Configuring Domain Controllers to use fixed RPC ports behind firewalls

Well here goes…my first post.

A while ago we had some issues getting our domain controllers to replicate properly behind our edge firewalls (we have lots of remote dc’s for our remote sites). I had read through all the Microsoft technotes on how to configure dc’s for this but it all seemed rather vague and lacked real clarity.

I configured them using a group policy that defined the settings mentioned in this kb article: http://support.microsoft.com/kb/224196 and thought that everything was ok…until we started having replication issues and clients unable to authenticate to remote dc’s.

After more digging I found another article mentioning client RPC dynamic port allocation: http://support.microsoft.com/kb/154596 but this didn’t specifically talk about AD replication and authentication.

I ended up engaging Microsofts Premier Support and a case was raised. I had a few discussions via email and phone with one of their techs who suggested that I also add this registry setting in addition to the two mentioned in kb224196 (ntds and netlogon services) which is covered in this article http://support.microsoft.com/kb/319553

He then also recommended fixing a range of ports for dynamic RPC as mentioned in the article I had previously read: http://support.microsoft.com/kb/154596

This lead me to have the following settings applied to my dc’s:

NTDS RPC settings

NTDS RPC settings

Netlogon RPC settings

Netlogon RPC settings

NTFRS RPC settings

NTFRS RPC settings

Dynamic RPC ports

Dynamic RPC ports

Note that the dynamic port assignment had to be done as a manual reg file as you can’t create an ADM template that uses the data type of REG_MULTI_SZ, hence it can’t be done via group policy (without using a logon script, etc).

This seemed to work at first until I discovered that we still had issues with our 2008 R2 dc’s. The MS tech was at a loss as to why these settings had not worked for all of our dc’s. I stumbled across this technet post: http://social.technet.microsoft.com/Forums/en-ZA/winserverNIS/thread/91b6f99d-53d5-4d1c-b07f-d3651e302fa4.

I suggested to the tech that maybe the 2008 R2 dc’s needed their dynamic RPC ports set using the netsh command. He could not find anything in his internal knowledge base and went on to say that his test environment was 2003 only, at which point he recommended I apply the dynamic RPC port settings using this method.

So, in the end we had three reg fixes for ALL dc’s, 2003 and 2008, that statically assign a port for NTDS, NTFRS and Netlogon services (each must be a different port in the dynamic range). Then for all 2003 dc’s we applied the dynamic RPC port assignment as per article KB154596 and for all 2008/R2 dc’s we applied the netsh command to set these RPC ports (as per this  article: http://support.microsoft.com/kb/929851).

Eventually we had all of our dc’s replicating properly and clients were able to authenticate through the firewalls with no issues. Just remember to give yourself at least a few hundred ports for the dynamic range (the ntfrs, ntds and netlogon can only have a single port assigned to them).

The MS tech was quite pleased to add this information to his knowledge base for his own reference 🙂 Would have been far easier if MS had pulled all of these articles together to give one easy to follow document for allowing AD to work through firewalls…

Anyway, I hope this helps others out there!

Advertisements