Thread: Locking down AD ports

  1. #1
    Join Date
    May 2008
    Posts
    49

    Locking down AD ports

    Hi guys,

    Our company is currently planning to deploy an RODC in our branch offices. So the end result is that we will have two sites, HQ and branch office. The communications between the RODC and the writeable DC will also pass through our firewall.

    We are looking to reduce the number of ports that need to be opened at the firewall level, especially the RPC ports used for AD communications. We read some Microsoft articles and they recommend that we restrict the following services to fixed ports on our DCs.

    1) Netlogon
    2) NTFRS / DRS
    3) NTDS

    But a few articles included the means of reducing the RPC port range as well. Hence, I would like to check with you guys whether restricting the ports for the 3 services above is enough, or whether we should reduce the RPC port range as well?

    Regards

  2. #2
    Join Date
    Dec 2007
    Posts
    2,297

    Re: Locking down AD ports

    You can check out the link to the KB article for restricting Active Directory replication traffic and client RPC traffic to a specific port:
    http://support.microsoft.com/kb/224196. This will cause AD replication traffic to use the port you specify. Keep in mind the endpoint mapper still needs to be available (so 135 is a must regardless), but instead of it randomly negotiating a port after 135, it will use the one you configure.
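As an added example (not part of the reply above or of the KB article itself), the PowerShell below pins the three RPC-based services named in the question to fixed TCP ports using the registry values documented for NTDS, Netlogon and NTFRS, then reads them back so the change can be verified before the firewall rule set is built. The port numbers 50000 to 50002 are constructed placeholders; pick ports that are free on your DCs. The values only take effect after the affected services (or the DC) restart.

```powershell
# Added example, not from the thread or from Microsoft. Assumes the documented registry
# values for fixing the NTDS, Netlogon and NTFRS RPC ports; port numbers are placeholders.
$fixedPorts = @(
    @{ Service = 'NTDS';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Port = 50000 },
    @{ Service = 'Netlogon'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Port = 50001 },
    @{ Service = 'NTFRS';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Port = 50002 }
)

# Write each value as a REG_DWORD, creating the Parameters key if it is missing.
foreach ($entry in $fixedPorts) {
    if (-not (Test-Path $entry.Path)) {
        New-Item -Path $entry.Path -Force | Out-Null
    }
    New-ItemProperty -Path $entry.Path -Name $entry.Name -Value $entry.Port `
        -PropertyType DWord -Force | Out-Null
}

# Read the values back so the firewall rule set can be built from what is actually configured.
foreach ($entry in $fixedPorts) {
    $current = (Get-ItemProperty -Path $entry.Path -Name $entry.Name).($entry.Name)
    '{0,-9} {1,-28} = {2}' -f $entry.Service, $entry.Name, $current
}
```

With these values in place, the firewall between the sites needs TCP 135 for the endpoint mapper plus the three fixed ports, alongside the non-RPC ports (Kerberos, LDAP, SMB and so on) listed in the KB article; run the script on every DC whose replication partner sits behind the firewall.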

  3. #3
    Join Date
    May 2008
    Posts
    49

    Re: Locking down AD ports

    Hi EINSTEIN_007,

    Thanks for the advice. Will check it out. Probably I will also test out the rules on our development servers.

    Regards

  4. #4
    Join Date
    May 2008
    Posts
    49

    Re: Locking down AD ports

    Hi EINSTEIN_007,

    I did some testing on our development setup. We set up one writable DC (in site 1) and an RODC (in site 2). We also simulated a firewall between them using ISA Server 2006. In ISA Server, we also set up access rules to allow the ports required by a DC as stated in the given article (TCP 135, 445 etc.) and also fixed the NTFRS, NTDS and NETLOGON ports to fixed ones. They are also allowed in ISA Server. But we didn't allow the dynamic RPC range.

    Not sure if our ISA rules are set up wrongly, but we have been seeing replication errors between the DCs. Hence, we would like to clarify with you whether dynamic RPC ranges are required for replication to work even though we have fixed the AD ports to specific ports.

    Regards
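When a lab like the one described above shows replication errors after the ports were fixed, the first thing to establish is whether the DC actually bound the fixed port or is still listening on a dynamically assigned one. The added PowerShell below (not from the thread) reads the configured NTDS and Netlogon ports from the registry and compares them with the TCP ports on which lsass.exe, the process that hosts both services, is currently listening. It assumes a Windows version that ships Get-NetTCPConnection (Server 2012 and later); on older DCs such as the 2008-era setup in the thread, `netstat -ano` filtered on the lsass PID gives the same information.

```powershell
# Added example, not from the thread. Checks whether the fixed RPC ports configured
# for NTDS and Netlogon are really bound by lsass.exe on this DC.
$configured = @(
    @{ Service = 'NTDS';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port' },
    @{ Service = 'Netlogon'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort' }
)

$lsassPid = (Get-Process -Name lsass).Id
$listening = Get-NetTCPConnection -State Listen -OwningProcess $lsassPid |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object

"lsass.exe (PID $lsassPid) is listening on: " + ($listening -join ', ')

foreach ($entry in $configured) {
    $value = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        "{0,-9} no fixed port configured; RPC will pick one from the dynamic range" -f $entry.Service
        continue
    }
    $port = $value.($entry.Name)
    if ($listening -contains $port) {
        "{0,-9} fixed port {1} is bound" -f $entry.Service, $port
    } else {
        "{0,-9} fixed port {1} is configured but NOT bound; restart the service or the DC and re-check" -f $entry.Service, $port
    }
}

# Any remaining lsass listener apart from the well-known LDAP/Kerberos ports (88, 389,
# 636, 464, 3268, 3269) and the fixed ports above is a dynamically assigned RPC endpoint
# that a firewall permitting only the fixed ports would block.
```

Run it on both the writable DC and the RODC; a port that is configured but not yet bound is the usual cause of replication failing right after the registry change, and a listener outside the expected set tells you which traffic the firewall is still dropping.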
