question

0 Votes
VyasPrab-8284 asked, GaryReynolds commented

Is port 389 on AD in any way used or required when a new client queries via secure LDAP?

I do know port 389 is required on AD for existing user logins, replication, etc., so we cannot block port 389 on AD.
But what I would like to clarify is whether port 389 (incoming) on AD is in any form useful for a new client to query / join AD via LDAPS.

windows-active-directory

1 Vote
DSPatrick answered

Besides NLA that I mentioned (uses DC Locator), port 389 is used by the following:

Port  Protocol  Application protocol  System service
389   TCP       LDAP Server           Local Security Authority
389   UDP       DC Locator            Local Security Authority
389   TCP       LDAP Server           Distributed File System Namespaces
389   UDP       DC Locator            Distributed File System Namespaces
389   UDP       DC Locator            Netlogon
389   UDP       DC Locator            Kerberos Key Distribution Center
389   TCP       LDAP Server           Distributed File System Replication
389   UDP       DC Locator            Distributed File System Replication


--please don't forget to Accept as answer if the reply is helpful--







0 Votes
HannahXiong-MSFT answered, VyasPrab-8284 commented

Hello,

Thank you so much for posting here.

According to this official document: Active Directory and Active Directory Domain Services Port Requirements
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

LDAP TCP and UDP port 389 is used for Directory, Replication, User and Computer Authentication, Group Policy, and Trusts. As you mentioned, we could not block port 389 on AD. For LDAPS (LDAP over SSL), TCP 636 is used for Directory, Replication, User and Computer Authentication, Group Policy, and Trusts.



Below is a discussion about TCP and UDP port 389 and TCP port 636. We could kindly have a check.

https://social.technet.microsoft.com/Forums/lync/en-US/320777bb-c4f0-4091-82a3-0d86b8809fac/disable-non-secure-ldap-389?forum=winserverDS

Hope the information is helpful. For any question, please contact us.


Best regards,
Hannah Xiong




Thanks for that information.
I am aware that port 389 is required for those operations you listed in AD.

My question is whether port 389 on the AD server has any importance "when a client is querying and joining the domain via secure LDAP".

Is there any sort of incoming request that needs to come from the client to port 389 on the AD, which is required for the LDAPS (LDAP over SSL) join to complete?

Or does a new client only need to communicate with port 636 on the AD to join via LDAPS?

0 Votes
0 Votes
DSPatrick answered, VyasPrab-8284 commented

Yes, required. When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing the correct ports), and we cannot change the network location profile.
If the domain was not found or the process failed, NLA will let you determine which firewall profile will be used, private or public.


--please don't forget to Accept as answer if the reply is helpful--







Thanks DSPatrick. But isn't NLA only required for RDP? Or is it required for LDAP(S) configuration as well?

And will disabling port 389 on an external firewall also result in failing to configure LDAPS for a client?

0 Votes
0 Votes
Thameur-BOURBITA answered

Hi,

It is not a good idea to disable 389 on a domain controller. Based on my experience, disabling the LDAP protocol can impact clients and member servers because the Netlogon service needs port 389 to communicate with the domain controller. Also, when you join a new machine to the domain, the Netlogon service will need this port.

Below are all the ports required by the Netlogon service:


Application protocol      Protocol  Ports
NetBIOS Datagram Service  UDP       138 ³
NetBIOS Name Resolution   UDP       137 ³
NetBIOS Session Service   TCP       139 ³
SMB                       TCP       445
LDAP                      UDP       389
RPC ¹                     TCP       135, random port number between 1024 - 65535
                                    135, random port number between 49152 - 65535 ²

Blocking port 389 is a typical thing to do on an external firewall, but is not something you would do on a domain controller.

To get more details you can refer to the following links:

https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

https://docs.microsoft.com/en-us/archive/blogs/pki/implementing-ldaps-ldap-over-ssl


Please don't forget to mark this reply as the answer if it helps you fix your issue.
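The following client-side check is added here as an example; it is not code from any of the posters above. It ties together the two port lists in this thread (the 389 TCP/UDP users and the Netlogon port set): it tests the TCP ports a join needs, performs a real TLS handshake on 636 rather than just a socket open, and then runs the DC Locator, whose LDAP ping travels over UDP 389 and is therefore invisible to any TCP-only test. The DC name dc01.corp.example and the domain corp.example are placeholders to replace with your own.

```powershell
# Added example, not from the thread. dc01.corp.example / corp.example are
# assumed placeholder names; pass your own DC and domain as parameters.
param(
    [string]$DomainController = 'dc01.corp.example',   # assumption
    [string]$DomainName       = 'corp.example'         # assumption
)

# 1. TCP ports named in the thread for LDAP, LDAPS and the Netlogon / join path.
$tcpPorts = [ordered]@{
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB'
    636 = 'LDAPS'
}
foreach ($entry in $tcpPorts.GetEnumerator()) {
    # -InformationLevel Quiet returns a plain $true/$false for the TCP connect.
    $open = Test-NetConnection -ComputerName $DomainController -Port $entry.Key `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,5}/tcp {1,-22} {2}' -f $entry.Key, $entry.Value, $(if ($open) { 'open' } else { 'BLOCKED' })
}

# 2. Real TLS handshake on 636. Certificate validation is left at the .NET default
#    chain check, so a DC certificate the client does not trust fails here exactly
#    as it would for an LDAPS bind.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DomainController, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    'LDAPS handshake OK: {0}, subject {1}, expires {2:d}' -f $ssl.SslProtocol, $cert.Subject, $cert.NotAfter
    $ssl.Dispose()
}
catch {
    "LDAPS handshake FAILED: $($_.Exception.Message)"
}
finally {
    $tcp.Dispose()
}

# 3. DC Locator. nltest drives the same DsGetDcName path that Netlogon and NLA use;
#    after the DNS SRV lookup it sends the LDAP ping to UDP 389, which nothing in
#    step 1 exercises. /force bypasses the locator cache so a stale cached DC does
#    not hide a newly blocked port.
$locator = nltest /dsgetdc:$DomainName /force 2>&1
if ($LASTEXITCODE -eq 0) {
    $dcLine = $locator | Select-String 'DC:' | Select-Object -First 1
    'DC Locator OK: ' + $dcLine.Line.Trim()
}
else {
    'DC Locator FAILED (check DNS SRV records, then UDP 389 to the DC):'
    $locator
}
```

Run it from the prospective client before and after changing the firewall rule: a box that blocks only TCP 389 will still pass step 2, which is why the TLS test alone is misleading, while step 3 is what actually decides whether the join and the domain firewall profile come up.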


0 Votes
JosephMartin-1397 answered, GaryReynolds commented

@Thameur-BOURBITA Would I disable port 389 or move it to port 637 if the server only hosts websites?



Port 389 is only active if the Active Directory role is installed and DCPromo has been performed. If the server only has the website role, then you don't need to block 389.

Gary.

0 Votes