#1
RPC Ports

I need some clarification on the RPC ports used by AD/FRS/DFSR. My understanding is that in Windows 2000 & 2003 AD/FRS uses ports in the range of 1024-5000 and in Windows 2008 & 2008 R2 AD/FRS/DFSR use ports in the range of 49152-65535.

Now I would like to know how these domain controllers would communicate in a mixed environment. So consider the example below:

Consider DC1 (W2k3) & DC2 (W2k8) are from the same domain and are on either side of a firewall.

For DC1 to communicate with DC2, the firewall should have ports 135 & 49152-65535 opened (while there are many other ports, I am talking only from the RPC standpoint), and for DC2 to talk to DC1, the firewall should have ports 135 & 1024-5000 opened. Is this true?

In Windows 2000/2003, can AD/FRS be restricted to ports in the range of 49152-65535? That way we would have an identical range of ports to be opened on the firewall.

At the moment IPSEC is not an option, but we are considering it 1 year down.

Thanks

#2
Re: RPC Ports
"Venkat" <Venkat@discussions.microsoft.com> wrote in message news:D27B4BDD-ED91-46CE-961E-667E500C4302@microsoft.com...
> I need some clarification on the RPC ports used by AD/FRS/DFSR. My
> understanding is that in Windows 2000 & 2003 AD/FRS uses ports in the
> range of 1024-5000 and in Windows 2008 & 2008 R2 AD/FRS/DFSR use ports
> in the range of 49152-65535.
>
> Now I would like to know how would these domain controllers communicate
> in a mixed environment? So considering the example below:
>
> Consider DC1 (W2k3) & DC2 (W2k8) are from the same domain and are on
> either sides of a firewall.
>
> For DC1 to communicate with DC2, the firewall should have 135 &
> 49152-65535 ports opened (while there are many other ports, I am talking
> only from RPC standpoint) and for DC2 to talk to DC1, the firewall should
> have 135 & 1024-5000 ports opened. Is this true?
>
> In Windows 2000/2003 can the AD/FRS be restricted to ports in the range
> of 49152-65535? That way we will have an identical range of ports to be
> opened on the firewall.
>
> At the moment IPSEC is not an option, but we are considering it 1 year
> down.
>
> Thanks

I think you may have the port rules backwards. Remember, these are "service response" ports, so if 2008 responds on 52987, that has to be opened to go to 2003.

Basically, it is easier to just open the whole range with all the ports required. Many suggest this, and in a private network, there shouldn't be any issues. If between two locations, yes, VPN (L2TP/IPSec) would be a better solution between locations, if these two DCs are truly in different locations. If not, can you describe the environment?

Here are some related links to restricting ports.

Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196

How to restrict FRS replication traffic to a specific static port
http://support.microsoft.com/kb/319553

Network Ports Used by Key Microsoft Server Products
http://www.microsoft.com/.../support...s_ms_prod.mspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

#3
Re: RPC Ports
This can be very simple: just lock down the ports to a specific port and/or range. All handle this the same way, and it is what we do.

Check out an article I have on Firewall Ports Needed for Replication:
http://www.pbbergs.com/windows/articles.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

"Venkat" <Venkat@discussions.microsoft.com> wrote in message news:D27B4BDD-ED91-46CE-961E-667E500C4302@microsoft.com...
> I need some clarification on the RPC ports used by AD/FRS/DFSR. My
> understanding is that in Windows 2000 & 2003 AD/FRS uses ports in the
> range of 1024-5000 and in Windows 2008 & 2008 R2 AD/FRS/DFSR use ports
> in the range of 49152-65535.
>
> Now I would like to know how would these domain controllers communicate
> in a mixed environment? So considering the example below:
>
> Consider DC1 (W2k3) & DC2 (W2k8) are from the same domain and are on
> either sides of a firewall.
>
> For DC1 to communicate with DC2, the firewall should have 135 &
> 49152-65535 ports opened (while there are many other ports, I am talking
> only from RPC standpoint) and for DC2 to talk to DC1, the firewall should
> have 135 & 1024-5000 ports opened. Is this true?
>
> In Windows 2000/2003 can the AD/FRS be restricted to ports in the range
> of 49152-65535? That way we will have an identical range of ports to be
> opened on the firewall.
>
> At the moment IPSEC is not an option, but we are considering it 1 year
> down.
>
> Thanks

#4
Re: RPC Ports
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:uAG8irQmKHA.1648@TK2MSFTNGP05.phx.gbl...
> This can be very simple, just lock down the ports to a specific port
> and/or range. All handle this the same way and is what we do.
>
> Check out an article I have on Firewall Ports Needed for Replication
> http://www.pbbergs.com/windows/articles.htm
>
> --

I meant to bookmark that in my notes in the past, but I keep forgetting to. I made sure I did this time. :-)

Ace

#5
Re: RPC Ports
Hi

I vote for L2TP/IPSec. This is really cool if you don't want to turn your FW into Swiss cheese.

--
I hope that the information above helps you.
Have a nice day.
Jorge Silva
MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

"Venkat" <Venkat@discussions.microsoft.com> wrote in message news:D27B4BDD-ED91-46CE-961E-667E500C4302@microsoft.com...
> I need some clarification on the RPC ports used by AD/FRS/DFSR. My
> understanding is that in Windows 2000 & 2003 AD/FRS uses ports in the
> range of 1024-5000 and in Windows 2008 & 2008 R2 AD/FRS/DFSR use ports
> in the range of 49152-65535.
>
> Now I would like to know how would these domain controllers communicate
> in a mixed environment? So considering the example below:
>
> Consider DC1 (W2k3) & DC2 (W2k8) are from the same domain and are on
> either sides of a firewall.
>
> For DC1 to communicate with DC2, the firewall should have 135 &
> 49152-65535 ports opened (while there are many other ports, I am talking
> only from RPC standpoint) and for DC2 to talk to DC1, the firewall should
> have 135 & 1024-5000 ports opened. Is this true?
>
> In Windows 2000/2003 can the AD/FRS be restricted to ports in the range
> of 49152-65535? That way we will have an identical range of ports to be
> opened on the firewall.
>
> At the moment IPSEC is not an option, but we are considering it 1 year
> down.
>
> Thanks

#6
Re: RPC Ports
Paul,

You mean configure all domain controllers, irrespective of their OS (2000/2003/2008), to use a common range of ports (49152-65535) instead of allowing two different ranges of ports to be opened on the firewall.

So setting this registry key on all domain controllers would restrict all the DCs to communicate on ports within this range:

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\Ports
Value: 49152-65535

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:uAG8irQmKHA.1648@TK2MSFTNGP05.phx.gbl...
> This can be very simple, just lock down the ports to a specific port
> and/or range. All handle this the same way and is what we do.
>
> Check out an article I have on Firewall Ports Needed for Replication
> http://www.pbbergs.com/windows/articles.htm
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup. This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Venkat" <Venkat@discussions.microsoft.com> wrote in message
> news:D27B4BDD-ED91-46CE-961E-667E500C4302@microsoft.com...
>> I need some clarification on the RPC ports used by AD/FRS/DFSR. My
>> understanding is that in Windows 2000 & 2003 AD/FRS uses ports in the
>> range of 1024-5000 and in Windows 2008 & 2008 R2 AD/FRS/DFSR use ports
>> in the range of 49152-65535.
>>
>> Now I would like to know how would these domain controllers communicate
>> in a mixed environment? So considering the example below:
>>
>> Consider DC1 (W2k3) & DC2 (W2k8) are from the same domain and are on
>> either sides of a firewall.
>>
>> For DC1 to communicate with DC2, the firewall should have 135 &
>> 49152-65535 ports opened (while there are many other ports, I am talking
>> only from RPC standpoint) and for DC2 to talk to DC1, the firewall should
>> have 135 & 1024-5000 ports opened. Is this true?
>>
>> In Windows 2000/2003 can the AD/FRS be restricted to ports in the range
>> of 49152-65535? That way we will have an identical range of ports to be
>> opened on the firewall.
>>
>> At the moment IPSEC is not an option, but we are considering it 1 year
>> down.
>>
>> Thanks
>
>

#7
Re: RPC Ports
No. You lock down the services to a specific port, with the exception of the high ports. We open like 50 high ports, and only from the DMZ server to the DC.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

"Venkat" <Venkat@live.com> wrote in message news:e4yIaCTmKHA.1652@TK2MSFTNGP05.phx.gbl...
> Paul,
>
> You mean configure all domain controllers, irrespective of their OS
> (2000/2003/2008) to use a common range of ports (49152-65535) instead of
> allowing two different ranges of ports to be opened on the firewall.
>
> So setting this registry key on all domain controllers would restrict all
> the DC's to communicate on ports within this range
> HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\Ports Value 49152 -
> 65535
>
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:uAG8irQmKHA.1648@TK2MSFTNGP05.phx.gbl...
>> This can be very simple, just lock down the ports to a specific port
>> and/or range. All handle this the same way and is what we do.
>>
>> Check out an article I have on Firewall Ports Needed for Replication
>> http://www.pbbergs.com/windows/articles.htm
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup. This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Venkat" <Venkat@discussions.microsoft.com> wrote in message
>> news:D27B4BDD-ED91-46CE-961E-667E500C4302@microsoft.com...
>>> I need some clarification on the RPC ports used by AD/FRS/DFSR. My
>>> understanding is that in Windows 2000 & 2003 AD/FRS uses ports in the
>>> range of 1024-5000 and in Windows 2008 & 2008 R2 AD/FRS/DFSR use ports
>>> in the range of 49152-65535.
>>>
>>> Now I would like to know how would these domain controllers communicate
>>> in a mixed environment? So considering the example below:
>>>
>>> Consider DC1 (W2k3) & DC2 (W2k8) are from the same domain and are on
>>> either sides of a firewall.
>>>
>>> For DC1 to communicate with DC2, the firewall should have 135 &
>>> 49152-65535 ports opened (while there are many other ports, I am talking
>>> only from RPC standpoint) and for DC2 to talk to DC1, the firewall should
>>> have 135 & 1024-5000 ports opened. Is this true?
>>>
>>> In Windows 2000/2003 can the AD/FRS be restricted to ports in the range
>>> of 49152-65535? That way we will have an identical range of ports to be
>>> opened on the firewall.
>>>
>>> At the moment IPSEC is not an option, but we are considering it 1 year
>>> down.
>>>
>>> Thanks
>>
>>
>
>
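Putting the advice in #2 and #7 into practice, the script below is an added example, not code from anyone in the thread or from the linked Microsoft articles. It pins the NTDS, Netlogon and FRS RPC endpoints to fixed ports (the registry locations are the ones documented in KB224196 and KB319553), restricts the RPC dynamic range through the HKLM\Software\Microsoft\Rpc\Internet key Venkat mentions (documented in KB154596), and after a reboot lists which ports lsass, ntfrs and dfsrs are actually listening on so the firewall rules can be checked against reality. The port numbers 50000-50003, the 49152-65535 range, and the function names Set-RegValue, Set-StaticRpcPorts, Get-ReplicationListeners and Get-RequiredInboundPorts are all assumptions chosen for this example.

```powershell
<#
  Added example (not from the thread or the KB articles). Pins AD replication RPC
  endpoints to static ports and restricts the RPC dynamic range so a 2003 DC and a
  2008 DC present the same small set of inbound ports to the firewall.
  Run elevated on each DC. Port values and the range are assumptions for the example.
  Registry locations: KB224196 (NTDS, Netlogon), KB319553 (FRS), KB154596 (Rpc\Internet).
  A reboot is required: NTDS and Netlogon live in lsass.exe, and the Rpc\Internet
  range is read at RPC runtime start.
#>
param(
    [int]$NtdsPort     = 50000,          # assumed: AD replication (NTDS, hosted in lsass.exe)
    [int]$NetlogonPort = 50001,          # assumed: Netlogon RPC
    [int]$FrsPort      = 50002,          # assumed: FRS (SYSVOL) replication
    [int]$DfsrPort     = 50003,          # assumed: DFSR, 2008+ only, set via dfsrdiag
    [string]$DynamicRange = '49152-65535', # assumed: one range for every DC, 2000/2003 included
    [switch]$Verify                      # report current listeners only, change nothing
)

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    # Creates the key if it is missing and overwrites the value (-Force), so re-runs are idempotent.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-StaticRpcPorts {
    # Static endpoints for the services the thread is about (KB224196 / KB319553).
    Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     'TCP/IP Port'                $NtdsPort     'DWord'
    Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'DCTcpipPort'                $NetlogonPort 'DWord'
    Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'    'RPC TCP/IP Port Assignment' $FrsPort      'DWord'

    # Any other RPC server on this box that still asks for a dynamic endpoint draws from this
    # range. This is what lets a 2000/2003 DC use 49152-65535 instead of its default 1025-5000.
    $rpc = 'HKLM:\Software\Microsoft\Rpc\Internet'
    Set-RegValue $rpc 'Ports'                  @($DynamicRange) 'MultiString'
    Set-RegValue $rpc 'PortsInternetAvailable' 'Y'              'String'
    Set-RegValue $rpc 'UseInternetPorts'       'Y'              'String'

    # DFSR is not registry-driven; dfsrdiag pins its port per member. Skipped where the tool is absent.
    if (Get-Command dfsrdiag.exe -ErrorAction SilentlyContinue) {
        & dfsrdiag.exe StaticRPC /port:$DfsrPort /Member:$env:COMPUTERNAME | Out-Null
    }
}

function Get-ReplicationListeners {
    # Maps LISTENING TCP sockets back to their owning process so you can confirm that lsass
    # (NTDS/Netlogon), ntfrs and dfsrs are bound to the pinned ports after the reboot.
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $procId = [int]$matches[2]
            if (@('lsass', 'ntfrs', 'dfsrs') -contains $names[$procId]) {
                New-Object PSObject -Property @{
                    Process = $names[$procId]; Pid = $procId; Port = [int]$matches[1]
                }
            }
        }
    }
}

function Get-RequiredInboundPorts {
    # Inbound TCP the firewall must allow towards THIS DC once the ports are pinned: the endpoint
    # mapper plus the static ports. The same list applies to the DC on the far side, which is the
    # point of pinning: one rule set for both directions regardless of OS version.
    @(135, $NtdsPort, $NetlogonPort, $FrsPort, $DfsrPort) | Sort-Object -Unique
}

if ($Verify) {
    Get-ReplicationListeners | Sort-Object Port | Format-Table Process, Pid, Port -AutoSize
} else {
    Set-StaticRpcPorts
    'Static ports written. Reboot, then rerun with -Verify. Inbound TCP to allow: ' +
        ((Get-RequiredInboundPorts | ForEach-Object { "$_" }) -join ', ')
}
```

Two cautions when using this. The Rpc\Internet restriction applies to every RPC server on the machine, not only AD, so a range that is too narrow will break unrelated services (DCOM, WMI, Certificate Services); that is why Paul still opens a block of high ports for the DMZ-to-DC path in #7. And the -Verify output is the thing to trust, not the registry: if lsass is still listening on an unpinned high port after the reboot, a typo in the value name or a service that ignores the key is the usual cause, and the firewall rule written from Get-RequiredInboundPorts would silently block replication.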