Subject: [ActiveDir] 1025/tcp open NFS-or-IIS
AD000001178 (Posts: 0), 03/09/2006 9:56 AM
Hi,

Just wanted to know what is this and how disabling or enabling it can
affect my DC?
--
Ravi Dogra
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
amulnick (Posts: 127), 03/10/2006 2:19 AM
My advice if you need this functionality is to bring it to 2003 + sp1 or don't try real hard to get it done.  I know that business reasons can be brought up to get in the way, but I'm sure that reliability obtained through bug fixes is worth the extra effort in every case.


2000 was good, but 2003 is WAY better by far in its reliability and capabilities.

Al 
On 3/10/06, Marcus.Oh@xxxxxxx wrote:

Al, do you have success with that rpc port limitation?  With win2k, it did not work as advertised as I recall…


:m:dsm:cci:mvp marcusoh.blogspot.com


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Thursday, March 09, 2006 9:42 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS



1025/tcp is in the range of ephemeral ports. If it were some versions of BSD, that would be 1025-4999, but for Windows it's pretty much 1025-65535 (TCP in this case).


RPC endpoints are typically negotiated and pick from the ephemeral ports that Windows has available (above 1024 or implicitly 1025-65535 with some exceptions).


If you disable that port on a standalone machine, especially a DC, you can easily break its normal function or at least whatever is based on RPC connectivity. You *could* lock down the ports that the RPC endpoint mapper hands out however, which would allow you to use some other port and thereby disable that port if you really wanted to for some reason. The end result is that when asked, your server would always hand out the same port number to communicate vs. picking one at random.


Was there a particularly interesting reason you want to disable that access? From outside your network you certainly do, but any particular reason why you would on the machine?
Al 

MarcusOh (Posts: 7), 03/10/2006 2:38 AM
I hadn't tried it since 2000 since we didn't have much success.  Basically DCs would fail replication because they were still picking ports out of ranges that were no longer supposed to be used…  Well, I have all my DCs to 2003 SP1… I think I may give this a go again.  I have a perfect opportunity at something I'd like to test.

Are there any drawbacks related to this?  Performance maybe?



:m:dsm:cci:mvp 
marcusoh.blogspot.com



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Friday, March 10, 2006 9:16 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS



Honestly?  I have with servers, but haven't tried a DC
in 2000.  As noted in the next post, it has been shown to have good
results in 2003 + SP1.  In 2000 there were all kinds of "undone"
or "mostly done" features that you'll find work much better in 2003 +
SP1.



amulnick (Posts: 127), 03/10/2006 2:43 AM
Was there a particularly interesting reason you want to disable that access? From outside your network you certainly do, but any particular reason why you would on the machine?
Al 
MarcusOh (Posts: 7), 03/10/2006 5:16 AM
Al, do you have success with that rpc port limitation?  With win2k, it did not work as advertised as I recall…



:m:dsm:cci:mvp marcusoh.blogspot.com

AD000001486 (Posts: 0), 03/10/2006 7:36 AM
Marcus,

I have tested that with 2003 SP1 DCs. Works like a charm.

I used the following KB: http://support.microsoft.com/kb/154596/

Cheers.

--
"Ambition is a dream with a V8 engine." ~ Elvis Presley
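Al's point that the endpoint mapper's hand-out range can be locked down, and the KB 154596 procedure the reply above reports working on 2003 SP1 DCs, as an added PowerShell example that is not from the list thread: it writes the three registry values the KB documents and then lists listening TCP ports above 1024 that fall outside the chosen range, which is how the replication failures Marcus describes would show up after the change. The 5000-5100 range, the static-port exclusion list and the function names are my own assumptions, not part of the KB.

```powershell
# Added example, not from the thread: restrict the RPC dynamic port range per
# KB 154596 and check which listeners still sit outside it. Run elevated;
# the RPC runtime only reads these values at boot, so reboot before checking.
$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$RangeStart = 5000   # constructed sample range; size it for the host's real
$RangeEnd   = 5100   # RPC load (a DC needs far more than a handful of ports)

# Well-known fixed ports above 1024 on a DC that are not dynamic RPC endpoints
# (assumed list: 3268/3269 global catalog LDAP/LDAPS, 3389 RDP); review others.
$StaticPorts = 3268, 3269, 3389

function Set-RpcDynamicPortRange {
    param([int]$Start, [int]$End)
    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    # The three values KB 154596 documents: Ports is REG_MULTI_SZ holding the
    # range(s), the two flags are REG_SZ "Y" so the range is actually used
    New-ItemProperty -Path $RpcInternetKey -Name 'Ports' -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    New-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' `
        -PropertyType String -Value 'Y' -Force | Out-Null
}

function Get-ListeningPortsOutsideRange {
    param([int]$Start, [int]$End)
    # Parse 'netstat -ano' (assumes English state names) instead of
    # Get-NetTCPConnection so this also works on 2003-era servers.
    # Column layout: Proto  Local Address  Foreign Address  State  PID
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[1]; $procId = [int]$Matches[2]
            # Ports at or below 1024 (135 endpoint mapper, 389 LDAP, ...) are
            # well-known service ports, not dynamically assigned endpoints
            if ($port -gt 1024 -and $StaticPorts -notcontains $port -and
                ($port -lt $Start -or $port -gt $End)) {
                [pscustomobject]@{
                    Port    = $port
                    PID     = $procId
                    Process = (Get-Process -Id $procId -ErrorAction SilentlyContinue).Name
                }
            }
        }
    }
}

Set-RpcDynamicPortRange -Start $RangeStart -End $RangeEnd
# After the reboot: anything listed here still listens outside the range and
# needs its own fixed-port setting or a wider range before the firewall closes
Get-ListeningPortsOutsideRange -Start $RangeStart -End $RangeEnd | Format-Table -AutoSize
```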
amulnick (Posts: 127), 03/10/2006 9:25 AM
Al 
AD000001178 (Posts: 0), 03/10/2006 10:43 AM
Hi,

I would prefer not to play with this one. Actually what I was doing is
to restrict a server to open only the required ports as per its role,
and in this case I was not so sure about this port.

Actually I have been given the task to harden the servers we have.

:: Kindly update me if you have any suggestions to harden the servers.
What all topics should I cover? etc.

Thanks and Regards
Ravi Dogra
amulnick (Posts: 127), 03/11/2006 2:00 AM
Message body was not found.