Static TCP Port

Active Directory


  #1  
Old 12-01-2010
Sameer
 
Posts: n/a
Static TCP Port

Do we really need to configure both the registry keys for restricting AD
Replication to specific ports? Wouldn't the TCP/IP Port reg key alone
suffice? What is DCTcpipPort used for?

Registry key 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)
Registry key 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: (available port)




  #2  
Old 13-01-2010
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Static TCP Port

Hello Sameer,

You have to use both ports, if you like to predefine them yourself:
http://support.microsoft.com/kb/224196

Why not use the default configuration without modifying the registry?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Do we really need to configure both the registry keys for restricting
> AD Replication to specific ports? Wouldn't the TCP/IP Port reg key alone
> suffice? What is DCTcpipPort used for?
>
> Registry key 1
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
> Registry value: TCP/IP Port
> Value type: REG_DWORD
> Value data: (available port)
> Registry key 2
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> Registry value: DCTcpipPort
> Value type: REG_DWORD
> Value data: (available port)



  #3  
Old 15-01-2010
Chris
 
Posts: n/a
Re: Static TCP Port

Are these applicable to Windows NT 4.0 as well, when establishing trusts??

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911dc2538cc61f312cb5051@msnews.microsoft.com...
> Hello Sameer,
>
> You have to use both ports, if you like to predefine them yourself:
> http://support.microsoft.com/kb/224196
>
> Why not use the default configuration without modifying the registry?
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Do we really need to configure both the registry keys for restricting
>> AD Replication to specific ports? Wouldn't the TCP/IP Port reg key alone
>> suffice? What is DCTcpipPort used for?
>>
>> Registry key 1
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
>> Registry value: TCP/IP Port
>> Value type: REG_DWORD
>> Value data: (available port)
>> Registry key 2
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
>> Registry value: DCTcpipPort
>> Value type: REG_DWORD
>> Value data: (available port)

  #4  
Old 16-01-2010
Ace Fekay [MVP-DS, MCT]
 
Posts: n/a
Re: Static TCP Port

"Chris" <Chris@live.com> wrote in message
news:O5iKs2glKHA.5128@TK2MSFTNGP05.phx.gbl...
> Are these applicable to Windows NT 4.0 as well, when establishing trusts??
>



NT4 and Windows 2000, 2003 and 2008 domain to domain NTLM (NetBIOS) based
trusts use similar ports. However 2008 now uses an upper range for the
service ports.

The default dynamic port range for TCP/IP has changed in Windows Vista and
in Windows Server 2008
http://support.microsoft.com/?kbid=929851

Windows 2003 and 2008 forest based trusts also require DNS ports opened. Not
that an NTLM trust requires DNS, but the DNS ports would need to be opened
if DNS is used for name resolution for other than trust NetBIOS based
resolution.

I would think the *best* way to minimize ports across a firewall is to
simply use a VPN between the two locations. It prevents having to modify
multiple registry settings, which makes it difficult to support if there are
issues.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


  #5  
Old 16-01-2010
Chris
 
Posts: n/a
Re: Static TCP Port

I wanted to know if the same registry keys can be used in Windows NT 4.0 to
restrict RPC Ports when building trusts. I agree IPSEC would be the best
option to deal with such situations.

Registry key 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)
Registry key 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: (available port)


"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:ej1Z$FllKHA.5656@TK2MSFTNGP02.phx.gbl...
> "Chris" <Chris@live.com> wrote in message
> news:O5iKs2glKHA.5128@TK2MSFTNGP05.phx.gbl...
>> Are these applicable to Windows NT 4.0 as well, when establishing
>> trusts??
>>

>
>
> NT4 and Windows 2000, 2003 and 2008 domain to domain NTLM (NetBIOS) based
> trusts use similar ports. However 2008 now uses an upper range for the
> service ports.
>
> The default dynamic port range for TCP/IP has changed in Windows Vista and
> in Windows Server 2008
> http://support.microsoft.com/?kbid=929851
>
> Windows 2003 and 2008 forest based trusts also require DNS ports opened.
> Not that an NTLM trust requires DNS, but the DNS ports would need to be
> opened if DNS is used for name resolution for other than trust NetBIOS
> based resolution.
>
> I would think the *best* way to minimize ports across a firewall is to
> simply use a VPN between the two locations. It prevents having to modify
> multiple registry settings, which makes it difficult to support if there
> are issues.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance,
> please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>



  #6  
Old 16-01-2010
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Static TCP Port

Hello Chris,

These regkeys are related to AD replication, in NT4 you don't have AD replication.
AD replication is different from creating/using trust.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Are these applicable to Windows NT 4.0 as well, when establishing
> trusts??
>
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:6cb2911dc2538cc61f312cb5051@msnews.microsoft.com...
>
>> Hello Sameer,
>>
>> You have to use both ports, if you like to predefine them yourself:
>> http://support.microsoft.com/kb/224196
>>
>> Why not use the default configuration without modifying the
>> registry?
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Do we really need to configure both the registry keys for
>>> restricting AD Replication to specific ports? Wouldn't the TCP/IP Port
>>> reg key alone suffice? What is DCTcpipPort used for?
>>>
>>> Registry key 1
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
>>> Registry value: TCP/IP Port
>>> Value type: REG_DWORD
>>> Value data: (available port)
>>> Registry key 2
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
>>> Registry value: DCTcpipPort
>>> Value type: REG_DWORD
>>> Value data: (available port)



  #7  
Old 16-01-2010
Ace Fekay [MVP-DS, MCT]
 
Posts: n/a
Re: Static TCP Port

"Chris" <Chris@live.com> wrote in message
news:e6FQJUmlKHA.3840@TK2MSFTNGP06.phx.gbl...
> I wanted to know if the same registry keys can be used in Windows NT 4.0 to
> restrict RPC Ports when building trusts. I agree IPSEC would be the best
> option to deal with such situations.
>
> Registry key 1
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
> Registry value: TCP/IP Port
> Value type: REG_DWORD
> Value data: (available port)
> Registry key 2
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> Registry value: DCTcpipPort
> Value type: REG_DWORD
> Value data: (available port)
>


Still on NT4? What I can tell you, based on the article that Meinolf posted
(http://support.microsoft.com/kb/224196), is that the registry settings only apply
to Windows 2000 and Windows 2003. If it applied to NT4 or Windows 2008, it
would have been updated to indicate as such. It also indicates (quoted
below) that you still need additional ports opened if going through a
firewall (if that is your intention):

"Note This article does not imply that replication can occur through a
firewall. Additional ports must be opened to make replication work through a
firewall. For example, additional ports must be opened for the Kerberos
protocol. To obtain a complete list of the required ports for services
across a firewall, click the following article number to view the article in
the Microsoft Knowledge Base:
832017 (http://support.microsoft.com/kb/832017/ ) Service overview and
network port requirements for the Windows Server system"

Ace
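
An added example, not part of any post in this thread and not Microsoft's own script: a PowerShell audit of the two registry values discussed above, reporting whether each is present, typed as REG_DWORD and a valid port, and whether only one of the pair has been fixed. The helper name Get-StaticPortValue is hypothetical, the script is assumed to run locally on the domain controller being checked, and the same-port warning follows Microsoft's documented guidance to give each value its own port.

```powershell
# Added example: audit the static AD replication port values on the local DC.
$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort' }
)

function Get-StaticPortValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    $result = [pscustomobject]@{ Name = $Name; Port = $null; Problem = $null }
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key -or ($key.GetValueNames() -notcontains $Name)) {
        $result.Problem = 'not set (service uses a dynamic RPC port)'
        return $result
    }
    # A value of the wrong type is not the setting the thread describes.
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Problem = "wrong type $kind, expected REG_DWORD"
        return $result
    }
    $result.Port = [int]$key.GetValue($Name)
    if ($result.Port -lt 1 -or $result.Port -gt 65535) {
        $result.Problem = "value $($result.Port) is not a valid TCP port"
    }
    return $result
}

$values = foreach ($s in $Settings) { Get-StaticPortValue -Path $s.Path -Name $s.Name }
$values | Format-Table Name, Port, Problem -AutoSize | Out-Host

# Only values that passed every check count as a usable static port.
$usable = @($values | Where-Object { -not $_.Problem })
if ($usable.Count -eq 0) {
    'Neither value is set: both services use dynamic RPC ports (the default).'
} elseif ($usable.Count -eq 1) {
    Write-Warning "Only '$($usable[0].Name)' is fixed; the other service still uses a dynamic port."
} elseif ($usable[0].Port -eq $usable[1].Port) {
    Write-Warning "Both values use port $($usable[0].Port); assign a different port to each."
} else {
    $ports = ($usable | ForEach-Object { $_.Port }) -join ', '
    "Static ports: $ports. Firewall rules also need TCP 135 (RPC endpoint mapper) and the other ports listed in KB 832017."
}
```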





