RPC Dynamic Ports for DMZ with 2008 RODC

biga (Member, joined Aug 4, 2009, 3 messages)
We have a 2003 forest. We are going to install a 2008 RODC in our DMZ and a 2008 DC in our LAN because of an extranet SharePoint project.
The only thing I'm confused about is the RPC dynamic ports.
I did the things described in the following articles:
http://support.microsoft.com/kb/154596/en-us
http://www.pbbergs.com/windows/articles/FirewallReplication.html

The second article stated that those registry settings should only be applied to the DCs in the DMZ.
But because we use an RODC in the DMZ, and it can only communicate with a writable 2008 DC in our LAN, I think I should apply these registry settings also on this 2008 DC in our LAN.
But again, if I do that, don't I have to apply the registry settings on all DCs in our LAN? I don't want to do that.

Thanx
 
I've been testing the RPC registry settings. It seems that if I only configure the RODC in the DMZ with the registry settings, I get AD replication errors (repadmin /showrepl).
If I apply those registry settings also on the 2008 DC in our LAN, replication seems to be OK.
Question is, how do the other 2003 DCs in our LAN know on which RPC port to replicate with the 2008 DC in our LAN? As far as I know, RPC uses random ports above 1024.
Thanx
 
I posted the same question on the Microsoft forum. Link to forum:
RPC Dynamic Ports for DMZ with 2008 RODC

Answer:
For 2003 - 2008 RPC communication, a domain controller without RPC port allocation can replicate with a domain controller with RPC port allocation. That means we don't need to make the registry modifications to all your domain controllers, unless you want to restrict the traffic on all domain controllers.

For the 2008 RODC communication, we need to make the registry modifications on the Windows Server 2008 writable DC. The dynamic port is required for the RODC to pull the changes from the writable DC. Here is the process for your reference:

1. When the RODC requests changes from the writable DC, it contacts the RPC endpoint mapper (port 135) on the writable DC.
2. The writable DC queries the RPC endpoint mapper to determine what port has been assigned for Active Directory replication, and then responds from port 135 with that port (which we set in the registry key, i.e. 49157) and closes the connection.
3. The RODC then makes a new session connection to the writable DC on port 49157 to pull the changes.

You may also refer to the Required communication ports of the following article for more information:

Designing RODCs in the Perimeter Network
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx#ad_rep

If there is anything unclear, please feel free to let me know.
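The following script is an added example, not code from this thread or from Microsoft. It puts the registry changes discussed above (the KB 154596 RPC\Internet keys the first post applied, plus the NTDS "TCP/IP Port" value that the answer's port 49157 refers to, documented in KB 224196) into PowerShell 2.0-compatible functions, and adds the check a firewall administrator wants: from the RODC, can both hops of the answer's three-step flow (port 135, then the pinned port) be reached? The host name dc01.corp.example and the 49152-49300 range are constructed placeholders; the functions assume they run elevated on the DC being configured.

```powershell
# Added example (not from the thread or Microsoft). Pins the AD replication RPC
# port on a Windows Server 2008 DC and verifies the DMZ path. Run elevated on the DC.
$NtdsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtfrsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
$RpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-AdReplicationPort {
    param([Parameter(Mandatory=$true)][ValidateRange(1025,65535)][int]$Port,
          [int]$FrsPort = 0)
    # "TCP/IP Port" (REG_DWORD) under NTDS\Parameters fixes the port the AD replication
    # interface registers with the endpoint mapper (KB 224196). Read at NTDS start-up,
    # so a reboot of the DC is required before repadmin will show the new port in use.
    New-ItemProperty -Path $NtdsParams -Name 'TCP/IP Port' -PropertyType DWord `
        -Value $Port -Force | Out-Null
    if ($FrsPort -gt 0) {
        # Same idea for FRS SYSVOL replication (2003-era forests still use FRS).
        New-ItemProperty -Path $NtfrsParams -Name 'RPC TCP/IP Port Assignment' `
            -PropertyType DWord -Value $FrsPort -Force | Out-Null
    }
}

function Set-RpcInternetPortRange {
    param([Parameter(Mandatory=$true)][string]$Range)   # e.g. '49152-49300' (assumed range)
    # KB 154596 keys (cited in the first post): restrict every other dynamic RPC endpoint
    # on this host to $Range, so the DMZ firewall rule can stay narrow instead of
    # allowing all of 49152-65535.
    if (-not (Test-Path $RpcInternet)) { New-Item -Path $RpcInternet -Force | Out-Null }
    New-ItemProperty -Path $RpcInternet -Name 'Ports' -PropertyType MultiString `
        -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $RpcInternet -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcInternet -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Get-AdReplicationPortConfig {
    # Read back what is configured so it can be compared with the firewall rule.
    $ntds = Get-ItemProperty -Path $NtdsParams  -ErrorAction SilentlyContinue
    $rpc  = Get-ItemProperty -Path $RpcInternet -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        NtdsPort        = $ntds.'TCP/IP Port'
        RpcPortRange    = $rpc.Ports
        UseInternetPorts = $rpc.UseInternetPorts
    }
}

function Test-ReplicationPath {
    param([Parameter(Mandatory=$true)][string]$WritableDc, [int]$Port = 49157)
    # From the RODC: the two TCP connections the answer describes, endpoint mapper (135)
    # first, then the pinned replication port. Both must pass the DMZ firewall; a
    # reachable 135 with an unreachable $Port is exactly the symptom in the second post.
    foreach ($p in 135, $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        try   { $client.Connect($WritableDc, $p); $ok = $true }
        catch { $ok = $false }
        finally { $client.Close() }
        '{0}:{1} reachable = {2}' -f $WritableDc, $p, $ok
    }
    # repadmin /showrepl is the thread's own check; "The RPC server is unavailable"
    # in its output means the second hop (the pinned port) is being blocked.
    & repadmin.exe /showrepl
}

# Usage, on the writable 2008 DC in the LAN and then again on the RODC in the DMZ:
#   Set-AdReplicationPort -Port 49157
#   Set-RpcInternetPortRange -Range '49152-49300'   # only if other RPC traffic must be narrowed too
#   Get-AdReplicationPortConfig
#   Restart-Computer
# Then, from the RODC:
#   Test-ReplicationPath -WritableDc 'dc01.corp.example' -Port 49157
```

With this in place the DMZ firewall only needs TCP 135 and the pinned port (plus the non-RPC ports listed in the "Designing RODCs in the Perimeter Network" article) from the RODC to the one writable DC; the 2003 DCs in the LAN keep using the endpoint mapper as before and need no change, as the answer states.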
 