Summary: Quick reference for ports required between clients, Domain Controllers, and management hosts.

| Port | Protocol | Purpose |
|---|---|---|
| 53 | TCP + UDP | DNS — DC discovery |
| 88 | TCP + UDP | Kerberos authentication |
| 389 | TCP + UDP | LDAP queries + DC Locator |
| 445 | TCP | SMB — SYSVOL / GPO download |
| 135 | TCP | RPC Endpoint Mapper |
| 49152–65535* | TCP | RPC dynamic ports |
| 636 | TCP | LDAPS (if enabled) |
| 3268 | TCP | Global Catalogue |
| 123 | UDP | NTP — clock sync (Kerberos requires ±5 min) |
All client-to-DC ports apply, plus:

| Port | Protocol | Purpose |
|---|---|---|
| 9389 | TCP | AD Web Services (PowerShell AD module) |
All replication rules must be bidirectional.

| Port | Protocol | Purpose |
|---|---|---|
| 135 | TCP | RPC |
| 445 | TCP | SMB — remote admin |
| 49152–65535* | TCP | RPC dynamic ports |
| 9389 | TCP | AD Web Services |
| 3389 | TCP | RDP — restrict to jump hosts only |
| 5985 | TCP | WinRM HTTP |
| 5986 | TCP | WinRM HTTPS |
By default RPC uses 49152–65535 (the range marked * in the tables above). Restrict it to a narrower static range on all DCs to simplify firewall rules:
! Not a firewall-side setting — configure via registry or GPO on Windows
! Recommended range: 50000–50500
! Path: HKLM\SOFTWARE\Microsoft\Rpc\Internet
See KBA-028 - Restricting RPC Dynamic Port Range on Windows for the full procedure.

| Symptom | Likely blocked port |
|---|---|
| "No logon servers available" | UDP 53 or TCP/UDP 88 |
| GPOs not applying | TCP 445 |
| Replication errors between DCs | TCP 135 or RPC range |
| PowerShell AD module fails | TCP 9389 |
| Clock skew / Kerberos errors | UDP 123 |
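
A connectivity check for the client-to-DC rows above, written as an added example for this reference (it is not part of the original article or of any Microsoft tooling); the DC name `dc01.corp.example` and the domain `corp.example` are placeholders. It probes each TCP port with Test-NetConnection, tests UDP 53 / DC Locator by asking the DC for its own SRV record, reports clock offset with w32tm, and maps each failure to the symptom table.

```powershell
# Added example, not from the original KB: probe client-to-DC ports and map failures to symptoms.
# Placeholders: replace $Dc and $Domain with the real DC name and AD DNS domain.
param(
    [string]$Dc     = 'dc01.corp.example',
    [string]$Domain = 'corp.example'
)

# TCP ports from the client-to-DC table, each paired with the symptom a block typically causes.
$tcpChecks = @(
    @{ Port = 53;   Purpose = 'DNS';                 Symptom = 'No logon servers available' },
    @{ Port = 88;   Purpose = 'Kerberos';            Symptom = 'No logon servers available' },
    @{ Port = 135;  Purpose = 'RPC Endpoint Mapper'; Symptom = 'Replication / remote admin (RPC) errors' },
    @{ Port = 389;  Purpose = 'LDAP / DC Locator';   Symptom = 'LDAP queries and DC discovery fail' },
    @{ Port = 445;  Purpose = 'SMB (SYSVOL / GPO)';  Symptom = 'GPOs not applying' },
    @{ Port = 636;  Purpose = 'LDAPS';               Symptom = 'LDAPS binds fail (only if LDAPS is enabled)' },
    @{ Port = 3268; Purpose = 'Global Catalogue';    Symptom = 'Forest-wide (GC) searches fail' },
    @{ Port = 9389; Purpose = 'AD Web Services';     Symptom = 'PowerShell AD module fails' }
)

$results = foreach ($c in $tcpChecks) {
    # -InformationLevel Quiet returns plain $true/$false; suppress the 'TCP connect failed' warning.
    $open = Test-NetConnection -ComputerName $Dc -Port $c.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    $symptom = if ($open) { '' } else { $c.Symptom }
    [pscustomobject]@{ Port = $c.Port; Purpose = $c.Purpose; Open = $open; LikelySymptom = $symptom }
}
$results | Format-Table -AutoSize

# UDP 53 / DC Locator: Test-NetConnection is TCP-only, so ask the DC directly for the DC SRV record.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction Stop
    "DC Locator SRV lookup via ${Dc}: OK ($(@($srv).Count) record(s))"
} catch {
    "DC Locator SRV lookup via $Dc FAILED - check UDP 53 ($($_.Exception.Message))"
}

# UDP 123 / clock skew: Kerberos tolerates +/-5 minutes; w32tm prints the current offset to the DC.
w32tm /stripchart /computer:$Dc /samples:1 /dataonly
```

Run it from the client that shows the symptom; a row with Open = False points at the firewall rule to check first, and an offset from w32tm above 300 seconds explains Kerberos errors even when every port is open.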