AD Client requirement to access replication port number when replication has been restricted to a single port number

  • Last Post 09 June 2016
BrianB posted this 09 June 2016

All,

I am building out a new greenfield AD forest. As part of our previous forest config, we restricted replication between Domain Controllers to a single port outside of the ephemeral range. See https://support.microsoft.com/en-us/kb/179442. I recall reading some years ago that clients needed access to the replication port to be able to process group policy correctly. So we opened that port up to our clients. Now that I am greenfielding a new forest, I am questioning everything that we did and trying to fully document it.

I just can’t remember the reason for why we had to allow that port to our clients and have since lost the URL to the article that I got the information from. I am hoping that someone knows the answer to this and can point me to the article or explain the reason behind it. Does anyone know the answer? If I can find the answer I will post it as a follow up.

Brian Britt
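As an added example (not from this thread or from Microsoft), the PowerShell below does the documentation step the post is asking for: it reads the static replication port set per KB 179442 (the `TCP/IP Port` DWORD under the NTDS `Parameters` key), flags whether that port sits inside the ephemeral range, and then checks from a member machine which DC ports are actually reachable, listing the standard Group Policy dependencies (Kerberos, RPC endpoint mapper, LDAP, SMB for SYSVOL) alongside the replication port. The DC name `dc01.corp.example` is an assumption; replace it with your own. Whether clients genuinely need the replication port is the open question of the thread; this only records what is configured and what is reachable so the firewall rule can be justified or dropped.

```powershell
# Added example, not from the thread. Audits the fixed AD replication port on a DC
# and checks what a domain member can reach. Assumes:
#   - the DC name below (replace it),
#   - the registry value documented in KB 179442,
#   - an account that can run Invoke-Command against the DC,
#   - Test-NetConnection (Windows 8 / Server 2012 or later).
param(
    [string]$DomainController = 'dc01.corp.example',   # assumed name, replace
    [int]$EphemeralStart = 49152,                       # default dynamic range on Vista/2008+
    [int]$EphemeralEnd   = 65535
)

# 1. Read the static replication port (KB 179442). No value means a dynamic port.
$ntdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$replPort = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    (Get-ItemProperty -Path $using:ntdsKey -Name 'TCP/IP Port' -ErrorAction SilentlyContinue).'TCP/IP Port'
}

if (-not $replPort) {
    Write-Warning "No static 'TCP/IP Port' on $DomainController; replication uses a dynamic RPC port."
} elseif ($replPort -ge $EphemeralStart -and $replPort -le $EphemeralEnd) {
    Write-Warning "Replication port $replPort lies inside the ephemeral range $EphemeralStart-$EphemeralEnd."
} else {
    Write-Output "Replication is pinned to TCP $replPort (outside the ephemeral range)."
}

# 2. Ports a member machine needs from a DC for Group Policy processing, plus the
#    replication port listed separately so the two can be compared in the report.
$required = [ordered]@{
    'Kerberos'            = 88
    'RPC endpoint mapper' = 135
    'LDAP'                = 389
    'SMB (SYSVOL share)'  = 445
}
if ($replPort) { $required['AD replication (NTDS)'] = [int]$replPort }

$results = [System.Collections.Generic.List[object]]::new()
foreach ($entry in $required.GetEnumerator()) {
    $probe = Test-NetConnection -ComputerName $DomainController -Port $entry.Value -WarningAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Service   = $entry.Key
        Port      = $entry.Value
        Reachable = $probe.TcpTestSucceeded
    })
}

# Reachable = False on a required port explains a GP processing failure;
# Reachable = True on the replication port from a client is the rule to document.
$results | Format-Table -AutoSize
```

Run it from a workstation in the client subnet being documented, not from the DC itself, so the result reflects the firewall path the clients actually use. The endpoint mapper check on TCP 135 covers only the first half of an RPC call; the dynamic port the server hands back still has to be open, which is why the thread asks about the ephemeral range.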

g4ugm posted this 09 June 2016

Group Policy is read from a file share, so normally you need RPC to access the SMB shares. Did you lock down the client to use the same RPC port for SMB shares? https://support.microsoft.com/en-gb/kb/832017 has more info and refers to https://support.microsoft.com/en-gb/kb/224196 which also references some hotfixes.

Dave


BrianB posted this 09 June 2016

Dave,

No, we only restricted the NTDS Parameter for a single port. All other client RPC was allowed over the ephemeral port range of 49152 – 65535.

Brian
