Methods of setting the Dynamic Port range to be used by Domain Controllers

  • Question

  • Hello,

    What's the difference between the two methods below in setting the Dynamic Ports a Server 2008 R2 Domain Controller is to use?  Is one method preferred or any better than the other?  Also, both methods set the dynamic port range from 49152-63999.  Thanks in advance.

    1. Netsh int ipv4 set dynamicport tcp start=49152 num=14847

    2. Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
    "PortsInternetAvailable"="Y"
    "UseInternetPorts"="Y"
    "Ports"=hex(7):34,00,39,00,31,00,35,00,32,00,2d,00,36,00,33,00,39,00,39,00,39,\
      00,00,00,00,00


    Thanks for your help! SdeDot
    Thursday, January 12, 2012 9:04 PM
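As an added check that is not part of the thread or any poster's code: the Python below decodes the hex(7) REG_MULTI_SZ "Ports" value from the question back to text, re-encodes a KB-style range for a .reg file, and works out the netsh start/num arithmetic for the same range (netsh counts ports inclusively from start, so 49152-63999 is 14848 ports and start=49152 num=14847 ends at 63998). Only the standard library is used; the sample value is copied from the question.

```python
# Added example (not from the thread): decode/encode the .reg hex(7) form of the
# RPC "Ports" value and reconcile a port range with netsh start/num arithmetic,
# so both settings can be checked for agreement before touching a domain controller.
import re


def decode_reg_multi_sz(hex7: str) -> list[str]:
    """Decode a .reg hex(7) value: UTF-16LE, NUL-separated strings, double-NUL terminated."""
    # Tokens are separated by commas; line continuations ("\" + newline + indent) are skipped too.
    raw = bytes(int(tok, 16) for tok in re.split(r"[,\\\s]+", hex7.strip()) if tok)
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def encode_reg_multi_sz(strings: list[str]) -> str:
    """Inverse of decode_reg_multi_sz: hex(7) byte list for a .reg file (single line)."""
    payload = "".join(s + "\x00" for s in strings) + "\x00"
    return ",".join(f"{b:02x}" for b in payload.encode("utf-16-le"))


def parse_port_range(spec: str) -> tuple[int, int]:
    """'49152-63999' -> (49152, 63999); a lone 'N' -> (N, N). Rejects out-of-range values."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (1 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port range: {spec}")
    return lo_i, hi_i


def netsh_args_for_range(spec: str) -> tuple[int, int]:
    """(start, num) for 'netsh int ipv4 set dynamicport tcp'; num counts start itself."""
    lo, hi = parse_port_range(spec)
    return lo, hi - lo + 1


def netsh_last_port(start: int, num: int) -> int:
    """Highest port covered by a given netsh start/num pair."""
    return start + num - 1


# Constructed input: the "Ports" value exactly as pasted in the question, including
# the backslash line continuation of the .reg format.
QUESTION_PORTS_HEX7 = (
    "34,00,39,00,31,00,35,00,32,00,2d,00,36,00,33,00,39,00,39,00,39,\\\n"
    "  00,00,00,00,00"
)

if __name__ == "__main__":
    ports = decode_reg_multi_sz(QUESTION_PORTS_HEX7)
    print("RPC Ports value:", ports)                        # ['49152-63999']
    print("netsh equivalent:", netsh_args_for_range(ports[0]))  # (49152, 14848)
    print("start=49152 num=14847 ends at:", netsh_last_port(49152, 14847))  # 63998
    print("KB154596 range as hex(7):", encode_reg_multi_sz(["10002-10200"]))
```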

All replies

  • I believe the netsh method affects the Windows firewall, whereas you want to set the NTDS values to work for AD. I have some info on this in the following blog and additional links in it as well. I hope you find it helpful.

    Active Directory Firewall Ports - Let's Try To Make This Simple
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx 

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, January 13, 2012 4:23 AM
  • You can find explanations below. Netsh is a command-line tool which can handle viewing or allocation of dynamic ports and many other functions like resetting the TCP/IP stack, DHCP admin, etc. Whereas the key you mentioned is used to bind a static RPC port in AD.

    In Vista and 2008, most administration of things at the network stack level is handled via NETSH.  Using NETSH, it’s possible to see what your dynamic port range is set to on a per server basis:

    http://blogs.technet.com/b/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx

    Restricting Active Directory replication traffic and client RPC traffic to a specific port

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;224196

    Regards


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Friday, January 13, 2012 12:31 PM
  • netsh is the official and MS supported way. But (as many configuration
    tasks do) it only sets appropriate registry values to reflect your
    command line arguments. Same is true for

    - firewall rules
    - service configuration
    - ...

    Tools like regshot leverage this to create custom registry files for
    import on other machines without invoking GUIs.

    sincerely, Martin

    A bit of "experience", a bit of common sense... If my answer was helpful, I'm glad about a rating!
    Friday, January 13, 2012 12:52 PM
  • If you are using 2008 or 2008 R2 then method 1 is setting the firewall ports open (as others have mentioned), but if you are on 2003 this will probably get you a command line error.  Not sure though, maybe 2003 will allow it.

    The second line is setting the ports, of which I don't know if it will even work I haven't seen that way to define ports.

    I have a blog on how to configure ports for the dynamic range for your DC (you are talking about a DC, right?) that will go into more detail with the options.  I would suggest using my method since the RPC port range definition is much clearer to follow.
    http://www.pbbergs.com/windows/articles/FirewallReplication.html

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, January 13, 2012 1:03 PM
  • All,

    Thanks for all the information.  I've spent some time reviewing, however I'm still confused.  All my work is done on a 2008 R2 Domain Controller.

    Paul: In your post, you mention you don't know how #2 would work, but in your referenced article (which I pasted below), you use the same technique.

    So if I set my dynamic ports via method 2 above, and then issue a 'netsh int ipv4 show dynamicport tcp', the output does not display the range I just set.  Why is this?  I guess what I'm really asking here is: doesn't the netsh and registry method (KB154596) set the DynamicPorts?

    RPC dynamic port allocation - KB154596 (Only allow ports 10002 - 10200 for RPC from other machines)

    Locate and then click the following key in the registry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\

    Create a New Key = Internet

    Locate and then click the following key in the registry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\

    Add the values:

    "Ports" (MULTI_SZ) = 10002-10200
    "PortsInternetAvailable" (REG_SZ) = Y
    "UseInternetPorts" (REG_SZ) = Y


    Thanks for your help! SdeDot
    Tuesday, January 17, 2012 9:33 PM
  • I'm curious about the reason or end goal for these settings? Is it to control AD replication traffic, or client communications traffic, or both?

    The two methods you are describing are for two separate, different reasons.

    RPC registry mods are designed for dynamic port service response ports (the ephemeral ports), by restricting the RPC ports.

    The netsh command is used to configure the dynamic port ranges that the Windows built-in firewall is controlling.

    I guess with what you're doing, unless I'm missing something, is if you alter the RPC ports, then you may have to alter the Windows ports to accept the traffic.

    Take a look at this discussion in the following thread to see what I mean:

    How to restrict 08R2 AD Default dynamic port range ?
    http://social.technet.microsoft.com/Forums/da/winserverDS/thread/c60df8b3-fca7-4847-b5a0-12a7d452350e

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Wednesday, January 18, 2012 4:34 AM
  • Paul: In your post, you mention you don't know how #2 would work, but in your referenced article (which I pasted below), you use the same technique.

    My point was I use values as you have in your lower post.  I don't know how you configured your ports via
    "Ports"=hex(7):34,00,39,00,31,00,35,00,32,00,2d,00,36,00,33,00,39,00,39,00,39,\
      00,00,00,00,00

    NetSh has nothing to do with the RPC ports, it has to do with you modifying the FW settings.  You are getting confused, the settings set two different things.

    1) Which ports are being used for RPC communications with this machine
    2) What ports are allowed open to this machine within the FW

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Ace Fekay [MCT] Wednesday, January 18, 2012 6:16 PM
    • Marked as answer by SdeDot Wednesday, January 18, 2012 8:11 PM
    Wednesday, January 18, 2012 1:00 PM
  • Ace/Paul,

    So I think I understand where my misunderstanding is, based on your posts.

    The goal I'm trying to achieve is to set the RPC ports on a Domain Controller to be fixed due to what ports are open on our Firewalls.  So the Domain Controller would only use the RPC ports for RPC communications through a Domain Controller.

    I thought both methods (i.e. Netsh and registry) were used to set RPC ports for RPC communication on a Domain Controller, but it looks as if the registry method I specified sets the RPC ports but the Netsh method sets Dynamic Ports used for the Windows Firewall.  Is this correct?  If so, then I was confusing the use of two separate mechanisms to set RPC ports for RPC communication.


    Thanks for your help! SdeDot
    Wednesday, January 18, 2012 6:53 PM
  • That's correct. The RPC settings are what you need to concentrate on, assuming the Windows Firewall is turned off. Netsh is useless here.

    Also, make sure no antivirus will block traffic either, since many of them have new features that "protect network traffic" and are detrimental to DCs.

    Ace
    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by SdeDot Wednesday, January 18, 2012 8:12 PM
    Wednesday, January 18, 2012 7:54 PM
  • I came across this article. My challenge is to put a range limit on what LPC uses to rx data after inquiries like systeminfo: it uses 135 to request it and pass the authentication, but once the info is ready to be rx by the client from the server, the client selects a hi port randomly, and I want to limit that range. I used netsh and I did the registry hack like shown above, but still it is locked in to requesting the info on a port out of range.

    How is the random hi port selected? Is it set during the initial exchange, and does the server I am requesting the info from decide, or is it the client, the requesting machine, that decides?

    Monday, August 3, 2020 4:27 PM
  • Despite this thread being 8 years old and assuming you mean RPC and not LPC: The client sends a request to remote port 135 on the server. The server replies to this request with one of its available RPC listeners, which listens in the high port range. You can even look at this with the portqry.exe tool available for download at MS. Or have a look at https://devblogs.microsoft.com/scripting/testing-rpc-ports-with-powershell-and-yes-its-as-much-fun-as-it-sounds/

    To sum it up: The SERVER chooses the port for RPC comm, not the client.


    Greetings, Martin - https://mvp.microsoft.com/en-us/PublicProfile/5000017 Want to read a good book about GPOs? - http://www.amazon.de/Windows-Server-2012--8-Gruppenrichtlinien/dp/3866456956 Good or bad GPOs? My blog - http://evilgpo.blogspot.com And if IT bothers me? Coke bottle design refreshment - http://sdrv.ms/14t35cq

    Monday, August 3, 2020 4:44 PM