AD Client requirement to access replication port number when replication has been restricted to a single port number

  • Last Post 09 June 2016
BrianB posted this 09 June 2016

All,   I am building out a new green field AD forest. As part of our previous forest config, we restricted replication between Domain Controllers to a single port outside of the ephemeral range. See I recall reading some years ago that clients needed access to the replication port to be able to process group policy correctly. So we opened that port up to our clients. Now that I am green fielding a new forest, I am questioning everything that we did and trying to fully document it.

  I just can’t remember the reason for why we had to allow that port to our clients and have since lost the URL to the article that I got the information from. I am hoping that someone knows the answer to this and can point me to the article or explain the reason behind it. Does anyone know the answer?   If I can find the answer I will post it as a follow up.      Brian Britt

Order By: Standard | Newest | Votes
g4ugm posted this 09 June 2016

 Group Policy is read from a file share, so normally you need RPC to access the SMB shares. Did you lock down the client to use the same RPC port for SMB shares? has more info and refers to which also references some hot fixes. Dave 


BrianB posted this 09 June 2016



No, we only restricted the NTDS Parameter for a single port. All other client RPC was allowed over the ephemeral port ranges of 49152 – 65535..