Is port 389 on AD in anyway used or required when a new client queries via secure LDAP?

asked 2020-08-14T08:27:36.697+00:00
Vyas Prab 21 Reputation points

I do know port 389 is required on AD for existing user logins, replications etc. so we cannot block port 389 on AD.
But what I would like to clarify is if port 389(incoming) on AD is in any form useful for a new client to query / join AD via LDAPs?


Accepted answer
  1. answered 2020-08-14T14:20:16.173+00:00
    Dave Patrick 328.8K Reputation points Microsoft MVP

    Besides NLA that I mentioned (uses DC locator):

    Port   Protocol   Application protocol   System service
    389    TCP        LDAP Server            Local Security Authority
    389    UDP        DC Locator             Local Security Authority
    389    TCP        LDAP Server            Distributed File System Namespaces
    389    UDP        DC Locator             Distributed File System Namespaces
    389    UDP        DC Locator             Netlogon
    389    UDP        DC Locator             Kerberos Key Distribution Center
    389    TCP        LDAP Server            Distributed File System Replication
    389    UDP        DC Locator             Distributed File System Replication

    --please don't forget to Accept as answer if the reply is helpful--

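As an added example (not code from this thread, from Microsoft, or from any of the answerers), the following Python script builds the same rootDSE "LDAP ping" that DC Locator sends to UDP 389 and, separately, performs a certificate-validating TLS handshake on TCP 636. The host and domain names are placeholders, and the helper names (ber_len, build_ldap_ping, ldap_ping, ldaps_handshake) are this example's own. Running it against a DC shows why UDP 389 reachability still matters for a client that will only ever bind over LDAPS: the locator step happens before any LDAPS session exists.

```python
"""Constructed example, not code from this thread or from Microsoft: a minimal
DC Locator "LDAP ping" over UDP 389 and a TLS handshake on TCP 636, to show
which port a client actually touches first. Hostnames and the domain are
placeholders; NtVer flag values follow MS-ADTS (NETLOGON_NT_VERSION_1/5/5EX)."""
import socket
import ssl
from typing import Optional

# --- minimal BER encoder: just enough for an LDAPv3 SearchRequest -----------
def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, else 0x80|count then big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def octet_string(s: str) -> bytes:
    return tlv(0x04, s.encode())

def integer(n: int) -> bytes:
    """Non-negative INTEGER, zero-padded so the sign bit stays clear."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def enumerated(n: int) -> bytes:
    return tlv(0x0A, bytes([n]))

def boolean(b: bool) -> bytes:
    return tlv(0x01, b"\xff" if b else b"\x00")

def equality(attr: str, value: bytes) -> bytes:
    """Filter equalityMatch [3]: context-specific constructed tag 0xA3."""
    return tlv(0xA3, octet_string(attr) + tlv(0x04, value))

def and_filter(*parts: bytes) -> bytes:
    """Filter and [0] SET OF Filter: tag 0xA0."""
    return tlv(0xA0, b"".join(parts))

# --- the LDAP ping: what "389 UDP DC Locator" in the answer refers to -------
NTVER_V1, NTVER_V5, NTVER_V5EX = 0x1, 0x2, 0x4   # MS-ADTS NETLOGON_NT_VERSION_*

def build_ldap_ping(dns_domain: str, message_id: int = 1) -> bytes:
    """rootDSE search (&(DnsDomain=<domain>)(NtVer=<flags>)) for attribute
    Netlogon; NtVer is carried as a 4-byte little-endian DWORD."""
    ntver = (NTVER_V1 | NTVER_V5 | NTVER_V5EX).to_bytes(4, "little")
    search = (
        octet_string("")                            # baseObject "" = rootDSE
        + enumerated(0) + enumerated(0)             # scope base, never deref aliases
        + integer(0) + integer(0) + boolean(False)  # no size/time limit, values wanted
        + and_filter(equality("DnsDomain", dns_domain.encode()),
                     equality("NtVer", ntver))
        + tlv(0x30, octet_string("Netlogon"))       # attributes: SEQUENCE OF OCTET STRING
    )
    return tlv(0x30, integer(message_id) + tlv(0x63, search))  # 0x63 = [APPLICATION 3]

def _read_tlv(buf: bytes, pos: int):
    """(tag, value_start, value_end) of the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def protocol_op_tag(msg: bytes) -> int:
    """protocolOp tag of an LDAPMessage: 0x63 SearchRequest, 0x64
    SearchResultEntry (a DC answers a ping with one), 0x65 SearchResultDone."""
    _, start, _ = _read_tlv(msg, 0)          # outer SEQUENCE
    _, _, after_id = _read_tlv(msg, start)   # messageID INTEGER
    return msg[after_id]

def ldap_ping(dc_host: str, dns_domain: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send the ping to UDP 389; None on timeout means DC Locator would fail
    on a joining client too, whether or not it intends to use LDAPS later."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ldap_ping(dns_domain), (dc_host, 389))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def ldaps_handshake(dc_host: str, timeout: float = 3.0) -> dict:
    """TLS handshake on TCP 636 with chain and hostname validation; returns the
    DC certificate or raises ssl.SSLError, which is what an LDAPS client sees."""
    ctx = ssl.create_default_context()
    with socket.create_connection((dc_host, 636), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dc_host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    DC_HOST, DNS_DOMAIN = "dc01.corp.example", "corp.example"   # placeholders
    print("ping packet:", build_ldap_ping(DNS_DOMAIN).hex())
    reply = ldap_ping(DC_HOST, DNS_DOMAIN)
    print("UDP 389:", "no reply" if reply is None else f"op 0x{protocol_op_tag(reply):02x}")
```

A reply whose protocolOp tag is 0x64 means the locator step works; a timeout on UDP 389 while ldaps_handshake on 636 succeeds is exactly the asymmetry the question is about, and it is what you will see on a client when 389 is filtered but 636 is not. The packet built here is the same one a Windows client emits, so it is also a convenient reference when reading firewall or DC packet captures for "LDAP ping" traffic.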

4 additional answers

  1. answered 2020-08-14T09:47:26.75+00:00
    Hannah Xiong 6,161 Reputation points

    Hello,

    Thank you so much for posting here.

    According to this official document: Active Directory and Active Directory Domain Services Port Requirements
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

    LDAP TCP and UDP port 389 is used for Directory, Replication, User and Computer Authentication, Group Policy, Trusts. As you mentioned, we could not block port 389 on AD. For LDAPs (LDAP SSL), TCP 636 is used for Directory, Replication, User and Computer Authentication, Group Policy, Trusts.


    Below is a discussion about TCP and UDP port 389 and TCP port 636; we could kindly have a check.

    https://social.technet.microsoft.com/Forums/lync/en-US/320777bb-c4f0-4091-82a3-0d86b8809fac/disable-non-secure-ldap-389?forum=winserverDS

    Hope the information is helpful. For any question, please contact us.

    Best regards,
    Hannah Xiong


  2. answered 2020-08-14T12:23:29.437+00:00
    Dave Patrick 328.8K Reputation points Microsoft MVP

    Yes, required. When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.
    If the domain was not found or the process failed, NLA will let you determine which firewall profile will be used, private or public.

    --please don't forget to Accept as answer if the reply is helpful--


  3. answered 2020-08-14T15:39:07.887+00:00
    BOURBITA Thameur 11,316 Reputation points Microsoft MVP

    Hi,

    It is not a good idea to disable 389 on a domain controller. Based on my experience, disabling the LDAP protocol can impact clients and member servers because the Netlogon service needs port 389 to communicate with the domain controller. Also, when you join a new machine to the domain, the Netlogon service will need this port.

    Below are all the required ports for the Netlogon service:

    Application protocol       Protocol   Ports
    NetBIOS Datagram Service   UDP        138 ³
    NetBIOS Name Resolution    UDP        137 ³
    NetBIOS Session Service    TCP        139 ³
    SMB                        TCP        445
    LDAP                       UDP        389
    RPC¹                       TCP        135, random port number between 1024 - 65535
                                          135, random port number between 49152 - 65535²

    Blocking port 389 is a typical thing to do on an external firewall, but is not something you would do on a domain controller.

    To get more details you can refer to the following links:

    https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

    https://learn.microsoft.com/en-us/archive/blogs/pki/implementing-ldaps-ldap-over-ssl

    Please don't forget to mark this reply as the answer if it helps you fix your issue.


  4. answered 2022-05-13T06:34:35.663+00:00
    Joseph Martin 1 Reputation point

    @BOURBITA Thameur Would I disable port 389 or move it to port 637 if the server only hosts websites?