Restricting Active Directory replication traffic to a specific port (224196)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition

This article was previously published under Q224196.

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

By default, Active Directory replication over RPC (remote procedure call) takes place dynamically over an available port that is assigned through the RPC Endpoint Mapper (RPCSS) on port 135; Microsoft Exchange works the same way. As with Microsoft Exchange, the administrator can override this behavior and specify the port through which all replication traffic passes, thereby locking the port down.

When you specify a replication port by using the registry entry that is described later in this article, clients can still connect to the RPC interfaces that they require for authentication and for domain information. This is possible because every RPC interface that Active Directory supports is available on every port on which Active Directory is listening.

Note This article does not imply that replication can occur through a firewall. A number of other ports (for Kerberos, and so on) must also be opened for replication to work. If you must replicate across a firewall, use Virtual Private Networking.

MORE INFORMATION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

When a client connects to an RPC endpoint without knowing the complete binding, which is the case for DS replication, the RPC run-time on the client contacts the RPC Endpoint Mapper (RPCSS) on the server at well-known port 135 and obtains the port on which the service that supports the desired RPC interface is listening.

The service registers the endpoint when it starts, and has the choice of a dynamically assigned port or a specific port.

If you configure Active Directory to run at "port x" by using the registry entry below, that port becomes the one that is registered with the endpoint mapper.

Using Registry Editor, modify the following value on each domain controller where the restricted port is to be used:

Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)

If any intermediate network devices or software filter packets between domain controllers, administrators should confirm that communication over the specified port is permitted.
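As an added example that is not part of this article, the following PowerShell sets the "TCP/IP Port" value described above on the local domain controller, after checking that the port is usable and exporting the key as the article recommends. The port number 50000 and the backup file path are assumptions.

```powershell
# Added example (not from the KB article): set and read the NTDS "TCP/IP Port" value
# on the local domain controller. Run in an elevated PowerShell session.
# Assumption: the chosen port (50000 below) is a static port you have reserved for
# AD replication and that is already permitted by any firewall between your DCs.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'TCP/IP Port'

function Get-NtdsReplicationPort {
    # Returns the configured static port, or $null if AD still uses a dynamic RPC port.
    $item = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-NtdsReplicationPort {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][int]$Port,
        # Where to export the key before changing it (the article asks for a backup).
        [string]$BackupFile = "$env:TEMP\NTDS-Parameters-backup.reg"
    )

    # Ports below 1024 (including the endpoint mapper's own port 135) belong to
    # other services and would never be the "available port" the article means.
    if ($Port -lt 1024 -or $Port -gt 65535) {
        throw "Port $Port is outside the usable range 1024-65535."
    }

    # Refuse to reuse a port that something on this host is already listening on.
    $listening = netstat -ano -p tcp |
        Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING"
    if ($listening) {
        throw "Port $Port is already in use on this host:`n$($listening -join "`n")"
    }

    if ($PSCmdlet.ShouldProcess($NtdsParams, "Set '$ValueName' to $Port")) {
        # Back up the key with reg.exe, then write the REG_DWORD value.
        # New-ItemProperty takes the decimal port; no hex conversion as in Registry Editor.
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $BackupFile /y | Out-Null
        New-ItemProperty -Path $NtdsParams -Name $ValueName -Value $Port `
            -PropertyType DWord -Force | Out-Null
    }

    # The directory service reads this value when it registers its endpoint at
    # startup, so the new port takes effect after the service next starts.
    return Get-NtdsReplicationPort
}

Set-NtdsReplicationPort -Port 50000 -WhatIf   # preview; drop -WhatIf to apply
```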

Frequently, you must also manually set the File Replication Service (FRS) RPC port, because Active Directory and FRS replicate between the same domain controllers. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

319553 How to restrict FRS replication traffic to a specific static port


If you set the Active Directory replication port to a fixed port outside the range that is allowed for RPC ports in order to control access and logons through a firewall, both the replication port and the dynamic RPC ports must be opened on the firewall to allow access and logons. This is because the logon process uses the replication port for user mapping.

For more information about the RPC Endpoint Mapper, click the following article number to view the article in the Microsoft Knowledge Base:

154596 How to configure RPC dynamic port allocation to work with firewalls


Modification Type: Minor
Last Reviewed: 2/8/2006
Keywords:kbenv kbinfo KB224196