Password change notifications - static high port?
-
Monday, March 26, 2012 9:26 PM
Is it possible to configure a static fixed high port for password change, instead of the default RPC 135 and dynamic high ports?
This would be useful in AD/firewall environments that do not allow dynamic high ports.
If firewall rules do not allow dynamic high ports, you have to wait for the password change to be replicated the normal way, which can take some time if you have linked sites.
You can avoid dynamic high ports for AD, FRS and DFS replication by configuring static fixed ports.
Snipped from:
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
RPC static port for AD replication <AD-fixed-port>/TCP
RPC static port for FRS <FRS-fixed-port>/TCP
RPC static port for DFS Replication <DFSR-fixed-port>/TCP
Snipped from:
http://blogs.technet.com/b/kenstcyr/archive/2008/07/05/understanding-urgent-replication.aspx
Password Changes
This is just one scenario that illustrates urgent replication. Password changes sort of break the rules. When a password is changed, there is an immediate replication to the PDC Emulator. This is different than urgent replication because it occurs immediately without any regard to the inter-site replication interval. There is a reason why the password change is immediately replicated to the PDC Emulator. If a user changes their password and then immediately logs on against another DC in a different site, the logon would probably fail because the other DC wouldn't yet have the change. AD takes this scenario into account. When there is an invalid password, the DC passes the authentication back to the PDC Emulator because it's going to have a copy of the latest password. If the PDC Emulator authenticates him successfully then the logon is processed. This happens behind the scenes and does not increment the bad password count attribute. Urgent replication is different than immediate replication and on-demand replication, so be careful not to confuse them. The key takeaway here is that urgent replication does not guarantee immediate convergence. Urgent replication only impacts the delay in change notifications.
* * Update: 01.04.2012 * *
I already have fixed static high ports for AD and FRS replication working OK, and the firewalls are configured with these fixed static ports. Dynamic high ports are not allowed in any firewall.
But this concerns the nature of the password change “urgent notify update”, which normally happens in seconds if all DCs can freely connect to the PDC Emulator by RPC and dynamic high ports (1024-65535/tcp).
Real life scenario: when Helpdesk people reset a user password on DC A in site A, and the user tries to log on with the new password on DC C in site C, user logon is not possible.
This happens because the new password isn’t replicated to DC C yet.
The user must then wait for AD replication before login is possible. If there are some hops between AD sites, and firewalls between sites, this password update could take hours.
If DCs aren’t able to connect to the PDC Emulator by RPC and dynamic high ports (FW rules), the password “update alert request” gets blocked by the firewall and the updated password has to be replicated by normal AD replication.
Any ideas how to solve this “urgent notify password update” behavior without allowing RPC dynamic high ports?
- Edited by Nohandyman Sunday, April 01, 2012 3:39 PM
All Replies
-
Monday, March 26, 2012 9:59 PM
Hello,
please see http://support.microsoft.com/kb/224196 for available options. Also check http://support.microsoft.com/kb/154596 and http://support.microsoft.com/kb/319553
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed As Answer by Elytis ChengModerator Tuesday, March 27, 2012 3:12 AM
- Marked As Answer by Elytis ChengModerator Thursday, April 05, 2012 9:22 AM
-
Monday, March 26, 2012 11:58 PM
You can choose to restrict the port ranges to specific ports, and if choosing this option, you must specifically specify the correct ports for the correct service.
It depends on which ports and services you want to restrict.
1. Method 1
This is used to set the specific AD replication port. By default it uses a dynamic port to replicate data from a DC in one site to another.
This is applicable for restricting AD replication to a specific port range. Procedure:
Modify the registry to select a static port.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Restricting Active Directory replication traffic and client RPC traffic to a specific port
http://support.microsoft.com/kb/224196
2. Method 2
This is for configuring the port range(s) in the Windows Firewall.
Netsh - use the following examples to set a starting port range, and the number of ports after it to use
netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/929851
3. Modify the registry
This is for Windows services communications. It also affects AD communications.
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
How to configure RPC dynamic port allocation to work with firewalls
http://support.microsoft.com/kb/154596/en-us
Here are some related links to restricting AD replication ports.
Reference thread:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/76e8654a-fbba-49af-b6d6-e8d9d127bf03/
RODC Firewall Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
Active Directory Replication over Firewalls
Reference link: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
http://technet.microsoft.com/en-us/library/bb727063.aspx
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed As Answer by Elytis ChengModerator Tuesday, March 27, 2012 3:12 AM
- Marked As Answer by Elytis ChengModerator Thursday, April 05, 2012 9:22 AM
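As an added worked example (not code from the thread, from Sandesh or from Microsoft), the following PowerShell script applies the three methods above in one place and reads the result back, so the values handed to the firewall team match what the DC actually has. The registry value names (`TCP/IP Port` under NTDS\Parameters, `DCTcpIpPort` under Netlogon\Parameters, and `Ports`/`PortsInternalAvailable`/`UseInternetPorts` under Rpc\Internet) are the ones KB224196 and KB154596 document; every port number below is a placeholder chosen for this example, and the RPC range deliberately sits inside the narrowed dynamic range so the two settings cannot contradict each other.

```powershell
#Requires -RunAsAdministrator
# Added example: pin the RPC ports Sandesh's three methods describe, then read them back.
# All port numbers are placeholders for this example; choose your own per the KB articles.

$Settings = @{
    # Method 1 (KB224196): static RPC ports for AD replication (NTDS) and Netlogon
    NtdsPort     = 38901
    NetlogonPort = 38902
    # Method 2 (KB929851): narrow the OS-wide dynamic port range (same netsh commands as the post)
    DynamicStart = 40000
    DynamicCount = 1000
    # Method 3 (KB154596): the range the RPC runtime may hand out; kept inside the range above
    RpcPorts     = @('40000-40999')
}

function Set-StaticRpcPorts {
    param([hashtable]$S)

    # Method 1: both values are REG_DWORD; the DC must be restarted before they take effect
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -Value $S.NtdsPort -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpIpPort' -Value $S.NetlogonPort -PropertyType DWord -Force | Out-Null

    # Method 2: the two netsh commands quoted in the post, with this example's values
    netsh int ipv4 set dynamicport tcp start=$($S.DynamicStart) num=$($S.DynamicCount) | Out-Null
    netsh int ipv4 set dynamicport udp start=$($S.DynamicStart) num=$($S.DynamicCount) | Out-Null

    # Method 3: HKLM\Software\Microsoft\Rpc\Internet does not exist by default; create it
    $rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
    New-ItemProperty -Path $rpc -Name 'Ports' -Value $S.RpcPorts -PropertyType MultiString -Force | Out-Null
    New-ItemProperty -Path $rpc -Name 'PortsInternalAvailable' -Value 'Y' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $rpc -Name 'UseInternetPorts' -Value 'Y' -PropertyType String -Force | Out-Null
}

function Get-StaticRpcPorts {
    # Read back what is really in the registry and the netsh range, for the firewall change request
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $nlog = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    $rpc  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NtdsPort       = $ntds.'TCP/IP Port'
        NetlogonPort   = $nlog.DCTcpIpPort
        RpcPorts       = $rpc.Ports
        DynamicTcpInfo = (netsh int ipv4 show dynamicport tcp) -join ' '
    }
}

Set-StaticRpcPorts -S $Settings
Get-StaticRpcPorts | Format-List
```

Two things worth remembering when turning this into firewall rules: the RPC endpoint mapper on TCP 135 still has to be reachable, because clients ask it which of the static ports a service is listening on, and the `Rpc\Internet` setting applies to every RPC server on the host, not only to NTDS and Netlogon, so the range must be wide enough for all of them. The script configures the ports the three methods cover; it does not change how the password change is forwarded to the PDC Emulator, which is the open question in this thread.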
-
Monday, April 02, 2012 7:27 AM
Hi
I already have fixed static high ports for AD and FRS replication working OK, and the firewalls are configured with these fixed static ports. Dynamic high ports are not allowed in any firewall.
But this concerns the nature of the password change “urgent notify update”, which normally happens in seconds if all DCs can freely connect to the PDC Emulator by RPC and dynamic high ports (1024-65535/tcp).
Real life scenario: when Helpdesk people reset a user password on DC A in site A, and the user tries to log on with the new password on DC C in site C, user logon is not possible.
This happens because the new password isn’t replicated to DC C yet.
The user must then wait for AD replication before login is possible. If there are some hops between AD sites, and firewalls between sites, this password update could take hours.
If DCs aren’t able to connect to the PDC Emulator by RPC and dynamic high ports (FW rules), the password “update alert request” gets blocked by the firewall and the updated password has to be replicated by normal AD replication.
Any ideas how to solve this “urgent notify password update” behavior without allowing RPC dynamic high ports?
-
Tuesday, April 03, 2012 8:51 AM
Moderator
Hi,
If DCs aren’t able to connect to the PDC Emulator by RPC and dynamic high ports (FW rules), the password “update alert request” gets blocked by the firewall and the updated password has to be replicated by normal AD replication.
Any ideas how to solve this “urgent notify password update” behavior without allowing RPC dynamic high ports?
>> Password changes are replicated differently than both normal (non-urgent) replication and urgent replication. Changes to security account passwords present a replication latency problem wherein a user’s password is changed on domain controller A and the user subsequently attempts to log on, being authenticated by domain controller B. If the password has not replicated from A to B, the attempt to log on fails. Active Directory replication remedies this situation by forwarding password changes immediately to a single domain controller in the domain, the PDC emulator.
In Active Directory, when a user password is changed at a domain controller, that domain controller attempts to update the respective replica at the domain controller that holds the PDC emulator role. Update of the PDC emulator occurs immediately, without respect to schedules on site links. The updated password is propagated to other domain controllers by normal replication within a site.
When the user logs on to a domain and is authenticated by a domain controller that does not have the updated password, the domain controller refers to the PDC emulator to check the credentials of the user name and password rather than denying authentication based on an invalid password. Therefore, the user can log on successfully even when the authenticating domain controller has not yet received the updated password. On domain controllers that are running Windows Server 2003 or Windows 2000 Server with SP4, if the authentication is successful at the PDC emulator, the PDC emulator replicates the password immediately to the requesting domain controller to prevent that domain controller from having to check the PDC emulator again.
If the update at the PDC emulator fails for any reason, the password change is replicated non-urgently by normal replication.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
- Proposed As Answer by Sandesh DubeyMicrosoft Community Contributor Tuesday, April 03, 2012 4:33 PM
- Marked As Answer by Elytis ChengModerator Thursday, April 05, 2012 9:22 AM