Reference

Ports and protocols required for AD replication, Kerberos, WinRM, and W32Time troubleshooting.

Keep this page open during network, identity, and remote-management troubleshooting so transport assumptions remain explicit while you test. It is designed as a practical operator reference, not a complete protocol encyclopedia.

Keep the dependency chain visible.

  • DNS: UDP/TCP 53 (resolve the _msdcs SRV records before anything else; every service below is located through DNS)
  • Kerberos: TCP/UDP 88 (Windows Vista and later default to TCP; UDP 88 still matters for older or non-Windows clients)
  • LDAP/LDAPS: TCP/UDP 389, TCP 636 (UDP 389 carries the CLDAP pings the DC locator uses; binds and queries run over TCP 389 or 636)
  • SMB/SYSVOL: TCP 445 (clients read SYSVOL and NETLOGON over SMB; DC-to-DC SYSVOL replication with DFSR rides RPC, not 445)
  • RPC endpoint mapper: TCP 135 plus the dynamic RPC range the mapper hands out (TCP 49152-65535 by default on Windows Server 2008 and later, 1025-5000 on older systems; AD replication and DFSR both depend on it)
  • WinRM: TCP 5985 (HTTP), TCP 5986 (HTTPS)
  • W32Time/NTP: UDP 123 (UDP only; a TCP probe of port 123 proves nothing)

Transport is part of the uncertainty.

  • AD replication and Kerberos fail after firewall or segmentation changes, usually because one link in the chain (DNS, 88, 135 plus the dynamic range) was not carried over into the new rules.
  • WinRM works locally but not from the intended admin subnet: the listener is up, but 5985/5986 is filtered between that subnet and the host.
  • Time sync drifts and the team needs to prove whether UDP 123 is actually permitted; only a real NTP exchange can answer that, a TCP connect cannot.
  • RPC-dependent operations fail because static rules allow TCP 135 but not the dynamic range the endpoint mapper hands out, so the first hop succeeds and the second hop is dropped.
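The checks the two lists above call for, written as an added PowerShell example that is not part of the original page: it walks the dependency chain in order against one domain controller, proves UDP 123 with a real NTP mode 3 request instead of a TCP probe, and uses repadmin /bind to exercise the RPC dynamic range behind TCP 135. The DC and domain names in the usage line are hypothetical; the cmdlets it assumes are listed in the header comment.

```powershell
<#
 Added example for this reference page; it is not code from the page's author.
 Probes the dependency chain above from a client or jump host toward one DC.
 Assumptions: Windows PowerShell 5.1 or later on Windows 8 / Server 2012+
 (Test-NetConnection, Resolve-DnsName, Test-WSMan); repadmin.exe is optional
 and only present where RSAT or the AD DS role is installed.
 Usage (hypothetical names): .\Test-AdTransport.ps1 -Dc dc01.corp.example -Domain corp.example
#>
param(
    [Parameter(Mandatory)] [string] $Dc,
    [string] $Domain = $env:USERDNSDOMAIN,
    [int] $TimeoutMs = 2000
)

$rows = @()
function Add-Row([string] $Check, [string] $Transport, [bool] $Ok, [string] $Detail) {
    $script:rows += [pscustomobject]@{ Check = $Check; Transport = $Transport; Ok = $Ok; Detail = $Detail }
}

# 1. DNS first: a TCP connect to 53 proves a listener, an SRV lookup proves the
#    DC locator records actually resolve. Everything below depends on this.
$dns = Test-NetConnection -ComputerName $Dc -Port 53 -WarningAction SilentlyContinue
Add-Row 'DNS' 'TCP/53' $dns.TcpTestSucceeded 'TCP connect'
if ($Domain) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction SilentlyContinue
    Add-Row 'DNS SRV (DC locator)' 'UDP/TCP 53' ($null -ne $srv) "_ldap._tcp.dc._msdcs.$Domain"
}

# 2. Plain TCP listeners, in dependency order.
$tcp = [ordered]@{ 'Kerberos' = 88; 'RPC EPM' = 135; 'LDAP' = 389; 'SMB/SYSVOL' = 445; 'LDAPS' = 636 }
foreach ($name in $tcp.Keys) {
    $r = Test-NetConnection -ComputerName $Dc -Port $tcp[$name] -WarningAction SilentlyContinue
    Add-Row $name "TCP/$($tcp[$name])" $r.TcpTestSucceeded 'TCP connect'
}

# 3. TCP 135 only reaches the endpoint mapper. Replication and DFSR then move to
#    a port in the DC's dynamic range (TCP 49152-65535 by default on Server 2008
#    and later). repadmin /bind performs the full RPC bind to the directory
#    service, so it exercises that second hop; failing here after 135 succeeded
#    is the classic signature of a firewall that ignores the dynamic range.
if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
    $out = & repadmin.exe /bind $Dc 2>&1
    Add-Row 'RPC bind (DRS)' 'TCP/135 + dynamic' ($LASTEXITCODE -eq 0) "$($out | Select-Object -Last 1)"
}

# 4. WinRM: the port check says a listener exists; Test-WSMan makes the service
#    answer an Identify request, which is what an admin session needs first.
#    Over HTTPS the certificate must also validate, so a failure there with
#    5986 open usually means a cert problem rather than a filtered port.
foreach ($p in @(@{ Port = 5985; Ssl = $false }, @{ Port = 5986; Ssl = $true })) {
    $r = Test-NetConnection -ComputerName $Dc -Port $p.Port -WarningAction SilentlyContinue
    $wsArgs = @{ ComputerName = $Dc; ErrorAction = 'SilentlyContinue' }
    if ($p.Ssl) { $wsArgs.UseSSL = $true }
    $ws = Test-WSMan @wsArgs
    $label = if ($p.Ssl) { 'WinRM HTTPS' } else { 'WinRM HTTP' }
    $detail = if ($ws) { "stack $($ws.ProductVersion)" } else { 'no WSMan reply' }
    Add-Row $label "TCP/$($p.Port)" ($r.TcpTestSucceeded -and $null -ne $ws) $detail
}

# 5. UDP 123 cannot be proven by a TCP connect. Send a real NTP client request
#    (mode 3) and require a reply; a silent timeout is what "blocked" looks like on UDP.
function Test-NtpUdp([string] $Server, [int] $Timeout) {
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $Timeout
        $udp.Connect($Server, 123)
        $req = New-Object byte[] 48
        $req[0] = 0x1B                                  # LI=0, VN=3, Mode=3 (client)
        [void] $udp.Send($req, $req.Length)
        $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref] $from)
        if ($resp.Length -lt 48) { return $null }
        # Transmit timestamp: 32-bit seconds since 1900-01-01 UTC, big-endian at offset 40.
        $secs = [uint64] $resp[40] * 16777216 + [uint64] $resp[41] * 65536 +
                [uint64] $resp[42] * 256 + [uint64] $resp[43]
        return (New-Object DateTime 1900, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)).AddSeconds($secs)
    } catch { return $null } finally { $udp.Close() }
}
$ntp = Test-NtpUdp $Dc $TimeoutMs
$ntpDetail = if ($ntp) { 'offset {0:N3}s' -f ($ntp - [DateTime]::UtcNow).TotalSeconds } else { 'no reply' }
Add-Row 'W32Time/NTP' 'UDP/123' ($null -ne $ntp) $ntpDetail

$rows | Format-Table -AutoSize
```

Read the table top down: the first row that fails is the one to chase, because every later check depends on it. A TCP 135 success next to an RPC bind failure points at the dynamic range; a WinRM port success next to a missing WSMan reply points at the service or its certificate, not the network; and an NTP row with no reply is the evidence that UDP 123 is filtered, which the W32Time event log alone cannot distinguish from a misconfigured time source.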