How Can I Restrict Active Directory Replication Traffic to a Specific Port?

By default, Active Directory (AD) replication via remote procedure calls (RPCs) does not use a fixed port. A replication partner first contacts the RPC Endpoint Mapper on TCP port 135 (a port shared with other RPC-based services, including Microsoft Exchange), and the Endpoint Mapper hands back a dynamically assigned high port on which the directory service (NTDS) is listening for that session. Because that port changes, a firewall between two domain controllers (DCs) would otherwise have to open the whole dynamic range. An administrator can override this behaviour and bind NTDS replication RPC to one fixed port, so that only that port and TCP 135 need to be allowed between DCs. To set a specific port, perform the following steps:

1. Start a Registry Editor (e.g., regedit.exe).
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
3. From the Edit menu, select New, then DWORD Value.
4. Enter the name as "TCP/IP Port" without the quotes and press Enter.
5. Double-click TCP/IP Port, select Decimal as the base, set the value to the desired port number, and click OK. (Regedit defaults to Hexadecimal, so a port typed as 50000 without changing the base becomes 0x50000, which is not a valid port.)
6. Close the Registry Editor and reboot the domain controller; the setting takes effect when the directory service starts.
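The same change, scripted and followed by a post-reboot check, as an added PowerShell example that is not part of the original article. It assumes a current Windows Server DC with the NetTCPIP module (Get-NetTCPConnection, Test-NetConnection); the function names, the port 50000 and the partner name DC02 are illustrative assumptions, not values from the page.

```powershell
# Added example (not from the original article): pin NTDS replication RPC to a fixed
# port and verify it after the reboot. Run in an elevated session on the DC.
# Function names, the port and the partner DC name are assumptions for illustration.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'TCP/IP Port'

function Set-AdReplicationPort {
    param([Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Port)

    # DWORD value written as a decimal integer; -Force overwrites an existing value.
    New-ItemProperty -Path $ntdsParams -Name $valueName -Value $Port `
        -PropertyType DWord -Force | Out-Null

    # Read it back so a typo (or a hex/decimal mix-up) is caught before the reboot.
    $current = (Get-ItemProperty -Path $ntdsParams -Name $valueName).$valueName
    if ($current -ne $Port) { throw "Expected $Port but the registry holds $current" }
    Write-Host "NTDS '$valueName' = $current. Reboot the DC for it to take effect."
}

function Test-AdReplicationPort {
    param([Parameter(Mandatory)][int]$Port, [string]$PartnerDC)

    # After the reboot, LSASS (which hosts the directory service) should own the listener.
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listener) { Write-Warning "Nothing is listening on TCP $Port"; return $false }
    $owner = (Get-Process -Id $listener[0].OwningProcess).ProcessName
    Write-Host "TCP $Port is owned by $owner (expected: lsass)"

    if ($PartnerDC) {
        # The Endpoint Mapper on TCP 135 is still consulted first, so BOTH ports must
        # pass any packet filter between the two DCs.
        foreach ($p in 135, $Port) {
            $ok = (Test-NetConnection -ComputerName $PartnerDC -Port $p `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
            Write-Host ("TCP {0} to {1}: {2}" -f $p, $PartnerDC, $(if ($ok) { 'open' } else { 'BLOCKED' }))
        }
    }
    return ($owner -eq 'lsass')
}

# Usage (assumed values):
#   Set-AdReplicationPort -Port 50000
#   Restart-Computer
#   Test-AdReplicationPort -Port 50000 -PartnerDC 'DC02'
```

The read-back in Set-AdReplicationPort is the cheap guard against the hexadecimal default in regedit; the listener check in Test-AdReplicationPort confirms that the directory service, and not some other process, actually took the port.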

Because routers, firewalls and host-based filters between domain controllers may filter packets, administrators must make sure that every intermediate network device or piece of software that filters traffic between DCs allows the chosen port in addition to TCP 135: the Endpoint Mapper is still consulted to learn the fixed port, so blocking 135 breaks replication even with the value set. Note also that this value pins only NTDS (directory) replication RPC; SYSVOL replication and other DC traffic such as Kerberos, LDAP and SMB are not affected by it and still need their own ports open.
