What is global catalog port number?

By default, the first domain controller in a domain is a global catalog server. Global catalog servers listen on port 3268 (using LDAP) for queries, as well as on the standard LDAP port 389.

What port is 389 used for?

Name: ldap
Purpose: Lightweight Directory Access Protocol
Description: LDAP (the name it is usually known by) is a modern and popular Internet directory access protocol used by many systems and services. Most Windows users will encounter it because Microsoft’s NetMeeting uses and opens the LDAP port 389 while it is running.

How do I find global catalog in Active Directory?

To find the global catalog servers, expand each domain controller, right-click on NTDS Settings, and select Properties. Global catalog servers will have the box checked beside Global Catalog.

What ports does Active Directory use?

AD uses the following ports to support user and computer authentication, according to the Active Directory and Active Directory Domain Services Port Requirements article:

  • SMB over IP (Microsoft-DS): port 445 TCP, UDP.
  • Kerberos: port 88 TCP, UDP.
  • LDAP: port 389 UDP.
  • DNS: port 53 TCP, UDP.

What is LDAP global catalog?

The Global Catalog (GC) role is an LDAP-compliant directory consisting of a partial representation of every object from every domain within the forest. This LDAP directory can be accessed on port 3268, with LDAPS on port 3269. LDAPS and the default LDAP ports’ certificate requirements are the same.

Can I block port 389?

It is, however, possible for external parties to abuse the LDAP service by performing a so-called ‘reflection attack’. This is done via a UDP connection on port 389. To prevent this sort of outgoing attack, you can block UDP connections on port 389 in your VPS’s firewall.

Is port 389 insecure?

TCP and UDP 389 for LDAP: this port carries unsecured, unencrypted LDAP traffic. If LDAP traffic on port 389 is sniffed, it can create security problems and expose information such as usernames, passwords, hashes, certificates, and other critical information.
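To show what "unencrypted" means on the wire, the following added example (not taken from the original page) decodes a captured payload and flags LDAP simple binds sent to port 389 or 3268 without TLS. The sample payload, the DN and the function names are constructed for illustration; the finding reports only the bind DN and the number of password bytes that were readable.

```python
# Added example: flag cleartext LDAP simple binds in captured TCP payloads.
# Ports 389 (LDAP) and 3268 (global catalog) carry LDAP without TLS;
# on 636 and 3269 TLS is negotiated first, so there is nothing to decode.
PLAINTEXT_LDAP_PORTS = {389, 3268}


def _tlv(tag, value):
    """Build a short-form BER element (used only for the constructed sample)."""
    return bytes([tag, len(value)]) + value


def read_tlv(buf, pos):
    """Decode one BER element; return (tag, value_bytes, next_position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = length byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(dst_port, payload):
    """Return a finding dict if payload is a cleartext simple bind, else None."""
    if dst_port not in PLAINTEXT_LDAP_PORTS:
        return None
    try:
        tag, msg, _ = read_tlv(payload, 0)   # LDAPMessage ::= SEQUENCE
        if tag != 0x30:
            return None                      # e.g. a TLS record after StartTLS
        _, _, pos = read_tlv(msg, 0)         # messageID
        tag, bind, _ = read_tlv(msg, pos)    # protocolOp
        if tag != 0x60:                      # [APPLICATION 0] BindRequest
            return None
        _, _, pos = read_tlv(bind, 0)        # version
        _, name, pos = read_tlv(bind, pos)   # bind DN
        tag, secret, _ = read_tlv(bind, pos) # authentication choice
    except (IndexError, ValueError):
        return None
    if tag != 0x80 or not secret:            # [0] simple; empty secret = anonymous
        return None
    return {"port": dst_port, "dn": name.decode("utf-8", "replace"),
            "password_bytes_exposed": len(secret)}


# Constructed sample: messageID 1, LDAPv3, made-up DN and placeholder password.
SAMPLE_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60, _tlv(0x02, b"\x03")
              + _tlv(0x04, b"cn=svc,dc=example,dc=test") + _tlv(0x80, b"not-a-real-pw")))
```

SASL binds (tag 0xA3) and traffic already wrapped in TLS return `None`, so a finding means the password itself crossed the network in readable form.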

How do I know if my global catalog is working?

Using the graphical user interface (GUI): expand the Sites container until you find the DC you want to check. Right-click NTDS Settings and then click Properties. Here, on the General tab, you can see whether the domain controller has the Global Catalog role enabled.

What ports does LDAP use?

LDAPS communication occurs over TCP port 636. LDAPS communication to a global catalog server occurs over TCP port 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.