gerhardub

asked on

What SPECIFIC ports does DFS under Windows 2003 R2 require?

I'm in the process of configuring DFS.  I've done it before, but we've had issues with the various firewalls and IPS units in between the branch offices.

So, for 500 points, I'd like to know EXACTLY which ports DFS uses when you are running Windows 2003 Server R2.

None of the articles I'm seeing on Microsoft's website indicate if there is a difference between Windows 2003 Server and Windows 2003 Server R2, but there is certainly an addition for R2.

I'd like someone who's configured a firewall between two sites using R2 DFS / DFS namespaces to tell me which ports they needed to open, and, if possible, any experiences they had with issues related to DFS.

I appreciate it.
Rob Williams

DFS uses the following ports:
TCP 137, 139, 389, 135, 445
UDP 137, 138, 389, 445
You can see details on the following link:
http://technet2.microsoft.com/windowsserver/en/library/a9096e88-1634-4da6-b820-537341d349061033.mspx?mfr=true

However !!! Most of those ports can be very risky to have exposed on the Internet. DFS between sites is usually done within the safety of a VPN or dedicated connection such as a site to site T1.
gerhardub (ASKER)

Notice how that Article is based on Windows 2003 Server, NOT Windows 2003 Server R2!

The article you refer to is about 4 years old since it was last updated.

I need information that applies to Windows 2003 Server R2's version of DFS.
Sorry, didn't realize there was a difference.
Are you actually forwarding this traffic over the Internet unencrypted?
Within a VPN tunnel, all ports are open by default making configuration easier and safe.
ASKER CERTIFIED SOLUTION
Rob Williams

...and also the following, specific to R2:
"Can DFS Replication replicate between branch offices without a VPN connection?
Yes, assuming that there is a private Wide Area Network (WAN) link (not the Internet) connecting the branch offices. However, you must open the proper ports in external firewalls. DFS Replication uses the RPC Endpoint Mapper (port 135) and a randomly assigned ephemeral port above 1024. You can use the Dfsrdiag command line tool to specify a static port instead of the ephemeral port. For more information about how to specify the RPC Endpoint Mapper, see article 154596 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=73991)."
from:
http://technet2.microsoft.com/windowsserver2008/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx?mfr=true

No, I'm running this through a VPN tunnel, a few Cisco ASAs, and a few Tipping Points.

This is why I need to have someone who's using Windows 2003 R2 DFS to verify that it uses all of the ports that Windows 2003 [non-R2] plus anything new (135, random RPC).

MS is not making it clear that DFS on the ORIGINAL version of Windows 2003 and DFS on Windows 2003 R2 use exactly the same ports - or are even the same thing.

This KB article: http://support.microsoft.com/kb/832017 lists DFS & DFSR...

Are DFS and DFSR the same thing? or has DFSR taken over for DFS??  (Did they come up with a new version of DFS called DFSR in R2, and then limit it to two ports?)

So maybe I need to be asking this:

What Windows 2003 R2 service do I need to be running in order to host a DFS Namespace and DFS Replication?  Furthermore, what SPECIFIC ports are required in R2 [ONLY, since the KB is not R2 specific] to use DFS Namespaces and DFSR?

Insofar as RPC is concerned, you can limit RPC to a range according to this KB:

http://support.microsoft.com/kb/154596/en-us
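An added example, not from the thread: a small Python audit that checks a permit-only firewall allow-list (the rule format is constructed for this example) against the ports named in the answers above for DFS namespaces and for DFSR, and shows why DFSR needs either the whole ephemeral range open or a static port pinned with dfsrdiag (the 5722 value is an assumed example port, not one the thread gives).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One allow-list entry (constructed format): protocol and inclusive port range."""
    proto: str   # "tcp" or "udp"
    low: int
    high: int

    def allows(self, proto, port):
        return self.proto == proto and self.low <= port <= self.high

# Ports named in the thread for DFS (namespaces) on Windows Server 2003.
DFS_NAMESPACE_PORTS = {"tcp": (135, 137, 139, 389, 445), "udp": (137, 138, 389, 445)}
# DFSR: RPC Endpoint Mapper (TCP 135) plus an ephemeral port above 1024,
# unless a static port has been pinned with dfsrdiag.
EPHEMERAL = (1025, 65535)

def required_ports(dfsr_static_port=None):
    """Return the set of (proto, port) pairs the firewall must allow."""
    req = {(p, port) for p, ports in DFS_NAMESPACE_PORTS.items() for port in ports}
    req.add(("tcp", 135))
    if dfsr_static_port is not None:
        req.add(("tcp", dfsr_static_port))
    return req

def first_gap(rules, proto, low, high):
    """First sub-range of [low, high] that no rule covers, or None if fully covered."""
    cursor = low
    for lo, hi in sorted((r.low, r.high) for r in rules if r.proto == proto):
        if hi < cursor:
            continue
        if lo > cursor:
            return (cursor, min(lo - 1, high))
        cursor = hi + 1
        if cursor > high:
            return None
    return (cursor, high) if cursor <= high else None

def audit(rules, dfsr_static_port=None):
    """Return (missing fixed ports, DFSR RPC gap); the gap is None when DFSR can connect."""
    missing = sorted(pp for pp in required_ports(dfsr_static_port)
                     if not any(r.allows(*pp) for r in rules))
    if dfsr_static_port is None:
        gap = first_gap(rules, "tcp", *EPHEMERAL)   # the whole range must be open
    else:
        gap = None if ("tcp", dfsr_static_port) not in missing else (dfsr_static_port,) * 2
    return missing, gap
```

A tight allow-list that only opens the fixed DFS ports reports no missing ports but a gap of (1025, 65535) for DFSR; pinning a static port and allowing just that port closes the gap without opening the range.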
Afraid I do not know anything further than the above.  All versions of DFS have used the same ports since NT, but quite right, it is possible R2 has changed that, as replication is the primary change in R2. If using the Cisco VPN, do you have restrictions within the tunnel that have to be dealt with? I would think all traffic would be allowed, but perhaps for security you have it tightened down. The fact that R2 appears to use dynamically assigned random ports over 1024 does make it more difficult if the VPN tunnel is not "wide open".
No, that's not how we do things here... we use a permit only scheme:  We turn things on only that we know we have to.

Then, we use inspection engines to look at the traffic and verify that it's not an attack, etc...

Understandable.