Ports Used To Provision Active Directory Endpoints / slow updates into Active Directory


Article ID: 190728




CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite


We are seeing slow updates into Active Directory. Updates from Identity Manager take 30-60 seconds longer than the same update sent directly from an LDAP application.

Identity Manager's documentation reports that the following ports are required to provision Active Directory endpoints:

Endpoint Ports
389 - Active Directory non-SSL
636 - Active Directory SSL
3268/3269 - Active Directory Global Catalog
139/445 - Active Directory NetBIOS / microsoft-ds
4104/4105 (UDP/TCP) - Active Directory default Exchange Agent CAM/CAFT

Port 139 (NetBIOS) is present in the list; however, the customer plans to shut down NetBIOS on its Active Directory domain controllers.

Is port 139 required?


All Identity Manager


The following ports must be opened to the domain controllers:


Regarding port 139: this port is used by NetBIOS, which is only required when a trust with a Windows 2000 or Windows Server 2003 domain is necessary.


The NetBIOS ports listed for Windows NT are also required for Windows 2000 and Windows Server 2003 when trusts are configured to domains that support only NetBIOS-based communication.

Additional Information

If you have deployed a PSYNC agent on an Active Directory domain controller, the following ports also need to be open so that password updates can be fed back into Provisioning Manager:

20389 (non-TLS)
20390 (TLS)
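A reachability check for the port list above, run from the Identity Manager server towards a domain controller. This is an added example, not a CA tool: it probes each TCP port the article names (the 4104/4105 CAM/CAFT pair is listed as UDP/TCP, so only the TCP side is tried), reports how long each connect took, and treats port 139 as optional unless NetBIOS-only trusts are in use. The host name is a placeholder.

```python
import socket
import sys
import time

# Port table constructed from the article's list (TCP probes only). Port 139
# is optional unless NetBIOS-only trusts are configured (see the resolution).
AD_PORTS = {389: "LDAP non-SSL", 636: "LDAP SSL", 3268: "Global Catalog",
            3269: "Global Catalog SSL", 445: "microsoft-ds", 139: "NetBIOS session",
            4104: "Exchange agent CAM/CAFT", 4105: "Exchange agent CAM/CAFT"}
PSYNC_PORTS = {20389: "PSYNC non-TLS", 20390: "PSYNC TLS"}
OPTIONAL = {139}


def probe_tcp(host, port, timeout=3.0, connect=None):
    """Return (status, seconds). 'filtered' means the SYN was silently dropped and
    the client waited out the whole timeout, which is what makes updates slow."""
    if connect is None:  # real connect; tests may inject a fake
        connect = lambda h, p, t: socket.create_connection((h, p), timeout=t).close()
    start = time.monotonic()
    try:
        connect(host, port, timeout)
        status = "open"
    except (socket.timeout, TimeoutError):
        status = "filtered"
    except ConnectionRefusedError:
        status = "refused"
    except OSError:  # DNS failure, no route, etc.
        status = "error"
    return status, round(time.monotonic() - start, 3)


def check_dc(host, netbios_trusts=False, psync_agent=False, timeout=3.0, connect=None):
    """Probe every listed port; return {port: (status, seconds, required)}."""
    ports = {**AD_PORTS, **PSYNC_PORTS} if psync_agent else dict(AD_PORTS)
    results = {}
    for port in ports:
        required = port not in OPTIONAL or netbios_trusts
        status, secs = probe_tcp(host, port, timeout, connect)
        results[port] = (status, secs, required)
    return results


def blocking_ports(results):
    """Required ports that are not open: the ones to raise with the firewall team."""
    return sorted(p for p, (s, _, req) in results.items() if req and s != "open")


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # placeholder host
    res = check_dc(dc, psync_agent=True)
    for port, (status, secs, required) in sorted(res.items()):
        print(f"{port:>5} {status:<8} {secs:6.3f}s {'required' if required else 'optional'}")
    print("blocking ports:", blocking_ports(res))
```

A port that shows as "filtered" with a full-timeout latency is worth comparing against the 30-60 second delay reported in the issue, since each silently dropped connection attempt adds its timeout to the update.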