2008 Server Enterprise RPC Dynamic Ports
I have a new 2008 domain with 2 domain controllers. I am trying to join a 2003 R2 Enterprise Server and a 2008 Enterprise Server to the domain through a firewall. I have allowed TCP ports 53, 88, 135, 139, 326, 389, 445, 636, 3269. I have allowed UDP ports 53, 88, 123, 137, 138, 389, 445.

I initially ran into trouble and would get error messages when attempting to join the domain. Turns out that there are a bunch of dynamic RPC ports that need to be allowed, and by analyzing firewall traffic I have identified the TCP dynamic RPC ports that the server is using. I have temporarily allowed 20 ports in the sequence that Windows is using them and was able to join the domain successfully. The dynamic RPC ports that Windows uses initially will begin at a random port, but seem to increment sequentially once they start.

I would like to configure Windows to only use certain RPC ports. I found the following 2 Microsoft KB articles: http://support.microsoft.com/kb/908472 and http://support.microsoft.com/kb/154596. They suggest using RPCCfg.exe as the tool to relocate and reduce the RPC dynamic port range.

My problem/question is that I would like to know how many dynamic RPC ports I should open on the firewall. I would like to keep the ports that I open to an absolute minimum. I have read some that suggest opening 100 ports is a minimum. That sounds excessive to me, and I would like to allow no more than 20 ports open on the firewall for dynamic RPC; 10 ports or less would be ideal.

Additionally, I would like to know where to use RPCCfg.exe. On the host servers only, or on the domain controllers as well? Do I need to use RPCCfg.exe on all of the servers that I am attempting to join to the domain? How often are RPC dynamic ports used? What will happen if I allow certain dynamic RPC ports through the firewall but do not use the RPCCfg tool; will they increment themselves out of the allowable range and fail? Is there a way to configure dynamic RPC ports through a script?

All of the instructions that I have found are for 2003 Server, and I am not sure if the same instructions apply to 2008 Server. This is a very simple domain with only 7 domain members, including the 2 domain controllers. I am planning to join possibly 10 more domain members over the next year or two. There are no plans for Exchange, which I understand could use up many dynamic RPC ports. Any suggestions or 2008-specific instructions (preferably from a Microsoft TechNet or KB article) would be greatly appreciated.

Thank you,
Fabian
April 22nd, 2008 2:59am

Hello,

Please note that the default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008. The range now is from 49152 to 65535, so you may have the dynamic RPC ports start at a number much larger than 49152 instead of 5000. See the following article for more details: The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008: http://support.microsoft.com/kb/929851

Regarding the first question, well, according to the previous article, the minimum range of ports you can set is 255. If you install additional applications that use dynamic RPC, you may need to increase this range.

Regarding the second question, you may need to run RPCCfg.exe on all the computers, including DCs and member servers.

For general information about the ports used in an Active Directory domain, I would like to suggest that you read the following articles in detail; they give the answers to your last questions:
How to configure a firewall for domains and trusts: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q179442
Service overview and network port requirements for the Windows Server system: http://support.microsoft.com/kb/832017

For more information about Active Directory and firewall configuration, view the "Active Directory in Networks Segmented by Firewalls" Microsoft White Paper. To do this, visit the following Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en

I hope this helps. Good luck.

Best regards,
Chang Yin
April 24th, 2008 2:23pm

"...how many Dynamic RPC ports I should open on the firewall..."

You may configure a server to use a range of 100 (2003) or 255 ports (2008) (or more), and then open up those ports on the firewall, but be aware that there are many processes/services running on a server that use various numbers of dynamically-allocated RPC ports. Even processes that run completely locally on a server will be restricted to that range. I've had problems where I tried to use the minimum number of ports, but ran into functionality issues with locally running processes due to "insufficient resources". These error symptoms can best be described as "weird", in that you won't find anything from Google that will help diagnose the problem. Some errors I've seen are:

- Trying to unlock the console on a server, and getting "No logon servers are currently available to service the logon request"
- Trying to run a SQL query, and getting "SQL server does not exist or access denied; native error 17"
- Application log errors, "Unable to contact MOM server"
- IIS BITS upload can't be enabled

In my case, SCCM "Active Directory System Group Discovery" apparently uses thousands of dynamically-allocated RPC ports, and quickly exhausts the pool available for other processes.

So how many ports should you open? It depends on how many your server needs; no hard answer I'm afraid.

Nick.
June 25th, 2011 4:26am
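Editor's note: the script below is an added example, not code posted by Fabian, Chang Yin or Nick and not a Microsoft tool. It does by script what Chang Yin's answer describes doing with RPCCfg.exe (the RPC endpoint range in HKLM\SOFTWARE\Microsoft\Rpc\Internet documented in KB 154596, which is also what RPCCfg.exe writes) and then measures how much of that range a machine is actually consuming, which is the data you need to answer Nick's "how many ports does your server need" without guessing. The function names, the 50000 start port and the 255 count are assumptions chosen for illustration; 255 is the smallest range KB 929851 says Windows accepts. Run it in an elevated PowerShell on every machine that has to accept RPC calls through the firewall (both DCs and the member servers), reboot, then run the headroom check again at intervals, including after a replication cycle.

```powershell
# Added example for this thread (not from the posters or from Microsoft): confine RPC server
# endpoints on Windows Server 2008 to a fixed range via the KB 154596 registry values, then
# report how much of the range is in use. Port numbers and function names are assumptions.

$RpcStart = 50000   # assumed start; keep it inside the 2008 ephemeral range (49152-65535)
$RpcCount = 255     # KB 929851: the smallest range Windows accepts
$RpcEnd   = $RpcStart + $RpcCount - 1
$RpcRange = "$RpcStart-$RpcEnd"

function Set-RpcPortRange {
    # Writes the same three values RPCCfg.exe sets; takes effect after a reboot.
    param([string]$Range)
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    # Ports is REG_MULTI_SZ with one "low-high" entry per range; the other two are REG_SZ "Y"
    New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

function Get-TcpEndpointsInRange {
    # Parses "netstat -ano -p tcp" (Server 2008 has no Get-NetTCPConnection) and returns
    # one object per local TCP port inside [Start, End] with its state and owning PID.
    param([int]$Start, [int]$End)
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$') {
            $port = [int]$matches[1]
            if ($port -ge $Start -and $port -le $End) {
                $o = New-Object PSObject
                $o | Add-Member NoteProperty Port  $port
                $o | Add-Member NoteProperty State $matches[2]
                $o | Add-Member NoteProperty Owner ([int]$matches[3])
                $o
            }
        }
    }
}

function Test-RpcRangeHeadroom {
    # Counts the distinct ports taken in the range (listeners and connections alike) and
    # lists which processes hold the listeners, so a range that is about to run out is
    # visible before it produces the odd "insufficient resources" style failures.
    param([int]$Start, [int]$End, [int]$WarnPercent = 80)
    $used  = @(Get-TcpEndpointsInRange -Start $Start -End $End)
    $ports = @($used | ForEach-Object { $_.Port } | Sort-Object -Unique)
    $size  = $End - $Start + 1
    $pct   = [int](100 * $ports.Count / $size)
    "Range $Start-$End : $($ports.Count) of $size ports in use ($pct%)"
    $used | Where-Object { $_.State -eq 'LISTENING' } |
        Group-Object Owner | Sort-Object Count -Descending |
        ForEach-Object { "  PID $($_.Name) holds $($_.Count) listener(s)" }
    if ($pct -ge $WarnPercent) {
        Write-Warning "RPC range nearly exhausted; widen it before narrowing the firewall rule"
    }
}

Set-RpcPortRange -Range $RpcRange
# After the reboot, run this a few times across a working day:
Test-RpcRangeHeadroom -Start $RpcStart -End $RpcEnd
```

Two points to keep in mind when reading the output. The Rpc\Internet key only governs the endpoints RPC servers register with the endpoint mapper on port 135; it does not move the general TCP ephemeral range (`netsh int ipv4 show dynamicport tcp`), so a member server's outbound client ports still come from 49152-65535 and the firewall rule for the DCs is simply TCP 135 plus the chosen range, in the member-to-DC and DC-to-DC directions. And the headroom figure is what settles the "20 ports or fewer" question in the original post: the count of ports in use on a DC during replication and logons is the floor, and it will rise as services are added, which is why the 255 minimum and Nick's exhaustion symptoms should not be dismissed.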
