Is port 389 on AD in anyway used or required when a new client queries via secure LDAP?

Question

I do know port 389 is required on AD for existing user logins, replications etc. so we cannot block port 389 on AD.
But what I would like to clarify is if port 389(incoming) on AD is in any form useful for a new client to query / join AD via LDAPs?

Answer 1

Besides NLA that I mentioned (uses DC locator);
389 TCP LDAP Server Local Security Authority
389 UDP DC Locator Local Security Authority
389 TCP LDAP Server Distributed File System Namespaces
389 UDP DC Locator Distributed File System Namespaces
389 UDP DC Locator Netlogon
389 UDP DC Locator Kerberos Key Distribution Center
389 TCP LDAP Server Distributed File System Replication
389 UDP DC Locator Distributed File System Replication

--please don't forget to Accept as answer if the reply is helpful--

Answer 2

Hello,

Thank you so much for posting here.

According to this official document: Active Directory and Active Directory Domain Services Port Requirements
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

LDAP TCP and UDP port 389 is used for Directory, Replication, User and Computer Authentication, Group Policy, Trusts. As you mentioned, we could not block port 389 on AD. For LDAPs (LDAP SSL), TCP 636 is used for Directory, Replication, User and Computer Authentication, Group Policy, Trusts.

Below are the discussion about the TCP and UDP port 389 and TCP port 636. We could kindly have a check.

https://social.technet.microsoft.com/Forums/lync/en-US/320777bb-c4f0-4091-82a3-0d86b8809fac/disable-non-secure-ldap-389?forum=winserverDS

Hope the information is helpful. For any question, please contact us.

Best regards,
Hannah Xiong

Answer 3

Yes, required. When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.
If the domain was not found or process failed, NLA will let you to determine which firewall profile will be used, private or public.

--please don't forget to Accept as answer if the reply is helpful--

Answer 4

Hi,

It is not good idea to disable 389 on domain controller. Based on my experience , disable the LDAP protocole , can impact client and member server because netlogon service need the port 389 to communicate with domain controller . Also when you join a new machine to domain netlogon service will need this port.

Below all required port for Netlogon service:

Application protocol Protocol Ports
NetBIOS Datagram Service UDP 138 ³
NetBIOS Name Resolution UDP 137 ³
NetBIOS Session Service TCP 139 ³
SMB TCP 445
LDAP UDP 389
RPC¹ TCP 135, random port number between 1024 - 65535
135, random port number between 49152 - 65535²

Blocking port 389 is a typical thing to do on an external firewall, but is not something you would do on a domain controller.

To get more details you can refer to the following links:

https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

https://learn.microsoft.com/en-us/archive/blogs/pki/implementing-ldaps-ldap-over-ssl

Please don't forget to mark this reply as answer if it help you to fix your issue

Answer 5

@Thameur-BOURBITA Would I disable port 389 or move it to port 637 if the server only hosts websites?