DFS-R Design

Posted on 2010-09-09
Last Modified: 2013-11-05
So, I am in the process of deploying a simple DFS-R infrastructure. I have about 70+ servers in just as many remote offices that act as File & Print servers, but they will also double as App-V streaming servers. I want to use DFS-R to keep the App-V content share consistent on each server. Now I know that DFS-R uses RPC to replicate the data to each server.

My road blocks are: We will have a mixed bag of '03 R2 and '08 R2 systems, which use different RPC ports. Another is: our network security team will not allow these random RPC ports. Rather than just isolating DFS-R replication to a single port as outlined in http://support.microsoft.com/kb/319553/en-us, I was thinking I can address both issues by limiting all RPC coming from the server to a port range of 300 (Example: 5000-5300). I chose 300 because the minimum port range for Windows Server '08 is 255 and I wanted a round number :).

I was going to follow the following articles:

Windows Server 2003: http://support.microsoft.com/kb/154596

Windows Server 2008: http://blogs.technet.com/b/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx

I was hoping that someone could provide feedback or flaws.

Thanks,
Question by:JTOCCO
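
The plan described in the question, written out as an added example (not code from the thread or from the linked articles). It assumes the asker's example range of 5000-5300, an elevated prompt, and that PowerShell is installed on the 2003 R2 servers; the `reg.exe` and `netsh.exe` lines also run unchanged from cmd.exe.

```powershell
# Added example: restrict dynamic RPC ports to one firewall-friendly range.
# 5000-5300 is the asker's example range, not a recommended value.
$RangeStart = 5000
$RangeEnd   = 5300
$PortCount  = $RangeEnd - $RangeStart + 1   # 301 ports, above the 255 minimum the question cites

$os = [System.Environment]::OSVersion.Version

if ($os.Major -lt 6) {
    # Windows Server 2003 / 2003 R2 (NT 5.2): registry values from KB154596.
    # They are read by the RPC runtime, so only RPC endpoints are affected.
    $key = 'HKLM\SOFTWARE\Microsoft\Rpc\Internet'
    reg.exe add $key /v Ports /t REG_MULTI_SZ /d "$RangeStart-$RangeEnd" /f
    reg.exe add $key /v PortsInternetAvailable /t REG_SZ /d Y /f
    reg.exe add $key /v UseInternetPorts /t REG_SZ /d Y /f
    Write-Output 'RPC port range written. Restart the server for it to take effect.'
}
else {
    # Windows Server 2008 / 2008 R2 (NT 6.x): set the TCP dynamic port range.
    # This range is used for every dynamic TCP port on the host, not only RPC,
    # so outbound client connections draw from the same 301 ports.
    netsh.exe int ipv4 set dynamicport tcp "start=$RangeStart" "num=$PortCount"
    netsh.exe int ipv4 show dynamicport tcp
}
```

The matching firewall rule then needs TCP 135 (the RPC endpoint mapper) plus the chosen range between replication partners.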
5 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 33645812
Ugh, I feel your pain.  Anything that I deploy usually has to deal with a firewall and my network guys are very stingy when it comes to what I can do.  
The Microsoft article 319553 will work. I've used this before through the firewalls as well. Normally you would need high ports to a destination of 135 and then it will negotiate a random high port, but hardcoding it as per 319553 works.
I have also limited the RPC port ranges as you are considering. The one thing to keep in mind is that limiting your RPC ports can have some downside if your servers are really busy because they may run out of ports.
My network guys like the limited range as well. If I can give them a port rule with a small source port range, they are usually much happier.
 
0
 
LVL 1

Author Comment

by:JTOCCO
ID: 33646110
Thanks for the info!

So, as far as restricting RPC as a whole from the server, would you suggest increasing the number of ports to, say, 1000 from 300?

Also, have you run DFSR in an environment this way instead of using Microsoft's KB319553?
0
 
LVL 26

Accepted Solution

by:
Pber earned 2000 total points
ID: 33646285
You can monitor it. On low-usage servers you might be fine with 100 ports; on servers with lots of users or applications such as SQL, you may deplete the available RPC ports quickly. You'll get RPC errors if you run out.
You can also sniff with netmon and watch the RPC ports. You'll see the source ports go up from your defined range. They eventually get re-used as connections come up and drop. Experiment with 300 and see how it goes.
As far as DFSR, that is generally how I've done it: not restricting to a specific port, but using a constricted RPC range. Works fine.
0
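
One way to do the monitoring suggested in the accepted answer, as an added example that is not part of the original thread. It counts distinct local ports in use inside the restricted range from `netstat -ano -p tcp` output; the sample lines are constructed, and the function name `Get-RpcRangeUsage` and the 80% warning threshold are assumptions.

```powershell
# Added example. Replace $netstat with live data:  $netstat = netstat -ano -p tcp
$RangeStart = 5000; $RangeEnd = 5300      # asker's example range
$WarnAt     = 0.80                         # assumed alert threshold

# Constructed sample output (addresses and PIDs are made up).
$netstat = @'
  TCP    10.1.1.20:135     0.0.0.0:0          LISTENING     812
  TCP    10.1.1.20:5000    0.0.0.0:0          LISTENING     1480
  TCP    10.1.1.20:5001    10.1.9.14:49160    ESTABLISHED   1480
  TCP    10.1.1.20:5002    10.1.9.15:49171    ESTABLISHED   1480
  TCP    10.1.1.20:5003    10.1.9.15:49172    TIME_WAIT     0
  TCP    10.1.1.20:445     10.1.9.14:49155    ESTABLISHED   4
'@ -split "`r?`n"

function Get-RpcRangeUsage {
    param([string[]]$Lines, [int]$Start, [int]$End)
    $used = @{}
    foreach ($line in $Lines) {
        # Columns: proto  local-addr:port  remote-addr:port  state  pid
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$') {
            $port = [int]$Matches[1]
            if ($port -ge $Start -and $port -le $End) {
                # Count each local port once, whatever its state:
                # a socket in TIME_WAIT still holds its port.
                $used[$port] = $Matches[2]
            }
        }
    }
    $size   = $End - $Start + 1
    $states = $used.Values | Group-Object | ForEach-Object { "$($_.Name)=$($_.Count)" }
    New-Object PSObject -Property @{
        RangeSize = $size
        InUse     = $used.Count
        Percent   = [math]::Round(100 * $used.Count / $size, 1)
        States    = $states -join ', '
    }
}

$usage = Get-RpcRangeUsage -Lines $netstat -Start $RangeStart -End $RangeEnd
$usage | Format-List RangeSize, InUse, Percent, States
if ($usage.InUse / $usage.RangeSize -ge $WarnAt) {
    Write-Warning "Port range $RangeStart-$RangeEnd is close to exhaustion."
}
```

Run on a schedule during busy hours, the `Percent` figure shows whether 300 ports is enough for a given server before RPC errors start to appear.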
 
LVL 1

Author Closing Comment

by:JTOCCO
ID: 33646600
I appreciate the input!
0
 
LVL 26

Expert Comment

by:Pber
ID: 33647412
Glad to help.
0
