Locking down AD ports

Active Directory

  #1  
28-03-2012
Member
 
Join Date: May 2008
Posts: 49
Locking down AD ports

Hi guys,

Our company is currently planning to deploy an RODC in our branch offices. So the end result is that we will have two sites, HQ and branch office. The communications between the RODC and the writable DC will also pass through our firewall.

We are looking to reduce the number of ports that need to be open at the firewall level, especially the RPC ports used for AD communications. We read some of Microsoft's articles, and they recommend that we restrict the following to fixed ports on our DCs:

1) Netlogon
2) NTFRS / DRS
3) NTDS

But a few articles included the means of reducing the RPC port range as well. Hence, I would like to check with you guys whether restricting the ports for the 3 services above is enough, or whether we should reduce the RPC port range as well?

Regards

  #2  
28-03-2012
Member
 
Join Date: Dec 2007
Posts: 2,240
Re: Locking down AD ports

You can check out the KB article on restricting Active Directory replication traffic and client RPC traffic to a specific port: http://support.microsoft.com/kb/224196. This will cause AD replication traffic to use the port you specify. Keep in mind the endpoint mapper still needs to be available (so 135 is a must regardless), but instead of it randomly negotiating a port after 135, it will use the one you configure.
  #3  
29-03-2012
Member
 
Join Date: May 2008
Posts: 49
Re: Locking down AD ports

Hi EINSTEIN_007,

Thanks for the advice. Will check it out. Probably I will also test out the rules on our development servers.

Regards
  #4  
15-04-2012
Member
 
Join Date: May 2008
Posts: 49
Re: Locking down AD ports

Hi EINSTEIN_007,

I did some testing on our development setup. We set up one writable DC (in site 1) and an RODC (in site 2). We also simulated a firewall between them using ISA Server 2006. In ISA Server, we also set up access rules to allow the ports required by a DC as stated in the given article (TCP 135, 445, etc.) and also pinned the NTFRS, NTDS and NETLOGON ports to fixed ones. They are also allowed in ISA Server. But we didn't allow the dynamic RPC range.

Not sure if our ISA rules are set up wrongly, but we have been seeing replication errors between the DCs. Hence, we would like to clarify with you whether dynamic RPC ranges are required for replication to work even when we have fixed the AD ports to specific ports.

Regards
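The pinning that reply #2 describes and that post #4 tested, as an added example (not code from the thread or from Microsoft): it writes the fixed-port registry values for NTDS and Netlogon from the linked KB article, plus the FRS value Microsoft documents separately, and then checks after a restart that the DC really listens on those ports and on TCP 135. The port numbers 50000-50002 are constructed examples; the registry value names should be confirmed against the KB article before use.

```powershell
# Added example: pin the three RPC services named in the thread to fixed TCP
# ports, then verify the DC is listening on them. Run elevated on each DC
# (writable DC and RODC). Port numbers are constructed examples; choose unused
# ports above 1024 and open exactly these, plus TCP 135 for the endpoint
# mapper, on the firewall between the sites.

$FixedPorts = @{
    # AD replication (DRS) over the NTDS RPC interface
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     = @{ Name = 'TCP/IP Port';                 Port = 50000 }
    # Netlogon RPC (secure channel / trust traffic)
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' = @{ Name = 'DCTcpipPort';                Port = 50001 }
    # File Replication Service for SYSVOL (only relevant while SYSVOL uses FRS)
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'    = @{ Name = 'RPC TCP/IP Port Assignment'; Port = 50002 }
}

function Set-FixedRpcPorts {
    foreach ($key in $FixedPorts.Keys) {
        $v = $FixedPorts[$key]
        # REG_DWORD; -Force creates the value if missing and overwrites it if present
        New-ItemProperty -Path $key -Name $v.Name -PropertyType DWord -Value $v.Port -Force | Out-Null
        $readBack = (Get-ItemProperty -Path $key -Name $v.Name).($v.Name)
        Write-Host ("{0,-62} {1,-28} = {2}" -f $key, $v.Name, $readBack)
    }
    Write-Host 'Restart the DC (or the NTDS, Netlogon and NTFRS services) for the values to take effect.'
}

function Test-FixedRpcPorts {
    # Parse netstat instead of Get-NetTCPConnection so this also works on Server 2008 R2.
    # Lines look like: "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  812"; the local address is field 1.
    $listening = netstat -ano -p tcp |
        Where-Object { $_ -match 'LISTENING' } |
        ForEach-Object { ($_.Trim() -split '\s+')[1] -replace '^.*:(\d+)$', '$1' } |
        Sort-Object -Unique

    # 135 (endpoint mapper) must stay reachable even with the services pinned
    $expected = @(135) + ($FixedPorts.Values | ForEach-Object { $_.Port })
    foreach ($p in $expected) {
        $state = if ($listening -contains "$p") { 'LISTENING' } else { 'NOT LISTENING' }
        Write-Host ("TCP {0,-6} {1}" -f $p, $state)
    }
}

Set-FixedRpcPorts
# After the restart, run Test-FixedRpcPorts and compare the listening ports with the firewall rules.
```

Pinning these three services changes only their ports; any other RPC service on the DC keeps negotiating a port from the dynamic range through the endpoint mapper, so a port that still shows up in the replication error should be checked against that range before the firewall rules are blamed.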