Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
How to restrict FRS replication traffic to a specific static port
Article ID: 319553 - View products that this article applies to.
This article was previously published under Q319553
This article describes how to configure a static port for File Replication service (FRS) traffic.
NOTE: The functionality that is described in this article is a post-Windows 2000 Service Pack 2 (SP2) feature. Therefore, the information in this article applies only to Windows 2000-based servers that are running SP2 and the post-SP2 QFE hotfix that is described in the following Microsoft Knowledge Base article:
(http://support.microsoft.com/kb/321557/ )Improvements in the post-SP2 release of Ntfrs.exe that is packaged with an updated Ntfs.sys driver
FRS is a multiple-threaded, multiple-master replication engine that replaces the LANMan Directory Replication (LMRepl) service in Microsoft Windows NT versions 3.x and 4.0. Windows 2000-based domain controllers and servers use FRS to replicate system policy and logon scripts for client computers that are running Windows 2000 and earlier. Additionally, FRS can replicate content between Windows 2000-based servers that host the same fault-tolerant Distributed File System (DFS) roots or child-node replicas.
FRS ReplicationBy default, FRS replication over remote procedure calls (RPCs) occurs dynamically over an available port by using RPC Endpoint Mapper (also known as RPCSS) on port 135; the process is the same for Active Directory or Microsoft Exchange Server replication. You can override this default functionality and specify the port that all FRS replication traffic passes through (you can configure Active Directory in the same way). When you do so, you can limit replication to a static port. For more informationabout how to restrict Active Directory replication traffic to a port, click the following article number to view the article in the Microsoft Knowledge Base:
224196NOTE: Before you change the default port settings in your production environment, set up a lab to simulate FRS use and to test performance. Some administrators keep only policies and scripts in SYSVOL, but other administrators may keep large amounts of data. Because every environment is different, make sure that you make your test configuration as close as possible to the production environment.
(http://support.microsoft.com/kb/224196/ )Restricting Active Directory replication traffic and client RPC traffic to a specific port
In FRS replication, the client does not know the complete binding. Therefore, when the client connects to an RPC endpoint, the RPC run-time on the client contacts RPC Endpoint Mapper on the server at a well-known port (port 135), and obtains the port to connect to for the service that is supporting the RPC interface. The service registers the endpoint when it starts, and it has the choice of a using either a dynamically assigned port or a specific port.
You can use the following procedure to configure FRS to run on a specific port. When you do so, the port is registered with RPC Endpoint Mapper.
NOTE: This article does not describe the complete solution for a server to use FRS through a firewall. If you use FRS replication together with a firewall, you may have to open several additional ports such as the ports for Kerberos and for the Lightweight Directory Access Protocol (LDAP). The set of ports may depend on the domain role of the server. For example, assume the domain role of the server is a domain controller. In this scenario, FRS can obtain Kerberos tickets and configuration information from Active Directory Domain Services (AD DS) locally.
How to Restrict FRS Traffic to a Specific Static PortImportant This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
Modify the following value on each domain controller where the restricted port is to be used:
For additional information about the post-SP2 hotfix for FRS, click the following article number to view the article in the Microsoft Knowledge Base:
321557For additional information about RPC Endpoint Mapper, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/321557/ )Improvements in the post-S release of Ntfrs.exe that is packaged with an updated Ntfs.sys driver
(http://support.microsoft.com/kb/154596/ )How to configure RPC dynamic port allocation to work with firewalls
Article ID: 319553 - Last Review: February 1, 2010 - Revision: 4.0