FRS and firewalls

Recently we began a lot of work tightening down our network at work. This included tightening the internal firewall settings so that inter-site connections only allowed traffic going over identified ports.

This is a good thing and a bad thing to have. It is good in that you can severely restrict what is able to process across the linkages and therefore prevent a lot of unneeded traffic from consuming your WAN links. It can be bad in a way too – it breaks things.

One such thing is file replication services. By locking down the firewalls between sites, some components stop functioning because they rely on dynamic ports, and FRS is one of them. FRS begins a conversation by communicating on port 135 (the RPC endpoint mapper), but once the source communicates to the target they switch to a dynamically assigned port.

FRS in a 2003 domain is what is used to replicate the login scripts and GPOs via the SYSVOL share. No FRS replication means no SYSVOL replication, creating security holes in and of itself, in addition to messing up your day when login scripts aren’t updated on remote DCs.

The solution is to restrict the FRS service to a specified port.

First, identify a port not being used within your network. Avoid using anything below 1024. For the purpose of this discussion I’m going to use 12345.

Next, program your intermediate network devices to allow this port to and from specific hosts. In this case the domain controllers are the hosts and the port is going to be 12345.

Third, on each DC open regedit. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters. Add the DWORD value RPC TCP/IP Port Assignment. For the value data enter your port, 12345 in our example, IN DECIMAL FORMAT, not hexadecimal.

Finally, restart the FRS service on each DC. Within a few minutes you should start seeing your SYSVOL contents being replicated amongst the DCs again.
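The registry and restart steps above as a single PowerShell script. This is an added example, not part of the original post; it assumes you run it elevated on each DC, that the service is named NtFrs, and it keeps the post's example port 12345 as the default.

```powershell
# Added example (not from the original post): pin FRS to a static RPC port on one DC.
# Assumes: run elevated on a DC where the NtFrs service exists.
# 12345 is the post's example port; pass -Port with the port you actually reserved.
param(
    [ValidateRange(1024, 65535)]   # the post says to avoid anything below 1024
    [int]$Port = 12345
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
$name = 'RPC TCP/IP Port Assignment'

# Refuse to pin FRS to a port that already has a local listener on this host.
# The local-address column is the first \S+ after "TCP", so this does not match remote ports.
$inUse = netstat -ano | Select-String -Pattern "TCP\s+\S+:$Port\s"
if ($inUse) { throw "TCP port $Port already has a listener on this host" }

# Create the key if needed and write the DWORD. -Type DWord stores the integer as-is,
# so the post's decimal-vs-hex warning only matters when typing the value into regedit.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name $name -Value $Port -Type DWord

# Read the value back before touching the service.
$written = (Get-ItemProperty -Path $key -Name $name).$name
if ($written -ne $Port) { throw "Registry readback mismatch: got $written, expected $Port" }

# Restart FRS so the new port assignment takes effect.
Restart-Service -Name NtFrs -Force

# Give the service a moment, then confirm the FRS process is the one listening on the pinned port.
Start-Sleep -Seconds 10
$frsPid = (Get-Process -Name ntfrs -ErrorAction Stop).Id
$listening = netstat -ano | Select-String -Pattern "TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+$frsPid\b"
if ($listening) {
    Write-Output "FRS (PID $frsPid) is listening on TCP $Port"
} else {
    Write-Warning "FRS is running but no listener on TCP $Port was found yet; check the FRS event log"
}
```

Run it on every DC before opening the firewall rule, since a DC still on a dynamic port will silently stop replicating once the rule is in place.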