To establish secure communications between DCs through a firewall, both the defined (static) ports and the variable high ports used by RPC need to be able to communicate. In the scenario described below the internal DCs have no outbound restrictions; inbound traffic is restricted to what is required, with a block of roughly 200 RPC ports reserved for on-demand (dynamic) allocation.
The following port definitions should be applied on ALL DCs within the DMZ that could replicate with external DCs. They define which ports are made available to the requesting DCs.
On each of those DCs, start Registry Editor (Regedt32.exe) and make the following three changes.
Restrict FRS traffic to a specific static port – KB319553
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
Add a new value:
Name = RPC TCP/IP Port Assignment
Type = REG_DWORD
Value = 10000 (Decimal)
Restrict AD replication traffic to a single static port – KB224196
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Add a new value:
Name = TCP/IP Port
Type = REG_DWORD
Value = 10001 (Decimal)
Restrict RPC dynamic port allocation to a range – KB154596 (only ports 10002–10200 are then handed out to RPC services, so only that range needs to be opened inbound from other machines)
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\
Create a new key named Internet, then locate and click it:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
Add the following values:
"Ports" (REG_MULTI_SZ) = 10002-10200
"PortsInternetAvailable" (REG_SZ) = Y
"UseInternetPorts" (REG_SZ) = Y
The static ports must not fall inside the dynamic range, and KB154596 recommends a range of at least 100 ports above 5000. Restart the DC after making these changes; the services only bind the new ports when they start, and the RPC endpoint mapper (TCP 135) must remain reachable because the requesting DC still queries it to learn which static or dynamic port to use.
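The three registry changes above, applied in one step and read back for verification. This is an added example written for this page, not code from the KB articles; it assumes it is run as Administrator on the DC, and the port values are the ones chosen on this page (change them in one place at the top). The overlap and range-width checks at the end are a guard the KB articles describe in prose but do not script.

```powershell
# Added example (not from the KB articles or the original page): apply the
# NTFRS, NTDS and Rpc\Internet settings described above, then read them back.
# Assumptions: run elevated on the DC; a restart is still required afterwards.
$FrsPort  = 10000          # KB319553 static FRS port
$NtdsPort = 10001          # KB224196 static AD replication port
$RpcRange = '10002-10200'  # KB154596 dynamic RPC range

# 1. KB319553 - static FRS RPC port
$frsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
New-ItemProperty -Path $frsKey -Name 'RPC TCP/IP Port Assignment' `
    -PropertyType DWord -Value $FrsPort -Force | Out-Null

# 2. KB224196 - static NTDS (AD replication) RPC port
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' `
    -PropertyType DWord -Value $NtdsPort -Force | Out-Null

# 3. KB154596 - restrict dynamic RPC allocation to a range
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' `
    -PropertyType MultiString -Value @($RpcRange) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' `
    -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' `
    -PropertyType String -Value 'Y' -Force | Out-Null

# Read back what was written so the change can be documented per DC
$check = [ordered]@{
    'NTFRS\RPC TCP/IP Port Assignment'    = (Get-ItemProperty $frsKey).'RPC TCP/IP Port Assignment'
    'NTDS\TCP/IP Port'                    = (Get-ItemProperty $ntdsKey).'TCP/IP Port'
    'Rpc\Internet\Ports'                  = ((Get-ItemProperty $rpcKey).Ports -join ',')
    'Rpc\Internet\PortsInternetAvailable' = (Get-ItemProperty $rpcKey).PortsInternetAvailable
    'Rpc\Internet\UseInternetPorts'       = (Get-ItemProperty $rpcKey).UseInternetPorts
}
$check.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }

# Guards: static ports must not sit inside the dynamic range, and KB154596
# recommends a range of at least 100 ports located above port 5000.
$lo, $hi = ($RpcRange -split '-') | ForEach-Object { [int]$_ }
if ($FrsPort  -ge $lo -and $FrsPort  -le $hi) { Write-Warning "FRS port $FrsPort overlaps the dynamic range" }
if ($NtdsPort -ge $lo -and $NtdsPort -le $hi) { Write-Warning "NTDS port $NtdsPort overlaps the dynamic range" }
if (($hi - $lo + 1) -lt 100) { Write-Warning "Dynamic range is narrower than 100 ports" }
if ($lo -le 5000)            { Write-Warning "Dynamic range starts at or below port 5000" }
Write-Host "Restart the DC (or at least the NTFRS and NTDS services) for the new ports to take effect."
```

Keep the read-back output with the change record for each DMZ DC; a DC that was missed, or one where the Internet key was created under the wrong hive, is the usual cause of replication still trying to use ports outside the permitted range.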
Configure firewall ports for domains and trusts (Windows Server 2003) – KB179442
Port        | Protocol | Service                     | Notes
135         | TCP      | RPC endpoint mapper         | Machines connect here first to find out which static or high port a service is listening on; keep it open even when static ports are used
137         | UDP      | NetBIOS Name Service        |
138         | UDP      | NetBIOS Datagram            | Netlogon and browsing
139         | TCP      | NetBIOS Session             |
123         | UDP      | NTP                         |
389         | TCP, UDP | LDAP                        |
636         | TCP      | LDAP over SSL               |
3268        | TCP      | LDAP Global Catalog         |
3269        | TCP      | LDAP Global Catalog SSL     |
42          | TCP      | WINS replication            |
53          | TCP, UDP | DNS                         |
88          | TCP, UDP | Kerberos                    |
445         | TCP, UDP | SMB over IP (Microsoft-DS)  |
10000       | TCP      | RPC NTFRS                   | Static port set under KB319553 above
10001       | TCP      | RPC NTDS                    | Static port set under KB224196 above
10002-10200 | TCP      | RPC dynamic high ports      | Range set under KB154596 above
ICMP        |          | ICMP                        |
If you would like to test connectivity to validate FRS communication, run:
NTFRSUTL version server_name
If the two DCs can communicate through the firewall via FRS, the response returns the FRS version information of the remote server.
If you would like to validate connectivity between DCs more generally, use the tool PortQryUI:
Download PortQryUI and run the tool.
Enter the destination DC (or PDC) as the target.
Select the predefined "Domains and Trusts" service.
Validate that the ports which should be open are in fact open, according to the output the tool provides.
For additional information on this tool see the PortQry documentation; PortQry is the command-line backend that PortQryUI drives.
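A scripted version of the same connectivity check, added here as an example; it is not part of the original page and is not PortQryUI itself. It walks the port table above from a DC on the far side of the firewall: TCP ports are tried with a plain TCP connect, UDP ports are handed to portqry.exe (assumed to be in PATH, since it is the backend PortQryUI uses), and the dynamic range is checked by asking the endpoint mapper which ports RPC interfaces are actually bound to. The target name is hypothetical, and the assumed portqry output format for endpoint bindings is noted in the code.

```powershell
# Added example (not from the original page): scripted connectivity check of the
# port table above. Assumptions: portqry.exe is in PATH; $Target is a hypothetical
# DC name; the dynamic range matches the KB154596 settings chosen on this page.
param(
    [string]$Target       = 'dc1.example.corp',   # hypothetical destination DC
    [int]$TimeoutMs       = 3000,
    [int]$RpcRangeLow     = 10002,
    [int]$RpcRangeHigh    = 10200
)

# Static and well-known ports from the table. The dynamic range is verified
# separately, because a port in that range only answers while an RPC interface
# is bound to it.
$Ports = @(
    @{ Name = 'RPC endpoint mapper'; Proto = 'TCP'; Port = 135   },
    @{ Name = 'NetBIOS Name';        Proto = 'UDP'; Port = 137   },
    @{ Name = 'NetBIOS Datagram';    Proto = 'UDP'; Port = 138   },
    @{ Name = 'NetBIOS Session';     Proto = 'TCP'; Port = 139   },
    @{ Name = 'NTP';                 Proto = 'UDP'; Port = 123   },
    @{ Name = 'LDAP';                Proto = 'TCP'; Port = 389   },
    @{ Name = 'LDAP';                Proto = 'UDP'; Port = 389   },
    @{ Name = 'LDAP SSL';            Proto = 'TCP'; Port = 636   },
    @{ Name = 'LDAP GC';             Proto = 'TCP'; Port = 3268  },
    @{ Name = 'LDAP GC SSL';         Proto = 'TCP'; Port = 3269  },
    @{ Name = 'WINS replication';    Proto = 'TCP'; Port = 42    },
    @{ Name = 'DNS';                 Proto = 'TCP'; Port = 53    },
    @{ Name = 'DNS';                 Proto = 'UDP'; Port = 53    },
    @{ Name = 'Kerberos';            Proto = 'TCP'; Port = 88    },
    @{ Name = 'Kerberos';            Proto = 'UDP'; Port = 88    },
    @{ Name = 'SMB (Microsoft-DS)';  Proto = 'TCP'; Port = 445   },
    @{ Name = 'RPC NTFRS (static)';  Proto = 'TCP'; Port = 10000 },
    @{ Name = 'RPC NTDS (static)';   Proto = 'TCP'; Port = 10001 }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN-ACK and no RST within the timeout: a firewall is dropping the packet
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return 'FILTERED' }
        $client.EndConnect($ar)
        return 'LISTENING'
    } catch {
        return 'NOT LISTENING'   # RST (connection refused) or name resolution failure
    } finally {
        $client.Close()
    }
}

function Test-UdpPortWithPortQry {
    param([string]$ComputerName, [int]$Port)
    # portqry -q prints nothing and reports through its exit code:
    # 0 = LISTENING, 1 = NOT LISTENING, 2 = LISTENING OR FILTERED
    & portqry.exe -n $ComputerName -e $Port -p udp -q | Out-Null
    switch ($LASTEXITCODE) {
        0       { 'LISTENING' }
        1       { 'NOT LISTENING' }
        default { 'LISTENING OR FILTERED' }
    }
}

foreach ($p in $Ports) {
    $state = if ($p.Proto -eq 'TCP') { Test-TcpPort $Target $p.Port $TimeoutMs }
             else                    { Test-UdpPortWithPortQry $Target $p.Port }
    '{0,-22} {1,-4} {2,6}  {3}' -f $p.Name, $p.Proto, $p.Port, $state
}

# Dynamic range check: enumerate the endpoint mapper and confirm every TCP binding
# it reports is either a static port or inside the permitted dynamic range.
# Assumption: portqry prints bindings as "ncacn_ip_tcp:<host>[<port>]".
$epm   = & portqry.exe -n $Target -e 135 -p tcp 2>&1
$bound = $epm | Select-String -Pattern 'ncacn_ip_tcp:[^\[]+\[(\d+)\]' -AllMatches |
         ForEach-Object { $_.Matches } |
         ForEach-Object { [int]$_.Groups[1].Value } | Sort-Object -Unique
foreach ($port in $bound) {
    $ok = ($port -ge $RpcRangeLow -and $port -le $RpcRangeHigh) -or
          ($port -eq 10000) -or ($port -eq 10001)
    $verdict = if ($ok) { 'IN PERMITTED RANGE' } else { 'OUTSIDE PERMITTED RANGE - firewall will block' }
    '{0,-22} {1,-4} {2,6}  {3}' -f 'RPC endpoint', 'TCP', $port, $verdict
}
```

Run it from a DC that should replicate with the target; a FILTERED result on a TCP port means the firewall is silently dropping it, while NOT LISTENING means the packet got through but nothing is bound on the far side (typically a service that has not been restarted since the registry change). Any endpoint-mapper binding reported as outside the permitted range shows a DC where the Rpc\Internet settings were not applied or not yet picked up.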