# What ports does Active Directory use?
The full list of ports a domain controller needs — Kerberos, LDAP, SMB, RPC, Global Catalog — plus why none of them should ever face the internet.
Active Directory is one of the chattiest services on a Windows network. A single domain controller listens on more than a dozen ports across TCP and UDP, and member servers, workstations and applications all need predictable paths to reach it. Getting the firewall rules right is essential — both so that authentication actually works and so that none of these ports leak onto the public internet. This post lists every port a domain controller uses, explains the role of each, and covers the segmentation and attack angles. You can look up any of these on ProtocolPorts or browse all ports.
## The Active Directory port reference
| Port | Protocol / Service | Role |
|---|---|---|
| 53 | DNS (TCP/UDP) | Name resolution and SRV-record location of domain controllers |
| 88 | Kerberos (TCP/UDP) | Authentication — ticket-granting for users and computers |
| 123 | NTP (UDP) | Time sync; Kerberos fails if clocks drift more than 5 minutes |
| 135 | RPC Endpoint Mapper (TCP) | Locates dynamic RPC services for replication and management |
| 137 | NetBIOS Name Service (UDP) | Legacy name resolution |
| 139 | NetBIOS Session (TCP) | Legacy SMB-over-NetBIOS file and authentication traffic |
| 389 | LDAP (TCP/UDP) | Directory queries and authentication against one domain |
| 445 | SMB (TCP) | Group Policy delivery, SYSVOL/NETLOGON shares, RPC over SMB |
| 636 | LDAPS (TCP) | LDAP encrypted with TLS |
| 3268 | Global Catalog (TCP) | Forest-wide directory searches |
| 3269 | Global Catalog over TLS (TCP) | Encrypted forest-wide searches |
| 5985 | WinRM / HTTP (TCP) | Remote management and PowerShell remoting |
| 5986 | WinRM / HTTPS (TCP) | Encrypted remote management |
| 9389 | AD Web Services (TCP) | ADWS — used by the AD PowerShell module and admin tools |
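The quickest way to confirm that the TCP ports in the table are actually open between a given member and its domain controller is to probe them from that member. The script below is an added example, not part of the original post; it assumes a placeholder DC hostname of `dc01.corp.example` and uses `Test-NetConnection`, which exercises TCP only, so the UDP sides of DNS, Kerberos, NTP and NetBIOS are not covered by it.

```powershell
# Added example (not from the original post): from a domain member, check which of the
# TCP ports in the table above are reachable on one domain controller.
# Assumption: the DC is dc01.corp.example (placeholder). UDP ports are not tested here.
$Dc = 'dc01.corp.example'

$AdTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC Endpoint Mapper'
    139  = 'NetBIOS Session (legacy)'
    389  = 'LDAP'
    445  = 'SMB'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (TLS)'
    5985 = 'WinRM HTTP'
    5986 = 'WinRM HTTPS'
    9389 = 'AD Web Services'
}

$results = foreach ($port in $AdTcpPorts.Keys) {
    # TcpTestSucceeded is $true only if the three-way handshake completed.
    $r = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $port
        Service   = $AdTcpPorts[$port]
        Reachable = $r.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Legacy NetBIOS (139) is expected to be closed; flag anything else that is blocked.
$results | Where-Object { -not $_.Reachable -and $_.Port -ne 139 } |
    ForEach-Object { Write-Warning "Port $($_.Port) ($($_.Service)) is blocked between this host and $Dc" }
```

Run it from a workstation and from an administrative jump host separately: on a workstation the management ports (5985, 5986, 9389) are expected to be unreachable if the firewall policy only permits them from admin subnets, so a warning there is a sign the policy is working rather than broken.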
## Authentication and directory ports
### Kerberos — port 88
Kerberos is the primary authentication protocol in a modern domain. When a user logs on, the domain controller's Key Distribution Center issues tickets over port 88, on both TCP and UDP. Without this port open between clients and DCs, logons fall back or fail outright.
### LDAP and LDAPS — port 389 and port 636
LDAP on port 389 is how applications and clients query the directory and perform simple-bind authentication. Because plain LDAP can carry credentials, you should prefer LDAPS on port 636, which wraps the same protocol in TLS.
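Preferring LDAPS is only half of the picture: a domain controller will still accept an unsigned simple bind on port 389 unless it is told to require signing. The following is an added example, not code from the original post. The first part sets the two NTDS registry values that require LDAP signing and channel binding on the DC (the same settings that the "Domain controller: LDAP server signing requirements" group policy writes); the second part connects to port 636 from a client and checks that the certificate presented there chains to a CA the client trusts. The hostname is a placeholder.

```powershell
# Added example (not from the original post).
# Part 1: on the DC, require signed LDAP on 389 and channel binding for LDAPS.
# Run elevated; in production push these through Group Policy instead of per host.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity'       -Type DWord -Value 2   # 2 = require signing
Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Type DWord -Value 2   # 2 = always

# Part 2: from any domain member, verify the LDAPS endpoint's certificate.
function Test-LdapsCertificate {
    param([string]$Dc, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new($Dc, $Port)
    try {
        # Default validation: the chain must build to a trusted CA and the name must
        # match $Dc; otherwise AuthenticateAsClient throws and the function fails.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Dc)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server   = $Dc
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    } finally {
        $tcp.Close()
    }
}

Test-LdapsCertificate -Dc 'dc01.corp.example'   # placeholder hostname
```

Before switching `LDAPServerIntegrity` to 2, raise the "16 LDAP Interface Events" diagnostic level under `HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics` to 2 for a while: the DC then logs event 2889 for every client that binds without signing, which tells you which applications will break when signing becomes mandatory.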
### Global Catalog — port 3268 and port 3269
In a multi-domain forest, the Global Catalog provides a partial replica of every domain. Applications such as Exchange query port 3268 (or its TLS twin port 3269) to search the whole forest at once.
### DNS and NTP — port 53 and port 123
Active Directory is built on DNS. Clients use port 53 to find SRV records that point to domain controllers. Time matters too: Kerberos rejects tickets when clocks differ by more than five minutes, so NTP on port 123 keeps the domain in sync.
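Both dependencies in this section can be checked from a client in a few lines. The script below is an added example, not from the original post: it resolves the `_msdcs` SRV records that clients use to find DCs and KDCs, then samples the DC's time over NTP with `w32tm /stripchart` and compares the largest offset against the five-minute Kerberos tolerance. Domain and DC names are placeholders.

```powershell
# Added example (not from the original post). Placeholders: corp.example / dc01.corp.example
$Domain = 'corp.example'
$Dc     = 'dc01.corp.example'

# 1. DC location: clients query these SRV records over port 53. Asking the DC's own DNS
#    service directly (-Server) separates a DNS problem from a firewall problem.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction Stop |
    Where-Object Type -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize

# The KDC record points at port 88.
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc |
    Where-Object Type -eq 'SRV' |
    Select-Object NameTarget, Port

# 2. Clock skew: w32tm /stripchart queries the DC over NTP (UDP 123) and prints one
#    line per sample in the form "HH:MM:SS, +00.0012345s".
$lines   = w32tm /stripchart /computer:$Dc /samples:3 /dataonly
$offsets = $lines | ForEach-Object {
    if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
$maxSkew = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum

if ($null -eq $maxSkew) {
    Write-Warning "No NTP samples from $Dc; UDP 123 is probably blocked"
} elseif ($maxSkew -gt 300) {
    Write-Warning "Clock offset from $Dc is $maxSkew s, beyond the 5-minute Kerberos limit"
} else {
    "Maximum offset from $Dc over 3 samples: $maxSkew s"
}
```

An empty SRV answer from the DC's own DNS means the DC has not registered itself (Netlogon or DNS dynamic update problem), whereas an empty answer only from the client's configured resolver points at the resolver or at port 53 being filtered in between.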
## File, RPC and management ports
### SMB — port 445
SMB on port 445 carries Group Policy, the SYSVOL and NETLOGON shares, and a large amount of RPC traffic. Every domain-joined machine talks to a DC over this port at boot and at policy refresh.
### RPC endpoint mapper — port 135
Replication between domain controllers and many management calls use RPC. Clients first contact the endpoint mapper on port 135, which then redirects them to a dynamically assigned high port. In tightly firewalled environments you can restrict that dynamic range.
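Restricting the dynamic range is what makes a port-135 firewall rule meaningful, because otherwise the follow-up connection can land on any high port. The script below is an added example, not from the original post, and the range and subnets in it are choices, not Windows defaults. It shows the three places the range can be pinned (the RPC runtime keys from Microsoft KB 154596, the TCP/IP ephemeral range via `netsh`, and the fixed replication port from KB 224196) together with the matching inbound rules.

```powershell
# Added example (not from the original post). Run elevated on the DC; the RPC runtime
# reads the Rpc\Internet keys at boot, so a reboot is required afterwards.
# Range 49152-49999 and the subnets below are placeholders chosen for this example.

# Option 1: RPC runtime keys (KB 154596). Ports is REG_MULTI_SZ, the other two REG_SZ.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports'                  -PropertyType MultiString -Value @('49152-49999') -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String      -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -PropertyType String      -Value 'Y' -Force | Out-Null

# Option 2: shrink the ephemeral range the whole TCP/IP stack hands out.
netsh int ipv4 set dynamicport tcp start=49152 num=848
netsh int ipv4 show dynamicport tcp

# Option 3: pin AD replication itself to one fixed port (KB 224196) so DC-to-DC rules
# need only 135 plus this port. The value name really does contain a slash and a space.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Type DWord -Value 49152

# Matching firewall rules: 135 and the pinned range, from trusted subnets only.
$Trusted = @('10.10.0.0/16', '10.20.5.0/24')   # placeholder client/DC subnets
New-NetFirewallRule -DisplayName 'AD RPC endpoint mapper (trusted subnets)' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemoteAddress $Trusted -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -DisplayName 'AD RPC dynamic range (trusted subnets)' -Direction Inbound `
    -Protocol TCP -LocalPort '49152-49999' -RemoteAddress $Trusted -Action Allow -Profile Domain | Out-Null
```

Pick one of the first two options rather than both, size the range for the number of concurrent RPC connections the DC actually serves (a few hundred ports is too small for a large site), and apply the same range on every DC so that replication partners can be firewalled symmetrically.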
### Legacy NetBIOS — port 137 and port 139
Port 137 (name service) and port 139 (session service) are NetBIOS leftovers. Modern domains run fine on SMB over port 445, and NetBIOS is best disabled — it is the protocol abused by NBT-NS poisoning.
### WinRM and AD Web Services — port 5985, port 5986, port 9389
Remote administration runs over WinRM on port 5985 (HTTP) and port 5986 (HTTPS). The AD PowerShell module and several admin consoles talk to AD Web Services on port 9389.
## Firewall and segmentation: keep AD off the internet
None of these ports belong on the public internet. A domain controller reachable from outside is an open invitation to password spraying, Kerberoasting (requesting service tickets to crack offline), and credential theft. Place DCs in a tightly segmented tier and allow only the ports above from trusted subnets.
Watch for the classic LAN attacks too. LLMNR and NBT-NS poisoning let an attacker answer broadcast name-resolution requests and harvest NTLM hashes — disable LLMNR and NetBIOS to shut it down. Those hashes feed SMB relay attacks against port 445, so enforce SMB signing on all domain controllers. If remote staff need AD, front it with a VPN rather than opening any of these ports.
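The segmentation and LAN-hardening advice in this section and in the NetBIOS section above comes down to four settings on each domain controller: an inbound allow-list of the AD ports from trusted subnets with everything else blocked, LLMNR off, NetBIOS over TCP/IP off, and SMB signing required. The script below is an added example, not from the original post; the subnets are placeholders, and in a real domain these settings belong in a GPO linked to the Domain Controllers OU rather than being run per host. The dynamic RPC range (49152-65535 by default) needs its own rule and is deliberately left out here.

```powershell
# Added example (not from the original post). Run elevated on a domain controller.
$Trusted = @('10.10.0.0/16', '10.20.5.0/24')   # placeholder: client, member-server and DC subnets
$Admin   = @('10.20.5.0/24')                   # placeholder: jump hosts allowed to manage DCs

# 1. Allow-list the AD ports from trusted subnets; management ports only from admin hosts.
#    137/139 and 5985 are intentionally absent, so the default Block action drops them.
$rules = @(
    @{ Name = 'AD DNS';            Proto = 'TCP'; Port = 53;   From = $Trusted },
    @{ Name = 'AD DNS (UDP)';      Proto = 'UDP'; Port = 53;   From = $Trusted },
    @{ Name = 'AD Kerberos';       Proto = 'TCP'; Port = 88;   From = $Trusted },
    @{ Name = 'AD Kerberos (UDP)'; Proto = 'UDP'; Port = 88;   From = $Trusted },
    @{ Name = 'AD NTP';            Proto = 'UDP'; Port = 123;  From = $Trusted },
    @{ Name = 'AD RPC mapper';     Proto = 'TCP'; Port = 135;  From = $Trusted },
    @{ Name = 'AD LDAP';           Proto = 'TCP'; Port = 389;  From = $Trusted },
    @{ Name = 'AD LDAP (UDP)';     Proto = 'UDP'; Port = 389;  From = $Trusted },
    @{ Name = 'AD SMB';            Proto = 'TCP'; Port = 445;  From = $Trusted },
    @{ Name = 'AD LDAPS';          Proto = 'TCP'; Port = 636;  From = $Trusted },
    @{ Name = 'AD Global Catalog'; Proto = 'TCP'; Port = 3268; From = $Trusted },
    @{ Name = 'AD GC (TLS)';       Proto = 'TCP'; Port = 3269; From = $Trusted },
    @{ Name = 'AD WinRM HTTPS';    Proto = 'TCP'; Port = 5986; From = $Admin },
    @{ Name = 'AD Web Services';   Proto = 'TCP'; Port = 9389; From = $Admin }
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Proto `
        -LocalPort $r.Port -RemoteAddress $r.From -Action Allow -Profile Domain | Out-Null
}
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable LLMNR (EnableMulticast = 0) so the DC never answers multicast name queries ...
$dnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $dnsPol)) { New-Item -Path $dnsPol -Force | Out-Null }
Set-ItemProperty -Path $dnsPol -Name 'EnableMulticast' -Type DWord -Value 0

# ... and NetBIOS over TCP/IP on every IP-enabled adapter (2 = disable), which closes 137/139.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# 3. Require SMB signing in both directions so a relayed NTLM exchange cannot be
#    completed against this DC's port 445 (or by this DC as a client).
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
```

Two practical notes: `$Trusted` must include the subnets of the other domain controllers or replication stops when the default inbound action flips to Block, and the same LLMNR and NetBIOS settings should be applied to workstations and member servers as well, since it is their broadcasts, not the DC's, that a poisoner on the LAN answers.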
## Conclusion
A domain controller is a busy listener: Kerberos on port 88, LDAP on port 389, the Global Catalog on port 3268, SMB on port 445 and RPC on port 135 form the core, with DNS, NTP, WinRM and ADWS rounding it out. Open exactly these ports between clients and DCs, disable legacy NetBIOS, enforce SMB signing and LDAPS, and never let any of it touch the internet. Use ProtocolPorts to confirm any port's purpose, or browse all ports.