biga, posted August 4, 2009:

We have a 2003 forest. We are going to install a 2008 RODC in our DMZ and a 2008 DC in our LAN because of an extranet SharePoint project. The only thing I'm confused about are the RPC dynamic ports. I did the things described in the following articles:

http://support.microsoft.com/kb/154596/en-us
http://www.pbbergs.com/windows/articles/FirewallReplication.html

The second article stated that those registry settings should only be applied to the DCs in the DMZ. But because we use a RODC in the DMZ, and it can only communicate with a writable 2008 DC in our LAN, I think I should apply these registry settings also on this 2008 DC in our LAN. But again, if I do that, don't I have to apply the registry settings on all DCs in our LAN? I don't want to do that.

Thanks
biga (author), posted August 4, 2009:

I've been testing the RPC registry settings. It seems that if I only configure the RODC in the DMZ with the registry settings, I get AD replication errors (repadmin /showrepl). If I apply those registry settings also on the 2008 DC in our LAN, replication seems to be OK. The question is, how do the other 2003 DCs in our LAN know on which RPC port to replicate with the 2008 DC in our LAN? As far as I know, RPC uses random ports above 1024.

Thanks
biga (author), posted August 14, 2009:

I posted the same question on the Microsoft forum. Link to forum: "RPC Dynamic Ports for DMZ with 2008 RODC". Answer:

> For 2003 to 2008 RPC communication, a domain controller without RPC port allocation can replicate with a domain controller with RPC port allocation. That means we don't need to make the registry modifications to all your domain controllers, unless you want to restrict the traffic on all domain controllers.
>
> For the 2008 RODC communication, we need to make the registry modifications on the Windows Server 2008 writable DC. The dynamic port is required for the RODC to pull the changes from the writable DC. Here is the process for your reference:
>
> 1. When the RODC requests changes from the writable DC, it contacts the RPC endpoint mapper (port 135) on the writable DC.
> 2. The writable DC queries the RPC endpoint mapper to determine what port has been assigned for Active Directory replication, and then responds from port 135 with that port (the one we set in the registry key, i.e. 49157) and closes the connection.
> 3. The RODC then makes a new session connection on the writable DC port 49157 to pull the changes.
>
> You may also refer to the "Required communication ports" section of the following article for more information:
>
> Designing RODCs in the Perimeter Network
> http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx#ad_rep
>
> If there is anything unclear, please feel free to let me know.
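Added example, not part of the thread: a PowerShell check, run on the writable DC, that verifies the static replication port from the process above is actually configured and listening, and then pulls failed replication links the way the second post did with repadmin. It assumes the registry values named in KB 154596 (linked in the first post), `NTDS\Parameters` "TCP/IP Port" and `Netlogon\Parameters` "DCTcpipPort", and that `Get-NetTCPConnection` is available (Windows Server 2012 or later).

```powershell
# Added example (not from the thread). Reads the static RPC port values from KB 154596
# and confirms the NTDS one is in effect before you trust the DMZ firewall rule for it.
function Get-DcStaticRpcPorts {
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $nl   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NtdsPort     = $ntds.'TCP/IP Port'   # $null while the DC still uses a dynamic port
        NetlogonPort = $nl.DCTcpipPort
    }
}

function Test-DcStaticRpcPort {
    # 49157 is the port used in the forum answer; pass the one your firewall rule allows.
    param([int]$ExpectedPort = 49157)
    $ports = Get-DcStaticRpcPorts
    if (-not $ports.NtdsPort) {
        Write-Warning 'NTDS "TCP/IP Port" is not set; AD replication still uses a dynamic RPC port.'
        return $false
    }
    if ($ports.NtdsPort -ne $ExpectedPort) {
        Write-Warning "NTDS port is $($ports.NtdsPort) but the firewall rule expects $ExpectedPort."
    }
    # The registry value only takes effect after the DC restarts, so check for a live listener.
    $listener = Get-NetTCPConnection -State Listen -LocalPort $ports.NtdsPort -ErrorAction SilentlyContinue
    if (-not $listener) {
        Write-Warning "Nothing is listening on TCP $($ports.NtdsPort); has the DC been restarted?"
        return $false
    }
    $owner = (Get-Process -Id $listener[0].OwningProcess).ProcessName   # expected: lsass
    Write-Host "AD replication RPC endpoint is static on TCP $($ports.NtdsPort) (owner: $owner)."
    return $true
}

# Inbound replication links with failures, as seen by this DC (repadmin /showrepl in CSV form).
function Get-ReplicationFailures {
    repadmin /showrepl /csv | ConvertFrom-Csv |
        Where-Object { $_.'Number of Failures' -ne '0' }
}

Test-DcStaticRpcPort
Get-ReplicationFailures | Format-Table 'Source DSA', 'Naming Context', 'Last Failure Status' -AutoSize
```

If the listener check passes but repadmin still reports failures toward the RODC, the remaining suspect is the firewall path for TCP 135 plus the static port rather than the registry setting itself.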