AD Restricting Active Directory RPC traffic to a specific port

Member servers also expose the Netlogon RPC interface, but it is rarely used there; one example is remote configuration retrieval, such as "nltest /server:member.contoso.com /sc_query:contoso.com".

Registry key 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)

You need to restart the computer for the new setting to become effective.

Registry key 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: (available port)

You need to restart the Netlogon service for the new setting to become effective.

Note: When you use the DCTcpipPort registry entry and set it to the same port as the "TCP/IP Port" registry entry under NTDS\Parameters, you receive Netlogon error event 5809. This indicates that the configured port is already in use, and you should choose a different port.

You will also receive the same event when you have chosen a unique port and then restart the Netlogon service on the domain controller. This is by design and occurs because of the way the RPC runtime manages its server ports. The port will be used after the restart, and in this case the event can be ignored.

Administrators should confirm that communication over the specified port is permitted if any intermediate network devices or packet-filtering software sit between the domain controllers.
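The following PowerShell script is an added example, not part of the original post: it writes both registry values described above, refuses a port pair that would trigger event 5809 (same port for both entries, or a port already bound on the host), restarts Netlogon, and then lists any 5809 events logged since. It assumes it runs elevated on the domain controller and that Netlogon writes event 5809 to the System log under the provider name NETLOGON; the port numbers are supplied by the administrator.

```powershell
# Added example (not from the original post): pin the AD and Netlogon RPC
# server ports to fixed values and verify the result.
# Assumptions: run elevated on a domain controller; $AdPort and $NetlogonPort
# are free ports chosen by the administrator; event 5809 is written to the
# System log with provider name NETLOGON.
param(
    [Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$AdPort,
    [Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$NetlogonPort
)

$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# The two values must differ; using the same port produces Netlogon event 5809.
if ($AdPort -eq $NetlogonPort) {
    throw "AD RPC port and Netlogon port must differ (both set to $AdPort)."
}

# Refuse ports that already have a listener, so the services do not fail to
# bind after the restart and log a genuine (not by-design) 5809.
$listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort
foreach ($p in @($AdPort, $NetlogonPort)) {
    if ($listening -contains $p) { throw "Port $p is already in use on this host." }
}

# Registry key 1: NTDS "TCP/IP Port" (takes effect only after a reboot).
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $AdPort -Force | Out-Null
# Registry key 2: Netlogon "DCTcpipPort" (takes effect after restarting Netlogon).
New-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -PropertyType DWord `
    -Value $NetlogonPort -Force | Out-Null

Restart-Service -Name Netlogon -Force

# Echo what was written, then surface any 5809 logged since the restart.
# A single 5809 right after restarting Netlogon with a unique port is the
# by-design case described in the note; repeated 5809s mean the port is taken.
Get-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port'
Get-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort'
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON';
                                 Id = 5809; StartTime = (Get-Date).AddMinutes(-5) } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

Write-Host "Reboot required before the NTDS 'TCP/IP Port' value takes effect."
```

After the reboot, confirm with Get-NetTCPConnection that the domain controller listens on both chosen ports, and that any packet filter between domain controllers permits them.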

Frequently, you must also manually set the File Replication Service (FRS) RPC port, because AD replication and FRS replication run between the same domain controllers. The FRS RPC port should be a different port from the AD RPC port. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
