Replication through Windows Firewall, Server 2003
Hello, I see a lot of technical stuff up here... but does anyone have a quick listing of the ports or other exceptions that are needed to keep replication going when the Windows Firewall is up? Thanks
June 21st, 2012 3:18pm

Yes, Active Directory. Thanks, Mr Weber
June 21st, 2012 4:08pm

Meinolf, I have added all the ports listed in the document your first link points to. Some of them, when adding, explained they could not be added, possibly since they were already in there. I added these and then enabled the firewall on the (backup) domain controller (Server 2003 R2 SP2). I had 2 problems originally when turning the FW on: replication would stop, explaining no endpoints from the mapper, and DHCP clients would no longer get requested DHCP leases. After adding all the listed ports, the DHCP server is working fine, but replication is having problems. When I run replmon, my primary DC is listed first and this server (DC #2) is listed second. The first entry states the mapper error, but the rest (Config/Schema/DNS zones/Forest DNS zones) are all OK. In the second "section" for this DC #2, all 5 items have the BANG on them (yellow circle with exclamation point) and there is no "stuff" displayed at all if you click on one of them.
June 22nd, 2012 10:12am

Also, when I have the FW up (and then I get the endpoint mapper errors), I also run dcdiag and all tests pass (even one called replication). I also do have the FW logs but can't begin to analyse those :(
June 22nd, 2012 11:18am

Hello, please upload the following files for a better overview:
ipconfig /all >c:\ipconfig.txt [all DCs]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (with open access!) http://explore.live.com/windows-live-skydrive and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.
Best regards, Meinolf Weber MVP, MCP, MCTS, Microsoft MVP - Directory Services. My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 25th, 2012 2:39am

Here's the URL: https://skydrive.live.com/#cid=BD95D9F727CB8E30&id=BD95D9F727CB8E30%21120 ipconfig1 = main DC, ipconfig2 = backup DC. This is the one where, if I put the firewall on, replication fails (I have the FW off on DC1, intending to learn from this issue with DC2 before I turn the FW on DC1 back on). Thanks, let me know if you need me to do more stuff.
June 25th, 2012 1:32pm

Hello, as you use HP teaming, please assure that the configuration is made for failover and NOT for load balancing, as this is NOT supported by Microsoft. What are the forwarders 192.168.1.21, 192.168.1.22 and 192.168.100.2 for machines; are they domain DNS servers? Normally you should use either the root hints or the ISP's DNS servers as forwarders. Is your domain a child domain and the used forwarders are from the root domain?
Best regards, Meinolf Weber MVP, MCP, MCTS, Microsoft MVP - Directory Services. My Blog: http://msmvps.com/blogs/mweber/
June 25th, 2012 2:04pm

I am going to dissolve the team... there is no real value to it at this point, and once again I have found little support out there for the configuration. The forwarders... they are DNS servers in other domains I connect to (trusts stuff).
June 25th, 2012 2:20pm

OK, the HP adapter team has been dissolved on Server #1. I turned the firewall back on on Server #2; I still get the "no end points" error. I am off to do more "no end point" research.
June 26th, 2012 1:37pm

This may be why so many folks don't turn the FW on on their servers...
June 26th, 2012 1:38pm

Meinolf, did you get my link to my SkyDrive folder?
June 29th, 2012 7:19am

Hello, we and lots of others have no problems with enabled firewalls on the DCs; they replicate fine, so please assure the connectivity. PortQry should help you or your firewall guys to verify: http://www.microsoft.com/en-us/download/details.aspx?id=17148
Best regards, Meinolf Weber MVP, MCP, MCTS, Microsoft MVP - Directory Services. My Blog: http://msmvps.com/blogs/mweber/
June 29th, 2012 12:31pm

Hi, I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help. Regards, Arthur Li, TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
July 2nd, 2012 3:34am

Well, I do not know where to go from here... I still have the problem when the firewall is on (on my backup domain controller): AD will not replicate, "there are no more endpoints available from the endpoint mapper". I was able to get my DHCP service to operate correctly when I turn the FW on by adding port exceptions to the FW... and while I was at it, I also added a ton of other exceptions that are listed in that "setting firewalls up on domain controllers" document... but AD will still not replicate when the FW is on.
July 2nd, 2012 7:11am

OK, I ran PQ from the DC to the backup DC with the firewall ON:
IP address resolved to ml350g5bpm
querying...
TCP port 389 (ldap service): FILTERED
UDP port 389 (unknown service): LISTENING or FILTERED
Using ephemeral source port
Sending LDAP query to UDP port 389...
LDAP query to port 389 failed
Server did not respond to LDAP query
portqry.exe -n 192.168.50.48 -e 389 -p BOTH exits with return code 0x00000001.
July 3rd, 2012 9:05am

Hi, any updates? If your question is answered, it would be nice if you mark it accordingly, because this may help others who have got the same or a similar question. Thanks a lot in advance. Kind regards, Thomas Paetzold. Visit my blog on: http://sus42.wordpress.com
July 3rd, 2012 1:01pm

No change... still have the problem... I know to mark answers.
July 3rd, 2012 1:17pm

Hi Meinolf, not sure if I have narrowed anything down to a level where troubleshooting can begin. In replmon I did the generate report (with the firewall on DC #2 up), and when I got to the stanza that listed the no endpoint error, it listed Transport = Intra-site RPC.
So I was reading up on AD replication (the amount of detail behind just about any aspect of Windows Servers is amazing, ya know, like what is the KCC and what does it do, and what is the ISTG, and so on). For someone like me that is tasked to "do it all" (build servers, run cabling, load servers and do all that same stuff at the workstation level, run a help desk for end-user application support, and also be the perimeter guy running SonicWall appliances and also the Exchange mgr), I can't seem to dive all the way into any one discipline to the point of gaining more than a cursory understanding of all these details.
Anyhow, I then ran PortQry on port 135 for both TCP and UDP. TCP all looks good... but from each server there look to be UDP problems, each with the epmap service. OK, so I have the FW on DC #2 up. When I query UDP 135 from here to my #1 DC (no FW) I get:
UDP port 135 NOT LISTENING
When I reverse this and query UDP 135 from my #1 DC to #2 (whose FW is up) I get:
UDP port 135 (epmap service): LISTENING or FILTERED
Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response: RPC Endpoint Mapper did not respond
UDP port 135 is FILTERED
Anything here to go on?? Thanks
July 5th, 2012 1:06pm

Well, I am shooting in the dark... I disabled the firewall, so now, as usual, replication works. While the FW on DC #2 was down I ran PortQry from both ends again, and now they both say UDP port 135 NOT LISTENING, but like I say, replication works. If I was to stay on this lead... it would imply that if UDP 135 is not listening then all will work, but if the FW is up on DC #2 then UDP 135 is tagged as "Listening or filtered" and then the replication fails.
July 5th, 2012 1:29pm

Hi Daniel, here is my analysis of the issue:
1. Only TCP 135 (RPC protocol) should be listened on. No protocol uses UDP 135, so UDP 135 should not be listened on. It is normal that UDP 135 is not listened on. It doesn't mean that UDP 135 not being listened on leads the AD replication to succeed.
2. When the status is FILTERED, it means the packets are blocked by the Windows Firewall or any other firewall. It seems that both TCP and UDP 389 are blocked by the Windows Firewall, based on your information. Please add rules in the Windows Firewall to ensure that TCP 389 and UDP 389 are allowed.
Best Regards, Scott Xie
July 11th, 2012 4:08am
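The PortQry verdicts traded back and forth above (FILTERED versus NOT LISTENING) come down to what the remote stack sends back to a SYN. The following is an added example, not code from the thread or from PortQry itself: a small Python probe that reproduces PortQry's TCP classification and exercises it against one open and one closed port on 127.0.0.1 (the loopback fixture is constructed; no other hosts or names are assumed).

```python
"""Classify a TCP port the way PortQry does: LISTENING, NOT LISTENING or FILTERED.

Added example, not from the thread. The verdict depends only on what the
remote stack sends back to the SYN, which is why FILTERED points at a
firewall rather than at the service:
  SYN-ACK  -> LISTENING      something accepted the connection
  RST      -> NOT LISTENING  host reachable, nothing bound to the port
  silence  -> FILTERED       the SYN was dropped in transit (a firewall)
"""
import errno
import socket


def probe_tcp(host, port, timeout=2.0):
    """Return 'LISTENING', 'NOT LISTENING', 'FILTERED' or 'UNREACHABLE' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # full three-way handshake completed
        return "LISTENING"
    except socket.timeout:
        return "FILTERED"              # no SYN-ACK and no RST: dropped silently
    except ConnectionRefusedError:
        return "NOT LISTENING"         # RST came back: stack up, port unbound
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "UNREACHABLE"       # routing problem, not a firewall verdict
        raise
    finally:
        s.close()


def demo_loopback():
    """Probe one listening and one closed port on 127.0.0.1 (constructed fixture)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # OS picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # released: a SYN here now draws a RST

    try:
        return {
            "open": probe_tcp("127.0.0.1", open_port),
            "closed": probe_tcp("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for role, verdict in demo_loopback().items():
        print(f"{role}: {verdict}")
```

UDP has no handshake, which is why PortQry can only say "LISTENING or FILTERED" for a UDP port unless it either receives an ICMP port-unreachable (then it reports NOT LISTENING) or gets an answer to a protocol-specific probe such as its LDAP or endpoint-mapper query; a silent UDP port and a firewalled one look identical on the wire.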

I have both TCP and UDP port 389 on the FW exception list (on DC #2). If (from DC #2) I query UDP port 389 (with FW on), leaving the default 127.0.0.1 host in there, I get "not listening". If I put the IP address of DC #2 in (not using local loopback 127.0.0.1), then I get LISTENING. TCP port queries give me the LDAP paragraph... I assume that port is listening/working OK. If I go to DC #1 (primary DC and replication partner) and query UDP 389 on DC #2, it says "listening". Whaddaya think about that?
July 11th, 2012 3:34pm

I get the same PortQry results on UDP port 389 whether the FW is on or off... No matter what, I can't replicate when the FW is on: no more endpoints.
July 11th, 2012 3:52pm

Hi, it seems the replication issue is not caused by port 389. To further troubleshoot the issue, I suggest that you enable the firewall log on the server. From the firewall log we can check if there is a firewall rule that blocks the concerning network traffic:
a. On the concerning server, click "Start" -> "Run", type "gpedit.msc", press Enter.
b. In the "Local Group Policy Editor" window, in the left panel, locate: "Computer Configuration/Windows Settings/Security Settings".
c. Expand "Windows Firewall with Advanced Security", click "Windows Firewall with Advanced Security Local Group Policy Object".
d. In the right panel, click "Windows Firewall Properties".
e. In the newly opened window, on the "Domain Profile" tab, in the "Logging" section, click "Customize".
f. In the "Customize Logging Settings for the Domain Profile" window, uncheck the two "Not configured" checkboxes. Set "Log dropped packets" to "Yes". Click "OK".
g. Use steps e and f to enable "Log dropped packets" on the "Private Profile" and "Public Profile" tabs. Click "OK".
Best Regards, Scott Xie
July 13th, 2012 3:58am

The FW on DC #2 is set to log... I am not sure if I would still need to do the GP procedure you outlined, or if the existing pfirewall.log file is good enough. I have uploaded that file to my quickdoc folder on SkyDrive: https://skydrive.live.com/?cid=BD95D9F727CB8E30&id=BD95D9F727CB8E30%21120 Let me know if this is OK. Thanks for sticking with me on this issue.
July 13th, 2012 9:33am

Hi Daniel, you are welcome. Yes, the pfirewall.log file is enough. I have checked the file you uploaded. I find there are many dropped packets whose port is TCP 1025. Please refer to the following link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;179442 Since your DC is Windows Server 2003, the following dynamic ports need to be opened:
Client Port(s) / Server Port(s)
1024-65535/TCP / 1024-65535/TCP
Please ensure these dynamic ports have been opened.
Best Regards, Scott Xie
July 16th, 2012 3:39am
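The diagnosis above was reached by reading pfirewall.log by hand. As an added example (not code from the thread, and not a Microsoft tool), the script below does that triage automatically: it parses the W3C-style log Windows Firewall writes (a "#Fields:" header followed by one space-separated row per event) and sorts DROP rows from a replication partner into well-known AD ports that need a static exception versus TCP ports in the 2003 RPC dynamic range (1024-65535, as KB179442 states) that the endpoint mapper hands out at run time. The log rows are constructed; 192.168.50.48 is DC #2 from the PortQry output earlier in the thread, and 192.168.50.47 for DC #1 is an assumption.

```python
"""Triage a Windows Firewall pfirewall.log for dropped AD replication traffic.

Added example; not code from the thread. Reads the '#Fields:' header so the
column order is taken from the file rather than hard-coded, then buckets
DROP rows from a replication partner into (a) well-known AD ports that need
a static exception and (b) TCP ports in the RPC dynamic range (1024-65535
on Windows Server 2003 per KB179442) that a single-port exception cannot cover.
"""
from collections import Counter

# Static ports a DC's replication partner must reach (well-known AD services).
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 123: "NTP", 135: "RPC endpoint mapper",
    389: "LDAP", 445: "SMB", 464: "Kerberos password change", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog over SSL",
}
# RPC dynamic endpoint range on Windows Server 2003 (KB179442).
DYNAMIC_TCP = range(1024, 65536)

# Constructed sample: three SYNs to a dynamic RPC endpoint dropped, one UDP LDAP
# probe dropped, and one unrelated drop from a non-partner host. 192.168.50.47
# as DC #1 is an assumption; 192.168.50.48 is DC #2 from the thread.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-07-12 09:41:03 OPEN TCP 192.168.50.47 192.168.50.48 1089 135 - - - - - - - - RECEIVE
2012-07-12 09:41:03 DROP TCP 192.168.50.47 192.168.50.48 1090 1025 48 S 2154885361 0 65535 - - - RECEIVE
2012-07-12 09:41:06 DROP TCP 192.168.50.47 192.168.50.48 1090 1025 48 S 2154885361 0 65535 - - - RECEIVE
2012-07-12 09:41:12 DROP TCP 192.168.50.47 192.168.50.48 1090 1025 48 S 2154885361 0 65535 - - - RECEIVE
2012-07-12 09:42:10 DROP UDP 192.168.50.47 192.168.50.48 1091 389 60 - - - - - - - RECEIVE
2012-07-12 09:43:30 DROP TCP 192.168.1.77 192.168.50.48 3321 1433 48 S 99812 0 65535 - - - RECEIVE
"""


def parse_pfirewall_log(text):
    """Yield one dict per data row, keyed by the column names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split()
        if len(values) < 8:            # need at least through dst-port; skip a torn line
            continue
        yield dict(zip(fields, values))


def triage_drops(rows, partners):
    """Count DROP rows by (src-ip, protocol, dst-port) in three buckets."""
    buckets = {"static": Counter(), "dynamic": Counter(), "other": Counter()}
    for r in rows:
        if r["action"] != "DROP":
            continue
        port = int(r["dst-port"])
        key = (r["src-ip"], r["protocol"], port)
        if r["src-ip"] not in partners:
            buckets["other"][key] += 1
        elif port in AD_PORTS:
            buckets["static"][key] += 1      # a fixed exception is missing
        elif r["protocol"] == "TCP" and port in DYNAMIC_TCP:
            buckets["dynamic"][key] += 1     # endpoint-mapper-assigned port
        else:
            buckets["other"][key] += 1
    return buckets


def findings(log_text, partners):
    """Return human-readable lines, worst offenders first."""
    b = triage_drops(parse_pfirewall_log(log_text), partners)
    out = []
    for (src, proto, port), n in b["dynamic"].most_common():
        out.append(f"{n} x DROP {proto}/{port} from {src}: RPC dynamic endpoint reached "
                   f"after the port-135 lookup; matches 'no more endpoints available "
                   f"from the endpoint mapper'")
    for (src, proto, port), n in b["static"].most_common():
        out.append(f"{n} x DROP {proto}/{port} from {src}: {AD_PORTS[port]} exception missing")
    for (src, proto, port), n in b["other"].most_common():
        out.append(f"{n} x DROP {proto}/{port} from {src}: not AD replication traffic")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG, {"192.168.50.47"}):
        print(line)
```

Run it against a real pfirewall.log by passing the file contents and the set of replication-partner addresses; a partner whose drops land in the "dynamic" bucket is the case this thread ends on, where the 135 lookup succeeds but the high port the mapper returns is closed.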

I had to use one of my complimentary support calls to Microsoft... they indicated the same answer... The key factor here is that I am on Server 2003, which has these dynamic ports blocked by default. Microsoft DOES NOT RECOMMEND assigning RPC to a specific port; some of the documents I was referred to seem to allude to this... Maybe I am one of the last still operating on Server 2003, and this detail (dynamic ports blocked) must be very obscure. On the plus side, I know much more about DC firewalls and some of the associated tools used to troubleshoot... thanks to all.
July 16th, 2012 7:19am

Well, well, well... I thought I would get a lesson on how to add this port range... but NO!! The official MS standpoint is that this is not recommended on Server 2003 domain controller platforms. They showed me a TechNet doc, http://support.microsoft.com/kb/555381, and they are refunding my support call, since they say it is a Microsoft problem and admit there should be more supportive info on it so folks like me (idiots) can get educated on the issue. Let me know what you think about their stance on this. Thanks
July 16th, 2012 4:05pm

Meinolf, please see my final reply way down below... sorry to have been chewing up everyone's time. If I had ever thought this was an activity Microsoft really did not support completely, I would never have gone down this path. I appreciate everyone's help, even if it was fruitless for me. http://support.microsoft.com/kb/555381
July 16th, 2012 4:09pm

