Password change notifications - static high port?

    Question

  • Is it possible to configure a static fixed high port for password change, instead of the default RPC 135 and dynamic high ports?
    This would be useful in AD/firewall environments that do not allow dynamic high ports.
    If the firewall rules do not allow dynamic high ports, you have to wait for the password change to be replicated the normal way, which can take some time if you have linked sites.

    You can avoid dynamic high ports for AD, FRS and DFS replication, by configuring static fixed ports.
    Snipped from:
    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
    RPC static port for AD replication <AD-fixed-port>/TCP
    RPC static port for FRS <FRS-fixed-port>/TCP
    RPC static port for DFS Replication <DFSR-fixed-port>/TCP

    Snipped from:
    http://blogs.technet.com/b/kenstcyr/archive/2008/07/05/understanding-urgent-replication.aspx

    Password Changes
    This is just one scenario that illustrates urgent replication. Password changes sort of break the rules. When a password is changed, there is an immediate replication to the PDC Emulator. This is different than urgent replication because it occurs immediately without any regard to the inter-site replication interval. There is a reason why the password change is immediately replicated to the PDC Emulator. If a user changes their password and then immediately logs on against another DC in a different site, the logon would probably fail because the other DC wouldn't yet have the change. AD takes this scenario into account. When there is an invalid password, the DC passes the authentication back to the PDC Emulator because it's going to have a copy of the latest password. If the PDC Emulator authenticates him successfully then the logon is processed. This happens behind the scenes and does not increment the bad password count attribute. Urgent replication is different than immediate replication and on-demand replication, so be careful not to confuse them. The key takeaway here is that urgent replication does not guarantee immediate convergence. Urgent replication only impacts the delay in change notifications.

    ** Update: 01.04.2012 **

    I already have fixed static high ports for AD and FRS replication working OK, and the firewalls are configured with these fixed static ports. Dynamic high ports are not allowed in any firewall.

    But regarding the nature of the password change “urgent notify update”, which normally happens in seconds if all DCs can freely connect to the PDC Emulator by RPC and dynamic high ports (1024-65535/tcp):

    Real life scenario - when Helpdesk people reset a user password on DC A in site A, and the user tries to log on with the new password on DC C in site C, the user logon is not possible.

    This happens because the new password isn’t replicated to DC C yet.

    The user must then wait for AD replication before login is possible. If there are some hops between AD sites, and firewalls between sites, this password update could take hours.

    If DCs aren’t able to connect to the PDC Emulator by RPC and dynamic high ports (FW rules), the password “update alert request” gets blocked by the firewall and the updated password has to be replicated by normal AD replication.

    Any ideas how to solve this “urgent notify password update” behavior without allowing RPC dynamic high ports?

    • Edited by Nohandyman Sunday, April 01, 2012 3:39 PM
    Monday, March 26, 2012 9:26 PM

Answers

  • Hello,

    please see http://support.microsoft.com/kb/224196 for available options. Also check http://support.microsoft.com/kb/154596 and http://support.microsoft.com/kb/319553


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, March 26, 2012 9:59 PM
  • You can choose to restrict the port ranges to specific ports, and if choosing this option, you must specifically specify the correct ports for the correct service.

    It depends on what ports and services you want to restrict?

    1. Method 1
    This is used to set the specific AD replication port. By default it uses a dynamic port to replicate data from a DC in one site to another.
    This is applicable for restricting AD replication to a specific port range. Procedure:
     Modify registry to select a static port.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Restricting Active Directory replication traffic and client RPC traffic to a specific port
     http://support.microsoft.com/kb/224196

    2. Method 2
    This is for configuring the port range(s) in the Windows Firewall.
     Netsh - use the following examples to set a starting port range, and number of ports after it to use
     netsh int ipv4 set dynamicport tcp start=10000 num=1000
     netsh int ipv4 set dynamicport udp start=10000 num=1000

    The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
     http://support.microsoft.com/kb/929851

    3. Modify the registry
    This is for Windows services communications. It also affects AD communications.
     HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

    How to configure RPC dynamic port allocation to work with firewalls
     http://support.microsoft.com/kb/154596/en-us

    Here are some related links to restricting AD replication ports.
    Reference thread:
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/76e8654a-fbba-49af-b6d6-e8d9d127bf03/

    RODC Firewall Port Requirements
    http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

    Active Directory Replication over Firewalls
    http://technet.microsoft.com/en-us/library/bb727063.aspx

    Reference link: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

    Hope this helps

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, March 26, 2012 11:58 PM
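An added PowerShell example, written for this thread and not taken from any of the posters, that audits (and with -Apply pins) the registry values Method 1 and KB 319553 refer to, then shows the dynamic range the netsh commands in Method 2 adjust. The value names and types are those documented in KB 224196 and KB 319553; the port numbers are placeholders, and the script assumes it is run elevated on a domain controller.

```powershell
# Audit or pin the static RPC ports for AD (DRS), Netlogon and FRS replication.
# Without -Apply the script only reports what is currently configured.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$AdPort  = 50000,   # placeholder port for NTDS "TCP/IP Port" (KB 224196)
    [int]$NlPort  = 50001,   # placeholder port for Netlogon "DCTcpipPort" (KB 224196)
    [int]$FrsPort = 50002,   # placeholder port for NTFRS "RPC TCP/IP Port Assignment" (KB 319553)
    [switch]$Apply
)

# All three values are REG_DWORD; the owning service must be restarted (or the DC
# rebooted) before the new port is used. DFSR is pinned with "dfsrdiag StaticRPC"
# rather than a registry value and is therefore not handled here.
$settings = @(
    @{ Service = 'AD replication (DRS)'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Port = $AdPort  }
    @{ Service = 'Netlogon';             Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Port = $NlPort  }
    @{ Service = 'FRS';                  Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Port = $FrsPort }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Key)) {
        Write-Host ("{0,-22} key not present (service not installed on this DC)" -f $s.Service)
        continue
    }
    $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($null -eq $current) {
        # No value means the service still takes a port from the dynamic RPC range,
        # which is exactly what a firewall that blocks high ports will stop.
        Write-Host ("{0,-22} not pinned: dynamic RPC port in use" -f $s.Service)
    } else {
        Write-Host ("{0,-22} pinned to TCP {1}" -f $s.Service, $current)
    }
    if ($Apply -and $current -ne $s.Port -and
        $PSCmdlet.ShouldProcess($s.Key, "set $($s.Name) = $($s.Port)")) {
        New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Port -PropertyType DWord -Force | Out-Null
        Write-Host ("{0,-22} set to TCP {1}; restart the service to activate" -f $s.Service, $s.Port)
    }
}

# Anything not pinned above is allocated from this range (what "netsh int ipv4 set
# dynamicport" in Method 2 changes), so the firewall rules must match it.
netsh int ipv4 show dynamicport tcp
```

Run it first without -Apply on each DC to see which services still fall back to the dynamic range before opening or changing any firewall rule.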
  • Hi,


    If DC’s aren’t able to connect to PDC Emulator by RPC and dynamic high ports (FW rules), the password “update alert request” get blocked by firewall and the updated password have to be
     replicated by normal AD replication.

    Any ideas how to solve this “urgent notify password update” behavior without allowing RPC
     dynamic high ports?


    >> Password changes are replicated differently than both normal (non-urgent) replication and urgent replication. Changes to security account passwords present a replication latency problem wherein a user’s password is changed on domain controller A and the user subsequently attempts to log on, being authenticated by domain controller B. If the password has not replicated from A to B, the attempt to log on fails. Active Directory replication remedies this situation by forwarding password changes immediately to a single domain controller in the domain, the PDC emulator.

    In Active Directory, when a user password is changed at a domain controller, that domain controller attempts to update the respective replica at the domain controller that holds the PDC emulator role. Update of the PDC emulator occurs immediately, without respect to schedules on site links. The updated password is propagated to other domain controllers by normal replication within a site.

    When the user logs on to a domain and is authenticated by a domain controller that does not have the updated password, the domain controller refers to the PDC emulator to check the credentials of the user name and password rather than denying authentication based on an invalid password. Therefore, the user can log on successfully even when the authenticating domain controller has not yet received the updated password. On domain controllers that are running Windows Server 2003 or Windows 2000 Server with SP4, if the authentication is successful at the PDC emulator, the PDC emulator replicates the password immediately to the requesting domain controller to prevent that domain controller from having to check the PDC emulator again.

    If the update at the PDC emulator fails for any reason, the password change is replicated non-urgently by normal replication.


    Hope this helps!


    Best Regards
    Elytis Cheng

    TechNet Community Support

    Tuesday, April 03, 2012 8:51 AM

All replies

  • Hi

    I already have fixed static high ports for AD and FRS replication working OK, and the firewalls are configured with these fixed static ports. Dynamic high ports are not allowed in any firewall.

    But regarding the nature of the password change “urgent notify update”, which normally happens in seconds if all DCs can freely connect to the PDC Emulator by RPC and dynamic high ports (1024-65535/tcp):

    Real life scenario - when Helpdesk people reset a user password on DC A in site A, and the user tries to log on with the new password on DC C in site C, the user logon is not possible.

    This happens because the new password isn’t replicated to DC C yet.

    The user must then wait for AD replication before login is possible. If there are some hops between AD sites, and firewalls between sites, this password update could take hours.

    If DCs aren’t able to connect to the PDC Emulator by RPC and dynamic high ports (FW rules), the password “update alert request” gets blocked by the firewall and the updated password has to be replicated by normal AD replication.

    Any ideas how to solve this “urgent notify password update” behavior without allowing RPC dynamic high ports?

    Monday, April 02, 2012 7:27 AM