Restricting Active Directory replication traffic to the fixed ports

Overview:

Apart from well-known ports such as 389 TCP/UDP, 636 TCP, 3268 TCP, etc. (full overview is here), Active Directory uses a few ports from the dynamic pool for replication purposes. If we don’t have a strict security policy where only explicitly defined traffic is allowed through firewalls, we can leave the default configuration of communication between domain controllers:

1024  – 65535 TCP: dynamic RPC (W2K/W2K3)

49152 – 65535 TCP: dynamic RPC (W2K8+)

However, if we would like to have more control over AD and SYSVOL replication, we can limit the above scope to our needs:

#1. Restricting Active Directory replication traffic to an example port, 5000 TCP (0x1388):

#2a. Restricting SYSVOL FRS traffic to an example port, 5050 TCP (0x13ba):

#2b. Restricting SYSVOL DFS-R traffic to an example port, 5050 TCP:

#3. Restricting RPC dynamic port allocation to an example pool, 6000 – 6050 TCP:

Practice:

Common operational issues in complex environments, like Event 1722: “The RPC server is unavailable”, are sometimes caused by firewall restrictions where only traffic on fixed ports is allowed instead of the full RPC dynamic pool. For example, a freshly promoted domain controller with the default configuration tries to replicate with a remote partner located behind a firewall via a dynamically assigned port such as 49157 TCP, while the replication topology design strictly defines 5000 TCP (for example) and that design is implemented on all DCs and firewalls.

To check which ports are used for replication, simply query the 135 TCP endpoint mapper of each domain controller. Using portqry.exe it looks as follows:

and in the result look for the section “MS NT Directory DRS Interface” to check the AD replication port:

and for “Frs2 Service” to check the DFS-R port:

To find out whether the above RPC ports are fixed or not, simply query the registry settings of this domain controller:

Restricted Active Directory replication traffic:

RPC dynamic port allocation:
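The registry checks above, as an added example that is not part of the original post: a PowerShell script that reads the port settings of a DC (the DC name DC01 and the expected ports are assumptions; the expected values are the example ports used in this post) and reports which replication paths are still on the dynamic pool or differ from the design.

```powershell
# Added example, not from the original post. Reads the registry values that decide
# whether a DC replicates over fixed ports or the dynamic RPC pool and compares them
# with the design. Needs the Remote Registry service reachable on the target DC.
$Expected = @{ NtdsPort = 5000; FrsPort = 5050; DfsrPort = 5050; RpcStart = 6000; RpcEnd = 6050 }

function Get-ReplicationPortConfig {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $read = { param($Path, $Name)
            $k = $reg.OpenSubKey($Path); if ($k) { $k.GetValue($Name) } else { $null } }
        [pscustomobject]@{
            Computer = $ComputerName
            # AD replication (MS NT Directory DRS Interface): DWORD, absent = dynamic port
            NtdsPort = & $read 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'TCP/IP Port'
            # SYSVOL via FRS: DWORD, absent = dynamic port (only relevant on FRS-replicated SYSVOL)
            FrsPort  = & $read 'SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' 'RPC TCP/IP Port Assignment'
            # SYSVOL via DFS-R (Frs2 Service), set by "dfsrdiag StaticRPC": DWORD, absent = dynamic port
            DfsrPort = & $read 'SYSTEM\CurrentControlSet\Services\DFSR\Parameters\Settings' 'RpcPortAssignment'
            # Dynamic pool restriction: Ports is REG_MULTI_SZ (e.g. "6000-6050"), both flags must be "Y"
            RpcPorts = & $read 'SOFTWARE\Microsoft\Rpc\Internet' 'Ports'
            RpcPortsInternetAvailable = & $read 'SOFTWARE\Microsoft\Rpc\Internet' 'PortsInternetAvailable'
            RpcUseInternetPorts = & $read 'SOFTWARE\Microsoft\Rpc\Internet' 'UseInternetPorts'
        }
    } finally { $reg.Close() }
}

function Test-ReplicationPortConfig {
    param($Config, $Expected)
    $findings = @()
    foreach ($n in 'NtdsPort', 'FrsPort', 'DfsrPort') {
        $v = $Config.$n
        if ($null -eq $v) { $findings += "$n not fixed: $($Config.Computer) will use the dynamic RPC pool" }
        elseif ($v -ne $Expected[$n]) { $findings += "$n is $v (0x{0:x}), design says $($Expected[$n])" -f $v }
    }
    $range = "$($Expected.RpcStart)-$($Expected.RpcEnd)"
    if ($Config.RpcPorts -notcontains $range -or $Config.RpcPortsInternetAvailable -ne 'Y' -or
        $Config.RpcUseInternetPorts -ne 'Y') {
        $findings += "RPC dynamic pool is not restricted to $range (Ports/PortsInternetAvailable/UseInternetPorts)"
    }
    return $findings
}

$cfg = Get-ReplicationPortConfig -ComputerName 'DC01'   # hypothetical DC name
$cfg | Format-List
Test-ReplicationPortConfig -Config $cfg -Expected $Expected
```

A DC replicates SYSVOL with either FRS or DFS-R, so one of FrsPort and DfsrPort being unset is normal; treat only the method actually in use as a finding.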


Reference articles:

How to configure a firewall for domains and trusts

Active Directory Replication Over Firewalls

Restricting AD Replication Traffic between DCs to only a few ports

Service overview and network port requirements for Windows

Using PORTQRY for troubleshooting
