{"id":2851,"date":"2017-09-09T18:26:32","date_gmt":"2017-09-09T16:26:32","guid":{"rendered":"http:\/\/wordpress.networknet.nl\/?p=2851"},"modified":"2017-09-16T13:42:58","modified_gmt":"2017-09-16T11:42:58","slug":"powershell-set-static-rpc-ports-for-active-directory-domain-controller","status":"publish","type":"post","link":"https:\/\/www.networknet.nl\/apps\/wp\/archives\/2851","title":{"rendered":"PowerShell: Set static RPC ports for Active Directory Domain Controller"},"content":{"rendered":"<p>\n\tPutting a domain-joined Windows system behind a firewall can be challenging. I have successfully managed to put my Web Application Proxy (WAP) servers in a DMZ network where inbound and outbound ACLs have been specified. More details in another post.\n<\/p>\n<p>\n\tThe challenge was to pin the domain controllers&#39; RPC traffic to specific ports, so that only a small, known subset of TCP\/UDP ports has to be allowed through the firewall instead of the whole dynamic RPC range.\n<\/p>\n<p>\n\tThe script below has to be run on every domain controller that can be reached by the servers in the DMZ, and the values only take effect after a reboot. 
I have run the script on a Windows Server 2012 R2 server. Two things to keep in mind: the range under HKLM\\SOFTWARE\\Microsoft\\Rpc\\Internet applies to every RPC server on the host, not only to Active Directory, and the NtFrs value only matters while SYSVOL is still replicated by FRS; with DFS Replication the port has to be pinned separately (dfsrdiag StaticRPC).\n<\/p>\n<h3>\n\tSet TCP ports 55000 &#8211; 55303 for NTDS, Netlogon, NtFrs and RPC<br \/>\n<\/h3>\n<pre class=\"brush:powershell\">\r\n#Set NTDS (directory service) RPC port to a static value\r\nNew-ItemProperty &quot;HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters&quot; -Name &quot;TCP\/IP Port&quot; -Value 55000 -PropertyType &quot;DWord&quot; -Force\r\n\r\n#Set Netlogon RPC port to a static value (the value name is DCTcpipPort, without a &quot; Port&quot; suffix)\r\nNew-ItemProperty &quot;HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters&quot; -Name &quot;DCTcpipPort&quot; -Value 55001 -PropertyType &quot;DWord&quot; -Force\r\n\r\n#Set NtFrs RPC port to a static value (only used while SYSVOL is replicated by FRS)\r\nNew-ItemProperty &quot;HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NtFrs\\Parameters&quot; -Name &quot;RPC TCP\/IP Port Assignment&quot; -Value 55002 -PropertyType &quot;DWord&quot; -Force\r\n\r\n#Restrict the RPC dynamic port range to 55003-55303 for all RPC servers on this host\r\n$rpcKey = &quot;HKLM:\\SOFTWARE\\Microsoft\\Rpc\\Internet&quot;\r\nif (-not (Test-Path $rpcKey)) { New-Item $rpcKey | Out-Null }\r\nNew-ItemProperty $rpcKey -Name &quot;Ports&quot; -Value &#39;55003-55303&#39; -PropertyType MultiString -Force\r\nNew-ItemProperty $rpcKey -Name &quot;PortsInternetAvailable&quot; -Value &quot;Y&quot; -PropertyType &quot;String&quot; -Force\r\nNew-ItemProperty $rpcKey -Name &quot;UseInternetPorts&quot; -Value &quot;Y&quot; -PropertyType &quot;String&quot; -Force\r\n\r\n#The values are read at service start, so reboot the domain controller afterwards<\/pre>\n<p>\n\tAfter the domain controllers had been rebooted I ran gpupdate on my DMZ server to make sure the AD services were reachable. 
I performed another reboot and domain logon to make sure no ports were blocked.\n<\/p>\n<h3>\n\tReferences<br \/>\n<\/h3>\n<ul>\n<li>\n\t\t<a href=\"https:\/\/bensjibberjabber.wordpress.com\/2011\/07\/26\/configuring-domain-controllers-to-use-fixed-rpc-ports-behind-firewalls\/\" target=\"_blank\">https:\/\/bensjibberjabber.wordpress.com\/2011\/07\/26\/configuring-domain-controllers-to-use-fixed-rpc-ports-behind-firewalls\/<\/a>\n\t<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Putting a domain joined windows system behind a firewall can be challenging. I have successfully managed to put my Web Application Proxy (WAP) servers in a DMZ network where inbound and outbound ACL&#39;s have been specified. More details in another post. The challenge I had is to configure the domain controllers to be specific on RPC traffic ports so I only need to allow a subset of tcp\/udp ports. The script below will need to be run on each domain controller that can be reached by the servers in the DMZ. I have run the script on a Windows Server 2012 R2 server. 
<\/p>\n","protected":false},"author":2,"featured_media":1270,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[515],"tags":[838,736,225,509,42,836,11,837],"class_list":["post-2851","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell-microsoft","tag-dmz","tag-domain","tag-domain-controller","tag-firewall","tag-powershell","tag-rpc","tag-script","tag-static-ports"],"_links":{"self":[{"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/posts\/2851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/comments?post=2851"}],"version-history":[{"count":8,"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/posts\/2851\/revisions"}],"predecessor-version":[{"id":2862,"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/posts\/2851\/revisions\/2862"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/media\/1270"}],"wp:attachment":[{"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/media?parent=2851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/categories?post=2851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.networknet.nl\/apps\/wp\/wp-json\/wp\/v2\/tags?post=2851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
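Added verification example, not part of the original post above: after the domain controller has been rebooted, this script reads the static-port values back from the registry and checks that the services are actually bound to those ports, so a firewall rule limited to 55000-55303 can be trusted. It assumes the port numbers used in the post, an elevated PowerShell session on the domain controller, and Windows Server 2012 R2 or later (Get-NetTCPConnection with the OwningProcess property); the service and process names are the standard ones on a DC.

```powershell
# Added verification example; not part of the original post.
# Assumes the ports from the post (55000-55002 and the range 55003-55303), an
# elevated session on the domain controller after its reboot, and Windows
# Server 2012 R2 or later (Get-NetTCPConnection reports OwningProcess there).

$staticPorts = @(
    [pscustomobject]@{ Service = 'NTDS';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Port = 55000; Process = 'lsass' }
    [pscustomobject]@{ Service = 'Netlogon'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Port = 55001; Process = 'lsass' }
    [pscustomobject]@{ Service = 'NtFrs';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Port = 55002; Process = 'ntfrs' }
)
$rpcRangeStart = 55003
$rpcRangeEnd   = 55303

# 1. Registry read-back. The registry accepts any value name, so a typo in the
#    name (for example "DCTcpipPort Port") shows up here as MISSING, not as an error.
'== Static port values =='
foreach ($p in $staticPorts) {
    $item   = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($p.Name) } else { $null }
    $state  = if ($actual -eq $p.Port) { 'OK' } elseif ($null -eq $actual) { 'MISSING' } else { "MISMATCH (found $actual)" }
    '{0,-9} {1,-28} expected {2}  {3}' -f $p.Service, $p.Name, $p.Port, $state
}
$rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
if ($rpc) {
    'RPC range Ports={0} UseInternetPorts={1} PortsInternetAvailable={2}' -f ($rpc.Ports -join ','), $rpc.UseInternetPorts, $rpc.PortsInternetAvailable
} else {
    'RPC range MISSING (HKLM:\SOFTWARE\Microsoft\Rpc\Internet does not exist)'
}

# 2. Listening sockets. On a DC both NTDS and Netlogon are hosted in lsass.exe;
#    FRS runs in its own ntfrs.exe. If SYSVOL is replicated by DFS-R instead of
#    FRS, the NtFrs service is not running and 55002 is legitimately absent.
'== Listeners =='
$listeners = Get-NetTCPConnection -State Listen
foreach ($p in $staticPorts) {
    $l = $listeners | Where-Object LocalPort -eq $p.Port | Select-Object -First 1
    if (-not $l) {
        $svc = Get-Service -Name $p.Service -ErrorAction SilentlyContinue
        $why = if (-not $svc) { 'service not installed' }
               elseif ($svc.Status -ne 'Running') { "service is $($svc.Status)" }
               else { 'service running but not bound to this port; check the value and reboot' }
        '{0,-9} port {1}: NOT LISTENING ({2})' -f $p.Service, $p.Port, $why
        continue
    }
    $owner = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $state = if ($owner -eq $p.Process) { 'OK' } else { "owned by $owner, expected $($p.Process)" }
    '{0,-9} port {1}: listening, {2}' -f $p.Service, $p.Port, $state
}

# 3. Anything still listening in the default dynamic range (49152-65535) but
#    outside the configured RPC range will be blocked by a firewall that only
#    allows 55000-55303; review each one before opening extra ports.
'== Listeners in 49152-65535 outside the configured RPC range =='
$strays = $listeners |
    Where-Object { $_.LocalPort -ge 49152 -and ($_.LocalPort -lt $rpcRangeStart -or $_.LocalPort -gt $rpcRangeEnd) } |
    ForEach-Object {
        [pscustomobject]@{
            Port    = $_.LocalPort
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    } | Sort-Object Port -Unique
if ($strays) { $strays | Format-Table -AutoSize } else { 'none' }
```

The same ports can then be probed from the DMZ host with Test-NetConnection -ComputerName and -Port for 55000, 55001 and a few ports in 55003-55303, which tells you whether the firewall ACLs match what the domain controller is actually listening on, rather than relying on a successful gpupdate alone.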