Problem with Windows 2008 Domain Controllers

We have 4 Windows 2008 R2 domain controllers (DC), 2 at each site connected via firewalls. Can anyone tell us why they are trying to communicate over tcp/45003-45007 ports? The main service failing is lsass.exe. We cannot find any documentation from Microsoft stating that Active Directory should be using this port range. For compliance reasons we cannot open these ports without backup documentation. Can anyone help explain why all 4 of our DCs are using these ports (45003-45007)?
Asked by dwortman (Engineering Associate)

Mahesh (Architect) commented:
For specific Active Directory communication such as SYSVOL replication (DFSR), NTFRS, Group Policy, and certificate services if installed on the DC, AD uses dynamic RPC high ports ranging from 1024 to 65535.
https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

For the rest of the RPC communication it uses high RPC ports ranging from 49152 to 65535, and you can control this:
https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port
This change needs to be done on every domain controller.
---------------------------------------------------------------------------------------------------------------------
You may customize / restrict which high RPC ports AD should use:
https://support.microsoft.com/en-in/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista
This change needs to be done on every domain controller; however, this change is risky as it may stop some operations and needs Microsoft PSS / MCS guidance.

Adam Brown (Sr Solutions Architect) commented:
You may want to check to see if the DCs are configured to use static RPC ports for replication. https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port will help you find the registry settings that control that. You'll want to make sure this isn't enabled if it is configured to use those ports.

You'll also want to check the DFS replication configuration to see if it is set for a static port.

Hello There (System Administrator) commented:
From Microsoft documentation:
In a domain that consists of Windows Server® 2003–based domain controllers, the default dynamic port range is 1025 through 5000. Windows Server 2008 R2 and Windows Server 2008, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic port range for connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 R2 and Windows Server 2008 server and Windows Server 2003, allow traffic through ports 1025 through 5000 and 49152 through 65535.

When you see “TCP Dynamic” in the Protocol and Port column in the following table, it refers to ports 1025 through 5000, the default port range for Windows Server 2003, and ports 49152 through 65535, the default port range beginning with Windows Server 2008.

dwortman (Author) commented:
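The answers above name three different reasons a DC may be talking on an unexpected high port: a static RPC port pinned in the registry (KB224196 / the NTFRS equivalent), a static DFSR port, or simply the dynamic range (49152-65535 on 2008 R2, 1025-5000 on 2003). The script below is an added example, not code from the thread or from Microsoft: it inventories all of those settings on one DC and lists the ports lsass.exe actually has open, so a firewall request can be backed by observed configuration rather than a guess. It assumes an elevated PowerShell 2.0+ session on the DC itself; the registry value names and the DfsrMachineConfig WMI class are the documented ones, and `$dcName` is a placeholder for the local computer.

```powershell
# Added example (not from the thread): inventory why a Windows Server 2008 R2 DC
# listens on particular high RPC ports. Run elevated, on each DC in turn.
$dcName = $env:COMPUTERNAME   # placeholder; replace if querying a specific DC

# 1. Static RPC port overrides from KB224196 (NTDS, Netlogon) and the FRS
#    equivalent. If any value is present, that service is pinned to a fixed
#    port instead of drawing one from the dynamic range.
$staticPortSettings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Role = 'AD replication (NTDS)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpIpPort';                Role = 'Netlogon' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Role = 'FRS (SYSVOL, pre-DFSR)' }
)

foreach ($s in $staticPortSettings) {
    $value = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($null -ne $value) {
        "{0}: static port {1} configured ({2}\{3})" -f $s.Role, $value, $s.Path, $s.Name
    } else {
        "{0}: no static port set, service uses the dynamic RPC range" -f $s.Role
    }
}

# 2. DFS Replication keeps its own static-port setting (set via
#    'dfsrdiag StaticRPC'); 0 means the dynamic range is used.
$dfsrConfig = Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrMachineConfig -ErrorAction SilentlyContinue
if ($dfsrConfig) {
    "DFSR: RpcPortAssignment = {0} (0 = dynamic)" -f $dfsrConfig.RpcPortAssignment
} else {
    "DFSR: service not present on $dcName"
}

# 3. The dynamic port range itself, which is what a 2008 R2 DC falls back to
#    when nothing above is pinned.
netsh int ipv4 show dynamicport tcp

# 4. Ports lsass.exe is listening on right now. This is the evidence to attach
#    to the firewall change request: each port should map to one of the
#    settings reported above or fall inside the dynamic range.
$lsassPid = (Get-Process -Name lsass).Id
netstat -ano -p tcp | Select-String "LISTENING\s+$lsassPid\s*$"
```

If every lsass.exe listener falls inside the range that `netsh` reports and no static override is set, the ports in the question are ordinary dynamic RPC endpoints and the firewall rule should cover the whole range, as the Microsoft text quoted above says; if a static value is found, that single port is what needs documenting instead.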
Thanks for all of the suggestions.