Is port 389 on AD in any way used or required when a new client queries via secure LDAP?

Vyas Prab 21 Reputation points
2020-08-14T08:27:36.697+00:00

I do know port 389 is required on AD for existing user logins, replication, etc., so we cannot block port 389 on AD.
But what I would like to clarify is whether port 389 (incoming) on AD is in any form useful for a new client to query / join AD via LDAPS?


Accepted answer
  1. Anonymous
    2020-08-14T14:20:16.173+00:00

    Besides NLA, which I mentioned (it uses the DC locator):

    Port  Protocol  Service      Component
    389   TCP       LDAP Server  Local Security Authority
    389   UDP       DC Locator   Local Security Authority
    389   TCP       LDAP Server  Distributed File System Namespaces
    389   UDP       DC Locator   Distributed File System Namespaces
    389   UDP       DC Locator   Netlogon
    389   UDP       DC Locator   Kerberos Key Distribution Center
    389   TCP       LDAP Server  Distributed File System Replication
    389   UDP       DC Locator   Distributed File System Replication

    --please don't forget to Accept as answer if the reply is helpful--

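The "389 UDP DC Locator" rows above are the CLDAP "LDAP ping": after the DNS SRV lookup, a client (including one that has not joined yet) sends a one-datagram RootDSE search to UDP 389 on each candidate DC and reads the Netlogon attribute from the reply to learn which DC is closest, writable, a KDC, and so on. Only after that does it open TCP 389 or 636. The following Python is an added example for this thread, not code from Microsoft or from any answer here; it hand-encodes the request with the standard library only, decodes the reply, and ships a constructed reply datagram (not a capture) so it runs offline. The flag names and opcode value are the documented NETLOGON_SAM_LOGON_RESPONSE_EX ones; the `ldap_ping()` helper name and its 2-second timeout are this example's own choices.

```python
"""CLDAP "LDAP ping" over UDP 389: the DC-locator probe a Windows client sends
before it opens TCP 389 or TCP 636.  Added example for this thread, not code
from Microsoft or from any answer above.  Standard library only; the BER
encoder/decoder covers just the subset this one exchange needs."""
import socket
import struct

LOGON_SAM_LOGON_RESPONSE_EX = 0x17        # opcode a DC answers the ping with
DS_FLAGS = {                              # subset of the DS_*_FLAG bits in the reply
    0x0001: "PDC", 0x0004: "GC", 0x0008: "LDAP", 0x0010: "DS",
    0x0020: "KDC", 0x0040: "TIMESERV", 0x0080: "CLOSEST", 0x0100: "WRITABLE",
}


def ber_len(n):
    """Definite-form BER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """BER INTEGER for a non-negative value; the width keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_read(buf, pos):
    """Decode the TLV at pos; return (tag, value, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ber_children(payload):
    """(tag, value) pairs packed back to back inside a constructed value."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = ber_read(payload, pos)
        out.append((tag, val))
    return out


def build_netlogon_ping(dns_domain, msg_id=1):
    r"""SearchRequest on the RootDSE, filter (&(DnsDomain=<dns_domain>)(NtVer=\06\00\00\00)),
    attribute Netlogon.  NtVer 0x6 = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX."""
    filt = tlv(0xA0,                                               # and
               tlv(0xA3, tlv(0x04, b"DnsDomain") + tlv(0x04, dns_domain.encode()))
               + tlv(0xA3, tlv(0x04, b"NtVer") + tlv(0x04, b"\x06\x00\x00\x00")))
    search = tlv(0x63,                                             # [APPLICATION 3]
                 tlv(0x04, b"")                                    # baseObject: RootDSE
                 + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")         # scope base, never deref
                 + ber_int(0) + ber_int(0)                         # sizeLimit, timeLimit
                 + tlv(0x01, b"\x00")                              # typesOnly FALSE
                 + filt
                 + tlv(0x30, tlv(0x04, b"Netlogon")))              # attributes
    return tlv(0x30, ber_int(msg_id) + search)


def parse_netlogon_response(datagram):
    """Return (opcode, flags) from the SearchResultEntry's Netlogon value, or None.
    One CLDAP datagram carries the entry and the SearchResultDone back to back."""
    pos = 0
    while pos < len(datagram):
        tag, message, pos = ber_read(datagram, pos)
        if tag != 0x30:
            continue
        for op_tag, op in ber_children(message)[1:]:              # [0] is messageID
            if op_tag != 0x64:                                    # [APPLICATION 4] entry
                continue
            _object_name, attributes = ber_children(op)[:2]
            for _seq_tag, attr in ber_children(attributes[1]):
                attr_type, attr_vals = ber_children(attr)[:2]
                if attr_type[1].lower() != b"netlogon":
                    continue
                for _octet_tag, blob in ber_children(attr_vals[1]):
                    opcode, _sbz, flags = struct.unpack_from("<HHI", blob)
                    return opcode, flags
    return None


def flags_to_names(flags):
    return [name for bit, name in sorted(DS_FLAGS.items()) if flags & bit]


def constructed_reply(flags, msg_id=1):
    """Hand-built reply (constructed test data, not a capture): the first 24 bytes of
    NETLOGON_SAM_LOGON_RESPONSE_EX (opcode, sbz, flags, GUID) plus a placeholder byte,
    then a SearchResultDone with resultCode success."""
    blob = struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, flags) + bytes(16) + b"\x00"
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30, tlv(0x30,
                tlv(0x04, b"Netlogon") + tlv(0x31, tlv(0x04, blob)))))
    done = tlv(0x65, ber_int(0) + tlv(0x04, b"") + tlv(0x04, b""))
    return tlv(0x30, ber_int(msg_id) + entry) + tlv(0x30, ber_int(msg_id) + done)


def ldap_ping(dc_address, dns_domain, timeout=2.0):
    """Send the probe to UDP 389 on one DC and decode what it says about itself."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_netlogon_ping(dns_domain), (dc_address, 389))
        data, _peer = sock.recvfrom(4096)
    return parse_netlogon_response(data)


if __name__ == "__main__":
    # Offline demo on the constructed reply; point ldap_ping() at a real DC to see
    # what UDP 389 returns when open, and a socket.timeout when it is blocked.
    opcode, flags = parse_netlogon_response(constructed_reply(0x01FD))
    print(hex(opcode), flags_to_names(flags))
```

Run it with `python3 ldap_ping.py` for the offline demo, or call `ldap_ping("10.0.0.1", "example.com")` against a lab DC: a reply proves UDP 389 is reachable, a timeout is exactly what a new client sees when UDP 389 is filtered, which is why blocking 389 breaks the join before LDAPS on 636 is ever attempted.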

4 additional answers

Sort by: Most helpful
  1. Hannah Xiong 6,276 Reputation points
    2020-08-14T09:47:26.75+00:00

    Hello,

    Thank you so much for posting here.

    According to this official document: Active Directory and Active Directory Domain Services Port Requirements
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

    LDAP TCP and UDP port 389 is used for Directory, Replication, User and Computer Authentication, Group Policy, Trusts. As you mentioned, we could not block port 389 on AD. For LDAPs (LDAP SSL), TCP 636 is used for Directory, Replication, User and Computer Authentication, Group Policy, Trusts.


    Below is a discussion about TCP and UDP port 389 and TCP port 636, which we could kindly check.

    https://social.technet.microsoft.com/Forums/lync/en-US/320777bb-c4f0-4091-82a3-0d86b8809fac/disable-non-secure-ldap-389?forum=winserverDS

    Hope the information is helpful. For any question, please contact us.

    Best regards,
    Hannah Xiong


  2. Anonymous
    2020-08-14T12:23:29.437+00:00

    Yes, required. When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.
    If the domain was not found or the process failed, NLA will let you determine which firewall profile will be used, private or public.

    --please don't forget to Accept as answer if the reply is helpful--


  3. Thameur-BOURBITA 33,971 Reputation points
    2020-08-14T15:39:07.887+00:00

    Hi,

    It is not a good idea to disable 389 on a domain controller. Based on my experience, disabling the LDAP protocol can impact clients and member servers because the Netlogon service needs port 389 to communicate with the domain controller. Also, when you join a new machine to the domain, the Netlogon service will need this port.

    Below are all the ports required by the Netlogon service:

    Application protocol      Protocol  Ports
    NetBIOS Datagram Service  UDP       138 ³
    NetBIOS Name Resolution   UDP       137 ³
    NetBIOS Session Service   TCP       139 ³
    SMB                       TCP       445
    LDAP                      UDP       389
    RPC¹                      TCP       135, random port number between 1024 - 65535
                                        135, random port number between 49152 - 65535²

    Blocking port 389 is a typical thing to do on an external firewall, but is not something you would do on a domain controller.

    To get more details you can refer to the following links:

    https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

    https://learn.microsoft.com/en-us/archive/blogs/pki/implementing-ldaps-ldap-over-ssl

    Please don't forget to mark this reply as answer if it helps you to fix your issue


  4. Joseph Martin 1 Reputation point
    2022-05-13T06:34:35.663+00:00

    @Thameur-BOURBITA Would I disable port 389 or move it to port 637 if the server only hosts websites?

