This guide contains port requirements for various Active Directory® and Active Directory Domain Services (AD DS) components.
Default dynamic port range
In a mixed-mode domain that consists of Windows Server® 2003–based domain controllers, Microsoft® Windows® 2000 Server–based domain controllers, or early-version client computers, the default dynamic port range is 1025 through 5000. Windows Server 2008 and Windows Vista®, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic client port range for outgoing connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 server, allow traffic through ports 1025 through 5000 and 49152 through 65535.
When you see “TCP Dynamic” in the Port columns in the following tables, it refers to ports 1025 through 5000, the default port range for Windows Server 2003 and earlier versions of the client operating system, and ports 49152 through 65535 for Windows Server 2008 and Windows Vista.
Note: For more information about the change in the dynamic port range in Windows Server 2008, see article 929851 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=153117). You can find additional information about this change on the Ask the Directory Services Team blog. See the blog entry Dynamic Client Ports in Windows Server 2008 and Windows Vista (http://go.microsoft.com/fwlink/?LinkId=153113).
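As an added example (not part of the original guide), the following Python parses the port notation used in the tables of this document ("TCP and UDP 53, Dynamic", "TCP 135, 49152–65535", "TCP-NP and UDP-NP 445", "TCP Static 53248") and expands "Dynamic" into the concrete ranges described above, so a table can be turned into firewall rules for the operating systems actually present in the domain. The replication table data is copied from this page; the function and constant names are assumptions of this example.

```python
import re
from typing import List, Tuple

# Default dynamic port ranges from the "Default dynamic port range" section.
DYNAMIC_RANGES = {
    "2003": (1025, 5000),    # Windows Server 2003 / Windows 2000 / early clients
    "2008": (49152, 65535),  # Windows Server 2008 / Windows Vista
}

# Port cells look like "TCP 636", "TCP and UDP 53, Dynamic", "TCP-NP and UDP-NP 445".
PORT_SPEC_RE = re.compile(r"^(TCP|UDP)(?:-NP)?(?: and (TCP|UDP)(?:-NP)?)?\s*(.*)$")

def parse_port_spec(spec: str, os_versions=("2003", "2008")) -> List[Tuple[str, int, int]]:
    """Expand one 'Port' cell into sorted (protocol, first_port, last_port) tuples.
    'Dynamic' becomes the default range of every OS version in os_versions."""
    m = PORT_SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    protocols = [p for p in (m.group(1), m.group(2)) if p]
    rules = set()
    for item in m.group(3).replace("Static", "").split(","):
        item = item.strip().replace("\u2013", "-")  # ranges use an en dash in the tables
        if not item:
            continue
        if item.lower() == "dynamic":
            ranges = [DYNAMIC_RANGES[v] for v in os_versions]
        elif "-" in item:
            lo, hi = item.split("-", 1)
            ranges = [(int(lo), int(hi))]
        else:
            ranges = [(int(item), int(item))]
        for proto in protocols:
            rules.update((proto, lo, hi) for lo, hi in ranges)
    return sorted(rules)

# The Replication table from this page, as (port cell, traffic) pairs.
REPLICATION_TABLE = [
    ("TCP and UDP 389", "LDAP"), ("TCP 636", "LDAP SSL"), ("TCP 3268", "GC"),
    ("TCP and UDP 88", "Kerberos"), ("TCP and UDP 53", "DNS"),
    ("TCP and UDP 445", "SMB over IP"), ("TCP 25", "SMTP"),
    ("TCP 135, Dynamic", "RPC, EPM"),
]

def firewall_rules(table, os_versions=("2003", "2008")):
    """Expand a whole table into (traffic, protocol, first_port, last_port) entries,
    ready to be turned into allow rules between a DC and its replication partners."""
    return [(traffic, *rule) for spec, traffic in table
            for rule in parse_port_spec(spec, os_versions)]
```

Passing only `("2008",)` as `os_versions` yields the narrower 49152–65535 range for a domain with no Windows Server 2003 or earlier hosts; a mixed domain needs both ranges, which is the default.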
Restricting RPC to a specific port
RPC traffic is used over a dynamic port range as described in the previous section, “Default dynamic port range.” To restrict RPC traffic to a specific port, see article 224196 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=133489).
Operating systems
In the tables in this document, the port requirements are for Windows 2000 Server, Windows Server 2003, and Windows Server 2008 unless otherwise noted in the section heading or table.
Replication
The following table lists the port assignments for Active Directory and AD DS replication.
| Port | Type of traffic |
|---|---|
| TCP and UDP 389 | LDAP |
| TCP 636 | LDAP SSL |
| TCP 3268 | GC |
| TCP and UDP 88 | Kerberos |
| TCP and UDP 53 | DNS |
| TCP and UDP 445 | SMB over IP |
| TCP 25 | SMTP |
| TCP 135, Dynamic | RPC, EPM |
Note: Replication of SYSVOL requires File Replication Service (FRS) or Distributed File System (DFS) Replication over a dynamic RPC port. If you want to configure FRS or DFS Replication to use a particular port, see article 832017 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=22498).
Trusts
The following tables list the port requirements for establishing trusts in the following environments:
- Microsoft Windows NT®
- Microsoft Windows 2000 Server and Windows Server 2003
- Windows Server 2008
Windows NT
The following table lists the port assignments for establishing a trust with a Windows NT 4.0 domain. In this environment, one side of the trust is a Windows NT 4.0 domain, or the trust was created by using NetBIOS names.
| Client port | Server port | Type of traffic |
|---|---|---|
| UDP 137 | UDP 137 | NetBIOS Name Resolution |
| UDP 138 | UDP 138 | NetBIOS Datagram Service |
| TCP Dynamic | TCP 139 | NetBIOS Session Service |
Windows 2000 Server and Windows Server 2003
For a mixed-mode domain that uses either Windows NT domain controllers or early-version client computers, trust relationships between Windows 2000 Server–based domain controllers and Windows Server 2003–based domain controllers may necessitate that all the ports for Windows NT that are listed in the previous table be opened, in addition to the ports in the following table.
Note: The two domain controllers are either both in the same forest or each in a separate forest. Also, the trusts in the forest are Windows Server 2003 trusts or Windows Server 2008 trusts.
| Client port | Server port | Type of traffic |
|---|---|---|
| TCP Dynamic | TCP 135 | RPC, EPM |
| TCP Dynamic | TCP Dynamic | Local Security Authority (LSA) RPC Services |
| TCP and UDP Dynamic | TCP 389 | LDAP |
| TCP Dynamic | TCP 636 | LDAP SSL |
| TCP Dynamic | TCP 3268 | GC |
| TCP Dynamic | TCP 3269 | GC SSL |
| TCP and UDP 53, Dynamic | TCP and UDP 53 | DNS |
| TCP and UDP Dynamic | TCP and UDP 88 | Kerberos |
| TCP Dynamic | TCP 445 | SMB, DFS, LsaRPC, Nbtss, NetLogonR, SamR, SrvSvc |
Note: To define RPC server ports that the LSA RPC services use, see article 832017 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=22498).
Windows Server 2008
In a mixed domain environment, you have to open the ports in the following table as well as the ports in the Windows NT, Windows 2000 Server, and Windows Server 2003 tables in the “Trusts” section of this document.
Note: See the previous section “Default dynamic port range” for a description of the new dynamic port range that Windows Server 2008 uses.
| Client port | Server port | Type of traffic |
|---|---|---|
| TCP Dynamic | TCP 135, 49152–65535 | RPC, EPM |
| TCP and UDP Dynamic | TCP and UDP 389 | LDAP |
| TCP Dynamic | TCP 636 | LDAP SSL |
| TCP Dynamic | TCP 3268 | GC |
| TCP Dynamic | TCP 3269 | GC SSL |
| TCP and UDP 53, Dynamic | TCP and UDP 53 | DNS |
| TCP and UDP Dynamic | TCP and UDP 88 | Kerberos |
| TCP and UDP Dynamic | TCP-NP and UDP-NP 445 | Security Accounts Manager (SAM), LSA |
| TCP Dynamic | UDP 138 | NetBIOS Datagram Service |
Global catalog
The following table lists the ports that global catalog servers use.
| Port | Type of traffic |
|---|---|
| TCP 3268 | GC |
| TCP 3269 | GC SSL |
Read-only domain controllers
The following table lists the ports that you must open on the firewall to allow communication from a writeable domain controller in a corporate network to a read-only domain controller (RODC) in a perimeter network.
| Port | Type of traffic |
|---|---|
| TCP 135 | RPC, EPM |
| TCP Static 53248 | FRsRpc |
| TCP 389 | LDAP |
Note: For more information about configuring file replication through a specific static port, see article 319553 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=149419).
The following table lists the ports that you must open on the firewall to allow communication from an RODC in a perimeter network to a writeable domain controller in a corporate network.
| Port | Type of traffic |
|---|---|
| TCP 57344 | DRSUAPI, LsaRpc, NetLogonR |
| TCP Static 53248 | FRsRpc |
| TCP and UDP 389 | LDAP |
| TCP 3268 | GC |
| TCP 445 | DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc |
| TCP and UDP 53 | DNS |
| TCP 88 | Kerberos |
| UDP 123 | Windows Time service (W32time) |
| TCP and UDP 464 | Kerberos Change/Set Password |
Note: For more information about configuring Active Directory replication through a specific port, see article 224196 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=133489).
The following table lists the ports that you must open on the firewall to allow communication between the member servers in a perimeter network and an RODC in the perimeter network. You must open these ports only if there is an internal firewall that separates the member servers in the perimeter network from the RODC in the perimeter network.
| Port | Type of traffic |
|---|---|
| TCP 135 | RPC, EPM |
| TCP and UDP 389 | LDAP |
| TCP 445 | DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc |
| UDP 53 | DNS |
| TCP 88 | Kerberos |
| TCP and UDP 464 | Kerberos Change/Set Password |
| TCP Dynamic | DNS, DRSUAPI, NetLogonR, SamR |
Note: If you are using Windows Server 2003 in the perimeter network, you must also open UDP port 88 for Kerberos communication. In contrast, by default Windows Server 2008 uses only TCP port 88 for Kerberos communication.
DNS
The following table lists the port requirements for Domain Name System (DNS).
| Port | Type of traffic |
|---|---|
| TCP and UDP 53 | DNS |
DHCP
The following table lists the port requirements for Dynamic Host Configuration Protocol (DHCP).
| Port | Type of traffic |
|---|---|
| UDP 67 | DHCP |
| UDP 2535 | MADCAP |
Windows Internet Name Service
The following table lists the port requirements for Windows Internet Name Service (WINS).
| Port | Type of traffic |
|---|---|
| TCP and UDP 42 | WINS Replication |
| UDP 137 | NetBIOS Name Resolution |
User and computer authentication
The following table lists the port requirements for user and computer authentication.
| Port | Type of traffic |
|---|---|
| TCP and UDP 445 | SMB/CIFS/SMB2 |
| TCP and UDP 88 | Kerberos |
| UDP 389 | LDAP |
| TCP and UDP 53 | DNS |
| TCP Dynamic | RPC |
Note: For information about how to restrict RPC traffic to a specific port, see article 224196 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=133489).
Group Policy
The following table lists the port requirements for Group Policy. In addition to the ports in the following table, a client computer must also be able to contact a domain controller over Internet Control Message Protocol (ICMP). ICMP is used for slow link detection.
| Port | Type of traffic |
|---|---|
| TCP and UDP Dynamic | DCOM, RPC, EPM |
| TCP 389 | LDAP |
| TCP 445 | SMB |
Active Directory Web Services
The following table lists the port requirement for Active Directory Web Services (ADWS).
Note: ADWS is used only in Windows Server 2008 R2.
| Port | Type of traffic |
|---|---|
| TCP 9389 | SOAP |