Re: Locking down AD ports
You can check out the link to the KB article for restricting Active Directory replication traffic and client RPC traffic to a specific port:
http://support.microsoft.com/kb/224196. This will cause AD replication traffic to use the port you specify. Keep in mind the endpoint mapper still needs to be available (so 135 is a must regardless), but instead of randomly negotiating a port after 135, it will use the one you configure.
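As an added example that is not part of the thread, this is what the KB 224196 registry change looks like when scripted in PowerShell on the DC, followed by a check against the endpoint mapper on TCP 135 after the restart. The port numbers, the presence of portqry.exe, and the use of New-ItemProperty are assumptions of this example, not something the article prescribes. Only the NTDS and Netlogon RPC servers are pinned by these two values; other RPC services on the DC keep using the dynamic range unless they are restricted separately.

```powershell
# Added example (not from the thread): pin AD replication (NTDS) and Netlogon
# RPC to fixed ports per KB 224196. Run elevated on the DC; the change takes
# effect only after a reboot.
# The port numbers below are assumed values; use any unused ports above 1024.

$ntdsPort     = 50000   # assumed: AD replication (NTDS) RPC port
$netlogonPort = 50001   # assumed: Netlogon RPC port

$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Value names from KB 224196, both REG_DWORD. -Force creates or overwrites.
New-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port' -PropertyType DWord -Value $ntdsPort     -Force | Out-Null
New-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -PropertyType DWord -Value $netlogonPort -Force | Out-Null

# Read back what is actually stored before rebooting.
Get-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port'
Get-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort'

# After the reboot: confirm the endpoint mapper (still on TCP 135) now
# advertises the fixed ports. portqry.exe (assumed to be installed) dumps the
# endpoints registered with the mapper; filter on the two interface UUIDs:
#   NTDS (DRSUAPI): e3514235-4b06-11d1-ab04-00c04fc2dcd2
#   Netlogon:       12345678-1234-abcd-ef00-01234567cffb
& portqry.exe -n localhost -e 135 -p tcp |
    Select-String -Pattern 'e3514235-4b06|12345678-1234-abcd'
```

The lines that portqry prints for those two UUIDs should end with `ncacn_ip_tcp:<dcname>[50000]` and `[50001]` (the assumed ports above); if a different number is shown, the value was not picked up and the service has not restarted, and the firewall rule for the fixed port is not yet useful. The firewall between sites then needs TCP 135 plus the two fixed ports for this traffic, in addition to the other DC ports (SMB 445, Kerberos, LDAP and so on) listed in the KB.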
Re: Locking down AD ports
Hi EINSTEIN_007,
Thanks for the advice. Will check it out. I will probably also test out the rules on our development servers.
Regards
Re: Locking down AD ports
Hi EINSTEIN_007,
I did some testing on our development setup. We set up one writable DC (in site 1) and an RODC (in site 2). We also simulated a firewall between them using ISA Server 2006. In ISA Server, we also set up access rules to allow the ports required by a DC as stated in the given article (TCP 135, 445 etc.) and also fixed the NTFRS, NTDS and NETLOGON ports to specific ones. These are also allowed in ISA Server. But we didn't allow the dynamic RPC range.
Not sure if our ISA rules are set up wrongly, but we have been seeing replication errors between the DCs. Hence, we would like to clarify with you whether the dynamic RPC range is required for replication to work even though we have fixed the AD ports to specific ports.
Regards