Not knowing your configuration, I am not sure what advice I can offer. You don't need a port range to make the FRS portion work, just a single port. 135 is a high end port about 1026 is required... you set the high end port in the registry. I would make sure you have 135, 445, 1025 & 1026 (Secure channel with DC), and say 50,000 for NTDS replication, and 50,002 for FRS replication. You might be able to get away with an IPSEC policy on all machines.

Other things to consider when messing with firewalls are UDP fragmentation. Initially Windows 2000 used a lot of UDP ports for LDAP, etc. What happens is that you can have everything working hunky dory... then all of a sudden you start seeing replication problems due to authentication, etc. It can be quite maddening. So you will want to force the use of TCP for certain functions like LDAP, etc.

Todd

-----Original Message-----
From: Za Vue [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 20, 2006 7:04 PM
To: [email protected]
Subject: Re: [ActiveDir] DFS-R replication through a firewall

We open port 135 for our subnets only. We made changes to registry to force high ports through a range and open those ports in firewall policy.

-Z.V.

Almeida Pinto, Jorge de wrote:
> Hi Everyone,
>
> I assume everyone knows about:
> "How to restrict FRS replication traffic to a specific static port"
> http://support.microsoft.com/kb/319553
>
> I was wondering about the configuration for DFS-R. Does anyone have experience with that working through a firewall? (instead of opening 135 and a range of high ports)
>
> Thanks!
>
> cheers,
> Jorge
>
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> Tel : +31-(0)40-29.57.777
> Mobile : +31-(0)6-26.26.62.80
> E-mail : <see sender address>
>
> This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/[email protected]/
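The static-port approach Todd and Za Vue describe, worked through as an added PowerShell example that is not part of the thread: it pins the AD (NTDS) and FRS RPC endpoints in the registry, pins DFS-R with dfsrdiag, forces Kerberos over TCP so UDP fragmentation at the firewall cannot break authentication, and opens only 135 plus the fixed ports inbound from the replication-partner subnet. The NTDS and FRS port numbers (50000, 50002) come from Todd's message; the DFS-R port (50004), the partner subnet and the rule names are assumed values. The NTFRS value name is the one from KB319553 (linked in the thread); the NTDS "TCP/IP Port" value, the Kerberos MaxPacketSize value and the dfsrdiag StaticRPC syntax are documented Microsoft settings. New-NetFirewallRule exists only on Windows 8 / Server 2012 and later, so on the 2006-era hosts in the thread the equivalent rules would go into the perimeter firewall instead. Run it elevated on each replication partner, then restart the services (or reboot) for the ports to take effect.

```powershell
# Added example (not from the thread): restrict AD, FRS and DFS-R replication
# to static RPC ports and open only those ports, so the firewall no longer
# needs a whole high-port range.  Back up the registry before running.

$NtdsPort   = 50000            # NTDS replication port, from Todd's message
$FrsPort    = 50002            # FRS replication port, from Todd's message
$DfsrPort   = 50004            # DFS-R replication port, assumed value
$PeerSubnet = '10.0.0.0/24'    # replication-partner subnet, constructed sample value

# 1. AD replication: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, "TCP/IP Port" (REG_DWORD)
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord

# 2. FRS (KB319553): HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters,
#    "RPC TCP/IP Port Assignment" (REG_DWORD)
$frsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
Set-ItemProperty -Path $frsKey -Name 'RPC TCP/IP Port Assignment' -Value $FrsPort -Type DWord

# 3. DFS-R has no registry switch; dfsrdiag sets the static RPC port per member.
dfsrdiag.exe StaticRPC "/Port:$DfsrPort" "/Member:$env:COMPUTERNAME"

# 4. Avoid the UDP fragmentation problem Todd mentions: MaxPacketSize = 1 makes
#    the Kerberos client always use TCP instead of UDP.
$krbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $krbKey)) { New-Item -Path $krbKey -Force | Out-Null }
Set-ItemProperty -Path $krbKey -Name 'MaxPacketSize' -Value 1 -Type DWord

# 5. Inbound rules: RPC endpoint mapper (135) plus the three fixed ports,
#    allowed only from the partner subnet rather than from anywhere.
$rules = @{
    'AD replication - RPC endpoint mapper' = 135
    'AD replication - NTDS static port'    = $NtdsPort
    'AD replication - FRS static port'     = $FrsPort
    'AD replication - DFS-R static port'   = $DfsrPort
}
foreach ($name in $rules.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $rules[$name] -RemoteAddress $PeerSubnet -Action Allow | Out-Null
    }
}

# 6. Read everything back so a mistyped value is caught before the reboot.
[pscustomobject]@{
    NtdsPort      = (Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port').'TCP/IP Port'
    FrsPort       = (Get-ItemProperty -Path $frsKey  -Name 'RPC TCP/IP Port Assignment').'RPC TCP/IP Port Assignment'
    KerberosTcp   = (Get-ItemProperty -Path $krbKey  -Name 'MaxPacketSize').MaxPacketSize -eq 1
    FirewallRules = (Get-NetFirewallRule -DisplayName 'AD replication - *').Count
} | Format-List
```

After the restart, confirm from a replication partner that the endpoint mapper hands out the pinned port (for example by watching the connection to port 135 followed by a connection to 50000/50002/50004 in the firewall log) and that no connection attempts to the old dynamic range remain; any that do point at a service that was not restarted or a member where dfsrdiag was not run.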
