Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to restrict FRS replication traffic to a specific static port


View products that this article applies to.

Summary

This article describes how to configure a static port for File Replication service (FRS) traffic.

NOTE: The functionality that is described in this article is a post-Windows 2000 Service Pack 2 (SP2) feature. Therefore, the information in this article applies only to Windows 2000-based servers that are running SP2 and the post-SP2 QFE hotfix that is described in the following Microsoft Knowledge Base article:
321557 Improvements in the post-SP2 release of Ntfrs.exe that is packaged with an updated Ntfs.sys driver

↑ Back to the top


More information

FRS is a multiple-threaded, multiple-master replication engine that replaces the LANMan Directory Replication (LMRepl) service in Microsoft Windows NT versions 3.x and 4.0. Windows 2000-based domain controllers and servers use FRS to replicate system policy and logon scripts for client computers that are running Windows 2000 and earlier. Additionally, FRS can replicate content between Windows 2000-based servers that host the same fault-tolerant Distributed File System (DFS) roots or child-node replicas.

FRS Replication

By default, FRS replication over remote procedure calls (RPCs) occurs dynamically over an available port by using RPC Endpoint Mapper (also known as RPCSS) on port 135; the process is the same for Active Directory or Microsoft Exchange Server replication. You can override this default functionality and specify the port that all FRS replication traffic passes through (you can configure Active Directory in the same way). When you do so, you can limit replication to a static port. For more informationabout how to restrict Active Directory replication traffic to a port, click the following article number to view the article in the Microsoft Knowledge Base:
224196 Restricting Active Directory replication traffic and client RPC traffic to a specific port
NOTE: Before you change the default port settings in your production environment, set up a lab to simulate FRS use and to test performance. Some administrators keep only policies and scripts in SYSVOL, but other administrators may keep large amounts of data. Because every environment is different, make sure that you make your test configuration as close as possible to the production environment.

In FRS replication, the client does not know the complete binding. Therefore, when the client connects to an RPC endpoint, the RPC run-time on the client contacts RPC Endpoint Mapper on the server at a well-known port (port 135), and obtains the port to connect to for the service that is supporting the RPC interface. The service registers the endpoint when it starts, and it has the choice of a using either a dynamically assigned port or a specific port.

You can use the following procedure to configure FRS to run on a specific port. When you do so, the port is registered with RPC Endpoint Mapper.

NOTE: This article does not describe the complete solution for a server to use FRS through a firewall. If you use FRS replication together with a firewall, you may have to open several additional ports such as the ports for Kerberos and for the Lightweight Directory Access Protocol (LDAP). The set of ports may depend on the domain role of the server. For example, assume the domain role of the server is a domain controller. In this scenario, FRS can obtain Kerberos tickets and configuration information from Active Directory Domain Services (AD DS) locally.

How to Restrict FRS Traffic to a Specific Static Port

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

Modify the following value on each domain controller where the restricted port is to be used:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: RPC TCP/IP Port Assignment
    Data type: REG_DWORD
    Value data: Type an available port. This value needs to be specified in decimal format.
    NOTE: If you do not type a value, this registry setting always uses a value of zero and a dynamic TCP/IP port assignment is used.
  4. Quit Registry Editor.
IMPORTANT: You must see if there is an intermediate network device or software that is being used to filter packets between domain controllers. If so, verify that the device or the software allows communication over the specified port. Additionally, make sure the destination TCP port that you set is open on the firewall.

For additional information about the post-SP2 hotfix for FRS, click the following article number to view the article in the Microsoft Knowledge Base:
321557 Improvements in the post-S release of Ntfrs.exe that is packaged with an updated Ntfs.sys driver
For additional information about RPC Endpoint Mapper, click the following article number to view the article in the Microsoft Knowledge Base:
154596 How to configure RPC dynamic port allocation to work with firewalls

↑ Back to the top


Keywords: kbenv, kbfix, kbhowto, KB319553

↑ Back to the top

Article Info
Article ID : 319553
Revision : 4
Created on : 2/1/2010
Published on : 2/1/2010
Exists online : False
Views : 1567