TCP and UDP ports required for communication between Domain Controllers and Windows clients

abraham flores 241 Reputation points
2022-06-24T01:01:33.327+00:00

I need to open ports for the communication between DC and Windows clients. What I understand from this article: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts is that I just need to open these ports: 53, 49152-65535.

Is that correct? I am not sure if I need to open ports like LDAP, W32Time, Kerberos and the rest of the ports on the article.

Active Directory

Accepted answer
  1. Limitless Technology 39,356 Reputation points
    2022-06-24T14:32:03.013+00:00

    Hello anonymous user,

    Based upon the information provided:

    You'll find the list of all ports over here:

    Service overview and network port requirements for Windows

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

    How to configure a firewall for Active Directory domains and trusts

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

    Also, below are the commonly required ports to communicate with DCs:

    •UDP Port 88 for Kerberos authentication
    •UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations
    •TCP Port 139 and UDP 138 for File Replication Service between domain controllers
    •UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers
    •TCP and UDP Port 445 for Replication, User and Computer Authentication, Group Policy
    •TCP and UDP Port 464 for Kerberos Password Change
    •TCP Port 3268 and 3269 for Global Catalog from client to domain controller
    •TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller

    The ephemeral ports are required:
    •TCP & UDP 1025-5000
    •TCP & UDP 49152-65535

    See if it helps.

    Thank you

    ------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

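As an added example (not part of the accepted answer or of Microsoft's documentation), the following PowerShell script checks the client-to-DC ports listed above from a domain-joined Windows client: it locates the DCs through the `_ldap._tcp.dc._msdcs` SRV record (which itself exercises DNS on port 53), probes each listed TCP port on each DC, then makes a real Kerberos ticket request and a Netlogon secure-channel test so the protocols are verified end to end rather than only the sockets. Assumptions: Windows 8/Server 2012 or later (the DnsClient and NetTCPIP modules are built in), run from an elevated prompt, and the `$Domain` parameter defaults to the machine's own domain taken from `$env:USERDNSDOMAIN`. `Test-NetConnection` only probes TCP, so the UDP side of DNS, Kerberos and LDAP is not covered by the port scan.

```powershell
# Added example (not from the original answer). Verifies the listed client-to-DC ports
# from a domain-joined Windows client. Assumes PowerShell 5.1+ on Windows 8/2012 or later,
# an elevated session, and that the machine's own domain is the one to test.

function Test-DcClientPorts {
    param(
        [string]$Domain = $env:USERDNSDOMAIN   # assumption: probe the machine's own domain
    )

    # Client-to-DC TCP ports from the accepted answer. Test-NetConnection probes TCP only,
    # so the UDP side of 53/88/389/464 is not exercised here.
    $tcpPorts = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper (a dynamic port 49152-65535 follows)'
        389  = 'LDAP'
        445  = 'SMB: SYSVOL/NETLOGON, Group Policy'
        464  = 'Kerberos password change'
        3268 = 'Global Catalog LDAP'
        3269 = 'Global Catalog LDAP over SSL'
    }

    # Step 1: DNS (port 53). The SRV lookup is the first thing any domain client does;
    # if this fails, nothing else matters.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object Type -eq 'SRV'
    $dcs = $srv.NameTarget | Sort-Object -Unique
    Write-Host "DCs from DNS SRV: $($dcs -join ', ')"

    # Step 2: TCP reachability of each listed port on each DC.
    $results = foreach ($dc in $dcs) {
        foreach ($port in $tcpPorts.Keys) {
            $open = Test-NetConnection -ComputerName $dc -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC      = $dc
                Port    = $port
                Service = $tcpPorts[$port]
                TcpOpen = $open
            }
        }
    }

    # Step 3: protocol-level checks, not just socket checks.
    # 'klist get' requests a service ticket, which needs a reachable KDC on port 88.
    $klistText  = (& klist.exe get "krbtgt/$Domain") -join "`n"
    $kerberosOk = $klistText -notmatch 'klist failed'
    # Test-ComputerSecureChannel validates the machine's Netlogon secure channel to a DC
    # (Netlogon RPC over the SMB named pipe, i.e. port 445).
    $secureChannelOk = Test-ComputerSecureChannel

    [pscustomobject]@{
        Domain            = $Domain
        DomainControllers = $dcs
        PortResults       = $results
        KerberosTicket    = $kerberosOk
        SecureChannel     = $secureChannelOk
    }
}

$r = Test-DcClientPorts
$r.PortResults | Format-Table DC, Port, Service, TcpOpen -AutoSize
$r.PortResults | Where-Object { -not $_.TcpOpen } |
    ForEach-Object { Write-Warning "$($_.DC): TCP $($_.Port) ($($_.Service)) is blocked" }
"Kerberos ticket request OK: $($r.KerberosTicket); secure channel OK: $($r.SecureChannel)"
```

A blocked port shows up as a warning per DC, and a failing Kerberos or secure-channel check with all TCP ports open points at a UDP or dynamic-port (49152-65535) problem rather than at the fixed ports.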

3 additional answers

  1. Dave Patrick 426.1K Reputation points MVP
    2022-06-24T01:28:15.047+00:00

    The ports listed here are correct. All domain members should get the domain network firewall profile. No additional ports are required to open for domain controller to member communications.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
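As an added example (not part of the answer above), this PowerShell snippet checks the two things that answer relies on: that every connected interface is classified as DomainAuthenticated so the Domain firewall profile applies, and, on a domain controller, which inbound ports the built-in "Active Directory Domain Services" rule group already opens, so that nothing beyond those rules needs to be added by hand. Assumptions: Windows 8/Server 2012 or later (NetSecurity module) and an elevated session; the rule group name is the one Windows assigns when the AD DS role is installed.

```powershell
# Added example (not from the original answer). Confirms the Domain firewall profile is in
# use and lists the inbound ports the AD DS role's own firewall rules open on a DC.
# Assumes Windows 8/2012 or later and an elevated session.

function Get-DomainFirewallStatus {
    # On a domain member every connected interface should be DomainAuthenticated.
    # A Public or Private category means the Domain profile (and its AD rules) is not
    # applied on that interface.
    $interfaces = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, NetworkCategory,
            @{ n = 'IsDomain'; e = { $_.NetworkCategory -eq 'DomainAuthenticated' } }

    $domainProfile = Get-NetFirewallProfile -Name Domain |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

    # The AD DS role installs this rule group on a DC; on a non-DC it does not exist.
    $adRules = Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' `
                   -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    $adPorts = foreach ($rule in $adRules) {
        $pf = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')   # e.g. 389, or RPC / RPC-EPMap for dynamic ports
            Profile   = $rule.Profile
        }
    }

    [pscustomobject]@{
        Interfaces     = $interfaces
        DomainProfile  = $domainProfile
        AdInboundRules = $adPorts
    }
}

$s = Get-DomainFirewallStatus
$s.Interfaces | Format-Table -AutoSize
$s.Interfaces | Where-Object { -not $_.IsDomain } |
    ForEach-Object { Write-Warning "$($_.InterfaceAlias) is $($_.NetworkCategory), not DomainAuthenticated" }
$s.DomainProfile | Format-List
if ($s.AdInboundRules) {
    $s.AdInboundRules | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
} else {
    'No enabled "Active Directory Domain Services" inbound rules: this host is not a DC, or the group is disabled.'
}
```

The LocalPort column on a DC shows the fixed ports (53, 88, 135, 389, 445, 464, 3268, 3269 and others) together with the RPC and RPC-EPMap entries that cover the dynamic range, which is why the accepted answer's ephemeral ports do not need separate rules on the DC itself.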


  2. GeorgiePorgie 15 Reputation points
    2023-08-30T16:52:22.19+00:00

    The answer is not provided. The question is between DC and client. The answer contains "TCP Port 139 and UDP 138 for File Replication Service between domain controllers". This invalidates the entire answer, as it does not address the question, which is DC to client and not DC to DC, which is different.


  3. 2024-02-29T20:10:49.6266667+00:00

    Hi abraham flores, good day. Were you able to resolve your question about ports? You can specify exactly the required ports from client to domain controllers. Additionally, you can use a packet sniffer such as Wireshark, etc.
