Firewall Ports Required to Join AD Domain

The lab below documents the testing done to verify which firewall ports are required to join an AD domain.

Components in this lab

  • Windows 10 Machine – 172.16.1.200
  • Windows 2019 AD Domain Controller – 10.10.10.200
  • Firewall Policy in PfSense
  1. Block Access from 172.16.1.0/24 to 10.10.10.0/24
  2. Block Access from 10.10.10.0/24 to 172.16.1.0/24

The firewall ports are opened one by one from 172.16.1.0/24 to 10.10.10.0/24 to verify which ports are actually required.

Firewall Ports required to join AD Domain (Minimum)

A Windows 10 client can join a Windows 2019 AD domain with the following ports allowed in the firewall.

Without TCP High Ports open

Even though the domain join itself succeeds, the following problems appear when the TCP high ports are blocked in the firewall:

  • Group Policy cannot be applied
  • It takes a very long time for the computer to start up and log in to the domain

Optional Ports

Without TCP 464 Open

Users can still change their password successfully even though TCP 464 is blocked in the firewall.
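The post's approach is to open rules one at a time and retry the join. A client-side reachability check makes each step faster to verify. The script below is an added example, not part of the original post or of pfSense; it assumes the lab's domain controller address (10.10.10.200), and its port list is the standard Microsoft-documented client-to-DC TCP set (88, 135, 389, 445, plus 464 for password changes), not the post's own table. It only tests TCP, so the UDP ports (53, 88, 123, 389) still need a separate check, and it cannot prove the TCP high-port range is open unless you tell it which dynamic ports the DC is actually listening on.

```powershell
# Added example (not from the original post): probe the TCP ports a Windows client
# needs toward a domain controller, so each rule opened in pfSense can be verified
# from the client before attempting the join.
# Assumptions: DC address is the lab's 10.10.10.200; the port list is Microsoft's
# documented client-to-DC set, not the post's own table. Test-NetConnection only
# probes TCP, so UDP 53/88/123/389 are not covered here.

function Test-AdPortReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        # Ports from the RPC dynamic range (TCP 49152-65535) to probe. A "closed"
        # result on an arbitrary high port proves nothing, because nothing listens
        # there; supply ports the DC really has in LISTEN state (find them on the
        # DC with: Get-NetTCPConnection -State Listen).
        [int[]] $DynamicPortsToProbe = @()
    )

    $ports = @(
        [pscustomobject]@{ Port = 88;  Service = 'Kerberos';              Class = 'Required' }
        [pscustomobject]@{ Port = 135; Service = 'RPC endpoint mapper';   Class = 'Required' }
        [pscustomobject]@{ Port = 389; Service = 'LDAP';                  Class = 'Required' }
        [pscustomobject]@{ Port = 445; Service = 'SMB (SYSVOL/NETLOGON)'; Class = 'Required' }
        [pscustomobject]@{ Port = 464; Service = 'Kerberos kpasswd';      Class = 'Optional' }
    )
    foreach ($p in $DynamicPortsToProbe) {
        $ports += [pscustomobject]@{ Port = $p; Service = 'RPC dynamic (high port)'; Class = 'HighPort' }
    }

    foreach ($entry in $ports) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false
        # for the TCP handshake; the warning it emits on failure is suppressed.
        $open = Test-NetConnection -ComputerName $DomainController -Port $entry.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $entry.Port
            Service = $entry.Service
            Class   = $entry.Class
            Open    = $open
        }
    }
}

# Run from the Windows 10 client (172.16.1.200 in the lab).
$results = Test-AdPortReachability -DomainController '10.10.10.200'
$results | Format-Table -AutoSize

$blockedRequired = $results | Where-Object { $_.Class -eq 'Required' -and -not $_.Open }
if ($blockedRequired) {
    Write-Warning ('Domain join will fail; still blocked: ' + ($blockedRequired.Port -join ', '))
} else {
    Write-Host 'All required TCP ports reachable; proceed with the join.'
    # DNS for the domain (UDP/TCP 53) must also work, for example:
    #   Resolve-DnsName -Name _ldap._tcp.dc._msdcs.<domain-fqdn> -Type SRV
}
```

Re-run the script after each pfSense rule is added; once only the Optional and HighPort rows remain closed, the join should succeed, and the remaining closed rows explain the slow logon and Group Policy symptoms described above.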

Firewall Rules in the pfSense Firewall

The following firewall rules are created

  1. Traffic from WIN10 (172.16.1.200) to the AD Domain Controller (10.10.10.200)

Firewall ports required to join AD Domain

  2. Traffic from the AD Domain Controller (10.10.10.200) to WIN10 (172.16.1.200) – all blocked
