Help and Support
 

powered byLive Search

How to restrict FRS replication traffic to a specific static port

View products that this article applies to.
Article ID:319553
Last Review:November 6, 2007
Revision:3.5
This article was previously published under Q319553
On This Page

SUMMARY

This article describes how to configure a static port for File Replication service (FRS) traffic.

NOTE: The functionality that is described in this article is a post-Windows 2000 Service Pack 2 (SP2) feature. Therefore, the information in this article applies only to Windows 2000-based servers that are running SP2 and the post-SP2 QFE hotfix that is described in the following Microsoft Knowledge Base article:
321557 (http://support.microsoft.com/kb/321557/) Improvements in the post-SP2 release of Ntfrs.exe that is packaged with an updated Ntfs.sys driver

Back to the top

MORE INFORMATION

FRS is a multiple-threaded, multiple-master replication engine that replaces the LANMan Directory Replication (LMRepl) service in Microsoft Windows NT versions 3.x and 4.0. Windows 2000-based domain controllers and servers use FRS to replicate system policy and logon scripts for client computers that are running Windows 2000 and earlier. Additionally, FRS can replicate content between Windows 2000-based servers that host the same fault-tolerant Distributed File System (DFS) roots or child-node replicas.

Back to the top

FRS Replication

By default, FRS replication over remote procedure calls (RPCs) occurs dynamically over an available port by using RPC Endpoint Mapper (also known as RPCSS) on port 135; the process is the same for Active Directory or Microsoft Exchange Server replication. You can override this default functionality and specify the port that all FRS replication traffic passes through (you can configure Active Directory in the same way). When you do so, you can limit replication to a static port. For more informationabout how to restrict Active Directory replication traffic to a port, click the following article number to view the article in the Microsoft Knowledge Base:
224196 (http://support.microsoft.com/kb/224196/) Restricting Active Directory replication traffic and client RPC traffic to a specific port
NOTE: Before you change the default port settings in your production environment, set up a lab to simulate FRS use and to test performance. Some administrators keep only policies and scripts in SYSVOL, but other administrators may keep large amounts of data. Because every environment is different, make sure that you make your test configuration as close as possible to the production environment.

In FRS replication, the client does not know the complete binding. Therefore, when the client connects to an RPC endpoint, the RPC run-time on the client contacts RPC Endpoint Mapper on the server at a well-known port (port 135), and obtains the port to connect to for the service that is supporting the RPC interface. The service registers the endpoint when it starts, and it has the choice of a using either a dynamically assigned port or a specific port.

You can use the following procedure to configure FRS to run on a specific port. When you do so, the port is registered with RPC Endpoint Mapper.

NOTE: This article does not describe FRS replication through a firewall. If you use a firewall, you must open a number of ports (for example, Kerberos and others) for FRS replication to work. If you must initiate FRS replication over a firewall, use virtual private networking (VPN). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
179442 (http://support.microsoft.com/kb/179442/) How to configure a firewall for domains and trusts

Back to the top

How to Restrict FRS Traffic to a Specific Static Port

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

Modify the following value on each domain controller where the restricted port is to be used:
1.Start Registry Editor (Regedt32.exe).
2.Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
3.On the Edit menu, click Add Value, and then add the following registry value:
Value name: RPC TCP/IP Port Assignment
Data type: REG_DWORD
Value data: Type an available port. This value needs to be specified in decimal format.
NOTE: If you do not type a value, this registry setting always uses a value of zero and a dynamic TCP/IP port assignment is used.
4.Quit Registry Editor.
IMPORTANT: You must see if there is an intermediate network device or software that is being used to filter packets between domain controllers. If so, verify that the device or the software allows communication over the specified port. Additionally, make sure the destination TCP port that you set is open on the firewall.

For additional information about the post-SP2 hotfix for FRS, click the following article number to view the article in the Microsoft Knowledge Base:
321557 (http://support.microsoft.com/kb/321557/) Improvements in the post-S release of Ntfrs.exe that is packaged with an updated Ntfs.sys driver
For additional information about RPC Endpoint Mapper, click the following article number to view the article in the Microsoft Knowledge Base:
154596 (http://support.microsoft.com/kb/154596/) How to configure RPC dynamic port allocation to work with firewalls

Back to the top

APPLIES TO
Microsoft Windows 2000 Service Pack 2
Microsoft Windows 2000 Advanced Server
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003, Standard x64 Edition
Windows Server 2008 Datacenter
Windows Server 2008 Enterprise
Windows Server 2008 for Itanium-Based Systems
Windows Server 2008 Standard

Back to the top

Keywords: 
kbenv kbfix kbhowto KB319553

Back to the top

Article Translations

 

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.