Dreaming of a second, non-engineer outlook on life

Posted
Filed under Study

The firewall in question was configured properly to allow Windows Server 2003 domain controllers to replicate, but the Win2008 domain controller was blocked.  This is not because we changed the way replication works per se.  Replication is still accomplished by server to server RPC calls, the same as in Win2003.  But we did change the underlying mechanism that the network stack uses to determine which ports those RPC calls use.

By default, the dynamic port range in Windows Server 2003 was 1024-5000 for both TCP and UDP.

In Windows Server 2008 (and Windows Vista), the dynamic port range is 49152-65535, for both TCP and UDP.

What this means is that any server-to-server RPC traffic (including AD replication traffic) is suddenly using an entirely new port range over the wire. We made this change in order to comply with IANA recommendations about port usage. Therefore, if you start deploying Windows Server 2008 on your network, and are using firewalls to restrict traffic on your internal network you will need to update the configuration of those firewalls to compensate for the new port range.

It doesn’t stop at RPC traffic though.  The dynamic port range is used for any and all outbound requests from your computer that don’t use a specific source port.  This means that if you fire up Internet Explorer and browse to a web page, the network traffic is going to source from a port higher than 49152 on Vista or 2008.  This means that potentially, any application that connects to other machines via the network could be impacted by a firewall that’s not configured for this change.  In Directory Services support here at Microsoft, we really care mostly about Active Directory related traffic, but this is something that everyone should watch out for. So for example, look at this snippet of a NETSTAT command run on a Vista machine where we are simply connected to a web site with IE7:

C:\Windows\system32>netstat -bn

Active Connections

Proto Local Address Foreign Address State
TCP 10.10.0.10:53556 65.59.234.166:80 TIME_WAIT
TCP 10.10.0.10:53572 65.59.234.166:80 TIME_WAIT
[iexplore.exe]

In Vista and 2008, most administration of things at the network stack level is handled via NETSH.  Using NETSH, it’s possible to see what your dynamic port range is set to on a per server basis:

>netsh int ipv4 show dynamicport tcp
>netsh int ipv4 show dynamicport udp
>netsh int ipv6 show dynamicport tcp
>netsh int ipv6 show dynamicport udp

These commands will output the dynamic port range currently in use.  Kind of a neat fact is that you can have different ranges for TCP and UDP, or for IPv4 and IPv6, although they all start off the same.

In Windows Server 2003 the range always defaults to starting with TCP port 1024, and that is hard-coded.  But in Vista/2008, you can move the starting point of the range around.  So if you needed to, you could tell your servers to use ports 5000 through 15000 for dynamic port allocations, or any contiguous range of ports you wanted.  To do this, you use NETSH again:

>netsh int ipv4 set dynamicport tcp start=10000 num=1000
>netsh int ipv4 set dynamicport udp start=10000 num=1000
>netsh int ipv6 set dynamicport tcp start=10000 num=1000
>netsh int ipv6 set dynamicport udp start=10000 num=1000

The examples above would set your dynamic port range to start at port 10000 and go through port 11000 (1000 ports).

A few important things to know about the port range:

· The smallest range of ports you can set is 255.
· The lowest starting port that you can set is 1025.
· The highest end port (based on the range you set) cannot exceed 65535.
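As an added example (not code from the quoted Microsoft post or from this blog), here is a small Python helper that ties the pieces above together: it parses the kind of netstat -bn output shown earlier and flags connections whose source port a firewall rule written for the Windows Server 2003 range (1024-5000) would not permit, checks a proposed custom range against the three constraints just listed, and emits the four netsh set commands. The function names and the sample netstat text are constructed for this example.

```python
import re

# Default dynamic port range on Windows Server 2003; 2008/Vista moved it to 49152-65535.
WIN2003_RANGE = (1024, 5000)
# One "netstat -n" connection line: "TCP 10.10.0.10:53556 65.59.234.166:80 TIME_WAIT"
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")

def parse_netstat(text):
    """(proto, local_port, remote, state) per connection; headers and [exe] lines skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, _local_ip, lport, remote, state = m.groups()
            rows.append((proto, int(lport), remote, state))
    return rows

def blocked_by_legacy_rule(text, allowed=WIN2003_RANGE):
    """Connections whose source port a firewall rule written for 2003 would not permit."""
    lo, hi = allowed
    return [(proto, port) for proto, port, _r, _s in parse_netstat(text)
            if not lo <= port <= hi]

def validate_range(start, num):
    """The three constraints the page lists; assumes the range is start .. start+num-1."""
    if num < 255:
        return False, "range must cover at least 255 ports"
    if start < 1025:
        return False, "starting port must be at least 1025"
    if start + num - 1 > 65535:
        return False, "end port would exceed 65535"
    return True, "ok"

def netsh_commands(start, num):
    """The four netsh commands (IPv4/IPv6 x TCP/UDP) that apply a validated range."""
    ok, why = validate_range(start, num)
    if not ok:
        raise ValueError(why)
    return [f"netsh int {ipv} set dynamicport {proto} start={start} num={num}"
            for ipv in ("ipv4", "ipv6") for proto in ("tcp", "udp")]

# Constructed sample modelled on the page's netstat -bn snippet (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    10.10.0.10:53556       65.59.234.166:80       TIME_WAIT
  TCP    10.10.0.10:3421        10.10.0.5:135          ESTABLISHED
 [iexplore.exe]
"""
```

Running blocked_by_legacy_rule(SAMPLE_NETSTAT) reports only the IE connection sourced from port 53556, which is exactly the traffic an unchanged 1024-5000 rule would drop after the upgrade.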

For more information on this, check out KB 929851.

At this point you’re probably wondering what our recommendation is for configuring firewalls for AD replication with Windows Server 2008.  Generally speaking, we don’t recommend that you restrict traffic between servers on your internal network.  If you must deploy firewalls between servers, you should use IPSEC or VPN tunnels to allow all traffic between those servers to pass through, regardless of source or destination ports.  However, experience has taught us that some customers are going to want to restrict traffic, which is why it is possible to configure this range and control the ports that will be used.

Here are two FAQs that have come up internally around this change:

Q:  How do the changes to the dynamic port ranges affect AD replication?

A:  AD replication relies on dynamically allocated ports for both sides of the replication connection.  This means that by default, replication traffic will now use ports higher than 49152 on both domain controllers involved in the transaction.

Q:  Can the port that replication traffic uses be controlled?

A:  It is still possible to restrict replication traffic to a specific port using the registry values documented in KB 224196.

Recently I ran into a problem with RPC ports. Having only ever used ISA or FTMG firewalls, I never gave RPC dynamic ports any special thought, but recently, while a Windows Server 2012 and MSSQL 2008 R2 cluster was not connecting smoothly, I found that certain ports were not communicating. Dynamic ports are ports used at random in the 1024-65535 range, and the issue was that RPC, too, needs to create a dynamic port once a session is established. I had only known dynamic ports as internal dynamic ports, but today I learned that they are external ports, and it was also puzzling that only specific ports were being used. Only these two ports, TCP/UDP 49155 and 49159, were not communicating, and once I opened them on the firewall what had not been working was resolved, but having to open such a large range will also be an issue, so how to solve that has become homework for me. I could either push to just open the wide range or use a VPN, but using a VPN just because you cross one subnet within the same infrastructure seems lame, and I'm simply indifferent as to how to look at this. For now, do I just push it through? Or just open those two ports and, if another error comes up, ask for everything to be opened then? Time will tell, haha.

2013/10/10 16:46