We are seeing slow updates into Active Directory. Updates from Identity Manager take 30-60 seconds longer than the same update sent directly from an LDAP application.
Identity Manager's documentation reports that the following ports are required to provision Active Directory endpoints:
Endpoint Ports
389 - Active Directory non-SSL
636 - Active Directory SSL
3268/3269 - Active Directory Global Catalog
139/445 - Active Directory NetBios / microsoft-ds
4104/4105 (UDP/TCP) - Active Directory default Exchange Agent CAM/CAFT
Port 139 (NetBIOS) is present in the list; however, the customer plans to shut down NetBIOS on its Active Directory domain controllers.
Is port 139 required?
Environment: All Identity Manager
The following ports are required to be opened to the domain controllers:
389
636
3268
3269
445
Regarding port 139: this is NetBIOS, which is only required if a trust with a Windows 2000 or Windows Server 2003 domain is necessary.
NETBIOS ports as listed for Windows NT are also required for Windows 2000 and Windows Server 2003 when trusts to domains are configured that support only NETBIOS-based communication.
If you have deployed a PSYNC agent on an Active Directory domain controller, the following ports also need to be open to allow password updates to be fed back into Provisioning Manager:
20389 (non-TLS)
20390 (TLS)
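The following script is an added example, not part of this article or of the Identity Manager product: it probes one domain controller for the ports listed above, treats 139 as optional (so disabling NetBIOS is not reported as a problem), and adds the PSYNC ports only when an agent is deployed. It assumes a hypothetical host name and that a plain TCP connect is sufficient to show reachability; it does not test the LDAP or SMB protocols themselves.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Ports the article lists as required from Identity Manager to every domain controller.
REQUIRED_AD_PORTS: Dict[int, str] = {
    389: "LDAP",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog SSL",
    445: "microsoft-ds (SMB)",
}
# Only required when a PSYNC agent on the DC feeds password changes back.
PSYNC_PORTS: Dict[int, str] = {20389: "PSYNC non-TLS", 20390: "PSYNC TLS"}
# NetBIOS session port: needed only for trusts to NT/2000/2003-era domains.
LEGACY_PORTS: Dict[int, str] = {139: "NetBIOS session (legacy trusts only)"}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect check; it proves reachability, not that LDAP/SMB works."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str, psync_agent: bool = False, timeout: float = 2.0,
                   probe: Callable[[str, int, float], bool] = tcp_port_open,
                   ) -> Dict[int, Tuple[str, bool, bool]]:
    """Return {port: (description, reachable, required)} for one domain controller.

    `probe` is injectable so the logic can be exercised without network access.
    """
    ports = {**REQUIRED_AD_PORTS, **LEGACY_PORTS}
    required = set(REQUIRED_AD_PORTS)
    if psync_agent:
        ports.update(PSYNC_PORTS)
        required |= set(PSYNC_PORTS)
    return {p: (name, probe(host, p, timeout), p in required)
            for p, name in sorted(ports.items())}


def missing_required(results: Dict[int, Tuple[str, bool, bool]]) -> List[int]:
    """Ports that are required but unreachable; a closed 139 never appears here."""
    return sorted(p for p, (_, reachable, required) in results.items()
                  if required and not reachable)


if __name__ == "__main__":
    # Hypothetical DC name; replace with a controller reachable from the IdM host.
    for port, (name, up, req) in check_dc_ports("dc01.example.local", psync_agent=True).items():
        print(f"{port:>5} {name:<38} {'open' if up else 'CLOSED'}{'' if req else ' (optional)'}")
```

Run it from the Identity Manager (Provisioning Server) host, since that is the side that must reach the domain controllers; an empty `missing_required` result with 139 closed confirms the NetBIOS shutdown is safe for provisioning.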