
LWE10043 : Which ports to open for Active Directory replication in a site.

Symptom:

Replication between Active Directory domain controllers (DCs) does not work.

Cause:

The firewall between the domain controllers is configured too restrictively.

Solution:

RPC-based replication uses dynamic port mapping by default. The RPC run time first contacts the RPC endpoint mapper on the server on the well-known port 135. The endpoint mapper on the server is then queried to determine which port has been assigned for Active Directory replication on that server (the port is assigned dynamically). This query to the endpoint mapper still occurs even when the port assignment is fixed, so port 135 must stay open.

Service        UDP    TCP

LDAP           389    389
LDAP                  636 (SSL)
LDAP                  3268 (Global catalog)
Kerberos       88     88
DNS            53     53
SMB over IP    445    445

In addition, FRS (File Replication Service) uses a dynamic RPC port.

For a firewall this means opening a wide range of ports. FRS cannot be restricted to a fixed port, but you can edit the registry to restrict the directory replication service (NTDS) to a single static port.

To make RPC replication use a fixed port instead of a dynamically assigned one, import the following registry file (the value is read by NTDS at start-up, so the domain controller must be restarted afterwards).

Windows Registry Editor Version 5.00

; Pins the NTDS (directory replication) RPC endpoint to TCP port 0xC000 = 49152
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000

This sets the replication port to 49152 (decimal). Only this port, together with the ports in the table above, needs to be opened on the firewall instead of a whole dynamic port range.
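The following PowerShell script is an added example, not part of the original article: it applies the same static-port setting from PowerShell, confirms that lsass.exe (which hosts NTDS) listens on it after the restart, and checks from a replication partner that every port in the table above plus the static port is reachable. The host name dc01.example.internal and the use of 49152 are assumptions; Test-NetConnection only probes TCP, so the UDP ports (DNS, Kerberos) still need to be verified separately.

```powershell
# Added example (not from the original article): pin AD replication to the
# static RPC port used in the article (0xC000 = 49152) and verify the
# firewall path from a replication partner. Host name is an assumption.

$NtdsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$StaticPort = 49152   # 0xC000, the value from the article's .reg snippet

# 1. Pin the directory replication service to a fixed TCP port (run on the
#    DC, elevated). NTDS reads the value at start-up, so restart the DC.
New-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $StaticPort -Force | Out-Null

# 2. Read it back and show the hex form that appears in the .reg file.
$configured = (Get-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port').'TCP/IP Port'
'NTDS TCP/IP Port = {0} (dword:{1:x8})' -f $configured, $configured

# 3. After the restart, confirm lsass.exe (which hosts NTDS) is listening
#    on the pinned port; an empty result means the setting was not applied.
Get-NetTCPConnection -State Listen -LocalPort $StaticPort |
    Where-Object { $_.OwningProcess -eq (Get-Process -Name lsass).Id }

# 4. From a replication partner, check that each port from the article's
#    table plus the static port is reachable. Port 135 is still required,
#    because the endpoint mapper is queried even when the port is pinned.
$PartnerDc = 'dc01.example.internal'   # assumption: the DC configured above
$Required = @(
    @{ Port = 135;         Service = 'RPC endpoint mapper' },
    @{ Port = 389;         Service = 'LDAP' },
    @{ Port = 636;         Service = 'LDAP over SSL' },
    @{ Port = 3268;        Service = 'Global catalog' },
    @{ Port = 88;          Service = 'Kerberos' },
    @{ Port = 53;          Service = 'DNS' },
    @{ Port = 445;         Service = 'SMB over IP' },
    @{ Port = $StaticPort; Service = 'NTDS replication (static RPC)' }
)
foreach ($entry in $Required) {
    # Test-NetConnection probes TCP only; UDP 53/88 must be checked separately.
    $ok = (Test-NetConnection -ComputerName $PartnerDc -Port $entry.Port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-32} TCP/{1,-5} {2}' -f $entry.Service, $entry.Port,
        $(if ($ok) { 'open' } else { 'BLOCKED' })
}
```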


Disclaimer:

The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!
Copyright © 2004-2011 Lubby (V3.0.10 Aug 2011)