ADAM LDAP Port Identified

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]

Topic Last Modified: 2009-01-21

The Microsoft Exchange Best Practices Analyzer reads the following registry entries to determine the ports that are used by the Active Directory Application Mode (ADAM) directory service on the Edge Transport server:



ADAM is a Lightweight Directory Access Protocol (LDAP) directory service that is designed specifically for use with directory-enabled applications. ADAM stores and replicates only application-specific information and does not require deployment on a domain controller or depend on the Active Directory directory service. ADAM does not provide network operating system authentication or authorization.

In Microsoft Exchange Server 2007, the Edge Transport server role uses ADAM to store configuration information and recipient data for content filtering. When ADAM is synchronized with Active Directory, it can also be used to perform recipient lookup for message security.

The ADAM instance on the Edge Transport server listens on the following nondefault ports (the standard LDAP ports 389 and 636 are not used). When EdgeSync pushes data from Active Directory to ADAM, it does so over an LDAP connection from the Hub Transport servers to these ports:

  • LDAP: Port 50389/TCP

  • Secure LDAP: Port 50636/TCP

When the Exchange Analyzer identifies the ports that are used by ADAM, the Analyzer generates a best practices message.

As a best practice, we recommend blocking all nonessential ports to outside access.

To address this issue, check that the ports that are identified by the Exchange Analyzer as used for ADAM are not open to outside access.

Port 50636/TCP is used by the Exchange EdgeSync service. If EdgeSync is in use, it must remain reachable from the Hub Transport servers on the internal network, but it does not need to be reachable from the Internet; restrict it to those internal hosts rather than leaving it open to all sources.
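The following is an added example, not part of the original article, that checks the two ADAM ports from another machine: run it once from a Hub Transport server (where 50636/TCP should answer so that EdgeSync works) and once from a host outside the perimeter (where neither port should answer). The server name is a hypothetical placeholder, and the port list assumes the default values; substitute the ports the Exchange Analyzer reported. It needs PowerShell 2.0 or later for try/catch.

```powershell
# Added example, not from the original article. Reports whether each ADAM port on
# an Edge Transport server accepts a TCP connection from the machine this runs on.
param(
    [string]$EdgeServer = "edge01.contoso.com",   # hypothetical host name, replace it
    [int[]]$Ports = @(50389, 50636),              # assumption: default ADAM ports
    [int]$TimeoutMs = 3000
)

# Returns "open", "closed" (actively refused or unresolvable) or "filtered"
# (no answer within the timeout, the usual signature of a firewall drop).
function Test-AdamPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return "filtered"
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return "open"
    } catch {
        return "closed"
    } finally {
        $client.Close()
    }
}

foreach ($p in $Ports) {
    $state = Test-AdamPort -Computer $EdgeServer -Port $p -TimeoutMs $TimeoutMs
    "{0}:{1}/TCP -> {2}" -f $EdgeServer, $p, $state
}
```

From a Hub Transport server the expected result is 50636 open and 50389 closed or filtered; from any host that is not part of the internal network both ports should come back filtered or closed. An "open" result for either port from outside is the condition this topic asks you to fix.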

To block the identified ADAM ports to outside access using Windows Firewall
  1. Click Start, Run, type firewall.cpl, and then click OK.

  2. Click the Exceptions tab.

  3. Select each Program or Service listed in the Name box and then click Edit to review the ports that are open.

  4. Verify that the ports reported by the Exchange Analyzer as used for ADAM are not listed.

  5. If the identified ports are listed, make sure that they are not used for other necessary communication, and close them by deselecting them in the Edit a Service window.

  6. Click OK two times to exit Windows Firewall configuration.
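The procedure above can be checked from the command line instead of clicking through the Exceptions tab. The following added example is not code from the original article: run it in an elevated PowerShell (2.0 or later) on the Edge Transport server itself. It assumes that the ADAM ports are stored under the Exchange 2007 Edge Transport "AdamSettings" registry key as the LdapPort and SslPort values (the registry location is an assumption; adjust it if your installation differs) and that the server runs Windows Firewall with Advanced Security, so that "netsh advfirewall" is available (Windows Server 2008 or later).

```powershell
# Added example, not from the original article. Reads the ports ADAM was installed
# with, shows which addresses actually listen on them, and lists inbound firewall
# rules that cover them so the RemoteIP scope of each rule can be reviewed.
$adamKey = "HKLM:\SOFTWARE\Microsoft\Exchange\v8.0\EdgeTransportRole\AdamSettings\MSExchange"  # assumption

# The registry values the Exchange Analyzer reads (value names are an assumption).
function Get-AdamPorts {
    param([string]$Key)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    return @{ Ldap = [int]$p.LdapPort; Ssl = [int]$p.SslPort }
}

# Parse "netstat -ano" for LISTENING sockets on the ADAM ports.
# A local address of 0.0.0.0 or [::] means every interface, Internet-facing ones included.
function Get-ListeningEndpoints {
    param([int[]]$Ports)
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$matches[2]
            if ($Ports -contains $port) {
                $procId = [int]$matches[3]
                New-Object PSObject -Property @{
                    LocalAddress = $matches[1]; Port = $port; PID = $procId
                    Process = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
                }
            }
        }
    }
}

# Parse the inbound rule list printed by netsh into one hashtable per rule and keep
# the rules whose LocalPort covers an ADAM port. LocalPort "Any", or no LocalPort
# line at all (netsh omits it when Protocol is "Any"), covers every port.
function Get-FirewallRulesForPorts {
    param([int[]]$Ports)
    $rules = @(); $rule = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s*(.*)$') {
            if ($rule) { $rules += $rule }
            $rule = @{ Name = $matches[1].Trim() }
        } elseif ($rule -and $line -match '^([^:]+):\s*(.*)$') {
            $rule[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($rule) { $rules += $rule }
    foreach ($r in $rules) {
        $lp = $r['LocalPort']
        $hit = (-not $lp) -or ($lp -eq 'Any')
        if (-not $hit) {
            # LocalPort may be a single port, a range "50000-51000", or a comma list.
            foreach ($part in ($lp -split ',')) {
                $part = $part.Trim()
                if ($part -match '^(\d+)-(\d+)$') {
                    $lo = [int]$matches[1]; $hi = [int]$matches[2]
                    foreach ($p in $Ports) { if ($p -ge $lo -and $p -le $hi) { $hit = $true } }
                } elseif ($part -match '^\d+$' -and ($Ports -contains [int]$part)) {
                    $hit = $true
                }
            }
        }
        if ($hit) {
            New-Object PSObject -Property @{
                Name = $r['Name']; Enabled = $r['Enabled']; Action = $r['Action']
                LocalPort = $lp; RemoteIP = $r['RemoteIP']
            }
        }
    }
}

$ports = Get-AdamPorts -Key $adamKey
$adamPorts = @($ports.Ldap, $ports.Ssl)
"ADAM LDAP port {0}, secure LDAP port {1}" -f $ports.Ldap, $ports.Ssl
"Listening sockets on those ports:"
Get-ListeningEndpoints -Ports $adamPorts | Format-Table LocalAddress, Port, PID, Process -AutoSize
"Inbound firewall rules covering those ports (an enabled Allow rule with RemoteIP 'Any' is outside access):"
Get-FirewallRulesForPorts -Ports $adamPorts | Format-Table Name, Enabled, Action, LocalPort, RemoteIP -AutoSize
```

What to look for in the output: the LDAP port (50389 by default) should have no enabled Allow rule at all, and the only enabled Allow rule for the secure LDAP port (50636 by default) should carry a RemoteIP scope limited to the Hub Transport servers or their subnet. Any rule that covers these ports with RemoteIP "Any" is what steps 4 and 5 above tell you to remove or narrow. On Windows Server 2003 the older "netsh firewall show portopening" command lists the same information in a different format, so the rule-parsing function would need adjusting there.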

For more information about ports, authentication and encryption for all data paths used by Exchange 2007, see Data Path Security Reference.