Required Domain Controller Ports through Firewall

Domain controllers play a crucial role in your network. To protect them, ensure that the firewall is enabled and that only the necessary ports for your Domain Controller are open. But which ports are needed?

The primary function of a domain controller is to manage Active Directory (AD). For clients to communicate with AD, specific ports must be open on the firewall.

This article outlines the ports required for a domain controller.

Domain Controller Ports

When you install a new Domain Controller, the Windows firewall is configured automatically, opening all the necessary ports for Active Directory. However, if you need to segment your network with VLANs, you’ll need to manually ensure the correct ports are open between your domain controller and clients.

I would highly recommend reading my post on RPC ports within Windows and how to limit them to a specific range -> Limit Windows RPC Ports

Port           Protocol   Service
53             TCP/UDP    DNS
88             TCP/UDP    Kerberos authentication
123            UDP        W32Time
135            TCP        RPC Endpoint Mapper
137/138 *      UDP        NetBIOS
139 *          TCP        NetBIOS
389            TCP/UDP    LDAP
445            TCP        SMB
464            TCP/UDP    Kerberos password change
636            TCP        LDAP SSL
3268/3269      TCP        LDAP Global Catalog / LDAP GC SSL
49152-65535    TCP        RPC Ephemeral Ports (These can be limited)
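As an added example (not code from the original post), the script below turns the table above into inbound Windows Firewall rules on a domain controller, allowing each port only from the client VLANs that need to reach it. The subnet values in $ClientSubnets, the rule name prefix and the decision to keep the NetBIOS rows are assumptions for illustration; the ephemeral range is taken unchanged from the table, so narrow it if you have followed the RPC post linked earlier.

```powershell
# Added example, not part of the original article.
# Creates inbound Windows Firewall rules on a domain controller for the AD ports
# in the table, restricted to the client VLANs that must reach the DC.
# Assumptions (not from the original post):
#   - $ClientSubnets lists the client VLAN ranges (constructed example values)
#   - the RPC ephemeral range has not been narrowed; adjust it if it has
# Run in an elevated PowerShell session on the DC (NetSecurity module, built in
# on Windows Server 2012 and later).

$ClientSubnets = @('10.10.20.0/24', '10.10.30.0/24')   # constructed example values
$RulePrefix    = 'AD-DC'                                # assumed naming prefix

# Port table from the article, one entry per protocol so each rule is unambiguous.
# Drop the two NetBIOS entries if your clients no longer rely on NetBIOS.
$DcPorts = @(
    @{ Port = '53';            Protocol = 'TCP'; Service = 'DNS' }
    @{ Port = '53';            Protocol = 'UDP'; Service = 'DNS' }
    @{ Port = '88';            Protocol = 'TCP'; Service = 'Kerberos authentication' }
    @{ Port = '88';            Protocol = 'UDP'; Service = 'Kerberos authentication' }
    @{ Port = '123';           Protocol = 'UDP'; Service = 'W32Time' }
    @{ Port = '135';           Protocol = 'TCP'; Service = 'RPC Endpoint Mapper' }
    @{ Port = @('137','138');  Protocol = 'UDP'; Service = 'NetBIOS' }
    @{ Port = '139';           Protocol = 'TCP'; Service = 'NetBIOS' }
    @{ Port = '389';           Protocol = 'TCP'; Service = 'LDAP' }
    @{ Port = '389';           Protocol = 'UDP'; Service = 'LDAP' }
    @{ Port = '445';           Protocol = 'TCP'; Service = 'SMB' }
    @{ Port = '464';           Protocol = 'TCP'; Service = 'Kerberos password change' }
    @{ Port = '464';           Protocol = 'UDP'; Service = 'Kerberos password change' }
    @{ Port = '636';           Protocol = 'TCP'; Service = 'LDAP SSL' }
    @{ Port = @('3268','3269'); Protocol = 'TCP'; Service = 'LDAP Global Catalog / GC SSL' }
    @{ Port = '49152-65535';   Protocol = 'TCP'; Service = 'RPC Ephemeral Ports' }
)

foreach ($entry in $DcPorts) {
    $name = "$RulePrefix $($entry.Service) ($($entry.Protocol) $($entry.Port -join ','))"

    # Idempotent: re-running the script must not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$name' already exists, skipping"
        continue
    }

    # Domain profile only: a DC should never expose these ports on a
    # Private or Public profile, and RemoteAddress limits the source VLANs.
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Action Allow -Enabled True -Profile Domain `
        -Protocol $entry.Protocol -LocalPort $entry.Port `
        -RemoteAddress $ClientSubnets | Out-Null
    Write-Host "Created rule: $name"
}

# Verification: show every rule with this prefix alongside its port filter,
# so the result can be compared line by line against the table above.
Get-NetFirewallRule -DisplayName "$RulePrefix *" | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
        Enabled   = $_.Enabled
    }
} | Format-Table -AutoSize
```

The script only adds allow rules; it does not change the firewall's default inbound block, so anything not in the table stays closed. If a second DC or a dedicated management subnet also needs to reach this DC (replication, admin tools), add those ranges to $ClientSubnets rather than widening the rules to any source.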