I hadn't tried it since 2000, as we didn't have much success. Basically DCs would fail replication because they were still picking ports out of ranges that were no longer supposed to be used… :) Well, I have all my DCs at 2003 SP1… I think I may give this a go again. I have a perfect opportunity at something I'd like to test.
Are there any drawbacks related to this? Performance maybe?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, March 10, 2006 9:16 AM
To: [email protected]
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS
Honestly? I have with servers, but haven't tried a DC in 2000. As noted in the next post, it has been shown to have good results in 2003 + SP1. In 2000 there were all kinds of "undone" or "mostly done" features that you'll find work much better in 2003 + SP1.
My advice if you need this functionality is to bring it to 2003 + SP1 or don't try real hard to get it done. I know that business reasons can be brought up to get in the way, but I'm sure that reliability obtained through bug fixes is worth the extra effort in every case.
2000 was good, but 2003 is WAY better by far in its reliability and capabilities.
Al
On 3/10/06, [EMAIL PROTECTED] < [EMAIL PROTECTED]> wrote:
Al, do you have success with that rpc port limitation? With win2k, it did not work as advertised as I recall…
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, March 09, 2006 9:42 PM
To: [email protected]
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS
1025/tcp is in the range of ephemeral ports. If it were some versions of BSD, that would be 1025-4999, but for Windows it is pretty much 1025-65535 (TCP in this case).
RPC endpoints are typically negotiated and pick from the ephemeral ports that Windows has available (above 1024 or implicitly 1025-65535 with some exceptions).
If you disable that port on a standalone machine, especially a DC, you can easily break its normal function or at least whatever is based on RPC connectivity. You *could* lock down the ports that the RPC endpoint mapper hands out, however, which would allow you to use some other port and thereby disable that port if you really wanted to for some reason. The end result is that when asked, your server would always hand out the same port number to communicate vs. picking one at random.
Was there a particularly interesting reason you want to disable that access? From outside your network you certainly do, but any particular reason why you would on the machine?
Al
On 3/9/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
Hi,
Just wanted to know what is this and how disabling or enabling it can affect my DC?
--
Ravi Dogra
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
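The port pinning Al describes above (telling the endpoint mapper to always hand out a fixed port instead of a random one above 1024) is done through the registry on a DC. The script below is an added example written for this page, not code posted by anyone in the thread. The registry locations are the documented ones for the NTDS replication port (`TCP/IP Port` under NTDS\Parameters), the Netlogon port (`DCTcpipPort`) and the general RPC port range (`HKLM\SOFTWARE\Microsoft\Rpc\Internet`); the port numbers 50000-50100 are an assumption chosen for illustration, and `Get-NetTCPConnection` assumes a Windows Server 2012 / Windows 8 or later box.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Pins the RPC ports a DC hands out:
# the NTDS and Netlogon static ports plus the RPC "Internet" port range.
# Port numbers used below (50000-50100) are an assumption for illustration.

$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$RpcKey      = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-AdRpcPortConfig {
    # Report what the DC hands out today. A missing value means "dynamic":
    # the endpoint mapper picks from the ephemeral range at random.
    $ntds = (Get-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -ErrorAction SilentlyContinue).'TCP/IP Port'
    $nl   = (Get-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort' -ErrorAction SilentlyContinue).DCTcpipPort
    $rpc  = $null
    if (Test-Path $RpcKey) { $rpc = Get-ItemProperty -Path $RpcKey -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        NtdsReplicationPort = if ($ntds) { $ntds } else { 'dynamic' }
        NetlogonPort        = if ($nl)   { $nl }   else { 'dynamic' }
        RpcPortRange        = if ($rpc -and $rpc.Ports) { $rpc.Ports -join ',' } else { 'dynamic' }
        RpcUsesRange        = if ($rpc) { $rpc.UseInternetPorts -eq 'Y' } else { $false }
    }
}

function Set-AdRpcStaticPorts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$NtdsPort,
        [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$NetlogonPort,
        [Parameter(Mandatory)][ValidatePattern('^\d+-\d+$')][string]$RpcRange
    )
    # Refuse a range the DC's own fixed ports fall into, and warn if it is small:
    # once UseInternetPorts is Y, every RPC server on the box draws from it.
    $lo, $hi = $RpcRange -split '-' | ForEach-Object { [int]$_ }
    if ($lo -ge $hi) { throw "RpcRange must be low-high, got $RpcRange" }
    foreach ($p in $NtdsPort, $NetlogonPort) {
        if ($p -ge $lo -and $p -le $hi) { throw "Port $p overlaps the RPC range $RpcRange" }
    }
    if (($hi - $lo) -lt 100) { Write-Warning "Range $RpcRange has fewer than 100 ports; RPC servers may run out" }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "pin AD RPC ports ($NtdsPort, $NetlogonPort, $RpcRange)")) {
        New-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
        New-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null
        if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
        New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString -Value @($RpcRange) -Force | Out-Null
        New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
        New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
        Write-Host 'Static ports written; reboot before the endpoint mapper will use them.'
    }
}

# Before: what the DC hands out now
Get-AdRpcPortConfig

# Pin the ports (drop -WhatIf to actually write the values)
Set-AdRpcStaticPorts -NtdsPort 50000 -NetlogonPort 50001 -RpcRange '50002-50100' -WhatIf

# After the reboot, confirm the replication endpoint is listening on the pinned port
Get-NetTCPConnection -State Listen -LocalPort 50000 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Two caveats a practitioner would want: the change only takes effect after a reboot, and the firewall between DCs (or between clients and the DC) still has to allow 135/tcp for the endpoint mapper itself, since that is where the client learns which pinned port to connect to. Run the -WhatIf form first and check the "before" output so you know whether a previous administrator already pinned something.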
Not that I'm aware of.
Keep in mind that in normal operation, the rpc negotiation just agrees to the randomly picked port it will talk on (you contact the server and it picks a random port for you to continue conversations on from the range >1024 tcp) but if you hardcode the port, you're telling the negotiation to always pick nnnn vs. any random. It's otherwise no different.
Al
On 3/10/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: