Ports to be opened: special scenario
Thanks Fred and David. Actually, I don't have the whole information to know if DC2 is the PDC emulator. If it is, then ports between FIM and DC2 will need to be opened. If not, as I understand it, all that is required is a good replication scheme between DC1 and DC2 to get good SSPR performance, and no ports need to be opened between FIM and DC2. Am I right?
August 13th, 2011 1:04pm

If FIM communicates only with DC1 then the document you linked to is correct. If DC1 and DC2 are in the same domain then they'll need the usual ports open for AD replication, etc. CraigMartin Edgile, Inc. http://identitytrench.com
August 13th, 2011 1:13pm

Thanks Craig, so this means having the following ports open between the FIM server and the DC2 server:

1. TCP/UDP 135 (RPC endpoint mapper)
2. TCP/UDP 389 (LDAP, LDAP ping)
3. TCP 636 (LDAP over SSL)
4. TCP 3268 (Global Catalog)
5. TCP 3269 (Global Catalog over SSL)
6. TCP/UDP 53 (DNS)
7. TCP/UDP 88 (Kerberos)
8. TCP dynamic (RPC)
9. TCP/UDP 464 (Kerberos change/set password)
10. TCP 445 (CIFS / MICROSOFT-DS)

Just remembering that the end users are located on the same network as DC2. Actually, the required ports between DC1 and DC2 are already open.
August 13th, 2011 2:26pm

If FIM is talking to DC1, and if DC1 and DC2 are in the same domain, then I don't think FIM needs to talk to DC2 at all, unless DC1 goes down and FIM goes looking for another DC to talk to. CraigMartin Edgile, Inc. http://identitytrench.com
August 13th, 2011 2:28pm

If the scenario were password synchronization, would it be necessary to open ports between the FIM server and DC2?
August 13th, 2011 3:04pm

For SSPR to work, your end users' clients need to be able to contact the FIM server. Contact with the DC in the local network is not enough. I guess it's not needed for the FIM server to be able to contact the local DC, although if the DC replication is slow, the users might find that their SSPR takes a while to work. /Frederik Leed
August 13th, 2011 4:11pm

Self Service Password Reset and Password Sync. One more thing to consider: when setting passwords, FIM Sync contacts the PDC emulator no matter which DC it normally communicates with. Therefore, is DC2 going to be the PDC emulator, or is it likely to become so? If so, then you do need the ports opened as described in the TechNet article you referenced.

Password Sync consideration (instructions on setting up PCNS): assuming DC1 and DC2 are in the same domain, then if that domain is to be the source for passwords to be synchronized to other systems, you need to follow the instructions found here for what ports to open:

Service: RPC endpoint mapper, Protocol: TCP, Port: 135
Service: Dynamic RPC ports (PCNS), Protocol: TCP, Port: 5000 - 5100
Service: Dynamic RPC ports (management agent for Active Directory), Protocol: TCP, Port: 57500 - 57520

David Lundell. Get your copy of FIM Best Practices Volume 1: http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html
August 13th, 2011 6:22pm
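The two checks the thread turns on are (a) whether DC2 holds the PDC emulator role, which decides whether FIM must reach it for password sets at all, and (b) whether the TCP ports listed earlier are actually reachable from the FIM server across the Miami-Colombia link. The script below is an added example written for this page; it is not code from the thread, from FIM, or from Microsoft's documentation. It assumes it runs in PowerShell on the domain-joined FIM server as a domain user, and `dc2.example.com` is a placeholder for DC2's FQDN. It uses a plain .NET TCP connect rather than Test-NetConnection so it works on the Windows Server 2008-era hosts FIM 2010 typically ran on.

```powershell
# Added example, not from the original thread or the FIM product documentation.
# Assumptions: runs in PowerShell on the FIM server (domain-joined) as a domain
# user; 'dc2.example.com' is a placeholder for DC2's FQDN.
param(
    [string]$Dc2 = 'dc2.example.com'
)

# 1. Who holds the PDC emulator role? FIM Sync sends password sets to the PDC
#    emulator regardless of which DC it normally uses, so if that is DC2 the
#    FIM <-> DC2 ports are required even when FIM is configured against DC1.
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc = $domain.PdcRoleOwner.Name
    "PDC emulator for {0}: {1}" -f $domain.Name, $pdc
    if ($pdc -ieq $Dc2) {
        "WARNING: DC2 is the PDC emulator; FIM must reach it for password operations."
    }
} catch {
    "Could not query the domain (host not domain-joined, or no DC reachable): $_"
}

# 2. TCP ports from the list in the thread that FIM needs toward a DC it talks to.
#    UDP 53/88/135/389/464 are deliberately not probed: a silent UDP probe proves nothing.
$tcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / CIFS (MICROSOFT-DS)'
    464  = 'Kerberos change/set password'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-TcpPort {
    # TCP connect with a timeout; no dependency on the NetTCPIP module.
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false           # no SYN/ACK within the timeout: filtered or host down
        }
        $client.EndConnect($async)  # throws on RST, i.e. port closed
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"`nTCP reachability from $env:COMPUTERNAME to ${Dc2}:"
$blocked = @()
foreach ($port in $tcpPorts.Keys) {
    $open = Test-TcpPort -ComputerName $Dc2 -Port $port
    "{0,5}  {1,-32} {2}" -f $port, $tcpPorts[$port], $(if ($open) { 'open' } else { 'BLOCKED or filtered' })
    if (-not $open) { $blocked += $port }
}

# 3. Dynamic RPC: port 135 only hands out the real endpoint; the follow-on
#    connection lands in the DC's dynamic range (49152-65535 by default on
#    Windows Server 2008 and later, or whatever range the DC was restricted to).
#    A single probe cannot verify that range; inspect it on the DC with:
#        netsh int ipv4 show dynamicport tcp
if ($blocked.Count -eq 0) {
    "All listed TCP ports are reachable; also allow the DC's dynamic RPC range."
} else {
    "Blocked or filtered ports: $($blocked -join ', ')"
}
```

Note the direction for the PCNS case is the reverse: PCNS runs on the domain controllers and pushes password changes to the FIM Sync server, so that probe belongs on DC2 with the FIM server as the target. Only TCP 135 can be usefully probed there; the configured ranges quoted in David's post (5000-5100 for PCNS, 57500-57520 for the AD management agent) are dynamic RPC ports that listen only while a call is in progress, so they have to be verified against the firewall rule set rather than with a connect test.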

I have a customer who will have the FIM and DC1 servers located in Miami, while the DC2 server and the end users are located in Colombia. The end users will use SSPR. I'd like to know whether it's necessary to open ports between the FIM server and DC2 in order to support SSPR, i.e. the ports referred to in the link http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx. Any comment is very welcome. Thanks.
August 13th, 2011 9:24pm
