How can I restrict Active Directory (AD) replication traffic to a specific port?

A. By default, AD replication via remote procedure calls (RPCs) takes place dynamically over an available port via the RPC Endpoint Mapper using port 135 (the same as Microsoft Exchange). An administrator may override this functionality and specify the port that all replication traffic passes through, thereby locking down the port.

To set a specific port, perform the following steps:

  1. Start a registry editor (e.g., regedit.exe).
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
  3. From the edit menu, select New, DWORD Value.
  4. Enter a name of TCP/IP Port, and press Enter.
  5. Double-click TCP/IP Port, set the value to the desired port, then click OK.
  6. Close the registry editor.
  7. Reboot the domain controller.

Because some routers filter packets, administrators should confirm that they don't filter out any intermediate network devices or software that filters packets between domain controllers.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.