Windows Server Summit 2024
Mar 26 2024 08:00 AM - Mar 28 2024 04:30 PM (PDT)
Microsoft Tech Community
SOLVED

LDAPs - Can 389 ever be blocked?

Copper Contributor

Hello,

I'm rolling out removal of LDAP from our network.

I have LDAPS working via a third party certificate integration. Verifying that ldp.exe can bind.

 

Concerning the legacy port 389, my natural reaction would be to block this and expecting LDAPS traffic to go via 636?

However, on doing this operations such as gpupdate then fail, digging into it a bit deeper I see that port 389 is still being used from packet captures.

 

Is it a case that 389 must alwa

4 Replies
best response confirmed by pbrooksuk (Copper Contributor)
Solution

Besides NLA ;
389 TCP LDAP Server Local Security Authority
389 UDP DC Locator Local Security Authority
389 TCP LDAP Server Distributed File System Namespaces
389 UDP DC Locator Distributed File System Namespaces
389 UDP DC Locator Netlogon
389 UDP DC Locator Kerberos Key Distribution Center
389 TCP LDAP Server Distributed File System Replication
389 UDP DC Locator Distributed File System Replication

Service overview and network port requirements - Windows Server | Microsoft Learn    

    

 

@pbrooksuk just checking if there's any progress or updates? please don't forget to mark helpful replies.    

    

 

Hey Dave,
It's good to know that 389 is necessary for an AD client to function.
I may look a bit deeper if I can pin various operations to services, or if the inbuilt ruleset already does this.

Or do all of those services, go via the same executable?

@pbrooksuk sounds good, please don't forget to mark helpful replies.   

    

 

1 best response

Accepted Solutions
best response confirmed by pbrooksuk (Copper Contributor)
Solution

Besides NLA ;
389 TCP LDAP Server Local Security Authority
389 UDP DC Locator Local Security Authority
389 TCP LDAP Server Distributed File System Namespaces
389 UDP DC Locator Distributed File System Namespaces
389 UDP DC Locator Netlogon
389 UDP DC Locator Kerberos Key Distribution Center
389 TCP LDAP Server Distributed File System Replication
389 UDP DC Locator Distributed File System Replication

Service overview and network port requirements - Windows Server | Microsoft Learn    

    

 

View solution in original post