Re: AD what tcp/ip port or registry settings?
- From: MarcusB <marcusb@xxxxxxxxx>
- Date: Fri, 03 Jun 2005 17:13:43 +0200
Can you tell me the KB number? According to the KB I read, you can set only one port:
You need to decide upon a fixed port number for RPC replication. The Internet Assigned Numbers Authority (IANA) has set aside the range 49152 through 65535 for use by private and dynamic assignments.
Using the registry editor, navigate to this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
Add a new DWORD value called TCP/IP Port (include the space). Set the value's data to the port number you want to use—remember to change the displayed base to decimal before you enter the data. Do this on all your Active Directory servers. You need to restart them for the change to take effect.
Now configure your firewall to permit the following:
Service                                 Port/protocol
RPC endpoint mapper                     135/tcp, 135/udp
NetBIOS name service                    137/tcp, 137/udp
NetBIOS datagram service                138/udp
NetBIOS session service                 139/tcp
RPC static port for AD replication      <fixed-port>/tcp
SMB over IP (Microsoft-DS)              445/tcp, 445/udp
LDAP                                    389/tcp
LDAP over SSL                           636/tcp
Global catalog LDAP                     3268/tcp
Global catalog LDAP over SSL            3269/tcp
Kerberos                                88/tcp, 88/udp
DNS                                     53/tcp, 53/udp
WINS resolution (if required)           1512/tcp, 1512/udp
WINS replication (if required)          42/tcp, 42/udp
Network time protocol (NTP)             123/udp
Replace <fixed-port> with the port number you used in the registry value.
As before, if you don't want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look in the files for information on how to use them.
You still need the endpoint mapper because clients won't know that you've fixed the port. The endpoint mapper always returns your fixed port when clients request the port number associated with Active Directory's RPC UUID.
Here is some text you can import into the registry to set the port to 49152. Copy the text to the Clipboard, paste it into a blank Notepad screen, save the file with a .reg extension, and double-click that file in Windows Explorer. To use a different port, use the Windows calculator in scientific mode to convert the number from decimal to hexadecimal. Remember to pad the value with four leading zeros, as shown in this example.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000
MarcusB

Roger Abell wrote:
"MarcusB" <marcusb@xxxxxxxxx> wrote in message news:uOpzZbCaFHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
Yes, ICMP is allowed. We use iptables firewalls. DNS is also allowed and is on both DCs, which are also behind the firewall. I think it has to do with RPC, which is communicating on one port only, as I described. How do I configure it to work on five ports instead, for example?
MarcusB
After a quick scan of your list, and the fact that you do function both in and out, that was exactly my first guess: that you are forcing all RPC down into one port. The KB that showed where in the registry to configure RPC to not use random ephemeral ports also states how to set the exact range allowed for use.
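As an added example that is not from this thread or the KB it quotes: a small Python helper that writes the .reg fragment for a chosen fixed port (producing the 8-digit zero-padded dword the KB describes), reads the port back out of such a fragment, and derives the firewall allow-list from the KB table so the static RPC port opened on the firewall cannot drift from the registry value. The function names and the range check against IANA's 49152-65535 are my own; the WINS rows are left out.

```python
import re

DYNAMIC_RANGE = range(49152, 65536)  # IANA private/dynamic range quoted in the KB
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

def build_reg(port: int) -> str:
    """Registry Editor 5.00 fragment pinning NTDS 'TCP/IP Port' to `port`.
    The dword is 8 hex digits (49152 -> 0000c000), the padding the KB asks for."""
    if port not in DYNAMIC_RANGE:
        raise ValueError(f"port {port} outside 49152-65535")
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{KEY}]\r\n"
            f'"TCP/IP Port"=dword:{port:08x}\r\n')

_VALUE_RE = re.compile(r'^"TCP/IP Port"=dword:([0-9a-fA-F]{8})\s*$', re.M)

def parse_reg_port(reg_text: str) -> int:
    """Read the fixed port back out of a .reg fragment (hex dword -> decimal)."""
    if f"[{KEY}]" not in reg_text:
        raise ValueError("NTDS\\Parameters key not present")
    m = _VALUE_RE.search(reg_text)
    if not m:
        raise ValueError("'TCP/IP Port' dword not found")
    return int(m.group(1), 16)

# (service, port, protocols) from the KB table; None marks <fixed-port>.
_KB_TABLE = [
    ("RPC endpoint mapper", 135, ("tcp", "udp")),
    ("NetBIOS name service", 137, ("tcp", "udp")),
    ("NetBIOS datagram service", 138, ("udp",)),
    ("NetBIOS session service", 139, ("tcp",)),
    ("RPC static port for AD replication", None, ("tcp",)),
    ("SMB over IP (Microsoft-DS)", 445, ("tcp", "udp")),
    ("LDAP", 389, ("tcp",)),
    ("LDAP over SSL", 636, ("tcp",)),
    ("Global catalog LDAP", 3268, ("tcp",)),
    ("Global catalog LDAP over SSL", 3269, ("tcp",)),
    ("Kerberos", 88, ("tcp", "udp")),
    ("DNS", 53, ("tcp", "udp")),
    ("Network time protocol (NTP)", 123, ("udp",)),
]

def firewall_rules(reg_text: str) -> list:
    """Allow-list of (service, port, proto) derived from the .reg fragment, so the
    firewall's static RPC port is always the one actually set in the registry."""
    fixed = parse_reg_port(reg_text)
    return [(svc, fixed if port is None else port, proto)
            for svc, port, protos in _KB_TABLE for proto in protos]
```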