Appendix. Prerequisites for SMB file systems
To create an SMB file system and integrate it with Active Directory, the required environment, permissions, and network conditions must be met in advance. This document describes the required components and network requirements to check before creating an SMB file system.
If the prerequisites are not met, SMB file system creation or Active Directory integration can fail.
Active Directory domain controller requirements
- The domain functional level must be Windows Server 2008 R2 or later.
- A writable domain controller (Writable DC) is required. Read-only domain controllers (RODCs) cannot be used.
- The target Active Directory forest must include at least one domain controller with the Global Catalog role, because the SMB file system queries user and group information through the Global Catalog.
DNS server lookup requirements
The DNS server must be able to resolve the following domain names correctly.
- The domain that the file system joins, such as corp.example.com
- The root domain of the forest, such as example.com
Required permissions delegated to service account
To join an SMB file system to Active Directory, the service account used for domain join must have delegated create and modify permissions for the target OU or domain. For reference, see Active Directory domain join permissions.
- Create Computer Objects
- Read All Properties
- Write All Properties or Validated Write for SPN/DNS Host Name
- Reset Password
- (Optional) Delete Computer Objects
Subnet mapping in multi-site environments
If Active Directory is configured with multiple sites, make sure that the IP subnet where the file system belongs is mapped to the correct AD site.
Network and port requirements
The following ports must be allowed in security group policies to communicate with Active Directory domain controllers and DNS servers.
| Direction | Protocol | Port | Description |
|---|---|---|---|
| Inbound | TCP | 445 | Used when an AD server or client opens a session to the SMB server |
| Inbound | TCP | 135 | Used in environments where AD RPC responses must return to the server |
| Inbound | TCP | 49152-65535 | Used when callbacks are required during RPC communication |
| Outbound | TCP/UDP | 53 | Domain controller lookup and AD domain name resolution |
| Outbound | TCP/UDP | 88 | Kerberos-based authentication |
| Outbound | TCP | 135 | RPC endpoint mapping during AD join |
| Outbound | TCP/UDP | 389 | User, group, and OU lookup, and machine account creation |
| Outbound | TCP | 445 | SMB over TCP communication and session exchange with AD |
| Outbound | TCP/UDP | 464 | Machine account password creation and renewal |
| Outbound | TCP | 49152-65535 | AD RPC calls required during the join process |
| Outbound | TCP | 3268 | Forest-wide user and group search (recommended) |
| Outbound | TCP | 3269 | SSL-based GC search (optional) |
| Outbound | UDP | 123 | NTP (Network Time Protocol) |
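A pre-flight script that checks the DNS lookup and outbound TCP port prerequisites above from a host in the file system's subnet, as an added example (not part of this document or the file service). The script name, the argument layout and the list of domain controller hostnames are assumptions; UDP ports and the dynamic RPC range are not probed.

```python
"""preflight.py: check the AD/DNS prerequisites before creating the file system."""
import socket
import sys

# Outbound TCP ports from the table above that every domain controller must
# accept. UDP ports and the dynamic RPC range (49152-65535) are not probed:
# UDP cannot be checked with a plain connect(), and the dynamic range only
# becomes meaningful after port 135 has mapped the endpoint.
REQUIRED_TCP_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos password change", 3268: "Global Catalog",
}


def resolve(name):
    """Return the addresses a name resolves to, or [] if resolution fails."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(join_domain, forest_root, dc_hosts, resolver=resolve, probe=tcp_open):
    """Run the DNS and port checks; return a list of human-readable failures."""
    failures = []
    # Both names from the "DNS server lookup requirements" section must resolve.
    for label, name in (("join domain", join_domain), ("forest root", forest_root)):
        if not resolver(name):
            failures.append(f"DNS: {label} {name} does not resolve")
    # Every DC must accept each required outbound TCP port from the table.
    for dc in dc_hosts:
        for port, service in REQUIRED_TCP_PORTS.items():
            if not probe(dc, port):
                failures.append(f"TCP {port} ({service}) to {dc} is blocked")
    return failures


if __name__ == "__main__":
    # Usage (assumed): preflight.py corp.example.com example.com dc1.corp.example.com ...
    problems = run_checks(sys.argv[1], sys.argv[2], sys.argv[3:])
    print("\n".join(problems) or "All checks passed")
    sys.exit(1 if problems else 0)
```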