Overview of Windows Communication Ports
Understanding Windows communication ports is essential for system administrators and IT professionals. This guide provides an overview of the most commonly used ports in Windows environments, their purposes, and best practices for managing them.
This guide contains port requirements for various Active Directory® and Active Directory Domain Services (AD DS) components. Both writable domain controllers and read-only domain controllers (RODCs) have the same port requirements.
For a complete list of ports used by Active Directory Domain Services, refer to the official Microsoft documentation.
Active Directory and Windows Communication Ports
| Port | Protocol | AD and AD DS Usage | Type of Traffic |
|---|---|---|---|
| 25 | TCP | Replication | SMTP |
| 53 | Both | User and Computer Authentication, Name Resolution, Trusts | DNS |
| 88 | Both | User and Computer Authentication, Forest Level Trusts | Kerberos |
| 123 | UDP | Windows Time, Trusts | Windows Time |
| 135 | TCP | Replication, Windows Management Instrumentation (WMI) | RPC, EPM, WMI |
| 137 | UDP | User and Computer Authentication | NetLogon, RPC, NetBIOS Name Resolution |
| 138 | UDP | DFS, Group Policy | NetLogon, RPC, DFSN, NetBIOS Datagram Service |
| 139 | TCP | User and Computer Authentication, Replication, Performance Logs & Alerts | NetLogon, RPC, DFSN, NetBIOS Session Service |
| 389 | Both | Directory, Replication, User and Computer Authentication, Group Policy, Trusts, DClocator | LDAP, NetLogon |
| 443 | TCP | SSL authentication | SSL |
| 445 | Both | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, SMB3, DFSN, LSARPC, NbtSS, NetLogonR, RPC, SamR, SrvSvc |
| 464 | Both | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
| 500 | UDP | IPsec ISAKMP | IPsec |
| 636 | TCP | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| 67 and 2535 | UDP | DHCP (not a core AD DS service, but often present in AD DS deployments) | DHCP, MADCAP |
| 3268 | TCP | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| 3269 | TCP | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| 5722 | TCP | File Replication (used on Windows Server 2008 and 2008 R2) | RPC, DFSR (SYSVOL) |
| 5985 | TCP | WinRM | Windows Remote Management |
| 5986 | TCP | WinRM secure | Secure Windows Remote Management |
| 9389 | TCP | AD DS Web Services, Active Directory Management Gateway Service | SOAP |
| 33535–49151 | Both | CommVault AD plugin | |
| Dynamic (Ephemeral) (49152–65535) | TCP | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| Dynamic (Ephemeral) (49152–65535) | UDP | Group Policy | DCOM, RPC, EPM |
Above is the list of common ports used by Active Directory and Active Directory Domain Services. Properly configuring and managing these ports is crucial for maintaining a secure and efficient Windows environment.
Domain Controllers replication ports
Domain controllers use several ports for replication purposes. Ensuring these ports are open and properly configured is vital for the health of your Active Directory environment.
Below is a diagram illustrating the key ports used for domain controller replication:
The primary ports used for domain controller replication include:
- TCP/UDP 53: Used for name resolution (DNS).
- TCP/UDP 88: Used for Kerberos authentication.
- TCP/UDP 135: Used for RPC endpoint mapping.
- TCP 389: LDAP port for directory services.
- TCP 636: Secure LDAP (LDAPS) port.
- TCP 445: SMB port for file sharing and replication.
- TCP 3268: LDAP Global Catalog port.
- TCP 3269: Secure LDAP Global Catalog port.
- Ephemeral Ports (49152-65535): Used for various replication tasks.
Active Directory Authentication Ports
Active Directory authentication relies on several key ports to facilitate secure communication between clients and domain controllers. Proper configuration of these ports is essential for ensuring reliable authentication services.
The main ports used for Active Directory authentication include:
- TCP/UDP 53: Used for name resolution (DNS).
- TCP/UDP 88: Kerberos authentication.
- TCP/UDP 389: LDAP for directory services.
- TCP 445: SMB port for file sharing and replication.
- TCP/UDP 464: Kerberos password change.
- TCP 636: Secure LDAP (LDAPS).
- Ephemeral Ports (49152-65535): Used for various authentication tasks.
Active Directory Distributed File System (DFS) Ports
Active Directory DFS relies on several key ports to facilitate file replication and access across the network. Proper configuration of these ports is essential for ensuring reliable DFS services.
The main ports used for Active Directory DFS include:
- TCP 135: Used for RPC endpoint mapping.
- TCP 138: Datagram service mapping (DFSN).
- TCP 139: ADWS (Active Directory Web Services).
- TCP/UDP 389: LDAP for directory services.
- TCP 445: SMB port for file sharing and replication.
- TCP 636: Secure LDAP (LDAPS).
- Ephemeral Ports (49152-65535): Used for various DFS tasks.
Active Directory Event Logs Ports
Active Directory event logs rely on several key ports to facilitate logging and monitoring across the network. Proper configuration of these ports is essential for ensuring reliable event logging services.
The main ports used for Active Directory Event Logs include:
- TCP 137: Used for NETLOGON.
- TCP 138: Datagram service mapping (DFSN).
- TCP 139: ADWS (Active Directory Web Services).
- TCP 445: SMB port for file sharing and replication.
Active Directory Group Policy Ports
Active Directory Group Policy relies on several key ports to facilitate policy application and management across the network. Proper configuration of these ports is essential for ensuring reliable Group Policy services.
The main ports used for Active Directory Group Policy include:
- TCP 135: Used for RPC endpoint mapping.
- TCP/UDP 389: LDAP for directory services.
- TCP 445: SMB port for file sharing and replication.
- TCP 636: Secure LDAP (LDAPS).
- Ephemeral Ports (49152-65535): Used for various Group Policy tasks.
Active Directory Kerberos Key Distribution Center (KDC) Ports
Active Directory Kerberos KDC relies on several key ports to facilitate secure authentication across the network. Proper configuration of these ports is essential for ensuring reliable Kerberos services.
The main ports used for Active Directory Kerberos KDC include:
- TCP 88: Kerberos authentication.
- TCP/UDP 389: LDAP for directory services.
- TCP 464: Kerberos password change.
- TCP 636: Secure LDAP (LDAPS).
Active Directory NetLogon Ports
Active Directory NetLogon relies on several key ports to facilitate secure authentication and logon services across the network. Proper configuration of these ports is essential for ensuring reliable NetLogon services.
The main ports used for Active Directory NetLogon include:
- TCP/UDP 135: Used for RPC endpoint mapping.
- TCP/UDP 389: LDAP for directory services.
- TCP 445: SMB port for file sharing and replication.
- TCP 636: Secure LDAP (LDAPS).
- Ephemeral Ports (49152-65535): Used for various NetLogon tasks.
Active Directory Remote Procedure Call (RPC) Ports
Active Directory RPC relies on several key ports to facilitate remote communication and management services across the network. Proper configuration of these ports is essential for ensuring reliable RPC services.
The main ports used for Active Directory RPC include:
- TCP/UDP 135: Used for RPC endpoint mapping.
- TCP 137: Used for NETLOGON.
- TCP 138: Datagram service mapping (DFSN).
- TCP 139: ADWS (Active Directory Web Services).
- TCP 445: SMB port for file sharing and replication.
Active Directory Certificate Ports
Certificate usage in Active Directory relies on several key ports to facilitate secure certificate operations across the network. Proper configuration of these ports is essential for ensuring reliable certificate services.
The main ports used for Active Directory certificate services include:
- TCP/UDP 135: Used for RPC endpoint mapping.
- TCP 139: ADWS (Active Directory Web Services).
- TCP 445: SMB port for file sharing and replication.
- Ephemeral Ports (49152-65535): Used for various tasks.
Comprehensive Port List for Domain Controllers and RODCs
For a detailed and comprehensive list of ports used by Domain Controllers and Read-Only Domain Controllers (RODCs), please refer to the official Microsoft documentation or trusted IT resources. Properly managing these ports is crucial for maintaining a secure and efficient Active Directory environment.
The following table provides a comprehensive overview of port requirements for Domain Controllers and Read-Only Domain Controllers (RODC), showing which protocols (TCP/UDP) are used by each service.
| Service | Port | Domain Controller (TCP) | Domain Controller (UDP) | RODC (TCP) | RODC (UDP) |
|---|---|---|---|---|---|
| DNS | 53 | ||||
| DHCP | 67 | - | - | - | |
| Kerberos | 88 | ||||
| Time, trust | 123 | - | - | ||
| RPC, WMI | 135 | - | - | ||
| Netlogon | 137 | - | - | ||
| Netlogon, RPC, DFSN, NetBIOS Datagram Service | 138 | - | - | ||
| Netlogon, RPC, DFSN, NetBIOS Session Service | 139 | - | - | ||
| SNMP | 161 | - | - | ||
| LDAP, Netlogon | 389 | ||||
| SSL | 443 | - | - | ||
| SMB, Netlogon, RPC | 445 | ||||
| Kerberos Set-Change PWD | 464 | ||||
| IPsec ISAKMP | 500 | - | - | ||
| LDAPS | 636 | - | - | ||
| Legacy RADIUS | 1645-1646 | - | - | - | |
| RADIUS Accounting | 1812 | - | - | - | |
| RADIUS Authentication | 1813 | - | - | - | |
| DHCP MADCAP | 2535 | - | - | - | |
| LDAP GC | 3268 | - | - | ||
| LDAP GC SSL | 3269 | - | - | ||
| RDP | 3389 | - | - | ||
| File Replication (Win2008 only) | 5722 | - | - | ||
| WinRM | 5985 | - | - | ||
| WinRM secure | 5986 | - | - | ||
| AD Web Services | 9389 | - | - | ||
| FrsRpc | 53284 | - | - | ||
| CommVault AD Plugin | 33535-49151 | - | - | ||
| Ephemeral ports (Dynamic) | 49152-65535 | ||||
Ephemeral Ports (Dynamic Ports)
Ephemeral ports, also known as dynamic ports, are temporary ports assigned by the operating system to client applications when they initiate a connection. These ports are typically used for the duration of a single session and are released back to the pool of available ports when the session ends.
The following table shows client-to-server port communication: the ephemeral port ranges that clients use when communicating with specific server ports and services:
| Client Port(s) | Server Port | Service |
|---|---|---|
| 49152-65535/UDP | 123/UDP | W32Time |
| 49152-65535/TCP | 135/TCP | RPC Endpoint Mapper |
| 49152-65535/TCP | 464/TCP/UDP | Kerberos password change |
| 49152-65535/TCP | 49152-65535/TCP | RPC for LSA, SAM, Netlogon (*) |
| 49152-65535/TCP/UDP | 389/TCP/UDP | LDAP |
| 49152-65535/TCP | 636/TCP | LDAP SSL |
| 49152-65535/TCP | 3268/TCP | LDAP GC |
| 49152-65535/TCP | 3269/TCP | LDAP GC SSL |
| 53, 49152-65535/TCP/UDP | 53/TCP/UDP | DNS |
| 49152-65535/TCP | 49152-65535/TCP | FRS RPC (*) |
| 49152-65535/TCP/UDP | 88/TCP/UDP | Kerberos |
| 49152-65535/TCP/UDP | 445/TCP | SMB |
| 49152-65535/TCP | 49152-65535/TCP | DFSR RPC (*) |
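As an added example that is not part of the original page, the client-server table above is turned into a check a defender can run over connection records: each flow's client and server ports are matched against the rows, written in the page's own ports/PROTO notation, and any flow that fits no documented AD DS exchange is reported. The sample flows are constructed; the three dynamic-to-dynamic RPC rows share one port range and are told apart only by table order.

```python
# Added example, not from the page: check member-to-DC flows against the table above.
AD_EXCHANGES = [  # (client spec, server spec, service) in the table's order; first match wins
    ("49152-65535/UDP", "123/UDP", "W32Time"),
    ("49152-65535/TCP", "135/TCP", "RPC Endpoint Mapper"),
    ("49152-65535/TCP", "464/TCP/UDP", "Kerberos password change"),
    ("49152-65535/TCP", "49152-65535/TCP", "RPC for LSA, SAM, Netlogon"),
    ("49152-65535/TCP/UDP", "389/TCP/UDP", "LDAP"),
    ("49152-65535/TCP", "636/TCP", "LDAP SSL"),
    ("49152-65535/TCP", "3268/TCP", "LDAP GC"),
    ("49152-65535/TCP", "3269/TCP", "LDAP GC SSL"),
    ("53, 49152-65535/TCP/UDP", "53/TCP/UDP", "DNS"),
    ("49152-65535/TCP", "49152-65535/TCP", "FRS RPC"),
    ("49152-65535/TCP/UDP", "88/TCP/UDP", "Kerberos"),
    ("49152-65535/TCP/UDP", "445/TCP", "SMB"),
    ("49152-65535/TCP", "49152-65535/TCP", "DFSR RPC"),
]

def parse_spec(spec):
    """'53, 49152-65535/TCP/UDP' -> ({(53, 53), (49152, 65535)}, {'TCP', 'UDP'})."""
    ports, *protos = spec.split("/")
    ranges = set()
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.add((int(lo), int(hi or lo)))
    return ranges, {p.upper() for p in protos}

def matches(spec, port, proto):
    """True when the port falls in one of the spec's ranges and the protocol is listed."""
    ranges, protos = parse_spec(spec)
    return proto.upper() in protos and any(lo <= port <= hi for lo, hi in ranges)

def classify_flow(proto, client_port, server_port):
    """Name the documented exchange a flow fits (protocol allowed by both columns), else None."""
    for client_spec, server_spec, service in AD_EXCHANGES:
        if matches(client_spec, client_port, proto) and matches(server_spec, server_port, proto):
            return service
    return None

# Constructed sample flows toward a domain controller: (proto, client port, server port).
SAMPLE_FLOWS = [
    ("TCP", 51234, 389),    # LDAP from a Windows dynamic-range client port
    ("UDP", 53, 53),        # DNS with source port 53, which the table allows
    ("TCP", 50001, 50002),  # RPC over the dynamic range after the endpoint-mapper lookup
    ("UDP", 60000, 88),     # Kerberos
    ("TCP", 50010, 3389),   # RDP to the DC: not an AD DS exchange, so it is reported
    ("TCP", 1030, 445),     # SMB from the old 1025-5000 dynamic range (KB 929851): reported
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify_flow(*flow) or "NOT IN TABLE")
```

Hosts still using the pre-Vista 1025-5000 dynamic range are reported as undocumented, which is exactly the mismatch the KB 929851 reference in the list below describes.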
Management and other ports
In addition to the core Active Directory ports, there are several management and auxiliary ports that are important for maintaining and administering Active Directory environments. These ports facilitate various management tasks, remote administration, and additional services that support Active Directory operations.
| Port | Protocol | AD and AD DS Usage |
|---|---|---|
| 135 | TCP | Windows Management Instrumentation (WMI) |
| 161 | UDP | Simple Network Management Protocol (SNMP) |
| 443 | TCP | Certificate-Based Authentication |
| 500 | UDP | IPsec ISAKMP |
| 593 | TCP | RPC over HTTPS |
| 1812 | UDP | RADIUS Authentication |
| 1813 | UDP | RADIUS Accounting |
| 1900 | UDP | SSDP (Discovery Service) |
| 2869 | TCP | SSDP Event Notification (Discovery Service) |
| 2869 | TCP | UPnP |
| 3343 | UDP and DTLS | Cluster Service |
| 3343 | TCP | Cluster Service, Hyper-V Cluster Server Traffic |
| 3389 | TCP | Terminal Services / Remote Desktop Protocol |
| 4011 | UDP | BINL Remote Installation |
| 5000 | TCP | SSDP legacy event notification (Discovery Service) |
| 5985 | TCP | WinRM 2.0 HTTP (WSMan) |
| 5986 | TCP | WinRM 2.0 HTTPS (WSMan) |
| 6600 | TCP | Hyper-V Live Migration |
| 9389 | TCP | Active Directory Web Services (ADWS), Active Directory Management Gateway Service |
| 42424 | TCP | ASP.NET Session State |
| 1645-1646 | UDP | Legacy RADIUS |
| 8530-8531 | TCP | WSUS |
References
The following official resources provide detailed guidance on Windows port requirements, RPC dynamic ports, and Active Directory firewall considerations.
- Service overview and network port requirements for Windows
- How to configure a firewall for Active Directory domains and trusts
- Active Directory and Active Directory Domain Services Port Requirements (previous versions)
- How to configure RPC dynamic port allocation to work with firewalls
- Restrict Active Directory RPC traffic to a specific port
- The default dynamic port range for TCP/IP has changed (KB 929851)
- Remote Procedure Call (RPC) errors troubleshooting guidance
- Installation and Configuration for Windows Remote Management (WinRM)
- IANA Service Name and Port Number Registry