Firewall Ports Required to Join AD Domain

Refer to the lab below on the testing done to verify Firewall Ports Required to Join AD Domain

Components in this lab

  • Windows 10 Machine – 172.16.1.200
  • Windows 2019 AD Domain Controller – 10.10.10.200
  • Firewall Policy in PfSense
  1. Block Access from 172.16.1.0/24 to 10.10.10.0/24
  2. Block Access from 10.10.10.0/24 to 172.16.1.0/24

The Firewall Ports will be opened one by one from 172.16.1.0/24 to 10.10.10.0/24 to verify the actual ports required

Firewall Ports required to join AD Domain (Minimum)

Windows 10 Client can join to Windows 2019 AD Domain with the following Ports allow in Firewall

  • TCP 88 (Kerberos Key Distribution Center)
  • TCP 135 (Remote Procedure Call)
  • TCP 139 (NetBIOS Session Service)
  • TCP 389 (LDAP)
  • TCP 445 (SMB,Net Logon)
  • UDP 53 (DNS)
  • UDP 389 (LDAP, DC Locator, Net Logon)
  • TCP 49152-65535 (Randomly allocated high TCP ports)

Without TCP High Ports open

The following Message appear even join to domain successfully and there is a lot of TCP high ports are blocked in Firewall

  • Group Policy cannot be applied
  • It take very long time to for computer to startup and login to domain successfully

Optional Ports

  • UDP 123 (NTP)
  • TCP 53 (DNS)
  • TCP 464 ( Kerberos Password V5 – Used when user change their password from desktop)
  • UDP 137 (NetBIOS Name Resolution)
  • UDP 138 (NetBIOS Datagram Service)
  • TCP 636 (LDAP SSL)
  • UDP 636 (LDAP SSL)
  • TCP 3268 (Global Catalog)

Without TCP 464 Open

User can still change their password successfully even thought TCP 464 is blocked in Firewall

Firewall Rules in pfesense Firewall

The following Firewall Rule is created

  1. Traffics from WIN10 (172.16.1.200) to AD Domain Controller (10.10.10.200)

Firewall ports required to join AD Domain

  1. Traffics from AD Domain Controller (10.10.10.200) to WIN10 (172.16.1.200) – All Block

Leave a Comment