Ports Used To Provision Active Directory Endpoints / slow updates into Active Directory

Article ID: 190728

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

We are seeing slow updates into Active Directory. Updates from Identity Manager take 30-60 seconds longer than the same update sent directly from an LDAP application.

Identity Manager's documentation reports that the following ports are required to provision Active Directory endpoints:

Endpoint Ports
389 - Active Directory non-SSL
636 - Active Directory SSL
3268/3269 - Active Directory Global Catalog
139/445 - Active Directory NetBios / microsoft-ds
4104/4105 (UDP/TCP) - Active Directory default Exchange Agent CAM/CAFT

Port 139 (NetBIOS) is present in the list; however, the customer plans to shut down NetBIOS on its Active Directory domain controllers.

Is port 139 required?

Environment

All Identity Manager

Resolution

The following ports are required to be opened to the domain controllers:

389
636
3268
3269
445

Regarding port 139: this is NetBIOS, which is only required when a trust with a Windows 2000 or Windows Server 2003 domain is necessary.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

NETBIOS ports as listed for Windows NT are also required for Windows 2000 and Windows Server 2003 when trusts to domains are configured that support only NETBIOS-based communication.   

Additional Information

If you have deployed a PSYNC agent on an Active Directory domain controller, the following ports also need to be open so that password updates can be fed back into Provisioning Manager:

20389 (non-TLS)
20390 (TLS)
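A quick way to validate the firewall rules from the Resolution before chasing latency elsewhere is to probe each required port from the Identity Manager host and time the result. The script below is an added example written for this article, not CA's own tooling. It covers the TCP ports listed in the Resolution and, with a flag, the PSYNC agent ports from Additional Information; it does not cover the UDP side of 4104/4105, since a TCP connect says nothing about UDP. The hostname in the usage comment is a placeholder, and the local-listener self-check is only there so the script demonstrates its own "open" and "refused" results without a domain controller.

```python
import socket
import sys
import time

# TCP ports the article's Resolution lists as required on the domain controllers.
REQUIRED_DC_PORTS = {
    389: "LDAP",
    636: "LDAP over SSL",
    3268: "Global Catalog",
    3269: "Global Catalog over SSL",
    445: "microsoft-ds (SMB)",
}

# Ports the article describes as conditional: 139 only for legacy NetBIOS
# trusts, 20389/20390 only when a PSYNC agent runs on the domain controller.
CONDITIONAL_PORTS = {
    139: "NetBIOS session (legacy trusts only)",
    20389: "PSYNC agent, non-TLS",
    20390: "PSYNC agent, TLS",
}


def probe_port(host, port, timeout=3.0):
    """Attempt one TCP connection and return (status, elapsed_seconds).

    status is 'open' (handshake completed), 'refused' (immediate RST: no
    listener, or a firewall REJECT rule) or 'timeout' (no reply at all, the
    usual signature of a firewall DROP rule). The elapsed time is the point:
    a port that silently drops packets costs a full timeout on every attempt
    instead of failing fast.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except (socket.timeout, TimeoutError):
        return "timeout", time.monotonic() - start
    except OSError as exc:  # unreachable network, name resolution failure, etc.
        return "error:%s" % exc.errno, time.monotonic() - start


def check_host(host, ports, timeout=3.0):
    """Probe every port in `ports` (a port -> description mapping).

    Returns {port: (status, elapsed_seconds)}.
    """
    return {port: probe_port(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports whose status is anything other than 'open', sorted."""
    return sorted(port for port, (status, _) in results.items() if status != "open")


def open_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 on an OS-chosen port.

    Only used for the offline self-check; returns (socket, port).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def report(host, results, ports):
    """Render one line per port plus a verdict, checklist style."""
    lines = []
    for port in sorted(results):
        status, elapsed = results[port]
        lines.append("%-6d %-28s %-8s %.2fs" % (port, ports[port], status, elapsed))
    missing = blocked_ports(results)
    if missing:
        verdict = "not reachable: %s" % ", ".join(str(p) for p in missing)
    else:
        verdict = "all required ports reachable"
    return "%s\n%s\n%s" % (host, "\n".join(lines), verdict)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use (placeholder hostname): python check_dc_ports.py dc01.example.com [--psync]
        target = sys.argv[1]
        ports = dict(REQUIRED_DC_PORTS)
        if "--psync" in sys.argv[2:]:
            ports[20389] = CONDITIONAL_PORTS[20389]
            ports[20390] = CONDITIONAL_PORTS[20390]
        print(report(target, check_host(target, ports), ports))
    else:
        # Offline self-check: the same port seen open, then closed, on localhost.
        listener, port = open_local_listener()
        print("local listener on %d ->" % port, probe_port("127.0.0.1", port)[0])
        listener.close()
        print("after closing ->", probe_port("127.0.0.1", port)[0])
```

Run it from the Identity Manager server as `python check_dc_ports.py <dc-hostname> --psync`. A "timeout" entry, which takes the full timeout rather than an immediate refusal, is worth checking against the firewall rules: a port that silently drops connection attempts adds that whole delay to every operation that tries it, whereas a refused port fails in milliseconds.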