FRS is a multiple-threaded, multiple-master replication engine that replaces the LANMan Directory Replication (LMRepl) service in Microsoft Windows NT versions 3.x and 4.0. Windows 2000-based domain controllers and servers use FRS to replicate system policy and logon scripts for client computers that are running Windows 2000 and earlier. Additionally, FRS can replicate content between Windows 2000-based servers that host the same fault-tolerant Distributed File System (DFS) roots or child-node replicas.
By default, FRS replication over remote procedure calls (RPCs) occurs dynamically over an available port by using RPC Endpoint Mapper (also known as RPCSS) on port 135; the process is the same for Active Directory or Microsoft Exchange Server replication. You can override this default functionality and specify the port that all FRS replication traffic passes through (you can configure Active Directory in the same way). When you do so, you can limit replication to a static port. For more informationabout how to restrict Active Directory replication traffic to a port, click the following article number to view the article in the Microsoft Knowledge Base:
Restricting Active Directory replication traffic and client RPC traffic to a specific port
: Before you change the default port settings in your production environment, set up a lab to simulate FRS use and to test performance. Some administrators keep only policies and scripts in SYSVOL, but other administrators may keep large amounts of data. Because every environment is different, make sure that you make your test configuration as close as possible to the production environment.
In FRS replication, the client does not know thecomplete binding. Therefore, when the client connects to an RPC endpoint, the RPC run-time on the client contacts RPC Endpoint Mapper on the server at a well-known port (port 135), and obtains the port to connect to for the service that is supporting the RPC interface. The service registers the endpoint when it starts, and it has the choice of a using either a dynamically assigned port or a specific port.
You can use the following procedure to configure FRS to run on a specific port. When you do so, the port is registered with RPC Endpoint Mapper.NOTE
: This article does not describe the complete solution for a server to use FRS through a firewall. If you use FRS replication together with a firewall, you may have to open several additional ports such as the ports for Kerberos and for the Lightweight Directory Access Protocol (LDAP). The set of ports may depend on the domain role of the server. For example, assume the domain role of the server is a domain controller. In this scenario, FRS can obtain Kerberos tickets and configuration information from Active Directory Domain Services (AD DS) locally.
How to Restrict FRS Traffic to a Specific Static PortImportant
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
Modify the following value on each domain controller where the restricted port is to be used:
- Start Registry Editor (Regedt32.exe).
- Locate and then click the following key in the registry:
- On the Edit menu, click Add Value, and then add the following registry value:
Value name: RPC TCP/IP Port AssignmentNOTE: If you do not type a value, this registry setting always uses a value of zero and a dynamic TCP/IP port assignment is used.
Data type: REG_DWORD
Value data: Type an available port. This value needs to be specified in decimal format.
- Quit Registry Editor.
: You must see if there is an intermediate network device or software that is being used to filter packets between domain controllers. If so, verify that the device or the software allows communication over the specified port. Additionally, make sure the destination TCP port that you set is open on the firewall.
For additional information about the post-SP2 hotfix for FRS, click the following article number to view the article in the Microsoft Knowledge Base:
Improvements in the post-S release of Ntfrs.exe that is packaged with an updated Ntfs.sys driver
For additional information about RPC Endpoint Mapper, click the following article number to view the article in the Microsoft Knowledge Base:
How to configure RPC dynamic port allocation to work with firewalls