Please document the ports that AD Connect health agent could use if installed on an onpremise domain controller. #36049

Closed
mhunter77 opened this issue Jul 29, 2019 · 5 comments

Comments

@mhunter77

An Azure Rapid Response customer opened a case 119071222001469 in service desk. He was looking for documentation on the ports that the Azure AD Connect Health agent would use when installed on an on-premises domain controller.

The customer was looking for documentation to provide to his networking and security team on why the Azure AD Connect Health Agent (Microsoft.Identity.Health.Adds.InsightsService.exe) that was installed on a domain controller was using ports 1501 and 1502. There is no documentation on this in the article "Azure AD Connect Health Agent Installation":
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install#test-connectivity-to-azure-ad-connect-health-service

Can you provide documentation on this in the above article?

### QUESTION – 119071222001469 – Port Used for Azure AD Connect Health
The customer has the Azure AD Connect Health agent installed on his domain controllers and is concerned about the ports being used. Is there documentation for why the service “Microsoft.Identity.Health.Adds.InsightsService.exe” is using port 1501 and 1501?
NOTE - Microsoft.Identity.Health.Adds.InsightsService.exe is one of the services for Azure AD Connect Health for AD DS.
I can provide a screenshot of nbtstat that shows the results of running the netstat command on the on-prem domain controller. In the results of netstat, you see that Microsoft.Identity.Health.Adds.InsightsService.exe is connecting with ports 1501 and 1502.
Is that because of the scenarios and alert conditions that are monitored by Azure AD Connect Health for AD DS?
The Azure AD Connect Health for AD DS agent may be querying other domain controllers because of the scenarios and alert conditions that are monitored by Azure AD Connect Health for AD DS?

DETAILS
The AD Connect Health agent is installed on his on-premises domain controllers. He ran netstat on a domain controller and sees that Microsoft.Identity.Health.Adds.InsightsService.exe is using ports 1501 and 1502 to connect to other domain controllers.

I told the customer that these ports may be necessary for Active Directory on a domain controller.
The following is a list of scenarios and alert conditions that are monitored by Azure AD Connect Health for AD DS:

  1. Domain Controller (DC) is not advertising
  2. DC is quarantined
  3. DC replication is broken
  4. DC unreachable via LDAP ping
  5. DC unable to find a PDC
  6. DC unable to find a Global Catalog
  7. No Global Catalog Detected
  8. DC Time is out of sync
  9. Unable to reach local SYSVOL share
  10. Netlogon service is not running
  11. Kerberos Key Distribution service is not running
  12. DFSR/NTFRS service is not running
  13. DNS service is not running
  14. High CPU Consumption on DC
  15. Data hasn't been refreshed in over 2 hours

The article below describes how a domain controller may use the lower port range that includes 1501 and 1502:

Service overview and network port requirements for Windows
System services ports
https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows
This section provides a description of each system service, includes the logical name that corresponds to the system service, and displays the ports and the protocols that each service requires.

Click the name of a system service in the following list to see the description:

  1. Active Directory (Local Security Authority)
    Active Directory runs under the Lsass.exe process and includes the authentication and replication engines for Windows domain controllers. Domain controllers, client computers and application servers require network connectivity to Active Directory over specific hard-coded ports. Additionally, unless a tunneling protocol is used to encapsulate traffic to Active Directory, a range of ephemeral TCP ports between 1024 to 5000 and 49152 to 65535 are required.

Note
· If your computer network environment uses only Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista, you must enable connectivity over the high port range of 49152 through 65535.
· If your computer network environment uses Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over both port ranges:
· High port range of 49152 through 65535
· Low port range of 1025 through 5000
· If your computer network environment uses only versions of Windows earlier than Windows Server 2008 and Windows Vista, you must enable connectivity over the low port range of 1025 through 5000.

However, the following article does not state that the ports 1501 and 1502 are required for the Azure AD Connect Health Agent Installation.


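To reproduce the netstat observation in a form a networking and security team can review, here is an added PowerShell example; it is not part of the issue or of Microsoft's documentation. It assumes it runs elevated on a domain controller that has the NetTCPIP cmdlets, that the process name is the image name from the issue without its `.exe` suffix, and that the ActiveDirectory module is optionally present; the port ranges are the ones from the KB article quoted above.

```powershell
# Added example, not from the issue or the Microsoft docs: list the TCP connections
# owned by the Azure AD Connect Health AD DS insights service on a domain controller,
# label each port with the range the KB article (832017) quoted above puts it in,
# and flag whether the peer is one of the domain's own DCs. Run elevated on the DC.
# $ServiceName is the image name from the issue minus its .exe suffix (assumption).
$ServiceName = 'Microsoft.Identity.Health.Adds.InsightsService'

function Get-PortRangeLabel {
    param([int]$Port)
    # Ranges as listed in the KB article for Active Directory connectivity
    if ($Port -ge 49152 -and $Port -le 65535) { return 'high ephemeral (49152-65535)' }
    if ($Port -ge 1025  -and $Port -le 5000)  { return 'low ephemeral (1025-5000)' }
    if ($Port -lt 1024)                       { return 'well-known (<1024)' }
    return 'outside documented ranges'
}

# PIDs of the insights service (there may be more than one instance)
$servicePids = @(Get-Process -Name $ServiceName -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id)
if ($servicePids.Count -eq 0) { Write-Warning "$ServiceName is not running on this host"; return }

# IPv4 addresses of the domain's DCs, used to tag peers; empty if the AD module is missing
$dcAddresses = @()
try {
    $dcAddresses = @(Get-ADDomainController -Filter * -ErrorAction Stop |
        Select-Object -ExpandProperty IPv4Address)
} catch { Write-Warning 'ActiveDirectory module not available; peers will not be tagged as DCs' }

# One row per TCP socket owned by the service, in the current state at sampling time
$rows = Get-NetTCPConnection -OwningProcess $servicePids -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Process         = $ServiceName
            LocalPort       = $_.LocalPort
            LocalPortRange  = Get-PortRangeLabel $_.LocalPort
            RemoteAddress   = $_.RemoteAddress
            RemotePort      = $_.RemotePort
            RemotePortRange = Get-PortRangeLabel $_.RemotePort
            RemoteIsDC      = ($dcAddresses -contains $_.RemoteAddress)
            State           = $_.State
        }
    }

$rows | Sort-Object RemoteAddress, RemotePort | Format-Table -AutoSize
# Keep a record that can be attached to the firewall-rule request
$rows | Export-Csv -Path "$env:TEMP\health-agent-ports.csv" -NoTypeInformation
```

Because ports in the ephemeral ranges are assigned per connection, a single sample shows only the pairs in use at that moment; sample over time before turning the output into a firewall rule.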

@MarileeTurscak-MSFT
Contributor

@mhunter77
Thanks for your feedback! We will investigate and update as appropriate.

@MarileeTurscak-MSFT
Contributor

@billmath

This came from a support case where a customer requested documentation that explains why the AD Connect Health Agent reaches out to other domain controllers and ports 1501 and 1502 to gather data for the agent. Do we have some text that can be added to the documentation for this?

@MarileeTurscak-MSFT
Contributor

Tagging @RobdeJong as well to see if there is some existing text that could be added.

@MarileeTurscak-MSFT
Contributor

If we need to update this doc, my suggestion is a line like, "The Azure AD Connect Health Agent may contact other domain controllers and reach out to lower ports that use 1501 and 1502. This is in order to monitor connectivity, CPU, and data consistency."

@billmath
Contributor

@mhunter77 Thank you for the feedback. I would say send me an email internally and we can start a thread with the PM. We would need to verify this before adding this to the documentation. Thanks!

Bill

#please-close
