pbrooksuk
Copper Contributor
Dec 20, 2023
Solved

LDAPs - Can 389 ever be blocked?

Hello,

I'm rolling out removal of LDAP from our network.

I have LDAPS working via a third-party certificate integration, and have verified that ldp.exe can bind.

Concerning the legacy port 389, my natural reaction would be to block this and expect LDAPS traffic to go via 636?

However, on doing this, operations such as gpupdate then fail. Digging into it a bit deeper, I can see from packet captures that port 389 is still being used.

Is it a case that 389 must alwa

  • Besides NLA:

    Port  Protocol  Application protocol  System service
    389   TCP       LDAP Server           Local Security Authority
    389   UDP       DC Locator            Local Security Authority
    389   TCP       LDAP Server           Distributed File System Namespaces
    389   UDP       DC Locator            Distributed File System Namespaces
    389   UDP       DC Locator            Netlogon
    389   UDP       DC Locator            Kerberos Key Distribution Center
    389   TCP       LDAP Server           Distributed File System Replication
    389   UDP       DC Locator            Distributed File System Replication

    Service overview and network port requirements - Windows Server | Microsoft Learn

4 Replies


    • Dave Patrick
      MVP

      pbrooksuk, just checking if there's any progress or updates? Please don't forget to mark helpful replies.

      • pbrooksuk
        Copper Contributor
        Hey Dave,
        It's good to know that 389 is necessary for an AD client to function.
        I may look a bit deeper if I can pin various operations to services, or if the inbuilt ruleset already does this.

        Or do all of those services go via the same executable?
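As an added example (not part of the thread), the following PowerShell inventories the enabled inbound Windows Firewall rules on a domain controller that admit TCP or UDP 389 and shows the program and service each rule is scoped to, which is one way to check whether the inbuilt ruleset already pins 389 to specific services. It assumes the NetSecurity module cmdlets shipped with Windows Server 2012 and later, and the nltest call at the end forces a DC Locator lookup (the UDP 389 rows in the table above) so that traffic can be seen in a capture.

```powershell
# Added example, not from the thread. Run in an elevated session on a domain controller.
# Lists enabled inbound Allow rules that admit TCP/UDP 389 and shows the program and
# Windows service each rule is bound to ('Any' means the rule is not scoped to one).
function Get-Port389Rules {
    $target = 389
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop |
        ForEach-Object {
            $rule = $_
            $portFilter = $rule | Get-NetFirewallPortFilter
            if ($portFilter.Protocol -notin @('TCP', 'UDP')) { return }

            # LocalPort is 'Any', a single port, a range such as '1024-65535', or an array of these
            $matchesPort = $false
            foreach ($p in @($portFilter.LocalPort)) {
                if ($p -eq 'Any' -or $p -eq "$target") { $matchesPort = $true; break }
                if ($p -match '^(\d+)-(\d+)$' -and
                    [int]$Matches[1] -le $target -and $target -le [int]$Matches[2]) {
                    $matchesPort = $true; break
                }
            }
            if (-not $matchesPort) { return }

            $appFilter = $rule | Get-NetFirewallApplicationFilter
            $svcFilter = $rule | Get-NetFirewallServiceFilter
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Group     = $rule.DisplayGroup
                Profile   = $rule.Profile
                Protocol  = $portFilter.Protocol
                LocalPort = (@($portFilter.LocalPort) -join ',')
                Program   = $appFilter.Program      # e.g. %systemroot%\System32\lsass.exe or 'Any'
                Service   = $svcFilter.Service      # e.g. Netlogon or 'Any'
            }
        }
}

Get-Port389Rules | Sort-Object Protocol, Rule | Format-Table -AutoSize

# DC Locator (UDP 389, the DC Locator rows in the table above): force a fresh lookup so a
# packet capture taken at the same time shows the traffic that blocking 389 would break.
nltest /dsgetdc:$env:USERDNSDOMAIN /force
```

Rules whose Program and Service both read 'Any' are the ones to inspect first, since they admit 389 for any process on the host rather than the services in the table.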
