
Restricting Active Directory replication traffic and client RPC traffic to a specific port Page 1 of 3

Article ID: 224196 - Last Review: May 7, 2009 - Revision: 11.0


Restricting Active Directory replication traffic and client RPC traffic to a
specific port


This article was previously published under Q224196

By default, Active Directory replication remote procedure calls (RPC) occur dynamically
over an available port through the RPC Endpoint Mapper (RPCSS) by using port 135. This
process is the same process as in Microsoft Exchange. As in Microsoft Exchange, an
administrator can override this functionality and specify the port that all Active Directory
RPC traffic passes through. This procedure locks the port down.

When you specify ports to use by using the registry entries that are mentioned in the
"More Information" section, both Active Directory server-side replication traffic and client
RPC traffic are sent to these ports by the endpoint mapper. This configuration is possible
because all RPC interfaces that are supported by Active Directory are running on all ports
on which it is listening.

Note This article does not imply that replication can occur through a firewall. Additional
ports must be opened to make replication work through a firewall. For example, additional
ports must be opened for the Kerberos protocol. To obtain a complete list of the required
ports for services across a firewall, click the following article number to view the article in
the Microsoft Knowledge Base:
832017 (http://support.microsoft.com/kb/832017/ ) Service overview and network port
requirements for the Windows Server system

Important This section, method, or task contains steps that tell you how to modify the
registry. However, serious problems might occur if you modify the registry incorrectly.
Therefore, make sure that you follow these steps carefully. For added protection, back up
the registry before you modify it. Then, you can restore the registry if a problem occurs.
For more information about how to back up and restore the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the
registry in Windows

When you connect to an RPC endpoint, the RPC runtime on the client contacts the RPC
endpoint mapper (RPCSS) on the server at a well-known port (135) and obtains the port
to connect to for the service that supports the desired RPC interface. This assumes that
the client does not know the complete binding, which is the case with all AD RPC services.

The service registers one or more endpoints when it starts, and has the choice of a
dynamically assigned port or a specific port.

If you configure Active Directory and Netlogon to run at "port x" as in the following entries,
these become the ports that are registered with the endpoint mapper in addition to the
standard dynamic port.

Use Registry Editor to modify the following values on each domain controller where the
restricted ports are to be used. Member servers are not considered to be logon servers.
Therefore, static port assignment for NTDS and Netlogon has no effect on them.

Registry key 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)

Registry key 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: (available port)

Administrators should confirm that, if any intermediate network devices or software are
used to filter packets between domain controllers, communication over the specified
ports is enabled. Replication and Netlogon should be set to use different ports.

Note When you use the DCTcpipPort registry entry, and you set it to the same port as the
TCP/IP Port registry entry, you receive Netlogon error event 5809 under
NTDS\Parameters. This indicates that the port configured is in use. In this case, you
should remove the DCTcpipPort registry entry. You will receive the same event when you
have a unique port, and you restart the Netlogon service on the domain controller. This is
by design, and occurs because of the way the RPC runtime manages its server ports. The
port for Netlogon is still being registered with the runtime, even when you stop the
Netlogon service. The port will be used after the restart, and the event can be ignored.
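The following PowerShell script is an added example, not part of the KB article, that applies the two registry entries above on a domain controller while enforcing the two constraints the article states: the NTDS and Netlogon ports must differ, and each must be free. It assumes an elevated session on a Windows host that has the NetTCPIP module (for Get-NetTCPConnection); the port numbers are placeholder values.

```powershell
# Added example (not from KB 224196): pin the NTDS and Netlogon RPC ports on a
# domain controller. Run elevated on the DC itself. The default port numbers
# below are assumed placeholders; choose ports your firewall policy allows.
param(
    [ValidateRange(1024, 65535)][int]$NtdsPort     = 50000,  # assumed value
    [ValidateRange(1024, 65535)][int]$NetlogonPort = 50001   # assumed value
)

$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# The article requires different ports; using the same one produces
# Netlogon event 5809 ("port configured is in use").
if ($NtdsPort -eq $NetlogonPort) {
    throw "NTDS and Netlogon must use different ports (same port triggers event 5809)."
}

# Refuse a port that already has a listener on this host (assumes NetTCPIP module).
foreach ($port in @($NtdsPort, $NetlogonPort)) {
    $busy = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($busy) {
        $owner = (Get-Process -Id $busy[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
        throw "TCP port $port already has a listener on this host (process: $owner)."
    }
}

# Write both values as REG_DWORD, exactly as the article specifies.
Set-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port' -Value $NtdsPort     -Type DWord
Set-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord

# Read back what is now configured. NTDS reads its value when the directory
# service starts; Netlogon reads its value when the Netlogon service starts.
[pscustomobject]@{
    'NTDS TCP/IP Port'     = (Get-ItemProperty -Path $ntdsKey).'TCP/IP Port'
    'Netlogon DCTcpipPort' = (Get-ItemProperty -Path $netlogonKey).DCTcpipPort
}
```

After the services have restarted, `Get-NetTCPConnection -State Listen -LocalPort $NtdsPort` should show the port owned by lsass.exe, which confirms the endpoint mapper now hands out the static port.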

Frequently, you must also manually set the File Replication Service (FRS) RPC port
because AD and FRS replication replicate with the same Domain Controllers. The File
Replication Service (FRS) RPC port should use a different port. For more information, click
the following article number to view the article in the Microsoft Knowledge Base:
319553 (http://support.microsoft.com/kb/319553/ ) How to restrict FRS replication
traffic to a specific static port

If you set Active Directory replication to a fixed port outside the range that is allowed
for RPC ports, in order to control access and logons through a firewall, the replication
port and the dynamic RPC ports must be opened on the firewall to allow access and
logons. This is because logon uses the replication port for user mapping.

You may want to set the Active Directory replication to a fixed port outside the range that
is allowed for RPC ports. You may want to do this to control access and logons through a
firewall. However, because of this, the replication and Netlogon port must be opened on
the firewall. This is because the logon process uses the Replication Port for user mapping.
For more information about the RPC Endpoint Mapper, click the following article number
to view the article in the Microsoft Knowledge Base:
154596 (http://support.microsoft.com/kb/154596/ ) How to configure RPC dynamic port
allocation to work with firewalls


APPLIES TO

- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Standard x64 Edition

Keywords: kbenv kbinfo KB224196

Microsoft Support ©2009 Microsoft