Domain Controller Firewall Ports
UDP port 389 (LDAP) handles normal queries from client computers to the domain controllers.
TCP ports 3268 and 3269 (global catalog) from client to domain controller. UDP port 88 is required for authentication purposes. These ports are required by both client computers and domain controllers. As an example, when a client computer tries to find a domain controller, it always sends a DNS query over port 53 to find the name of the domain controller in the domain.
TCP and UDP port 445 (file replication service). Each approach has its pros and cons. Ten Immutable Laws of Security, version 2.0. Domain controllers provide the physical storage for the AD DS. The following information helps you understand the Active Directory firewall ports you should open from your DMZ to your internal network to allow communication from a DMZ machine to an internal Active Directory domain controller.
Windows 2019 AD domain controller: 10.10.10.200. Both UDP and TCP port 135 are required for communication between domain controllers and from clients to domain controllers. TCP port 139 and UDP port 138 (file replication service) between domain controllers.
Active Directory uses several ports for communication between domain controllers and clients. Block access from 10.10.10.0/24 to 172.16.1.0/24. Encapsulate domain controller (DC to DC) traffic inside the IP security protocol (IPsec) and open the firewall for that. TCP and UDP port 53 (DNS) from client to domain controller and from domain controller to domain controller.
UDP port 123 for time synchronization, as in a domain by default the W32Time service of a domain controller synchronizes with other domain controllers or with the PDC emulator (PDCe) FSMO role holder of the root domain of the forest. The new default start port is 49152 and the default end port is 65535. Limit RPC's use of TCP ports and open the firewall just a little bit. In general, there are more cons than pros at the top of the list and more pros than cons at the bottom.
UDP port 88 is used by clients and domain controllers to authenticate with each other. These ports relate to Active Directory, and you should only need to open them if you do not have a global catalog (GC) or domain controller (DC) in your DMZ. This differs from a mixed-mode domain that consists of Windows Server 2003 domain controllers and Windows 2000 Server-based domain. Securing domain controllers against attack.
TCP port 464 and UDP port 464 for joining the domain and regularly changing passwords. Firewall policy in pfSense. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. Windows Server 2008 and newer versions of Windows Server have increased the dynamic client port range for outgoing connections.
So although this document describes how to do all three, most. Block access from 172.16.1.0/24 to 10.10.10.0/24. TCP and UDP port 464 (Kerberos password change). Windows Server 2016, Windows Server 2012 R2, Windows Server 2012.
The firewall ports will be opened one by one from 172.16.1.0/24 to 10.10.10.0/24 to verify the actual ports required. Therefore, you must increase the RPC port range in your firewalls.