RPC port lockdown for firewall replication
  • RPC port lockdown for firewall replication

    Hi

    I'm migrating an AD from 2003 to 2008. The AD consists of 4 sites set up in a "hub and spoke" design.

    All AD sites are in the same physical site, but due to different security zones we have to separate them with firewalls. To enhance security we have "locked down" TCP connections to "limited" RPC (http://technet.microsoft.com/en-us/l...7063.aspx#EIAA) on the 2003 servers and everything is OK.

    Now when I try to implement the same settings on the 2008 DCs:

    Here are the settings:
    ; fixed port for AD (NTDS) replication RPC: 0xC000 = 49152
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
    "TCP/IP Port"=dword:0000c000
    ; fixed port for File Replication Service (NtFrs) RPC: 0xC001 = 49153
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters]
    "RPC TCP/IP Port Assignment"=dword:0000c001

    Replication of AD objects will not take place, and when I try repadmin /showrepl I get this error:

    DsBindWithCred to localhost failed with status 1753 (0x6d9):
    There are no more endpoints available from the endpoint mapper.

    File replication is also not functioning. The testing has been done between a 2003 and a 2008 DC in the same IP subnet, so there are no firewalls. Windows' firewall is also turned off.

    Anyone tried these settings on 2008 ??
    Last edited by gekken; 26th February 2009, 12:47.
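    The following is an added example, not part of the original post or any reply: a PowerShell sequence that applies the two registry values from the post, reads them back, and then checks whether the fixed ports are actually bound and registered with the endpoint mapper (which is what status 1753 says is missing). It assumes an elevated PowerShell session on the DC, the port numbers 0xC000/0xC001 from the post, and that PortQry from the Windows Support Tools is installed for the last step. One caveat the post does not mention but that is worth ruling out on 2008: the default dynamic RPC port range on Windows Server 2008 starts at 49152, so 0xC000 and 0xC001 are the first two ports of that range and may already be taken by another RPC server when NTDS starts.

```powershell
# Added example (not the thread author's code). Run in an elevated PowerShell on the DC.
# Port numbers are the ones from the original post: 0xC000 = 49152, 0xC001 = 49153.
$ntdsPort = 0xC000
$frsPort  = 0xC001

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

# 1. Rule out a port collision before changing anything. On Windows Server 2008 the
#    default dynamic TCP port range begins at 49152, i.e. exactly at 0xC000.
netsh interface ipv4 show dynamicport tcp
$inUse = netstat -ano -p tcp | Select-String -Pattern ":$ntdsPort\s|:$frsPort\s"
if ($inUse) {
    Write-Warning ("Chosen port(s) already bound:`n" + ($inUse | Out-String))
}

# 2. Apply the same two values the post's .reg fragment sets.
Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port'                -Value $ntdsPort -Type DWord
Set-ItemProperty -Path $frsKey  -Name 'RPC TCP/IP Port Assignment' -Value $frsPort  -Type DWord

# 3. Read them back. The value names must match exactly; a misspelt name is ignored
#    silently and the service keeps registering a dynamic port.
Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port'
Get-ItemProperty -Path $frsKey  -Name 'RPC TCP/IP Port Assignment'

# 4. The values are only read at service start. AD DS is restartable on 2008
#    (this takes the DC offline briefly); on 2003 a reboot is required instead.
Restart-Service -Name NTDS  -Force
Restart-Service -Name NtFrs -Force

# 5. Confirm the services now listen on the fixed ports and that replication binds.
netstat -ano -p tcp | Select-String -Pattern ":$ntdsPort\s|:$frsPort\s"
repadmin /showrepl

# 6. Ask the endpoint mapper directly which ports it hands out for the registered
#    interfaces (PortQry from the Windows Support Tools, assumed to be installed).
portqry -n localhost -e 135
```

    If step 5 still shows status 1753 while step 3 returns the correct values, the registry side is fine and the problem lies in what the endpoint mapper registered at service start, which is exactly what the portqry output in step 6 shows.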

  • #2
    Re: RPC port lockdown for firewall replication

    I have not tried it, but considering that 2008 uses DFSR and not FRS for replication, maybe there is a different setting you need to change for that part.
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



    • #3
      Re: RPC port lockdown for firewall replication

      Originally posted by gepeto
      I have not tried it, but considering that 2008 uses DFSR and not FRS for replication, maybe there is a different setting you need to change for that part.
      This is true only if the forest functional level is Windows 2008 though. In a mixed 2003/08 domain as in your case, FRS is still used.

      Have a look at this for troubleshooting RPC endpoint mapper problems: http://support.microsoft.com/?kbid=839880

      Ta
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR



      • #4
        Re: RPC port lockdown for firewall replication

        Originally posted by L4ndy
        This is true only if the forest functional level is Windows 2008 though. In a mixed 2003/08 domain as in your case, FRS is still used.

        Have a look at this for troubleshooting RPC endpoint mapper problems: http://support.microsoft.com/?kbid=839880

        Ta
        You're right, I guess I didn't read through properly !
        VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



        • #5
          Re: RPC port lockdown for firewall replication

          Hi gepeto,

          Did you manage to find the solution to your problem? We have a similar setup and have experienced the same problems: as soon as the registry entries are in place on the 2003 DCs replication is OK, but it fails when implemented on the 2008 domain.

          Thanks in advance
          Bob
