller. All the ports required for Active Directory are added automatically. But when you, for example, want to segment your network with VLANs, then you will need to make sure that the correct ports are open between your domain controller and the clients.
Let's first take a look at the ports that you need to open on your domain controller:
Port | Protocol | Service |
---|---|---|
53 | TCP/UDP | DNS |
88 | TCP/UDP | Kerberos authentication |
123 | UDP | W32Time |
135 | TCP | RPC Endpoint Mapper |
137/138 * | UDP | NetBIOS |
139 * | TCP | NetBIOS |
389 | TCP/UDP | LDAP |
445 | TCP | SMB |
464 | TCP/UDP | Kerberos password change |
636 | TCP | LDAP SSL |
3268/3269 | TCP | LDAP Global Catalog / LDAP GC SSL |
49152-65535 | TCP | RPC Ephemeral Ports |
* If you are running Windows 2012 or higher, then the NetBIOS ports are no longer required. NetBIOS is replaced with SMB (Samba).
If you plan to use the Active Directory PowerShell module or the Active Directory Administrative Center, then you will need to make sure that port 9389 is opened as well.
Tip
Make sure to check out my Domain Controller Health reporting script as well.
The RPC port range 49152-65535 is required for the communication between the clients and the domain controller. The port number is randomly assigned to the client. It is possible to limit the range with a registry key, but this is really not recommended, because it will break more than you want.
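After segmenting the network, the quickest way to confirm that the table above is actually honoured is to test from a client on the new VLAN. The following PowerShell script is an added example, not part of the original article; the DC hostname and domain name are assumptions you replace with your own. It probes the TCP ports with Test-NetConnection and, since that cmdlet cannot probe UDP, exercises DNS and W32Time directly.

```powershell
# Added example: verify from a client that the domain controller ports are reachable.
# $DomainController and $DomainName are assumed placeholder values.
param(
    [string]$DomainController = 'dc01.corp.example',   # assumed DC hostname
    [string]$DomainName       = 'corp.example'         # assumed AD DNS domain
)

# TCP ports from the article's table (NetBIOS 139 left out, 9389 added for the AD PowerShell module).
$tcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC Endpoint Mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAP SSL'
    3268 = 'LDAP Global Catalog'
    3269 = 'LDAP GC SSL'
    9389 = 'AD Web Services (PowerShell module / ADAC)'
}

$results = foreach ($port in $tcpPorts.Keys) {
    $test = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Service = $tcpPorts[$port]; Open = $test.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# UDP 53: Resolve-DnsName queries over UDP by default, so a successful answer from the DC proves the port.
$dns = Resolve-DnsName -Name $DomainName -Type A -Server $DomainController -ErrorAction SilentlyContinue
"DNS  (UDP 53):  " + $(if ($dns) { 'OK' } else { 'BLOCKED or DNS not answering' })

# UDP 123: ask w32tm for one sample from the DC; a reachable time source prints an offset,
# an unreachable one prints an error line (heuristic: look for the word 'error' in the output).
$ntp = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1 | Out-String
"NTP  (UDP 123): " + $(if ($ntp -match 'error') { 'BLOCKED or time service unreachable' } else { 'OK' })

# A blocked 49152-65535 range cannot be seen from a single TCP probe: port 135 tests open while
# RPC-dependent operations (e.g. Group Policy processing) still fail. Treat that pattern as the hint.
```

Run it from a client on the segmented VLAN; any TCP row with Open = False, or a BLOCKED line for DNS/NTP, points at a rule missing between that VLAN and the domain controller.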
Port 53 – DNS
Domain Name System (DNS) communication takes place over TCP and UDP port 53. DNS resolution is essential for domain controller location and name resolution.
Port 88 – Kerberos
Kerberos is an authentication protocol used by Windows. It operates on TCP and UDP port 88. It is essential for secure authentication within the domain.
Port 123 – W32Time
While not directly related to domain controller operations, port 123 plays a crucial role in keeping time synchronized across a network. Accurate timekeeping is essential in IT environments, especially in Active Directory, because it ensures consistent and secure authentication and access control.
Port 135 – RPC Endpoint Mapper
Port 135 is an important client/server port used by numerous Microsoft services. In this process, the client first connects to the RPC mapper service on port 135 to find out the dynamic port on which the desired service is listening. The RPC mapper then responds with the port information, allowing the client to establish a connection.
Port 389 – LDAP
Lightweight Directory Access Protocol (LDAP) operates on TCP and UDP port 389. It is used for basic LDAP queries and directory updates. LDAP is the backbone of Active Directory, facilitating user authentication and directory lookups.

Port 445 – SMB
Port 445 is used for the SMB protocol. It is used by Active Directory to retrieve GPO information. Besides that, the protocol is also used for file and printer sharing.
Port 636 – LDAP SSL
For enhanced security, LDAPS (LDAP over SSL) operates on TCP port 636. LDAPS encrypts the data transmitted between domain controllers, safeguarding sensitive information.
Port 3268/3269 – LDAP Global Catalog
The ports 3268 and the secure version 3269 (which uses SSL) are used for querying the LDAP Global Catalog.
Port 49152-65535 – RPC Ephemeral Ports
A port in this range is allocated to the client after the initial contact with the RPC Mapper on port 135.
ADFS Ports
If you are using Active Directory Federation Services (ADFS), then you will need to make sure that the following ports are open as well:
Port | Protocol | Service |
---|---|---|
80 | TCP/UDP | HTTP |
443 | TCP/UDP | HTTPS |
5985 | TCP/UDP | WinRM Listener |
49443 | TCP | Active Directory Federation Services (ADFS) |
Port 5985 is required when using Azure AD Connect or Federation/WAP servers. Port 49443 is required for ADFS when using certificate-based authentication.
Wrapping Up
The Windows Firewall on your domain controller is configured correctly by default when you install the Active Directory services. If you are using a third-party firewall on your domain controller, or planning to use VLANs, then you will need to make sure that the listed ports are opened.
As mentioned, the NetBIOS ports are not really needed anymore, so it is better to block them if you don't have any apps that use them.
I hope you found this article helpful. If you have any questions, just drop a comment below.