
Active Directory and Active Directory Domain Services Port Requirements

Updated: June 18, 2009


Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with
SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Vista
This guide contains port requirements for various Active Directory and Active Directory Domain Services (AD DS) components.

Default dynamic port range
In a mixed-mode domain that consists of Windows Server 2003-based domain controllers, Microsoft Windows 2000 Server-based domain
controllers, or early-version client computers, the default dynamic port range is 1025 through 5000. Windows Server 2008 and Windows Vista,
in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic client port range for outgoing
connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call
(RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 server, allow traffic through
ports 1025 through 5000 and 49152 through 65535.

When you see TCP Dynamic in the Port columns in the following tables, it refers to ports 1025 through 5000, the default port range for
Windows Server 2003 and earlier versions of the client operating system, and ports 49152 through 65535 for Windows Server 2008 and
Windows Vista.
Note
For more information about the change in the dynamic port range in Windows Server 2008, see article 929851 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=153117).
You can find additional information about this change on the Ask the Directory Services Team blog. See the blog entry Dynamic Client Ports in
Windows Server 2008 and Windows Vista (http://go.microsoft.com/fwlink/?LinkId=153113).
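The following Python script is an added example, not part of the Microsoft document: it checks a firewall allow-list against rows of one of this document's port tables, expanding the TCP Dynamic entries into the range or ranges that the Windows versions on both sides of the firewall require (both ranges for a mixed 2003/2008 environment). The rule set, the row subset and the version strings are constructed for illustration, and the same functions apply to the Trusts and RODC tables later in the document.

```python
# Added example, not from the Microsoft document: audit a firewall allow-list
# against one of the port tables, expanding "Dynamic" per the version mix.

LEGACY_DYNAMIC = (1025, 5000)    # Windows 2000 Server, Server 2003, early clients
MODERN_DYNAMIC = (49152, 65535)  # Windows Server 2008 and Windows Vista (IANA range)
MODERN_VERSIONS = {"Windows Server 2008", "Windows Server 2008 R2", "Windows Vista"}

def dynamic_ranges(versions):
    """Dynamic (start, end) ranges to allow for this version mix; mixed 2003/2008 needs both."""
    return sorted({MODERN_DYNAMIC if v in MODERN_VERSIONS else LEGACY_DYNAMIC
                   for v in versions})

def expand_port_spec(spec, versions):
    """Turn a table cell such as 'TCP and UDP 53' or 'TCP 135, Dynamic' into
    (protocol, start, end) triples; 'Dynamic' expands via dynamic_ranges()."""
    words = spec.replace(",", " ").split()
    protos = list(dict.fromkeys(w for w in words if w in ("TCP", "UDP")))
    triples = []
    for w in words:
        if w == "Dynamic":
            triples += [(p, lo, hi) for lo, hi in dynamic_ranges(versions)
                        for p in protos]
        elif w[0].isdigit():                  # a single port or 'start-end'
            lo, _, hi = w.partition("-")
            triples += [(p, int(lo), int(hi or lo)) for p in protos]
    return triples

def uncovered(rules, required, versions):
    """Runs (traffic, protocol, start, end) of required ports that no allow rule in `rules` covers."""
    gaps = []
    for spec, traffic in required:
        for proto, lo, hi in expand_port_spec(spec, versions):
            for port in range(lo, hi + 1):
                if any(r == proto and a <= port <= b for r, a, b in rules):
                    continue
                if gaps and gaps[-1][:2] == (traffic, proto) and gaps[-1][3] == port - 1:
                    gaps[-1] = gaps[-1][:3] + (port,)           # extend the current run
                else:
                    gaps.append((traffic, proto, port, port))    # start a new run
    return gaps

# Constructed sample: three rows of the Replication table, and an allow-list
# whose only dynamic range is the Windows Server 2003 one (1025-5000).
REPLICATION_ROWS = [("TCP and UDP 389", "LDAP"), ("TCP and UDP 88", "Kerberos"),
                    ("TCP 135, Dynamic", "RPC, EPM")]
SAMPLE_RULES = [("TCP", 389, 389), ("UDP", 389, 389), ("TCP", 88, 88),
                ("UDP", 88, 88), ("TCP", 135, 135), ("TCP", 1025, 5000)]
if __name__ == "__main__":
    mix = ["Windows Server 2003", "Windows Server 2008"]
    for gap in uncovered(SAMPLE_RULES, REPLICATION_ROWS, mix):
        print("%s needs %s %d-%d opened" % gap)   # RPC, EPM needs TCP 49152-65535 opened
```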
Restricting RPC to a specific port
RPC traffic is used over a dynamic port range as described in the previous section, Default dynamic port range. To restrict RPC traffic to a
specific port, see article 224196 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=133489).
Operating systems
In the tables in this document, the port requirements are for Windows 2000 Server, Windows Server 2003, and Windows Server 2008 unless
otherwise noted in the section heading or table.
Replication
The following table lists the port assignments for Active Directory and AD DS replication.

Port                  Type of traffic
TCP and UDP 389       LDAP
TCP 636               LDAP SSL
TCP 3268              GC
TCP and UDP 88        Kerberos
TCP and UDP 53        DNS
TCP and UDP 445       SMB over IP
TCP 25                SMTP
TCP 135, Dynamic      RPC, EPM

Note
Replication of SYSVOL requires File Replication Service (FRS) or Distributed File System (DFS) Replication over a dynamic
RPC port. If you want to configure FRS or DFS Replication to use a particular port, see article 832017 in the Microsoft Knowledge
Base (http://go.microsoft.com/fwlink/?LinkID=22498).

Trusts
The following tables list the port requirements for establishing trusts in the following environments:

Microsoft Windows NT

Microsoft Windows 2000 Server and Windows Server 2003

Windows Server 2008

Windows NT
The following table lists the port assignments for establishing a trust with a Windows NT 4.0 domain. In this environment, one side of the trust is
a Windows NT 4.0 domain or the trust was created by using the NetBIOS names.

Client port       Server port       Type of traffic
UDP 137           UDP 137           NetBIOS Name Resolution
UDP 138           UDP 138           NetBIOS Datagram Service
TCP Dynamic       TCP 139           NetBIOS Session Service

Windows 2000 Server and Windows Server 2003
For a mixed-mode domain that uses either Windows NT domain controllers or early-version client computers, trust relationships between
Windows 2000 Server-based domain controllers and Windows Server 2003-based domain controllers may necessitate that all the ports for
Windows NT that are listed in the previous table be opened, in addition to the ports in the following table.
Note
The two domain controllers are both in the same forest, or the two domain controllers are both in a separate forest apart from one another. Also,
the trusts in the forest are Windows Server 2003 trusts or Windows Server 2008 trusts.

Client port                              Server port            Type of traffic
TCP Dynamic                              TCP 135                RPC, EPM
TCP Dynamic                              TCP Dynamic            Local Security Authority (LSA) RPC Services
TCP and UDP Dynamic                      TCP 389                LDAP
TCP Dynamic                              TCP 636                LDAP SSL
TCP Dynamic                              TCP 3268               GC
TCP Dynamic                              TCP 3269               GC SSL
TCP and UDP 53, TCP and UDP Dynamic      TCP and UDP 53         DNS
TCP and UDP Dynamic                      TCP and UDP 88         Kerberos
TCP Dynamic                              TCP 445                SMB, DFS, LsaRPC, Nbtss, NetLogonR, SamR, SrvSvc

Note
To define RPC server ports that the LSA RPC services use, see article 832017 in the Microsoft Knowledge
Base (http://go.microsoft.com/fwlink/?LinkID=22498).

Windows Server 2008
In a mixed domain environment, you have to open the ports in the following table as well as the ports in the Windows NT, Windows 2000 Server,
and Windows Server 2003 tables in the Trusts section of this document.
Note
See the previous section Default dynamic port range for a description of the new dynamic port range that Windows Server 2008 uses.

Client port                 Server port                  Type of traffic
TCP Dynamic                 TCP 135, 49152-65535         RPC, EPM
TCP and UDP Dynamic         TCP and UDP 389              LDAP
TCP Dynamic                 TCP 636                      LDAP SSL
TCP Dynamic                 TCP 3268                     GC
TCP Dynamic                 TCP 3269                     GC SSL
TCP and UDP 53, Dynamic     TCP and UDP 53               DNS
TCP and UDP Dynamic         TCP and UDP 88               Kerberos
TCP and UDP Dynamic         TCP-NP and UDP-NP 445        Security Accounts Manager (SAM), LSA
TCP Dynamic                 UDP 138                      NetBIOS Datagram Service

Global catalog
The following table lists the ports that global catalog servers use.

Port                  Type of traffic
TCP 3268              GC
TCP 3269              GC SSL

Read-only domain controllers
The following table lists the ports that you must open on the firewall to allow communication from a writeable domain controller in a corporate
network to a read-only domain controller (RODC) in a perimeter network.

Port                  Type of traffic
TCP 135               RPC, EPM
TCP Static 53248      FRsRpc
TCP 389               LDAP

Note
For more information about configuring file replication through a specific static port, see article 319553 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=149419).
The following table lists the ports that you must open on the firewall to allow communication from an RODC in a perimeter network to a
writeable domain controller in a corporate network.

Port                  Type of traffic
TCP 57344             DRSUAPI, LsaRpc, NetLogonR
TCP Static 53248      FRsRpc
TCP and UDP 389       LDAP
TCP 3268              GC
TCP 445               DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP and UDP 53        DNS
TCP 88                Kerberos
UDP 123               Windows Time service (W32time)
TCP and UDP 464       Kerberos Change/Set Password

Note
For more information about configuring Active Directory replication through a specific port, see article 224196 in the Microsoft Knowledge
Base (http://go.microsoft.com/fwlink/?LinkID=133489).

The following table lists the ports that you must open on the firewall to allow communication between the member servers in a perimeter network
and an RODC in the perimeter network. You must open these ports only if there is an internal firewall that separates the member servers in the
perimeter network from the RODC in the perimeter network.

Port                  Type of traffic
TCP 135               RPC, EPM
TCP and UDP 389       LDAP
TCP 445               DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
UDP 53                DNS
TCP 88                Kerberos
TCP and UDP 464       Kerberos Change/Set Password
TCP Dynamic           DNS, DRSUAPI, NetLogonR, SamR

Note
If you are using Windows Server 2003 in the perimeter network, you must also open UDP port 88 for Kerberos communication. In contrast, by
default Windows Server 2008 uses only TCP port 88 for Kerberos communication.

DNS
The following table lists the port requirements for Domain Name System (DNS).

Port                  Type of traffic
TCP and UDP 53        DNS

DHCP
The following table lists the port requirements for Dynamic Host Configuration Protocol (DHCP).

Port                  Type of traffic
UDP 67                DHCP
UDP 2535              MADCAP

Windows Internet Name Service
The following table lists the port requirements for Windows Internet Name Service (WINS).

Port                  Type of traffic
TCP and UDP 42        WINS Replication
UDP 137               NetBIOS Name Resolution

User and computer authentication
The following table lists the port requirements for user and computer authentication.

Port                  Type of traffic
TCP and UDP 445       SMB/CIFS/SMB2
TCP and UDP 88        Kerberos
UDP 389               LDAP
TCP and UDP 53        DNS
TCP Dynamic           RPC

Note
For information about how to restrict RPC traffic to a specific port, see article 224196 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=133489).

Group Policy
The following table lists the port requirements for Group Policy. In addition to the ports in the following table, a client computer must also be
able to contact a domain controller over Internet Control Message Protocol (ICMP). ICMP is used for slow link detection.

Port                  Type of traffic
TCP and UDP Dynamic   DCOM, RPC, EPM
TCP 389               LDAP
TCP 445               SMB

Active Directory Web Services
The following table lists the port requirement for Active Directory Web Services (ADWS).
Note
ADWS is used only in Windows Server 2008 R2.

Port                  Type of traffic
TCP 9389              SOAP