Securing an enterprise network begins with understanding how directory services communicate across segmented boundaries. Firewall rules for Active Directory ports dictate whether domain controllers can share critical authentication data or whether attackers might exploit a misconfigured endpoint. Establishing a hardened network perimeter requires precise knowledge of the protocols in use and the specific TCP and UDP port numbers that must remain open or closed.
Core Active Directory Traffic and Port Requirements
Microsoft Active Directory relies on several well-known ports to handle authentication, replication, and administrative tasks. Domain controllers expect LDAP communication on port 389 for standard queries and on port 636 for LDAP over SSL. Global Catalog queries use port 3268 for partial directory searches, while port 3269 handles encrypted global catalog traffic for sensitive environments.
Kerberos and Authentication Protocols
Kerberos is the foundation of Active Directory authentication, relying on port 88 for both TCP and UDP traffic. This protocol enables ticket-based validation so users can access resources without repeatedly entering credentials. DNS port 53 is also essential because domain controllers register service location records, and clients must resolve domain names to locate controllers on the network.
Replication, Group Policy, and Secure Channel Ports
Active Directory replication, which keeps objects synchronized across domain controllers, requires remote procedure call (RPC) endpoints. The dynamic RPC port range, typically 49152 to 65535 on modern Windows Server versions, must traverse the firewall in both directions for replication to succeed. Administrators can reduce complexity by defining explicit RPC port rules or by restricting dynamic port allocation to a narrower range.
Group Policy and Netlogon Services
Group Policy processing depends on RPC and the Server Message Block protocol, commonly associated with ports 139 and 445. These ports allow domain controllers to deliver policy objects and logon scripts to clients during startup and user sign-in. The Netlogon service uses dynamic RPC communication to register secure channel bindings, making consistent firewall configuration crucial for domain trust and policy enforcement.
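To turn the port matrix from the sections above (LDAP, Global Catalog, Kerberos, DNS, SMB and dynamic RPC) into something checkable, here is an added example, not code from the original article, that audits a simplified client-to-domain-controller firewall rule list: it reports required AD flows that no rule allows and rules that open ports beyond the matrix. The Flow and Rule types and the zone names are constructed for the example; TCP 135 is included as the well-known RPC endpoint mapper port even though the article does not list it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One protocol/port range clients need to reach a domain controller."""
    name: str
    proto: str  # "tcp" or "udp"
    lo: int     # first port of the range
    hi: int     # last port of the range (equal to lo for a single port)

# Port matrix from the article: Kerberos and DNS on both TCP and UDP, dynamic
# RPC 49152-65535. TCP 135 (RPC endpoint mapper) is not on the page but is the
# well-known port a client contacts before it is handed a dynamic RPC port.
REQUIRED = (
    Flow("LDAP", "tcp", 389, 389), Flow("LDAPS", "tcp", 636, 636),
    Flow("Global Catalog", "tcp", 3268, 3268), Flow("Global Catalog SSL", "tcp", 3269, 3269),
    Flow("Kerberos", "tcp", 88, 88), Flow("Kerberos", "udp", 88, 88),
    Flow("DNS", "tcp", 53, 53), Flow("DNS", "udp", 53, 53),
    Flow("NetBIOS session", "tcp", 139, 139), Flow("SMB", "tcp", 445, 445),
    Flow("RPC endpoint mapper", "tcp", 135, 135), Flow("Dynamic RPC", "tcp", 49152, 65535),
)

@dataclass(frozen=True)
class Rule:
    """Simplified allow rule: source zone, destination zone, protocol, port range."""
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "any"
    lo: int
    hi: int

def _needed(proto, port, required=REQUIRED):
    # True when some required flow uses this protocol/port combination.
    return any(f.proto == proto and f.lo <= port <= f.hi for f in required)

def audit(rules, src, dst, required=REQUIRED):
    """Return (missing, broad): required flows no rule fully allows, and
    (rule, (proto, port)) pairs where a rule also opens a port no flow needs."""
    scoped = [r for r in rules if r.src == src and r.dst == dst]
    missing = [f for f in required
               if not any(r.proto in ("any", f.proto) and r.lo <= f.lo <= f.hi <= r.hi
                          for r in scoped)]
    broad = []
    for r in scoped:
        protos = ("tcp", "udp") if r.proto == "any" else (r.proto,)
        # First port in the rule that the matrix does not call for, if any.
        extra = next(((p, port) for p in protos for port in range(r.lo, r.hi + 1)
                      if not _needed(p, port, required)), None)
        if extra:
            broad.append((r, extra))
    return missing, broad
```

A rule such as TCP 440-450 satisfies the SMB requirement but is reported as broad because it also opens ports the matrix never asks for.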