I hadn’t tried it since 2000 since we didn’t have much success. Basically DCs would fail replication because they were still picking ports out of ranges that were no longer supposed to be used… :) Well, I have all my DCs to 2003 SP1… I think I may give this a go again. I have a perfect opportunity at something I’d like to test.

Are there any drawbacks related to this? Performance maybe?

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick

Honestly? I have with servers, but haven't tried a DC in 2000. As noted in the next post, it has been shown to have good results in 2003 + SP1. In 2000 there were all kinds of "undone" or "mostly done" features that you'll find work much better in 2003 + SP1.

My advice if you need this functionality is to bring it to 2003 + SP1 or don't try real hard to get it done. I know that business reasons can be brought up to get in the way, but I'm sure that reliability obtained through bug fixes is worth the extra effort in every case.

2000 was good, but 2003 is WAY better by far in its reliability and capabilities.

Al

On 3/10/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Al, do you have success with that rpc port limitation? With win2k, it did not work as advertised as I recall…

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick

1025/tcp is in the range of ephemeral ports. If it were some versions of BSD, that would be 1025-4999 but for Windows is pretty much 1025-65535 (TCP in this case).

RPC endpoints are typically negotiated and pick from the ephemeral ports that Windows has available (above 1024 or implicitly 1025-65535 with some exceptions).

If you disable that port on a standalone machine, especially a DC, you can easily break its normal function or at least whatever is based on RPC connectivity. You *could* lock down the ports that the RPC endpoint mapper hands out however, which would allow you to use some other port and thereby disable that port if you really wanted to for some reason. The end result is that when asked, your server would always hand out the same port number to communicate vs. picking one at random.

Was there a particularly interesting reason you want to disable that access? From outside your network you certainly do, but any particular reason why you would on the machine?

On 3/9/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:

Hi,
- RE: [ActiveDir] 1025/tcp open NFS-or-IIS Marcus.Oh
- Re: [ActiveDir] 1025/tcp open NFS-or-IIS Al Mulnick
- Re: [ActiveDir] 1025/tcp open NFS-or-IIS Ravi Dogra
- Re: [ActiveDir] 1025/tcp open NFS-or-IIS Al Mulnick
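The failure described in the thread (a DC still listening on ports outside a restricted RPC range) can be checked after a restart with a small audit script; this is an added example, not code from any poster in the thread. It assumes the allowed range is written in the `5000-5100` form used by the RPC `Ports` value under `HKLM\Software\Microsoft\Rpc\Internet`; the netstat sample, the range and the `KNOWN_FIXED` allowlist are constructed for illustration.

```python
import re

# Constructed sample of `netstat -ano -p tcp` output from a hypothetical DC
# whose RPC range was restricted to 5000-5100 (not data from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:5003           0.0.0.0:0              LISTENING       1104
  TCP    10.0.0.5:5003          10.0.0.9:4121          ESTABLISHED     1104
"""

# Assumed fixed (non-negotiated) listeners above 1024 that are expected on a DC.
KNOWN_FIXED = {3268, 3269, 3389}

def parse_ranges(entries):
    """Turn entries such as ["5000-5100", "6000"] into (low, high) tuples."""
    ranges = []
    for entry in entries:
        low, _, high = entry.strip().partition("-")
        low, high = int(low), int(high or low)
        if not (1025 <= low <= high <= 65535):
            raise ValueError(f"bad port range: {entry!r}")
        ranges.append((low, high))
    return ranges

def listeners(netstat_text):
    """Yield (port, pid) for every TCP socket in LISTENING state."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
    for line in netstat_text.splitlines():
        m = pat.match(line)
        if m:
            yield int(m.group(1)), int(m.group(2))

def stray_listeners(netstat_text, allowed_entries, known_fixed=KNOWN_FIXED):
    """Return sorted (port, pid) listeners above 1024 outside the allowed range."""
    ranges = parse_ranges(allowed_entries)
    stray = set()
    for port, pid in listeners(netstat_text):
        if port <= 1024 or port in known_fixed:
            continue  # well-known and fixed service ports are not negotiated
        if not any(low <= port <= high for low, high in ranges):
            stray.add((port, pid))
    return sorted(stray)

if __name__ == "__main__":
    for port, pid in stray_listeners(SAMPLE_NETSTAT, ["5000-5100"]):
        print(f"listener on {port}/tcp (PID {pid}) is outside the restricted range")
```

A listener flagged here is only a candidate: netstat does not say which sockets are RPC endpoints, so the PID still has to be matched to its service.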
