How to restrict FRS replication traffic to a specific static port
NOTE: The functionality that is described in this article is a post-Windows 2000 Service Pack 2 (SP2) feature. Therefore, the information in this article applies only to Windows 2000-based servers that are running SP2 and the post-SP2 QFE hotfix that is described in the following Microsoft Knowledge Base article:
FRS Replication
By default, FRS replication over remote procedure calls (RPCs) occurs dynamically over an available port by using RPC Endpoint Mapper (also known as RPCSS) on port 135; the process is the same for Active Directory or Microsoft Exchange Server replication. You can override this default functionality and specify the port that all FRS replication traffic passes through (you can configure Active Directory in the same way). When you do so, you can limit replication to a static port. For more information about how to restrict Active Directory replication traffic to a port, click the following article number to view the article in the Microsoft Knowledge Base:
In FRS replication, the client does not know the complete binding. Therefore, when the client connects to an RPC endpoint, the RPC run-time on the client contacts RPC Endpoint Mapper on the server at a well-known port (port 135) and obtains the port to connect to for the service that is supporting the RPC interface. The service registers the endpoint when it starts, and it has the choice of using either a dynamically assigned port or a specific port.
You can use the following procedure to configure FRS to run on a specific port. When you do so, the port is registered with RPC Endpoint Mapper.
NOTE: This article does not describe the complete solution for a server to use FRS through a firewall. If you use FRS replication together with a firewall, you may have to open several additional ports such as the ports for Kerberos and for the Lightweight Directory Access Protocol (LDAP). The set of ports may depend on the domain role of the server. For example, assume the domain role of the server is a domain controller. In this scenario, FRS can obtain Kerberos tickets and configuration information from Active Directory Domain Services (AD DS) locally.
How to Restrict FRS Traffic to a Specific Static Port
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Modify the following value on each domain controller where the restricted port is to be used:
- Start Registry Editor (Regedt32.exe).
- Locate and then click the following key in the registry:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
- On the Edit menu, click Add Value, and then add the following registry value:
  Value name: RPC TCP/IP Port Assignment
  Data type: REG_DWORD
  Value data: Type an available port. This value must be specified in decimal format.
  NOTE: If you do not type a value, this registry setting always uses a value of zero and a dynamic TCP/IP port assignment is used.
- Quit Registry Editor.
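The same change, scripted so that it can be applied consistently on every domain controller and verified afterwards. This is an added example, not a script from the Knowledge Base article; it assumes a host with Windows PowerShell 3.0 or later (for Get-NetTCPConnection), the NTFRS service installed, and a port that the administrator has chosen. The port 5722 used in the usage call at the bottom is a constructed sample value, not a recommendation from the article; the service restart is inferred from the article's statement that the endpoint is registered when the service starts.

```powershell
# Added example (not from KB 319553): pin FRS RPC traffic to one static TCP port.
function Set-FrsStaticPort {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1024, 65535)]   # decimal port, as the article requires
        [int]$Port
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
    $name = 'RPC TCP/IP Port Assignment'

    # Refuse a port that another process already listens on, so the FRS endpoint
    # registration does not collide with an existing service.
    $inUse = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($inUse) {
        throw "TCP port $Port is already in use by PID $($inUse[0].OwningProcess)."
    }

    # Create the Parameters key if it is missing, then write the REG_DWORD value.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -Value $Port -PropertyType DWord -Force | Out-Null

    # Read the value back; 0 or an absent value means dynamic assignment is still in effect.
    $actual = (Get-ItemProperty -Path $key -Name $name).$name
    if ($actual -ne $Port) { throw "Expected $Port in the registry, found '$actual'." }

    # FRS registers its endpoint with RPC Endpoint Mapper at service start (assumption
    # drawn from the article), so restart the service for the new port to take effect.
    Restart-Service -Name NTFRS -Force
    Start-Sleep -Seconds 5

    # Confirm that something is now listening on the static port.
    $listening = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($listening) {
        "NTFRS (PID $($listening[0].OwningProcess)) is listening on TCP $Port."
    } else {
        Write-Warning "Nothing is listening on TCP $Port yet; check the NTFRS service state and the File Replication Service event log."
    }
}

# Usage (constructed sample port; run elevated on each domain controller).
Set-FrsStaticPort -Port 5722
```

After the script reports the listening port, the firewall rule between replication partners only needs that port plus TCP 135 for the Endpoint Mapper lookup, in addition to whatever other ports the server's domain role requires (see the note above about Kerberos and LDAP).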
For additional information about the post-SP2 hotfix for FRS, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 319553 - Last Review: 02/01/2010 06:39:08 - Revision: 4.0