We help IT Professionals succeed at work.

Port 3268/tcp  used for the msft-gc service

dano992 used Ask the Experts™
is it safe to open up this port in my network
i have 2 vlans
server vlans (where active directory resides)
worksation VLan (users)
im having issues using active directory users and computers tool from my worksation
due to not being able to contact the global catalog server efficiently
all traffic (VLANs) flow through out firewall
if i opened up this port on the firewall so that it was opened between the 2 vlans would solve my issue

do i need to open this both incomming and outgoing?
is it safe to open this port on the firewall between the 2 vlans?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013

Yes it is safe it is on your internal network and 3268 is how you communicate with a GC, common port that is open and needed if DCs were in different segments/locations(common)   http://technet.microsoft.com/en-us/library/bb727063.aspx


Technical Lead
Top Expert 2011
Yes you need to open the port 3268 as Global Catalog queries are directed to port 3268 .

Below are the other ports required for Active Directory.

Service Name     UDP       TCP

LDAP                   389       389

LDAP                    636

LDAP                    3268

Kerboros              88        88

DNS                      53        53
smb over IP          445      445

Note:Importannce of GC refer this KB article- http://technet.microsoft.com/en-us/library/cc728188(WS.10).aspx


do i need to open both incoming and outgoing from the worksations vlan?
Sandesh DubeyTechnical Lead
Top Expert 2011

You should enable the same on vlan.