Replicating Traffic Between Domain Controllers

This document discusses three approaches to replicating Active Directory traffic between domain controllers across firewalls: opening the firewall widely, limiting RPC ports, and encapsulating traffic in IPSec. It recommends the IPSec approach but focuses on the limited RPC method. This method involves configuring a static port for AD and FRS replication by making registry modifications to all domain controllers and opening only those ports in the firewall. While more secure than dynamic RPC, it requires scripting registry changes across all servers.

Uploaded by Lohith Achar
Copyright: Attribution Non-Commercial (BY-NC)

Replicating traffic between domain controllers

Introduction
Firewalls present two difficulties when deploying a distributed Active Directory (AD) directory service architecture:

- Initially promoting a server to a domain controller.
- Replicating traffic between domain controllers.

Active Directory relies on remote procedure call (RPC) for replication between domain controllers. (Simple Mail Transfer Protocol [SMTP] can be used in certain situations, namely schema, configuration, and global catalog replication, but not for the domain naming context, which limits its usefulness.) Getting replication to function properly in environments where a directory forest is distributed among internal, perimeter, and external (that is, Internet-facing) networks can be challenging. There are three possible approaches:

- Open the firewall wide to permit RPC's native dynamic behavior.
- Limit RPC's use of TCP ports and open the firewall just a little bit.
- Encapsulate domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall for that.

Each approach has its pros and cons. In general, there are more cons than pros at the top of the list, and more pros than cons at the bottom. So although this document describes how to do all three, most of its focus is on the IPSec approach because of its benefits over the other two.

Limited RPC is the second approach, and the approach I decided to use. You may follow the original document link to read details of the other two methods.

Original document: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx#EWC

Limited RPC
Pros: More secure than dynamic RPC; only one open high port.
Cons: Registry modification to all servers.

This scenario gives you more security, but it does require making registry modifications to all your domain controllers. Registry modifications can be scripted with tools in the Microsoft Windows 2000 Resource Kit, which helps eliminate configuration errors.

You must decide upon fixed port numbers for AD replication and for the file replication service (FRS). The Internet Assigned Numbers Authority (IANA) has set aside the range 49152 through 65535 for use by private and dynamic assignments.

Using the registry editor, navigate to this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Add a new DWORD value called TCP/IP Port (include the space). Set the value's data to the port number that you want to use (remember to change the displayed base to decimal before you enter the data).

Next, navigate to this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters

Add a new DWORD value called RPC TCP/IP Port Assignment (include the spaces). Set the value's data to the port number that you want to use (remember to change the displayed base to decimal before you enter the data).

Do this on all your Active Directory servers. You must restart them for the change to take effect.

Now configure your firewall to permit the following:

Service                                Port/protocol
RPC endpoint mapper                    135/tcp, 135/udp
NetBIOS name service                   137/tcp, 137/udp
NetBIOS datagram service               138/udp
NetBIOS session service                139/tcp
RPC static port for AD replication     <AD-fixed-port>/tcp
RPC static port for FRS                <FRS-fixed-port>/tcp
SMB over IP (Microsoft-DS)             445/tcp, 445/udp
LDAP                                   389/tcp
LDAP ping                              389/udp
LDAP over SSL                          636/tcp
Global catalog LDAP                    3268/tcp
Global catalog LDAP over SSL           3269/tcp
Kerberos                               88/tcp, 88/udp
DNS                                    53/tcp, 53/udp
WINS resolution (if required)          1512/tcp, 1512/udp
WINS replication (if required)         42/tcp, 42/udp

Replace <AD-fixed-port> and <FRS-fixed-port> with the port numbers that you used in the registry values. As before, if you do not want to permit DNS or WINS, you can use HOSTS (for DNS) and LMHOSTS (for WINS) files for name resolution. These files are stored in %SystemRoot%\system32\drivers\etc. Look inside the files for information on how to use them.

You still need the endpoint mapper because clients will not know that you fixed the ports. The endpoint mapper always returns your fixed ports when clients request the port numbers associated with AD's and FRS's RPC UUIDs.

Here is some text that you can import into the registry. It sets the AD port to 49152 and the FRS port to 49153. Copy it to the clipboard, paste it into a blank Notepad screen, save the file with a .REG extension, and then double-click that file in Windows Explorer. If you want to use a different port, use the Windows Calculator (in scientific mode) to convert the number from decimal to hexadecimal. Remember to pad the value with four leading zeros, as you see in the following example.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters]
"RPC TCP/IP Port Assignment"=dword:0000c001
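The registry procedure and the hand-written .REG file above are easy to get wrong on a fleet of domain controllers: a port typed while regedit is showing hexadecimal, a DWORD not padded to eight hex digits, or a firewall rule that does not match the port in the registry. The following Python script is an added example (it is not part of the original document or of Microsoft's guidance) that generates the .REG text from decimal port numbers, checks the ports against the IANA dynamic range the document recommends, decodes a DWORD back to decimal so an existing file can be verified before import, and fills the two placeholders in the document's firewall table. The registry key and value names and the firewall table are taken from the document; the function names and the `permit_name_services` switch (for sites that use HOSTS/LMHOSTS instead of DNS/WINS) are my own.

```python
"""Build the static-port .REG file for AD/FRS replication and the matching
firewall allow-list.  Added example for this page, not the document's code;
registry paths, value names and the firewall table come from the document."""

IANA_DYNAMIC_MIN, IANA_DYNAMIC_MAX = 49152, 65535

# Registry locations named in the document (both values are REG_DWORD).
AD_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
AD_VALUE = "TCP/IP Port"                    # note the space
FRS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters"
FRS_VALUE = "RPC TCP/IP Port Assignment"    # note the spaces

# The document's firewall table, placeholders still to be filled in.
FIREWALL_TABLE = [
    ("RPC endpoint mapper", "135/tcp, 135/udp"),
    ("NetBIOS name service", "137/tcp, 137/udp"),
    ("NetBIOS datagram service", "138/udp"),
    ("NetBIOS session service", "139/tcp"),
    ("RPC static port for AD replication", "<AD-fixed-port>/tcp"),
    ("RPC static port for FRS", "<FRS-fixed-port>/tcp"),
    ("SMB over IP (Microsoft-DS)", "445/tcp, 445/udp"),
    ("LDAP", "389/tcp"),
    ("LDAP ping", "389/udp"),
    ("LDAP over SSL", "636/tcp"),
    ("Global catalog LDAP", "3268/tcp"),
    ("Global catalog LDAP over SSL", "3269/tcp"),
    ("Kerberos", "88/tcp, 88/udp"),
    ("DNS", "53/tcp, 53/udp"),
    ("WINS resolution (if required)", "1512/tcp, 1512/udp"),
    ("WINS replication (if required)", "42/tcp, 42/udp"),
]


def validate_port(port, label):
    """Reject anything outside the IANA private/dynamic range the document recommends."""
    if not isinstance(port, int) or not IANA_DYNAMIC_MIN <= port <= IANA_DYNAMIC_MAX:
        raise ValueError(f"{label} port {port!r} is not in {IANA_DYNAMIC_MIN}-{IANA_DYNAMIC_MAX}")
    return port


def reg_dword(port):
    """Encode a port in .REG DWORD syntax: eight hex digits, e.g. 49152 -> dword:0000c000."""
    return f"dword:{port:08x}"


def reg_dword_to_port(text):
    """Decode .REG DWORD syntax back to decimal, to check a file before importing it."""
    prefix = "dword:"
    if not text.startswith(prefix) or len(text) != len(prefix) + 8:
        raise ValueError(f"not a .REG DWORD: {text!r}")
    return int(text[len(prefix):], 16)


def build_reg_file(ad_port, frs_port):
    """Return the text of a .REG file equivalent to the one in the document."""
    validate_port(ad_port, "AD replication")
    validate_port(frs_port, "FRS")
    if ad_port == frs_port:
        raise ValueError("AD and FRS replication need two different fixed ports")
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{AD_KEY}]",
        f'"{AD_VALUE}"={reg_dword(ad_port)}',
        "",
        f"[{FRS_KEY}]",
        f'"{FRS_VALUE}"={reg_dword(frs_port)}',
        "",
    ]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


def firewall_rules(ad_port, frs_port, permit_name_services=True):
    """Fill the placeholders in the document's table.  With permit_name_services
    False, DNS and WINS rows are dropped (HOSTS/LMHOSTS used instead)."""
    validate_port(ad_port, "AD replication")
    validate_port(frs_port, "FRS")
    rules = []
    for service, ports in FIREWALL_TABLE:
        if not permit_name_services and service.startswith(("DNS", "WINS")):
            continue
        ports = (ports.replace("<AD-fixed-port>", str(ad_port))
                      .replace("<FRS-fixed-port>", str(frs_port)))
        rules.append((service, ports))
    return rules


if __name__ == "__main__":
    print(build_reg_file(49152, 49153))
    for service, ports in firewall_rules(49152, 49153):
        print(f"{service:38} {ports}")
    # The mistake the document warns about: typing 49152 while regedit shows
    # hexadecimal stores dword:00049152, which is 299346 and not a valid port.
    print(reg_dword_to_port("dword:00049152"))
```

Run it once per port pair and import the resulting file on every domain controller, then compare the firewall change request against the `firewall_rules` output; if a DWORD in an existing .REG file decodes to something outside 49152 through 65535, it was almost certainly entered with the wrong display base.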
