AD replication over Limited RPC
I'm an employee of HCL working on an Active Directory project for SBI General Insurance Company Limited. We need to restrict the communication ports for replication between all the Windows 2008 Domain Controller servers from a large range of RPC ports (1024-65536) to a few selected ports. But we are not able to find out the exact ports which should always be open in the firewall for AD-to-AD communication.
We need to implement this AD replication over limited RPC ports in the SBI General Insurance project.
July 10th, 2012 3:41am
Hi,
Required ports for AD replication are mentioned in below articles:
Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
AD DS and RPC Ports
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/c108f740-9546-4057-9fe1-fcca8cd936fe
Use PortQry v2 to check. Note that the ports needed should be opened in both directions.
More here: http://support.microsoft.com/kb/832919
Hope this helps.
Regards,
Yan Li
TechNet Community Support
July 11th, 2012 2:54am
I have to restrict the dynamic RPC port range of 1024-65536 in the firewall for AD-to-AD communication.
I have already configured the registry values on the Active Directory servers as per the following details to restrict the dynamic port range of 1024-65535. But after configuring this, the communication is still happening on the high-end ports. If we block the high-end dynamic RPC port range 1024-65535 (except 49152, 49153, 49154) then we face replication issues.
Registry key 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: 49152
Registry key 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: 49153
Registry key 3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
Registry value: RPC TCP/IP Port Assignment
Value type: REG_DWORD
Value data: 49154
Suryodoy Banerjee
July 11th, 2012 6:02am
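As an added example (not from the original thread or from Microsoft), the three registry values listed in the post above applied with PowerShell on each DC. The port numbers are the thread's own (49152-49154); the use of New-ItemProperty, the sanity check on the port range and the read-back loop are my additions. Run it elevated on every DC, then reboot, because NTDS and Netlogon only read these values at startup.

```powershell
# Added example, not from the thread: pin the AD RPC listeners to the static
# ports used in the post. Run elevated on every DC, then reboot (NTDS and
# Netlogon read these values only at service start).

$StaticPorts = @(
    # NTDS (DRSUAPI replication), served by lsass.exe
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'TCP/IP Port';                Port = 49152 },
    # Netlogon RPC (NetLogonR), also served by lsass.exe
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'DCTcpipPort';                Port = 49153 },
    # NTFRS SYSVOL replication (only while SYSVOL is still FRS-replicated)
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
       Name = 'RPC TCP/IP Port Assignment'; Port = 49154 }
)

function Set-AdStaticPort {
    param([string]$Key, [string]$Name, [int]$Port)

    # Assumed sanity check: stay inside the default Windows 2008 dynamic range
    # so the static port cannot collide with a well-known service port.
    if ($Port -lt 49152 -or $Port -gt 65535) {
        throw "Port $Port is outside the expected dynamic range 49152-65535"
    }
    if (-not (Test-Path $Key)) {
        throw "Registry key $Key does not exist; is this role installed on this DC?"
    }

    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Port) {
        Write-Host "$Name already set to $Port under $Key"
        return $false     # nothing changed
    }
    # -Force overwrites an existing value, including one of the wrong type (e.g. REG_SZ)
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Port -Force | Out-Null
    Write-Host "$Name set to $Port under $Key (was: $current)"
    return $true
}

$changed = $false
foreach ($p in $StaticPorts) {
    if (Set-AdStaticPort -Key $p.Key -Name $p.Name -Port $p.Port) { $changed = $true }
}

# Read everything back so the values can be pasted into the change record
foreach ($p in $StaticPorts) {
    $v = (Get-ItemProperty -Path $p.Key -Name $p.Name).($p.Name)
    '{0,-10} {1,-28} {2}' -f ($p.Key -split '\\')[-2], $p.Name, $v
}

if ($changed) { Write-Warning 'Reboot this DC for the new listener ports to take effect.' }
```

The script is idempotent, so it can be re-run after the reboot to confirm nothing was reverted; a value present but of type REG_SZ is silently ignored by the services, which is why the script forces the DWORD type rather than only checking the number.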
You also need to fix the DFSR port if you replicate SYSVOL with DFSR.
http://blogs.technet.com/b/askds/archive/2009/07/16/configuring-dfsr-to-a-static-port-the-rest-of-the-story.aspx
Also be sure to do the setting on both DCs in question. You also need to restart both DCs.
o.
July 11th, 2012 6:12am
I need the exact port numbers in the range 1024-65535 which should be opened for inbound/outbound traffic. I have to provide that port list to the customer. If you provide me your mail ID then I can send you the firewall output report where all the high-end used ports are mentioned.
Suryodoy Banerjee
July 11th, 2012 6:52am
No, you are correct. You have already fixed the three ports to your 49152, 49153 and 49154, so the last thing that you must do is fix the remaining DFSR port. Use the tool mentioned in the blog post and fix the DFSR replication to something like 49155.
Then the ports must be accessible in both directions, mutually from/among both/all DCs.
ondrej.
July 11th, 2012 7:02am
OK. But after making these four entries in the registry of the Domain Controllers, do we have to do any further steps, or restrict any other ports for any services through registry entries? Because my main concern is: after restricting these four ports, why is the communication happening on the other high-end RPC ports as well? We have to provide a valid confirmation to the customer about the required ports for any kind of AD-to-AD replication, including the 1024-65536 range.
Suryodoy Banerjee
July 11th, 2012 7:16am
I will be grateful if you will provide the exact registry entry to restrict the DFSR port. I am not able to find out the exact way to do this operation in the given blog.
Suryodoy Banerjee
July 11th, 2012 7:21am
a) Use DFSRDIAG to fix the port. I do not know about the port number.
b) The four ports (AD Replication, Netlogon Authentication, NTFRS and DFSR ports) are the only ports that pure AD requires to replicate and serve DC contents. No other DCOM/RPC ports above 1024 are required to serve AD itself. If there are any other services that communicate between the DCs, you will have to use Network Monitor, NETSTAT -ano and other tools to identify them and either fix or at least document them.
ondrej.
July 11th, 2012 7:49am
Hi,
For DFSR, the system service name is DFSR. The Distributed File System Replication (DFSR) service is a state-based, multi-master file replication engine that automatically copies updates to files and folders between computers that are participating in a common replication group. DFSR was added in Windows Server 2003 R2. You can configure DFSR by using the Dfsrdiag.exe command-line tool to replicate files on specific ports, regardless of whether they are participating in Distributed File System Namespaces (DFSN) or not.
The registry key for it should be:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters
Value name: RPC TCP/IP Port Assignment
Data type: REG_DWORD
Value data:
For more details, please refer to the below link:
Service overview and network port requirements for the Windows Server system :
http://support.microsoft.com/kb/832017
Regards
Yan Li
TechNet Community Support
July 11th, 2012 10:38pm
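As an added example (not from the thread or from Microsoft), the two things the replies above leave to the reader: pinning the DFSR port with dfsrdiag.exe, and then proving on the DC itself which process owns each static port, using the NETSTAT -ano approach suggested earlier. The port 49155 is the one proposed in the thread; the DC name DC1.corp.example and the expected process-to-port mapping (lsass.exe for NTDS and Netlogon, ntfrs.exe for FRS, dfsrs.exe for DFSR) are my assumptions, stated in the comments.

```powershell
# Added example, not from the thread. Step 1: pin DFSR's RPC port with
# dfsrdiag.exe (the DFSR service must be running). 49155 follows the suggestion
# in this thread; DC1.corp.example is a placeholder DC name.
$DfsrPort = 49155
$Member   = 'DC1.corp.example'
dfsrdiag.exe StaticRPC "/Port:$DfsrPort" "/Member:$Member"
if ($LASTEXITCODE -ne 0) { throw "dfsrdiag failed with exit code $LASTEXITCODE" }
Restart-Service DFSR   # DFSR registers its endpoint on the new port at restart

# Step 2: verify who actually listens on each expected static port.
# Expected owners on a 2008 DC (assumption based on the services involved):
#   lsass  -> NTDS port and Netlogon port
#   ntfrs  -> NTFRS port (only while SYSVOL still uses FRS)
#   dfsrs  -> DFSR port
$Expected = @{ 49152 = 'lsass'; 49153 = 'lsass'; 49154 = 'ntfrs'; $DfsrPort = 'dfsrs' }

function Get-TcpListener {
    # Parse "netstat -ano" into (Port, PID, Process) objects for LISTENING sockets.
    netstat -ano -p tcp | ForEach-Object {
        # Example line:  TCP    0.0.0.0:49152    0.0.0.0:0    LISTENING    624
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $procId = [int]$matches[2]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name   = if ($proc) { $proc.Name } else { '?' }
            New-Object PSObject -Property @{
                Port = [int]$matches[1]; PID = $procId; Process = $name
            }
        }
    }
}

$listeners = @(Get-TcpListener)
foreach ($port in ($Expected.Keys | Sort-Object)) {
    $owner = $listeners | Where-Object { $_.Port -eq $port } | Select-Object -First 1
    if (-not $owner) {
        Write-Warning "Port ${port}: nothing listening (service not restarted, or value ignored)"
    } elseif ($owner.Process -ne $Expected[$port]) {
        Write-Warning "Port ${port}: owned by $($owner.Process) (PID $($owner.PID)), expected $($Expected[$port])"
    } else {
        Write-Host "Port ${port}: OK, $($owner.Process) (PID $($owner.PID))"
    }
}

# Everything else bound above 1024 is what the firewall report will show as
# "other RPC high-end ports"; list it so each entry can be fixed or documented.
$listeners | Where-Object { $_.Port -ge 1024 -and -not $Expected.ContainsKey($_.Port) } |
    Sort-Object Port | Format-Table Port, PID, Process -AutoSize
```

The final table is the useful part for the customer conversation: any listener it shows that belongs to lsass, ntfrs or dfsrs means a static value has not taken effect yet (usually a missing reboot), while listeners belonging to other processes are the non-AD services the thread says must be identified separately.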
Thank you so much for your valuable feedback. But I am still not sure what other steps I have to do to restrict the communication between AD and application servers and normal client laptops/desktops through RPC dynamic ports.
Suryodoy Banerjee
July 12th, 2012 4:29am
Yes, the previous discussion covered only DC-to-DC communications. In addition, I forgot to mention yet another port: every DC synchronizes its time with the PDC (protocol NTP). Another thing is that the Infrastructure Master running on a non-GC (global catalog) connects to a GC over TCP 3268,3269. DCs do not start any communications against their clients, so only clients access DCs. Also note that DCs may enroll certificates from enterprise CAs, which is also DCOM. So to recap overall:
DC-to-DC, in both directions among all DCs:
NTDS port
Netlogon port
NTFRS port
DFSR port
DC-to-PDC, just in this direction:
NTP
InfraMaster-to-GC, just in this direction, to any GC:
3268,3269
Client-to-DC, just in this direction:
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
DC-to-CA, just in this direction:
dynamic DCOM, or static DCOM port, if the port has been fixed on the Certification Authority
http://social.technet.microsoft.com/wiki/contents/articles/how-to-set-a-static-dcom-port-for-ad-cs.aspx
Others: please investigate yourself. There may be lots of applications installed in different environments. Nobody can advise you precisely. These are just some of the communications that are mandatory. DC infrastructure is considered local intranet technology, and limiting its communications using static ports is really a long-term operation consisting of debugging the communications and then allowing the access.
ondrej.
July 12th, 2012 4:56am
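As an added example (not from the thread), a check run from one DC against its peers for the DC-to-DC, DC-to-PDC and InfraMaster-to-GC flows listed in the reply above, so the firewall change can be confirmed end to end rather than only on the local listener. It distinguishes a firewall drop (no answer at all) from a reachable host with nothing listening (RST), which is the difference between a firewall problem and a static port not yet applied. The static ports are the thread's (49152-49155); TCP 135 is added because every RPC client first asks the endpoint mapper before connecting to the static port; the DC names are placeholders, and the DC-to-CA DCOM flow is not covered because its port depends on the CA configuration.

```powershell
# Added example, not from the thread: from this DC, test the documented
# DC-to-DC flows against each peer through the firewall. DC names are placeholders.
$Peers = @('DC2.corp.example', 'DC3.corp.example')
$Pdc   = 'DC1.corp.example'    # PDC emulator, target of NTP time sync

# TCP flows expected from a DC to every other DC (assumed set: the thread's
# static ports plus 135, the RPC endpoint mapper, and the GC ports).
$TcpChecks = @(
    @{ Port = 135;   Why = 'RPC endpoint mapper' },
    @{ Port = 49152; Why = 'NTDS replication (static)' },
    @{ Port = 49153; Why = 'Netlogon RPC (static)' },
    @{ Port = 49154; Why = 'NTFRS SYSVOL (static, FRS only)' },
    @{ Port = 49155; Why = 'DFSR SYSVOL (static)' },
    @{ Port = 3268;  Why = 'GC LDAP (Infrastructure Master -> GC)' },
    @{ Port = 3269;  Why = 'GC LDAPS' }
)

function Test-TcpPort {
    # Returns 'open' (SYN/ACK), 'closed' (RST: host up, nothing listening)
    # or 'filtered' (no reply within the timeout: typically a firewall drop).
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($ar)    # throws SocketException on RST
        return 'open'
    } catch { return 'closed' } finally { $client.Close() }
}

function Test-NtpPort {
    # Minimal SNTP request: first byte 0x1B = LI 0, version 3, mode 3 (client).
    # A DC running w32time answers with a 48-byte packet.
    param([string]$Target, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $req = New-Object byte[] 48
    $req[0] = 0x1B
    try {
        [void]$udp.Send($req, $req.Length, $Target, 123)
        $ep   = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$ep)
        if ($resp.Length -eq 48) { return 'open' } else { return 'unexpected' }
    } catch { return 'filtered' } finally { $udp.Close() }
}

$results = @(foreach ($dc in $Peers) {
    foreach ($c in $TcpChecks) {
        New-Object PSObject -Property @{
            Target = $dc; Proto = 'TCP'; Port = $c.Port
            State  = (Test-TcpPort -Target $dc -Port $c.Port); Why = $c.Why
        }
    }
})
# NTP is needed only in the direction DC -> PDC emulator
$results += New-Object PSObject -Property @{
    Target = $Pdc; Proto = 'UDP'; Port = 123
    State  = (Test-NtpPort -Target $Pdc); Why = 'Time sync to PDC'
}

$results | Sort-Object Target, Port | Format-Table Target, Proto, Port, State, Why -AutoSize
```

Run it on every DC, since the thread's point is that the static ports must be reachable in both directions between all DCs; a row that is 'filtered' from one DC but 'open' from another is a one-way firewall rule, and a 'closed' row points back at the DC being tested rather than at the firewall.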
Thanks for your valuable suggestion. As per your given link
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx for Client to DC communication, two points are not clear to me. Please check the below rows:
Protocol and Port | AD and AD DS Usage                                                      | Type of traffic
TCP Dynamic       | Replication, User and Computer Authentication, Group Policy, Trusts     | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
UDP Dynamic       | Group Policy                                                            | DCOM, RPC, EPM
Now my question is: if we have to restrict any kind of dynamic communication, then how do we restrict these two types of traffic, and what will be the port numbers for them?
Suryodoy Banerjee
July 16th, 2012 8:26am
These are not too correct.
- Clients use dynamic TCP against the DC's Netlogon port (the one that you have already fixed on the DCs, the \Services\Netlogon registry key).
- Clients do not use RPC or DCOM to access any group policy on DCs. Group Policy is obtained using 389 LDAP and 445 SMB instead. So it is not correct.
o.
July 16th, 2012 8:29am
Thanks again. Please provide me the information on why we need these ports, tcp/25 (SMTP) and tcp/1723 (PPTP), for client to DC communication.
Suryodoy Banerjee
July 17th, 2012 6:27am
But in the link that you have suggested it's mentioned that SMTP is required for Client to DC communication. Can you please give me the exact port numbers which alone are required for Client to AD communication and vice versa?
Suryodoy Banerjee
July 17th, 2012 6:52am
Hi,
Required ports for AD replication are mentioned in below articles:
Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
Please refer to the article.
Regards
Yan Li
TechNet Community Support
August 3rd, 2012 4:10am