LKBEN10600: Which ports to open for Active Directory replication in a site.
Symptom
Replication between Active Directory domain controllers (DCs) does not function.
Cause
The firewall is configured too restrictively.
Solution
RPC-based replication uses dynamic port mapping by default. The RPC run time contacts the RPC endpoint mapper on
the server on the well-known port 135 and queries it to determine which port has been assigned (dynamically) for
Active Directory replication on that server. This query occurs even when the port assignment is fixed.
Service                  UDP    TCP
LDAP                     389    389
LDAP (SSL)                      636
LDAP (Global catalog)           3268
Kerberos                 88     88
DNS                      53     53
SMB over IP              445    445
And FRS (file replication service) uses a dynamic RPC Port.
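To check from a peer domain controller or an administration host whether the firewall lets the ports in the table through, the following PowerShell script can be used. It is an added example and not part of the original article; the target host name is a placeholder. It tests the TCP column only (plus the endpoint mapper port 135, which is needed in any case); Test-NetConnection cannot probe the UDP ports, and the dynamic RPC ports used by FRS are not covered either.

```powershell
# Added example: verify that the TCP ports required for AD replication are reachable
# on a target domain controller. Not part of the original article.
function Test-DcReplicationPorts {
    param(
        # Placeholder host name, constructed for this example; replace with the real DC.
        [string]$TargetDc = 'dc01.example.invalid'
    )

    # TCP port list from the article's table, plus the RPC endpoint mapper (135).
    $ports = @(
        @{ Service = 'RPC endpoint mapper';   Port = 135  },
        @{ Service = 'LDAP';                  Port = 389  },
        @{ Service = 'LDAP (SSL)';            Port = 636  },
        @{ Service = 'LDAP (Global catalog)'; Port = 3268 },
        @{ Service = 'Kerberos';              Port = 88   },
        @{ Service = 'DNS';                   Port = 53   },
        @{ Service = 'SMB over IP';           Port = 445  }
    )

    foreach ($entry in $ports) {
        # Test-NetConnection performs a TCP connect; UDP services are not tested here.
        $test = Test-NetConnection -ComputerName $TargetDc -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service   = $entry.Service
            Port      = $entry.Port
            Reachable = $test.TcpTestSucceeded
        }
    }
}

$results = Test-DcReplicationPorts -TargetDc 'dc01.example.invalid'
$results | Format-Table -AutoSize

# A row with Reachable = False points at a firewall rule that is too restrictive
# (the cause described in this article) or at a service that is not listening.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Service)/$($_.Port)" }) -join ', '
    Write-Warning "Blocked or not listening: $list"
}
```

Run it from the side of the firewall where the replication partner sits, since the rule set that blocks replication is the one between the two DCs.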
For a firewall this means that a wide range of ports has to be opened. FRS cannot be restricted to a fixed port, but you
can edit the registry to restrict the directory replication service to a static port.
To make RPC replication use a fixed port instead of a variable one, use the following registry key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000
This sets the port to 49152 (decimal, 0xC000). Only this port then needs to be opened on the firewall instead of a port
range; port 135 for the endpoint mapper must remain open as well.
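The same change can be applied and verified with PowerShell on the domain controller itself. This is an added example, not part of the original article; the firewall rule name is a choice made for this example, and the port value is the one from the registry snippet above.

```powershell
# Added example: pin the AD replication RPC port, open only that port in Windows Firewall,
# and verify the result. Run as administrator on the domain controller. Not part of the article.
$StaticPort = 49152   # 0xC000, the value used in the article's .reg snippet
$NtdsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$RuleName   = 'AD replication static RPC port'   # rule name chosen for this example

# 1. Pin the directory replication RPC port (same effect as importing the .reg file above).
Set-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -Value $StaticPort -Type DWord

# 2. Read the value back, in decimal and hex, to compare with the .reg snippet.
$current = (Get-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port').'TCP/IP Port'
'NTDS TCP/IP Port is now {0} (0x{0:X8})' -f $current

# 3. Allow only the pinned port inbound instead of the whole dynamic RPC range.
#    Port 135 (endpoint mapper) still has to be reachable, as explained above,
#    and FRS keeps using a dynamic port; this key does not cover it.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $StaticPort -Action Allow | Out-Null
}

# 4. The setting takes effect after the domain controller has been restarted.
#    After the restart, confirm that the directory service (lsass.exe) listens on the port.
Get-NetTCPConnection -State Listen -LocalPort $StaticPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } }
```

If step 4 returns nothing after the restart, the registry value was not picked up; check the value name ("TCP/IP Port", with the space) and the key path before looking at the firewall.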
Disclaimer:
The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!

About the Author
Author: Keskon GmbH & Co. KG
Wim Peeters is an electronics engineer with an additional master in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform.