Networking Forums

Win 2008 Firewall with DFSR using a static port - Solved

 
 
moi
09-04-2008, 01:59 PM
In Windows 2008 Microsoft have made changes to the dynamic port range to
comply with IANA recommendations.

Details at http://support.microsoft.com/default...b;EN-US;929851,
including how to modify the settings.

The range now starts at 49152. This is unfortunate as 49152 was the
suggested port in the Microsoft docs for configuring AD replication to use a
static port. We've used 49152, 49153 and 499154 for AD, NTFRS and DFSR on
Windows 2003.

I've struggled to get this working with Windows 2008 and the local firewall.
Diagnosis was difficult as netstat showed the expected connections and the
firewall log showed no dropped packets but communications failed.

The fix:

1) Set the dynamic port range to start at 49160

2) Delete the default inbound firewall rule 'DFS Replication (RPC-In)' - as
default rules cannot be edited.

3) Create a replacement rule with settings

Type = TCP, Local port = specific 49154, Remote port = All ports

Program = %SystemRoot%\System32\dfsrs.exe, Service = DFSR

See also earlier message 'Win 2008 Firewall with DFSR using a static port
Query'

PC
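The three steps of the fix above, scripted with `netsh` from PowerShell. This is an added example and not part of the original post. It assumes DFSR is already configured to listen on 49154, that the dynamic range should still end at 65535, and that the replacement rule is an allow rule; the rule name `DFSR static port (RPC-In)` is hypothetical.

```powershell
# Added example, not from the original post. Run elevated on the Windows 2008 server.
# Assumes DFSR is already configured to listen on the static port below.
$StaticPorts = 49152, 49153, 49154      # AD, NTFRS, DFSR ports from the post (DFSR per step 3)
$DfsrPort    = 49154
$NewStart    = 49160                    # step 1
$NewCount    = 65535 - $NewStart + 1    # assumption: range still ends at 65535
$OldRule     = 'DFS Replication (RPC-In)'
$NewRule     = 'DFSR static port (RPC-In)'   # hypothetical name for the replacement rule

function Get-DynamicTcpRange {
    # netsh prints two "label : number" lines: start port, then number of ports.
    $n = @(netsh int ipv4 show dynamicport tcp |
        Where-Object { $_ -match ':\s*\d+\s*$' } |
        ForEach-Object { [int]($_ -replace '^.*:\s*(\d+)\s*$', '$1') })
    if ($n.Count -lt 2) { throw 'Could not parse netsh dynamicport output' }
    return $n[0], ($n[0] + $n[1] - 1)   # first and last port of the range
}

# Step 1: move the dynamic range above the static ports, then confirm it.
netsh int ipv4 set dynamicport tcp start=$NewStart num=$NewCount
if ($LASTEXITCODE -ne 0) { throw 'Setting the dynamic port range failed' }
$first, $last = Get-DynamicTcpRange
$clash = @($StaticPorts | Where-Object { $_ -ge $first -and $_ -le $last })
if ($clash.Count -gt 0) { throw "Static ports still inside dynamic range: $clash" }

# Step 2: remove the default rule, which cannot be edited.
netsh advfirewall firewall delete rule "name=$OldRule"

# Step 3: replacement rule (action=allow is an assumption), limited to the
# DFSR binary, service and port.
netsh advfirewall firewall add rule "name=$NewRule" dir=in action=allow `
    protocol=TCP localport=$DfsrPort remoteport=any `
    'program=%SystemRoot%\System32\dfsrs.exe' service=DFSR
if ($LASTEXITCODE -ne 0) { throw 'Creating the replacement rule failed' }

# Show the stored rule so the port, program and service can be checked.
netsh advfirewall firewall show rule "name=$NewRule" verbose
```

Binding the rule to `dfsrs.exe` and the DFSR service, as the post does, keeps port 49154 closed to any other process that might listen on it.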




 
Robert L. (MS-MVP)
09-05-2008, 12:11 AM
Thank you for sharing your experience with us.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


 