#1
RPC Dynamic Ports

We have decided to limit the RPC Ports to 50000 - 50200 and want to put the registry keys as mentioned in KB154596, however I want to know if adding the below registry key and values can be automated using Group Policy, so that it is applied uniformly on all domain controllers.

I want to add the below Key and Values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ - Key
Ports REG_MULTI_SZ - 50000 - 50200 - Value
PortsInternetAvailable REG_SZ Y - Value
UseInternetPorts REG_SZ Y - Value

#2
Re: RPC Dynamic Ports

You didn't mention which o/s you were using so I have to assume 2008, since 2003 and prior didn't provide this option. There should be no reason why this wouldn't work but I definitely would test it in a lab environment first. We manually do this and it works great, just remember your dmz machines also need to know about this.

Check out an article I have on Firewall Ports Needed for Replication at:
http://www.pbbergs.com/windows/articles.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Venkat" <Venkat@discussions.microsoft.com> wrote in message news:A7CDCE01-0519-4384-AE17-4170392495E8@microsoft.com...
> We have decided to limit the RPC Ports to 50000 - 50200 and want to put the registry keys as mentioned in KB154596, however I want to know if adding the below registry key and values can be automated using Group Policy, so that it is applied uniformly on all domain controllers.
>
> I want to add the below Key and Values:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ - Key
> Ports REG_MULTI_SZ - 50000 - 50200 - Value
> PortsInternetAvailable REG_SZ Y - Value
> UseInternetPorts REG_SZ Y - Value

#3
Re: RPC Dynamic Ports

All DC's run on Windows Server 2003.

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:%23AHKT8Q5JHA.1716@TK2MSFTNGP03.phx.gbl...
> You didn't mention which o/s you were using so I have to assume 2008, since 2003 and prior didn't provide this option. There should be no reason why this wouldn't work but I definitely would test it in a lab environment first. We manually do this and it works great, just remember your dmz machines also need to know about this.
>
> Check out an article I have on Firewall Ports Needed for Replication at:
> http://www.pbbergs.com/windows/articles.htm

#4
Re: RPC Dynamic Ports

So how did you plan on pushing this to your dc's? This isn't an option in 2003's gpo settings.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Kerry" <Phanindra@live.com> wrote in message news:ebSc9wS5JHA.4936@TK2MSFTNGP04.phx.gbl...
> All DC's run on Windows Server 2003.

#5
Re: RPC Dynamic Ports

Is there another way of automating this, because I do not want any human errors to happen, like people forgetting to put the reg keys etc. Right now it's part of the build process, however we have seen that it has been missed on a few DCs which have gone into production, and we have seen replication failures on these DC's.

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:und9TET5JHA.1716@TK2MSFTNGP03.phx.gbl...
> So how did you plan on pushing this to your dc's? This isn't an option in 2003's gpo settings.

#6
Re: RPC Dynamic Ports

In news:und9TET5JHA.1716@TK2MSFTNGP03.phx.gbl,
"Kerry" <Phanindra@live.com> wrote in message news:Odh9fpW5JHA.2232@TK2MSFTNGP05.phx.gbl...
Is there another way of automating this, because I do not want any human errors to happen, like people forgetting to put the reg keys etc. Right now it's part of the build process, however we have seen that it has been missed on a few DCs which have gone into production, and we have seen replication failures on these DC's.

====

Kerry,

Curious, why use this method? Are your sites connected via VPN, or is there a DC in a DMZ? How many DCs do you have?

Also, as for pushing it out, have you looked at the RPC config tool mentioned in that article? I haven't used this yet, but it sounds easier just running it once on a DC and it's done.

"If you use Windows Server 2003, you can use the RPC Configuration Tool (RPCCfg.exe) from the Windows Server 2003 Resource Kit to complete the process that is described in this article. To obtain the RPC Configuration Tool, visit the following Microsoft Web site: "
http://www.microsoft.com/downloads/d...DisplayLang=en

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay

#7
Re: RPC Dynamic Ports

Before Microsoft snapped up Softgrid, they offered a freebie that is now within the MDOP that does what you are looking for. It is free but you have to have a Software Assurance (SA) agreement with them. Something you will have to check into to see if you have.

As far as automating, you could export the registry keys (once you applied them against one of your servers) and build them into a script that is run at machine start up.

Import or Export Registry keys
http://technet.microsoft.com/en-us/l.../cc736340.aspx

Scripting a Registry key
http://www.microsoft.com/technet/scr....mspx?mfr=true

I would personally say, I would discourage this practice and do it manually. I would NEVER run an update script on my DC. But you asked and I will give you the tools and you can make the final decision.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Kerry" <Phanindra@live.com> wrote in message news:Odh9fpW5JHA.2232@TK2MSFTNGP05.phx.gbl...
> Is there another way of automating this, because I do not want any human errors to happen, like people forgetting to put the reg keys etc. Right now it's part of the build process, however we have seen that it has been missed on a few DCs which have gone into production, and we have seen replication failures on these DC's.

#8
Re: RPC Dynamic Ports

Thanks for that suggestion!

Agreed! I wouldn't like to use it myself either, it's for a client who do not have good technical resources and processes. They have run into replication issues many times and in most cases we ended up realising that the registry keys haven't been put.

Regards

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:%23krI2jd5JHA.4332@TK2MSFTNGP06.phx.gbl...
> Before Microsoft snapped up Softgrid, they offered a freebie that is now within the MDOP that does what you are looking for. It is free but you have to have a Software Assurance (SA) agreement with them. Something you will have to check into to see if you have.
>
> As far as automating, you could export the registry keys (once you applied them against one of your servers) and build them into a script that is run at machine start up.
>
> Import or Export Registry keys
> http://technet.microsoft.com/en-us/l.../cc736340.aspx
>
> Scripting a Registry key
> http://www.microsoft.com/technet/scr....mspx?mfr=true
>
> I would personally say, I would discourage this practice and do it manually. I would NEVER run an update script on my DC. But you asked and I will give you the tools and you can make the final decision.

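An added example, not part of any post in this thread: a read-only PowerShell audit that checks the three values from post #1 on each domain controller and reports which are missing or different, the condition posts #5 and #8 tie to the replication failures. It assumes PowerShell 2.0 or later on an admin workstation, the Remote Registry service running on the targets, and the hypothetical host names DC01 and DC02.

```powershell
# Added example: audit the RPC port-restriction values from post #1.
# Read-only; needs the Remote Registry service and admin rights on each target.
param(
    # Hypothetical host names; replace with your own domain controllers.
    [string[]]$ComputerName = @('DC01', 'DC02')
)

$subKey   = 'Software\Microsoft\Rpc\Internet'
$expected = @{
    Ports                  = '50000-50200'   # range from post #1, spaces ignored
    PortsInternetAvailable = 'Y'
    UseInternetPorts       = 'Y'
}

function Test-RpcPortConfig {
    param([string]$Computer)

    $result = New-Object PSObject -Property @{
        Computer = $Computer; Compliant = $false; Detail = ''
    }
    $base = $null
    $key  = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $base.OpenSubKey($subKey)    # opens the key read-only
        if ($null -eq $key) {
            $result.Detail = "key HKLM\$subKey is missing"
            return $result
        }
        $problems = @()
        foreach ($name in $expected.Keys) {
            $raw = $key.GetValue($name)
            if ($null -eq $raw) { $problems += "$name missing"; continue }
            # Ports is REG_MULTI_SZ (string[]); the other two are REG_SZ.
            $actual = (@($raw) | ForEach-Object { $_ -replace '\s', '' }) -join ','
            if ($actual -ne $expected[$name]) {
                $problems += "$name = '$actual' (expected '$($expected[$name])')"
            }
        }
        $result.Compliant = ($problems.Count -eq 0)
        $result.Detail    = if ($problems.Count) { $problems -join '; ' } else { 'ok' }
    }
    catch {
        # Unreachable host, access denied, Remote Registry stopped, etc.
        $result.Detail = "could not read registry: $($_.Exception.Message)"
    }
    finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
    return $result
}

$ComputerName | ForEach-Object { Test-RpcPortConfig $_ } |
    Format-Table Computer, Compliant, Detail -AutoSize
```

Because it only reads, it can be scheduled against production DCs without changing them; any host that reports a missing value is one where the build step was skipped.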