Active Directory - Network Ports

The document provides a comprehensive guide on the necessary network ports for Active Directory communication in a Windows environment, detailing connections between Domain Controllers (DC), Read Only Domain Controllers (RODC), and Domain Members. It includes specific port numbers and protocols for various traffic types, as well as additional considerations for Privileged Access Workstations (PAW) and RPC restrictions. Furthermore, it highlights the importance of configuring firewalls and offers links to relevant resources for further assistance.

Uploaded by sikace2025

Active Directory – Network Ports

In an environment with a Tiering Model

Topics:

1. DC to DC
2. RODC to DC
3. DC to RODC
4. Domain Member to DC
5. Domain Member to RODC
6. PAW to TIER
7. RPC restrictions
8. High Level Design

For more details: LinkedIn | X
If you like this content, please make sure to follow our LinkedIn
page, as we publish resources like this frequently.

https://www.linkedin.com/company/horizon-secured/

Active Directory - Network Ports


This document will guide you through the challenging task of
opening ports in Windows environments. Although there are
many resources available online, it can be difficult to find
comprehensive information for all use cases in one place.
Additionally, some of these resources may contain
inaccuracies. This document describes the following groups of
network ports:

- DC to DC
- DC to RODC
- RODC to DC
- Domain Member to DC
- Domain Member to RODC
- PAW to TIER

1. DC to DC
This section describes the ports needed between domain
controllers (DC).

Type of Traffic                                   Protocol   Port Number
DNS                                               TCP/UDP    53
Kerberos                                          TCP        88
NTP                                               UDP        123
EPM                                               TCP        135
LDAP                                              TCP/UDP    389
DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc  TCP        445
Kerberos Change/Set Password                      TCP/UDP    464
LDAP SSL                                          TCP        636
LDAP GC                                           TCP        3268
LDAP GC SSL                                       TCP        3269
DFS-R                                             TCP        5722
LSASS                                             TCP        49152-65535

2. DC to RODC
This section describes the ports needed between a Domain
Controller (DC) and a Read Only Domain Controller (RODC).

Type of Traffic      Protocol   Port Number
EPM                  TCP        135
LDAP                 TCP        389
FrsRpc               TCP        53248

3. RODC to DC
This section describes the ports needed between a Read Only
Domain Controller (RODC) and a Domain Controller (DC).

Type of Traffic                                   Protocol   Port Number
DNS                                               TCP/UDP    53
Kerberos                                          TCP        88
NTP                                               UDP        123
EPM                                               TCP        135
LDAP                                              TCP/UDP    389
DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc  TCP        445
Kerberos Change/Set Password                      TCP/UDP    464
LDAP SSL                                          TCP        636
LDAP GC                                           TCP        3268
LDAP GC SSL                                       TCP        3269
DFS-R                                             TCP        5722
LSASS                                             TCP        49152-65535

4. Domain Member to DC
This section describes the ports needed between a Domain
Member (SRV or CLNT) and a Domain Controller (DC).

Type of Traffic                 Protocol   Port Number
DNS                             TCP/UDP    53
Kerberos                        TCP        88
NTP                             UDP        123
RPC                             TCP        135
LDAP                            TCP/UDP    389
SMB/CIFS                        TCP        445
Kerberos Change/Set Password    TCP/UDP    464
LDAP SSL                        TCP        636
LDAP GC                         TCP        3268
LDAP GC SSL                     TCP        3269
RPC Response                    TCP        49152-65535
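A quick way to verify this table from a domain member after the firewall change, as an added example that is not part of the original document (the DC name is a placeholder assumption):

```powershell
# Added example, not from the original document: probe the fixed TCP ports from
# the "Domain Member to DC" table from a domain member. The DC name is a placeholder.
$DC = 'dc01.corp.example'

# Ports listed above. Test-NetConnection only probes TCP, so the UDP side of
# DNS, NTP, LDAP and Kerberos password change is not covered by this check.
$Expected = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC (endpoint mapper)'
    389  = 'LDAP'
    445  = 'SMB/CIFS'
    464  = 'Kerberos Change/Set Password'
    636  = 'LDAP SSL'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'
}

$Results = foreach ($Port in $Expected.Keys) {
    $Probe = Test-NetConnection -ComputerName $DC -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $Port
        Service = $Expected[$Port]
        Reached = $Probe.TcpTestSucceeded
    }
}
$Results | Format-Table -AutoSize

# The "RPC Response" range (TCP 49152-65535) is allocated per call, so a probe of
# one high port proves nothing. A gap there shows up as an RPC-dependent operation
# failing even though port 135 answered; see section 7 for narrowing that range.
$Failed = @($Results | Where-Object { -not $_.Reached })
if ($Failed.Count -gt 0) {
    Write-Warning ("{0} port(s) unreachable on {1}: {2}" -f $Failed.Count, $DC, ($Failed.Port -join ', '))
}
```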


5. Domain Member to RODC


This section describes the ports needed between a Domain
Member (SRV or CLNT) and a Read Only Domain Controller
(RODC).

Type of Traffic      Protocol   Port Number
DNS                  TCP/UDP    53
Kerberos             TCP        88
RPC                  TCP        135
LDAP                 TCP/UDP    389
SMB/CIFS             TCP        445
LDAP SSL             TCP        636
RPC Response         TCP        49152-65535

6. PAW to TIER
This section describes the ports needed between a Privileged
Access Workstation (PAW) and the target TIER.

Type of Traffic      Protocol   Port Number
RDP                  TCP/UDP    3389
WinRM*               TCP        5985,5986
AD Web Services*     TCP        9389

*This depends on your needs – what do you need to manage remotely?
For example, port 9389 is for remote management of AD (Tier 0 - DC).
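Opening these ports on a Tier 0 host only toward the PAWs, rather than to any address, is what makes the table above a tiering control. The following is an added example (not from the original document) of doing that with Windows Firewall; the PAW address range and the built-in rule group names are assumptions to check on your own host.

```powershell
# Added example, not from the original document. Scopes the three management
# ports from the "PAW to TIER" table on a Tier 0 host (e.g. a DC) so that only
# PAW addresses can reach them. Run it from a console session: step 2 cuts off
# any RDP/WinRM session that does not come from a PAW address.
$PawAddresses = @('10.10.0.0/24')   # placeholder: your PAW subnet or host list

$MgmtPorts = @(
    @{ Name = 'RDP';             Protocol = 'TCP'; Port = '3389' },
    @{ Name = 'RDP';             Protocol = 'UDP'; Port = '3389' },
    @{ Name = 'WinRM';           Protocol = 'TCP'; Port = '5985-5986' },
    @{ Name = 'AD Web Services'; Protocol = 'TCP'; Port = '9389' }
)

# 1. Unsolicited inbound traffic in the Domain profile is blocked unless an
#    explicit allow rule matches. An explicit Block rule would also beat a
#    scoped Allow rule, so the scoping is done on the allow side only.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# 2. Disable the built-in any-address allow rules for the same services (group
#    names assumed as on an en-US install). Windows Firewall merges allow rules,
#    so a broad built-in rule would undo the scoping below.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object {
        $_.DisplayGroup -in @('Remote Desktop', 'Windows Remote Management') -or
        $_.DisplayName -like 'Active Directory Web Services*'
    } |
    Disable-NetFirewallRule

# 3. Re-create each port as an allow rule limited to the PAW addresses.
foreach ($p in $MgmtPorts) {
    New-NetFirewallRule -DisplayName "PAW only - $($p.Name) $($p.Protocol) $($p.Port)" `
        -Group 'Tier 0 PAW access' -Direction Inbound -Profile Domain `
        -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $PawAddresses `
        -Action Allow -Enabled True | Out-Null
}

# 4. Review what the scoped rules actually open and from where.
Get-NetFirewallRule -Group 'Tier 0 PAW access' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Protocol = $port.Protocol
        Port = $port.LocalPort; From = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```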

7. RPC Restrictions


Some services using RPC can be restricted to just a few
ports, so you do not need to open the whole RPC Dynamic
Range. As I have no experience with it on my own, I provide
just relevant links:
Restrict Active Directory RPC traffic to a specific port -
Windows Server | Microsoft Learn
Remote Procedure Call (RPC) dynamic port work with
firewalls - Windows Server | Microsoft Learn
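For readers who want to see what the first of those articles amounts to in practice, here is an added example (not from the document): pinning the two AD RPC services that otherwise use the dynamic range to fixed ports via the registry values Microsoft documents for NTDS and Netlogon. The port numbers and the DC name are placeholders.

```powershell
# Added example, not from the original document. Pins the AD replication (NTDS)
# and Netlogon RPC listeners to fixed ports so the firewall needs EPM (TCP 135)
# plus these two ports instead of the whole 49152-65535 range for them.
# Port numbers are placeholders; choose free ports outside the dynamic range.
$NtdsPort     = 38901   # placeholder: NTDS (AD replication) RPC interface
$NetlogonPort = 38902   # placeholder: Netlogon RPC interface

# Value names and types are the ones documented for these settings.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord

# Other RPC services on the DC (e.g. DFSR, certificate services) are not covered by
# these two values and still use the dynamic range unless restricted separately.

# The settings apply after the services restart (on a DC, usually a reboot).
# Afterwards the fixed ports should appear as listeners on the DC itself ...
Get-NetTCPConnection -State Listen -LocalPort $NtdsPort, $NetlogonPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# ... and be reachable from a domain member through the firewall, alongside EPM:
#   Test-NetConnection -ComputerName dc01.corp.example -Port 135    # placeholder DC
#   Test-NetConnection -ComputerName dc01.corp.example -Port 38901
```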

8. High Level Design
This HLD picture demonstrates how you could potentially
build your network for a Windows environment.

In this demonstration you can see the relations between
DCs, RODCs, Servers, Clients and PAWs. You also need to
consider opening ports for:
- Domain Member to WSUS
  - TCP 8530, TCP 8531
- Domain Member to FS
  - TCP 445
- Domain Member to KMS
  - TCP 1688
- Domain Member to CA
  - TCP 135, TCP 49152 - 65535
- Domain Member to DHCP
  - UDP 67,68
- AADC to “internet”
  - TCP 80,443
- DC DNS to “internet”
  - TCP/UDP 53
These services are not described here in more detail, as
everybody uses a different set of services in a different
configuration.

Relevant URLs

Configure firewall for AD domain and trusts - Windows Server |
Microsoft Learn

Designing RODCs in the Perimeter Network | Microsoft Learn

Enjoyed This Content?

We have courses with similar insights and some of
them are FREE:
https://horizon-secured.com/courses/

Stay up to date with the Horizon Alert Newsletter:
https://horizon-secured.com/newsletter/

We appreciate your support!
