Restricting Active Directory Replication Traffic to a Specific Port

ID: Q224196


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

By default, Active Directory replication over RPC (Remote Procedure Call) takes place over a dynamically assigned port. A replication partner first contacts the RPC Endpoint Mapper (RPCSS) on the well-known port 135 to learn which port the directory service is currently using; Microsoft Exchange works the same way. As with Microsoft Exchange, the administrator can override this behavior and specify a fixed port through which all replication traffic passes, thereby pinning replication to a known port.

NOTE: This article does not imply that replication can occur through a firewall. A number of other ports (for Kerberos, and so on) must also be open for replication to work. Replication through a firewall is not tested or supported. If you need to replicate across a firewall, use Virtual Private Networking.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

When a client connects to an RPC endpoint without knowing the complete binding, which is the case with Directory Service (DS) replication, the RPC run time on the client contacts the RPC endpoint mapper (RPCSS) on the server at the well-known port (135) and obtains the port on which the service supporting the desired RPC interface is listening.

The service registers the endpoint when it starts, and has the choice of a dynamically assigned port or a specific port.

If you configure Active Directory to run at "port x" by means of the registry entry below, port x becomes the endpoint that the directory service registers with the endpoint mapper, and replication partners are directed to it.

Using Registry Editor, modify the following value on each domain controller where the restricted port is to be used:

Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port, entered as a decimal port number)

Choose a port that no other service on the domain controller uses. If any intermediate network device or software filters packets between domain controllers, administrators should confirm that communication over the specified port is permitted, in addition to port 135, which the endpoint mapper still uses to hand out the port.
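The following is an added example, not part of the original article, showing the procedure above (set the value, read it back, restart the directory service, confirm the listener and the endpoint-mapper path) as an administrator would type it today. It assumes port 50000 is free on the domain controller and a partner named DC01; both are assumptions, not values from the article. The PowerShell cmdlets used here (Set-ItemProperty, Restart-Service, Get-NetTCPConnection, Test-NetConnection, New-NetFirewallRule) exist on current Windows Server but not on Windows 2000, where the same change is made with Regedt32.exe followed by a reboot.

```powershell
# Added example (not from the KB article): pin Active Directory replication
# to a fixed RPC port and verify the result.
# Assumptions: port 50000 is unused on this DC; DC01 is a replication partner.

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'TCP/IP Port'
$Port = 50000   # assumed free port, not used by any other service on this DC

# 1. Record the current setting so the change can be reverted.
$before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $before) {
    Write-Host "'$Name' is not set: replication currently uses a dynamic port"
} else {
    Write-Host "Previous '$Name' value: $before"
}

# 2. Write the REG_DWORD value; -Type DWord creates it if it does not exist.
Set-ItemProperty -Path $Path -Name $Name -Value $Port -Type DWord

# 3. Read it back and confirm the data is the decimal port number.
$after = (Get-ItemProperty -Path $Path -Name $Name).$Name
if ($after -ne $Port) { throw "Registry value is $after, expected $Port" }

# 4. Permit the fixed port on the host firewall (the article's requirement that
#    any packet filter between DCs allow the port). Port 135 must stay open too.
New-NetFirewallRule -DisplayName 'AD replication fixed RPC port' `
    -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow -Profile Domain

# 5. NTDS reads the value at startup. Windows 2000 requires a reboot; on
#    Windows Server 2008 and later the directory service can be restarted
#    (-Force also restarts dependent services such as the KDC).
Restart-Service -Name NTDS -Force

# 6. Confirm the directory service is listening on the fixed port. This is the
#    port the endpoint mapper (135) now hands to replication partners.
Get-NetTCPConnection -LocalPort $Port -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 7. Run on a replication partner: both the endpoint mapper and the fixed port
#    must be reachable, otherwise the binding described in the article fails.
#    Test-NetConnection -ComputerName DC01 -Port 135
#    Test-NetConnection -ComputerName DC01 -Port $Port

# 8. Verify that replication still succeeds after the change.
repadmin /showrepl
repadmin /replsummary
```

The read-back in step 3 catches the common mistake of entering the port in hexadecimal in Regedt32.exe; the value must hold the decimal port number. Steps 6 and 7 confirm the two halves of the endpoint-mapper exchange separately: the directory service actually registered the fixed port, and a partner can reach both port 135 and that port.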

For additional information about the RPC Endpoint Mapper, please see the following article(s) in the Microsoft Knowledge Base:
Q154596 Configuring RPC Dynamic Port Allocation to Work With Firewall

Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.