Client/Server to Domain Controller (dc) ports for Azure NSG (firewall)

Microsoft Azure

As most of you know, trying to find out which domain controller ports you need to open between a server/PC and a DC can be a nightmare, especially if you want to be more specific and include traffic direction. Most of the posts out there give you a bunch of ports and that’s it: no explanation of direction or of which ones you really need. With this post I am aiming to help anyone out there who is lost or confused.

With the introduction of Network Security Groups in Azure, more and more organizations are using them to secure the communications between their Azure subnets. This is a very good practice, but it can sometimes prove difficult when it comes to complex applications like Active Directory (AD) and its port requirements. The firewall rules below give clients the ability to communicate with a domain controller and fulfil all the required AD functions, such as logging in, joining a computer to the domain and obtaining Group Policy. Note that these rules are all one-way outbound rules from client to DC; this is always the case with Active Directory, as the client connects to the DC and not the other way around. While these rules are written for Azure NSGs, you can modify and use them with any firewall. Also note that if the domain controller subnet has an NSG enabled, you will need to create identical inbound rules there. It is also worth noting that Azure NSGs are stateful, so the return traffic of an allowed connection does not need a rule of its own.

Outbound Rules

| Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol | Access |
|---|---|---|---|---|---|---|---|
| NTP Sync Primary Domain Controller | 100 | Local Subnet Range | * | Primary AD site Subnet | 123 | UDP | Allow |
| AD RPC Primary DC | 101 | Local Subnet Range | * | Primary AD site Subnet | 135 | TCP | Allow |
| AD Kerberos change Primary DC | 102 | Local Subnet Range | * | Primary AD site Subnet | 464 | * | Allow |
| AD LDAP Primary DC | 103 | Local Subnet Range | * | Primary AD site Subnet | 389 | * | Allow |
| AD LDAP GC Primary DC | 104 | Local Subnet Range | * | Primary AD site Subnet | 3268 | TCP | Allow |
| AD DNS Primary DC | 105 | Local Subnet Range | * | Primary AD site Subnet | 53 | * | Allow |
| AD Kerberos Primary DC | 106 | Local Subnet Range | * | Primary AD site Subnet | 88 | * | Allow |
| AD SMB Primary DC | 107 | Local Subnet Range | * | Primary AD site Subnet | 445 | TCP | Allow |
| AD DYN Primary DC | 108 | Local Subnet Range | * | Primary AD site Subnet | 49152-65535 | TCP | Allow |

I have set my domain controllers as NTP servers as per the article here: http://setspn.blogspot.co.uk/2015/06/synchronizing-time-on-azure-virtual.html. If you have not done this step, you will need to open a port to whatever NTP server you are using and omit the first rule above.

If you are using SSL for your AD, you will also need to add two more rules to the table: LDAP GC SSL on TCP 3269 and LDAP SSL on TCP 636. If you are not using SSL you don’t need to include them.

If you are looking to make things more secure and easier to manage, you could also restrict RPC traffic to a single port; there is an article on the Microsoft support website: https://support.microsoft.com/en-us/kb/224196. Please note that this needs to be applied on all domain controllers, and it applies both to replication and to client communication. Once implemented, you will need to change the port range of the last rule from 49152-65535 to whatever port you have chosen, for example “51515”.
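As an added example (not part of the original post), the script below turns the rule table above into Azure CLI commands, one per row, so the same list can be applied as Outbound rules on the client subnet's NSG and as the mirrored Inbound rules on the DC subnet's NSG. The resource group, NSG names and the two subnet ranges are constructed placeholders; the flags are those of the real `az network nsg rule create` command.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Generates `az network nsg rule create`
# commands from the rule table above. Resource group, NSG names and subnet ranges are
# constructed placeholders; override them through the environment before running.
RG="${RG:-rg-ad}"                              # placeholder resource group
CLIENT_SUBNET="${CLIENT_SUBNET:-10.0.1.0/24}"  # "Local Subnet Range" in the table
DC_SUBNET="${DC_SUBNET:-10.0.0.0/24}"          # "Primary AD site Subnet" in the table

# One row per rule: name|priority|destination port(s)|protocol.
# A "*" protocol matches any protocol, i.e. both TCP and UDP, as in the table.
# If LDAPS is in use, add rows for TCP 636 (LDAP SSL) and TCP 3269 (LDAP GC SSL).
RULES='NTP-Sync-Primary-DC|100|123|Udp
AD-RPC-Primary-DC|101|135|Tcp
AD-Kerberos-Change-Primary-DC|102|464|*
AD-LDAP-Primary-DC|103|389|*
AD-LDAP-GC-Primary-DC|104|3268|Tcp
AD-DNS-Primary-DC|105|53|*
AD-Kerberos-Primary-DC|106|88|*
AD-SMB-Primary-DC|107|445|Tcp
AD-DYN-Primary-DC|108|49152-65535|Tcp'

# Print the az command for one rule.
# $1 direction (Outbound for the client NSG, Inbound for the DC NSG), $2 NSG name,
# $3 rule name, $4 priority, $5 destination port range, $6 protocol.
# Source is always the client subnet and destination the DC subnet, in both directions,
# because the client initiates every connection and NSGs are stateful.
rule_cmd() {
  printf 'az network nsg rule create -g "%s" --nsg-name "%s" -n "%s" --priority %s --direction %s --access Allow --protocol "%s" --source-address-prefixes "%s" --source-port-ranges "*" --destination-address-prefixes "%s" --destination-port-ranges "%s"\n' \
    "$RG" "$2" "$3" "$4" "$1" "$6" "$CLIENT_SUBNET" "$DC_SUBNET" "$5"
}

# Print the full command list for one NSG: emit_rules <Outbound|Inbound> <nsg-name>.
emit_rules() {
  printf '%s\n' "$RULES" | while IFS='|' read -r name prio port proto; do
    rule_cmd "$1" "$2" "$name" "$prio" "$port" "$proto"
  done
}

# Review the output, then pipe it to sh after `az login`, e.g.:
#   emit_rules Outbound nsg-clients | sh
#   emit_rules Inbound  nsg-dcs     | sh
```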

3 thoughts on “Client/Server to Domain Controller (dc) ports for Azure NSG (firewall)”

  1. Thanks, Luben, for posting this.

    I have got all the above rules enabled (inbound/outbound) on an NSG that is associated with an AD subnet.

    When I add a new VM on another subnet, the VM gets added to Active Directory, and when I restart the VM to log in with domain user credentials, the VM is stuck on the “Please Wait” page until I dissociate the NSG from the AD subnet.
