Problem with Windows 2008 Domain Controllers

We have 4 Windows 2008 R2 domain controllers (DCs), 2 at each site connected via firewalls. Can anyone tell us why they are trying to communicate over TCP ports 45003-45007? The main service failing is lsass.exe. We cannot find any documentation from Microsoft stating that Active Directory should be using this port range. For compliance reasons we cannot open these ports without backup documentation. Can anyone help explain why all 4 of our DCs are using these ports (45003-45007)?
dwortman (Engineering Associate) asked:
Adam Brown (Sr Solutions Architect) commented:
You may want to check to see if the DCs are configured to use static RPC ports for replication. https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port will help you find the registry settings that control that. You'll want to make sure this isn't enabled if it is configured to use those ports.

You'll also want to check the DFS replication configuration to see if it is set for a static port.
Mahesh (Architect) commented:
For specific Active Directory communication such as SYSVOL replication (DFSR), NTFRS, Group Policy, and Certificate Services if installed on the DC, AD uses dynamic RPC high port ranges from 1024 to 65535
https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

For the rest of the RPC communication it uses high RPC ports ranging from 49152 to 65535, and you can control this
https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port
This change needs to be done on every domain controller
---------------------------------------------------------------------------------------------------------------------
You may customize / restrict which high RPC ports AD should use
https://support.microsoft.com/en-in/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista
This change needs to be done on every domain controller; however, this change is risky as it may stop some operations and needs Microsoft PSS / MCS guidance
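As an added example (not code posted in this thread), the PowerShell below gathers from every DC the two settings that decide which RPC ports it may use: the static port values from KB224196 (Adam Brown's point) and the dynamic port range from KB929851 (Mahesh's and the Microsoft quote's point), then checks whether the ports seen in the question fall inside either. It assumes the ActiveDirectory module, WinRM access to each DC as a domain admin, English-language netsh output, and the observed port list 45003-45007 taken from the question.

```powershell
# Observed ports from the question; this is the input under investigation, not a Microsoft default.
$observedPorts = 45003..45007

# Enumerate all DCs in the domain (requires the ActiveDirectory module).
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        # Static RPC ports per KB224196; the values are absent ($null) when not configured.
        $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
        $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue

        # Dynamic range actually in effect (KB929851): parse "Start Port" and "Number of Ports".
        # A DFSR static port, if one was set with "dfsrdiag StaticRPC", is not covered here.
        $dyn   = netsh int ipv4 show dynamicport tcp
        $start = [int](($dyn | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
        $count = [int](($dyn | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)

        [pscustomobject]@{
            DC                 = $env:COMPUTERNAME
            NtdsStaticPort     = $ntds.'TCP/IP Port'
            NetlogonStaticPort = $nl.DCTcpipPort
            DynamicStart       = $start
            DynamicEnd         = $start + $count - 1
        }
    }
}

foreach ($r in $report) {
    # All observed ports inside the dynamic range means the traffic is ordinary ephemeral RPC.
    $inDynamic = @($observedPorts | Where-Object { $_ -ge $r.DynamicStart -and $_ -le $r.DynamicEnd }).Count -eq $observedPorts.Count
    # Any observed port equal to a configured static port points at a KB224196-style setting.
    $static   = @($r.NtdsStaticPort, $r.NetlogonStaticPort) | Where-Object { $_ }
    $isStatic = @($observedPorts | Where-Object { $static -contains $_ }).Count -gt 0

    $r | Add-Member -NotePropertyName ObservedInDynamicRange -NotePropertyValue $inDynamic
    $r | Add-Member -NotePropertyName ObservedMatchesStatic  -NotePropertyValue $isStatic
}

$report | Format-Table -AutoSize
```

A DC that reports neither a static match nor the observed ports inside its dynamic range is the one whose configuration (or whose firewall path) deserves the closer look, since nothing on that DC explains the port choice.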
Hello There (System Administrator) commented:
From Microsoft documentation:
In a domain that consists of Windows Server® 2003–based domain controllers, the default dynamic port range is 1025 through 5000. Windows Server 2008 R2 and Windows Server 2008, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic port range for connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 R2 and Windows Server 2008 server and Windows Server 2003, allow traffic through ports 1025 through 5000 and 49152 through 65535.

When you see “TCP Dynamic” in the Protocol and Port column in the following table, it refers to ports 1025 through 5000, the default port range for Windows Server 2003, and ports 49152 through 65535, the default port range beginning with Windows Server 2008.
dwortman (Engineering Associate, author) commented:
Thanks for all of the suggestions.