Wednesday, June 16, 2010

RODC Frequently Asked Questions

http://technet.microsoft.com/en-us/library/cc754956(WS.10,printer).aspx

RODC Frequently Asked Questions
Updated: May 1, 2009
Applies To: Windows Server 2008
This section includes frequently asked questions (FAQ) and answers pertaining to read-only domain controllers (RODCs). The questions range from general background information to in-depth technical issues.

What new attributes support the RODC Password Replication Policy?
Password Replication Policy is the mechanism for determining whether a user or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.
The following attributes have been added to the Active Directory schema to expedite the functionality that is required for RODC caching operations:
msDS-Reveal-OnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals whose credentials are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC. The RODC never caches the credentials of the members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided. This improves the security of RODCs that are deployed with default settings.
msDS-RevealedList. This attribute is a list of security principals whose current passwords have been replicated to the RODC.
msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon. This enables the administrator to refine the Password Replication Policy for the RODC.

How can you clear a password that is cached on an RODC?
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it (or the new password is prepopulated on the RODC) and only if the PRP has not been changed.
In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.
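The two questions above (the four PRP attributes, and what to do when an RODC is compromised) can be worked through with the ActiveDirectory PowerShell module. The following is an added example, not part of the TechNet FAQ: it reads the four attributes from the RODC's computer object, reports which principals authenticate through the RODC without having a cached secret (the ones to review when refining the Allowed List), and implements the FAQ's response step of resetting every revealed user password on a writable domain controller. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and the server names RODC-DC-02 / HUB-DC-01, which are taken from the FAQ's own samples.

```powershell
# Added example (not part of the TechNet FAQ). Assumes the ActiveDirectory
# PowerShell module and an account that can read the RODC computer object and,
# for the reset, write user passwords on a writable domain controller.
Import-Module ActiveDirectory

function Get-RodcPrpState {
    param([Parameter(Mandatory)][string]$RodcName)

    # All four PRP attributes from the FAQ live on the RODC's computer object.
    $rodc = Get-ADComputer -Identity $RodcName -Properties `
        'msDS-Reveal-OnDemandGroup', 'msDS-NeverRevealGroup',
        'msDS-RevealedList', 'msDS-AuthenticatedToAccountList'

    # Both lists hold distinguished names of security principals.
    $revealed      = @($rodc.'msDS-RevealedList')
    $authenticated = @($rodc.'msDS-AuthenticatedToAccountList')

    [pscustomobject]@{
        Rodc          = $rodc.DistinguishedName
        AllowedGroups = @($rodc.'msDS-Reveal-OnDemandGroup')   # Allowed List
        DeniedGroups  = @($rodc.'msDS-NeverRevealGroup')       # Denied List
        Revealed      = $revealed                               # secrets present on the RODC
        # Principals that log on through this RODC but whose secrets it does not
        # hold: they fail to authenticate when the WAN is down, so these are the
        # candidates to review when refining the Allowed List.
        NotCached     = @($authenticated | Where-Object { $revealed -notcontains $_ })
    }
}

function Reset-RevealedAccountPasswords {
    # Response step from the FAQ for a compromised RODC: give every user whose
    # password was revealed to it a new random password, written to a writable
    # DC (the RODC cannot accept the change). Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$RodcName,
        [Parameter(Mandatory)][string]$WritableDc
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($dn in (Get-RodcPrpState -RodcName $RodcName).Revealed) {
        $obj = Get-ADObject -Identity $dn -Server $WritableDc -Properties objectClass, sAMAccountName
        if ($obj.ObjectClass -ne 'user' -or $obj.sAMAccountName -like 'krbtgt*') {
            # Computer accounts and the RODC's own krbtgt account are not reset here:
            # machine passwords are renewed from the machine, and the krbtgt account
            # is replaced when the RODC is rebuilt, as the FAQ directs.
            Write-Warning "Skipping non-user principal: $dn"
            continue
        }
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        if ($PSCmdlet.ShouldProcess($dn, 'Reset password on ' + $WritableDc)) {
            Set-ADAccountPassword -Identity $dn -Server $WritableDc -Reset -NewPassword $newPwd
            # Force a change at next logon so the user ends up with a password they know.
            Set-ADUser -Identity $dn -Server $WritableDc -ChangePasswordAtLogon $true
        }
    }
}

# Usage (names taken from the FAQ's examples):
# Get-RodcPrpState -RodcName 'RODC-DC-02'
# Reset-RevealedAccountPasswords -RodcName 'RODC-DC-02' -WritableDc 'HUB-DC-01' -WhatIf
```

The module also ships Get-ADDomainControllerPasswordReplicationPolicyUsage, which returns the same revealed and authenticated lists; the raw-attribute version above is used so that the attribute names from the FAQ are visible in the code.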

Can an RODC replicate to other RODCs?
No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writable domain controller in a hub site is offline. This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user's credentials cached, then the logon attempt will fail.
What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
Password changes
Attempts to join a computer to a domain
Computer rename
Authentication attempts for accounts whose credentials are not cached on the RODC
Group Policy updates that an administrator might attempt by running the gpupdate /force command

What operations succeed if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed:
Authentication and logon attempts, if the credentials for the resource and the requestor are already cached.
Local RODC server administration performed by a delegated RODC server administrator.
Will RODC support my Active Directory–integrated application?
Yes, RODC supports an Active Directory–integrated application if the application conforms to the following rules:
If the application performs write operations, it must support referrals (enabled by default on clients).
The application must tolerate Write outages when the hub is offline.
Does an RODC contain all of the objects and attributes that a writable domain controller contains?
Yes, an RODC contains all the objects that a writable domain controller contains. If you compare the LDAP store on a writable domain controller to the LDAP store of an RODC, they are identical, except that the RODC does not contain all of the credentials or attributes that are defined in the RODC filtered attribute set.

Why does the RODC not have a relative ID (RID) pool?
All writable domain controllers can allocate RIDs from their respective RID pools to create security principals as needed. Because an RODC cannot create security principals, it cannot provide any RIDs, and it is never allocated a RID pool.

Can I list the krbtgt account that is used by each RODC in the domain?
Yes. To list the krbtgt account that is used by each RODC in the domain, type the following command at a command line, and then press ENTER:
Repadmin /showattr /subtree /filter:"(&(objectclass=computer)(msDS-Krbtgtlink=*))" /atts:msDS-krbtgtlink

How does the client DNS update referral mechanism work?
Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a "writable DNS server." When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site.
The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update.
If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.
Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.
If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update.

Why doesn't the KCC on writable domain controllers try to build connections from an RODC?
To build the replication topology, the Knowledge Consistency Checker (KCC) examines the following:
All the sites that contain domain controllers
The directory partitions that each domain controller holds
The cost that is associated with the site links to build a least-cost spanning tree
The KCC determines if there is a domain controller in a site by querying AD DS for objects of the NTDS-DSA category—the objectcategory attribute value of the NTDS Settings object. The NTDS Settings objects for RODCs do not have this object category. Instead, they support a new objectcategory value named NTDS-DSA-RO.
As a result, the KCCs on writable domain controllers never consider an RODC as part of the replication topology. This is because the NTDS Settings objects are not returned in the query.
However, the KCC on an RODC also needs to consider the local domain controller (itself) to be part of the replication topology to build inbound connection objects. This is achieved by a minor logic change to the algorithm that the KCC uses on all domain controllers running Windows Server 2008 that forces it to add the NTDS Settings object of the local domain controller to the list of potential domain controllers in the topology. This makes it possible for the KCC on an RODC to add itself to the topology. However, the KCC on an RODC does not add any other RODCs to the list of domain controllers that it generates.

How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?
An RODC is completely read-only from the perspective of external clients, but it can internally originate changes for a limited set of objects. It permits replicated write operations and a limited set of originating write operations.
Both the KCC and the replication engine are special “writers” on an RODC. The replication engine performs replicated write operations on an RODC in exactly the same way as it does on the read-only partitions of a global catalog server that runs Windows Server 2003. The KCC is permitted to perform originating write operations of the objects that are required to perform Active Directory replication, such as connection objects.
Why does an RODC have two inbound connection objects?
This is because File Replication Service (FRS) requires its own pair of connection objects in order to function correctly.
In previous versions of Windows Server, FRS was able to utilize the existing connection objects between two domain controllers to support its replication of SYSVOL content. However, because an RODC only performs inbound replication of Active Directory data, a reciprocal connection object on the writable replication partner is not needed.
Consequently, the Active Directory Domain Services Installation Wizard generates a special pair of connection objects to support FRS replication of SYSVOL when you install an RODC. The FRS connection objects are not required by DFS Replication.

How does RODC connection failover work?
If the bridgehead replication partner of an RODC becomes unavailable, the KCC on the RODC builds a connection to another partner. By default, this happens after about two hours, which is the same for a writable domain controller. However, the FRS connection object on an RODC must use the same target as the connection object that the KCC generates on the RODC for Active Directory replication. To achieve this, the fromServer value on the two connections is synchronized.
However, the trigger for changing the fromServer value on the FRS connection object is not the creation of the new connection; instead, it is the removal of the old connection. The removal step happens some hours after the new connection object is created. Consequently, the fromServer value continues to reference the original partner until the old connection is removed by the KCC.
A side effect of this is that while Active Directory replication works successfully against the new partner, FRS replication fails during this period. The additional delay is by design—it avoids causing FRS to perform an expensive VVJoin operation against the new partner, which is unnecessary if the outage of the original partner is only temporary.

How can an administrator delete a connection object locally on an RODC?
The KCC on an RODC will build inbound connection objects for Active Directory replication. These objects cannot be seen on other writable domain controllers because they are not replicated from the RODC.
You cannot use the Active Directory Sites and Services snap-in to remove these connection objects, but you can use Ldp.exe or Adsiedit.msc. The KCC on the RODC will then rebuild a connection.
This way, you can trigger redistribution of connection objects across a set of RODCs that have site links to a single hub site that has multiple bridgehead servers.

How can an administrator trigger replication to an RODC?
You can use the following methods:
By running the repadmin /replicate or repadmin /syncall operations.
By using the Active Directory Sites and Services snap-in. In this case, you can right-click the connection object and click Replicate Now.
You can use Active Directory Sites and Services on a writable domain controller to create an inbound replication connection object on any domain controller, including an RODC, even if no inbound connection exists on the domain controller. This is similar to running a repadmin /add operation.

How are writable directory partitions differentiated from read-only directory partitions?
This comes from an attribute on the directory partition head called instancetype. This is a bit mask. If bit 3 (0x4) is set, the directory partition is writable. If the bit is not set, the directory partition is read-only.
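A way to check that bit for every partition a given domain controller hosts, as an added example that is not part of the FAQ: it reads namingContexts from the DC's RootDSE, fetches instanceType from each partition head and decodes it. Bit 0x4 is the writable flag the FAQ describes; bit 0x1 (the object is a naming-context head) is a documented instanceType bit that the page does not mention. It assumes the ActiveDirectory module and read access to the target DC.

```powershell
# Added example (not from the FAQ). Assumes the ActiveDirectory module. Bit 0x4
# is the writable flag the FAQ describes; bit 0x1 (naming-context head) is a
# documented instanceType bit not quoted on the page.
Import-Module ActiveDirectory

$IT_NC_HEAD = 0x1
$IT_WRITE   = 0x4   # "bit 3" in the FAQ's counting

function ConvertFrom-InstanceType {
    param([Parameter(Mandatory)][int]$Value)
    [pscustomobject]@{
        Raw      = ('0x{0:X}' -f $Value)
        IsNcHead = [bool]($Value -band $IT_NC_HEAD)
        Writable = [bool]($Value -band $IT_WRITE)
    }
}

function Get-PartitionWritability {
    # Reads every naming context the given DC advertises and decodes the
    # instanceType on each partition head. On an RODC, Writable is false for all
    # partitions; on a writable DC it is true for each partition it hosts.
    param([Parameter(Mandatory)][string]$Server)
    $root = Get-ADRootDSE -Server $Server
    foreach ($nc in $root.namingContexts) {
        $head = Get-ADObject -Identity $nc -Server $Server -Properties instanceType
        $bits = ConvertFrom-InstanceType -Value ([int]$head.instanceType)
        [pscustomobject]@{
            Server    = $Server
            Partition = $nc
            Raw       = $bits.Raw
            IsNcHead  = $bits.IsNcHead
            Writable  = $bits.Writable
        }
    }
}

# Usage (server name from the FAQ's examples):
# Get-PartitionWritability -Server 'RODC-DC-02' | Format-Table
```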

Why can an RODC only replicate the domain directory partition from a domain controller running Windows Server 2008 in the same domain?
This is how the filtering of secrets is enforced during inbound replication to an RODC. A domain controller running Windows Server 2008 is programmed not to send secret material to an RODC during replication, unless the Password Replication Policy permits it. Because a domain controller running Windows Server 2003 has no concept of the Password Replication Policy, it sends all secrets, regardless of whether they are permitted.

How does the KCC differentiate between domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008?
The NTDS-DSA object has an msDS-Behavior-Version attribute. A value of 2 indicates that the domain controller is running Windows Server 2003. A value of 3 indicates that it is running Windows Server 2008.
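The three KCC-related answers above (NTDS-DSA versus NTDS-DSA-RO object categories, the two inbound connection objects on an RODC and their fromServer synchronisation during failover, and msDS-Behavior-Version) can be checked from one script. The following is an added example, not code from the FAQ: it inventories every NTDS Settings object under CN=Sites, flags RODCs by their objectCategory, maps msDS-Behavior-Version with the 2 = Windows Server 2003 / 3 = Windows Server 2008 values the FAQ gives, and then reads each RODC's inbound connection objects from the RODC itself, because (as the FAQ states) those objects are never replicated outward. Two assumptions are not on the page: nTDSDSARO is used as the LDAP display name of the NTDS-DSA-RO class in the filter (harmless if it does not match, since the nTDSDSA branch still applies), and bit 0x1 of an nTDSConnection object's options attribute is the "generated by the KCC" flag.

```powershell
# Added example (not from the FAQ). Assumes the ActiveDirectory module, read
# access to the Configuration partition and LDAP access to each RODC.
Import-Module ActiveDirectory

# Mapping quoted from the FAQ; other values are reported as unknown.
$BehaviorVersionName = @{ 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

function Get-DcInventory {
    $sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
    # Writable DCs have objectCategory NTDS-DSA, RODCs NTDS-DSA-RO; a writable
    # DC's KCC only searches for NTDS-DSA, which is why it never sees RODCs.
    $ntds = Get-ADObject -SearchBase $sitesDn -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=nTDSDSA)(objectClass=nTDSDSARO))' `
        -Properties objectCategory, 'msDS-Behavior-Version'
    foreach ($n in $ntds) {
        # The server object is the parent of "CN=NTDS Settings" and carries the DNS name.
        $serverDn = $n.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
        $ver      = [int]$n.'msDS-Behavior-Version'
        [pscustomobject]@{
            HostName        = $server.dNSHostName
            NtdsSettingsDn  = $n.DistinguishedName
            IsRodc          = [bool]($n.objectCategory -match '^CN=NTDS-DSA-RO,')
            BehaviorVersion = $ver
            OsFamily        = if ($BehaviorVersionName.ContainsKey($ver)) { $BehaviorVersionName[$ver] } else { "unknown ($ver)" }
        }
    }
}

function Get-RodcInboundConnections {
    param([Parameter(Mandatory)][string]$RodcHostName,
          [Parameter(Mandatory)][string]$NtdsSettingsDn)
    # Connection objects built by the RODC's own KCC are not replicated outward,
    # so they must be read from the RODC (-Server), not from a hub DC.
    $conns = Get-ADObject -Server $RodcHostName -SearchBase $NtdsSettingsDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer, options
    $rows = foreach ($c in $conns) {
        [pscustomobject]@{
            Rodc         = $RodcHostName
            Connection   = $c.Name
            FromServer   = $c.fromServer
            KccGenerated = [bool]([int]$c.options -band 0x1)   # assumption: IS_GENERATED bit
        }
    }
    # During failover the AD replication connection already points at the new
    # partner while the FRS connection keeps the old fromServer until the old
    # connection is removed; two distinct fromServer values is that window.
    $partners = @($rows | Select-Object -ExpandProperty FromServer -Unique)
    if ($partners.Count -gt 1) {
        Write-Warning "$RodcHostName has inbound connections from different partners (FRS lag window?)"
    }
    $rows
}

# Usage:
# $inv = Get-DcInventory
# $inv | Format-Table HostName, IsRodc, OsFamily
# $inv | Where-Object { $_.IsRodc } |
#     ForEach-Object { Get-RodcInboundConnections -RodcHostName $_.HostName -NtdsSettingsDn $_.NtdsSettingsDn }
```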

Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?
The Allowed RODC Password Replication Group and the Denied RODC Password Replication Group are domain local groups. Domain local groups cannot contain built-in groups.

What actually happens when you add a user to an Administrator Role Separation role?
The configuration adds entries to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\lsa\rodcroles
Name: 544
Data type: REG_MULTI_SZ
Value: S-1-5-21-760266474-1386482297-4237089879-1107
The role is denoted by the entry name; 544, for example, is the well-known RID for the builtin\administrators group. Each value then represents the security identifier (SID) of a user who has been assigned to the role.
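Because the role assignments are stored only in the RODC's local registry, auditing who has been delegated local administration means reading that subkey on each RODC. The following is an added example, not from the FAQ: it enumerates the rodcroles subkey the FAQ documents, translates the value name (a well-known BUILTIN RID) and each member SID to account names, and compares the result with an approved list. It assumes it runs on the RODC (or through Invoke-Command) with connectivity to a DC for SID translation; the approved SID in the usage line is the FAQ's own sample value.

```powershell
# Added example (not from the FAQ). Reads the subkey the FAQ documents; run on
# the RODC itself or through Invoke-Command. SID translation needs a reachable DC.
$RodcRolesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\RODCRoles'

function Resolve-SidName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return '<unresolved>'   # deleted account, or no DC reachable
    }
}

function Get-RodcRoleAssignments {
    if (-not (Test-Path $RodcRolesKey)) { return @() }
    $key = Get-Item -Path $RodcRolesKey
    foreach ($rid in $key.GetValueNames()) {
        # Value name = well-known RID of a BUILTIN group (544 = Administrators),
        # so the role SID is S-1-5-32-<RID>.
        $roleName = Resolve-SidName -Sid "S-1-5-32-$rid"
        # REG_MULTI_SZ data = SIDs of the principals delegated into that role.
        foreach ($sid in @($key.GetValue($rid))) {
            [pscustomobject]@{
                RoleRid   = [int]$rid
                Role      = $roleName
                MemberSid = $sid
                Member    = Resolve-SidName -Sid $sid
            }
        }
    }
}

function Test-RodcRoleDrift {
    # Returns delegations whose SID is not on the approved list; each one is a
    # change to local administration of the RODC that should be accounted for.
    param([Parameter(Mandatory)][string[]]$ApprovedSids)
    Get-RodcRoleAssignments | Where-Object { $ApprovedSids -notcontains $_.MemberSid }
}

# Usage (approved SID taken from the FAQ's sample value):
# Get-RodcRoleAssignments | Format-Table
# Test-RodcRoleDrift -ApprovedSids @('S-1-5-21-760266474-1386482297-4237089879-1107')
```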
How can an administrator determine the closest site for any given site?
Look at the site link costs that appear in Active Directory Sites and Services.
-or-
After an RODC is installed successfully in an Active Directory site, run the nltest command against the RODC.
The following example shows the command and the results:
C:\>nltest /dsgetdc:rodc /server:rodc-dc-02 /try_next_closest_site /avoidself
DC: \\HUB-DC-01
Address: \\2001:4898:28:4:5e1:903a:7987:eea5
Dom Guid: 00e80237-c5ce-4143-b0b8-cfa5c83a5654
Dom Name: RODC
Forest Name: rodc.nttest.contoso.com
Dc Site Name: Hub
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET
The command completed successfully

Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site?
If your user account password cannot be replicated to the RODC in your site or if the RODC does not currently have your password, the Kerberos AS_REQ is forwarded to a hub domain controller that provides your TGT.
The process that updates the environment variables uses the hub domain controller as the logon server for the environment variable. The %logonserver% environment variable is not updated for the duration of that logon session, even though the user is forced to reauthenticate against the RODC.

What relevant RODC event log entries are there?
If an RODC attempts a Replicate Single Object (RSO) operation to cache a password that the Password Replication Policy prevents from replicating to the RODC, the hub domain controller that the RODC contacts logs event ID 1699.
The details for event ID 1699 include:
Log Name: Directory Service
Source: NTDS Replication
Date: 5/2/2006 2:37:39 PM
Event ID: 1699
Task Category: Replication
Level: Error
Keywords: Classic
User: RODC\RODC-DC-02$
Computer: HUB-DC-01
Description:
This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
Directory partition:
CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
Network address:
c6ef8d14-f015-4cd0-94cc-c7f5c9c834ba._msdcs.rodc.nttest.contoso.com
Extended request code:
7
Additional Data
Error value:
8453 Replication access was denied.
A successful logon logs event ID 4768 on the hub domain controller and on the RODC.
The details of event ID 4768 on the hub domain controller include the following:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/2/2006 3:58:05 PM
Event ID: 4768
Task Category: Kerberos Ticket Events
Level: Information
Keywords: Audit Success
User: N/A
Computer: hub-dc-01.rodc.nttest.contoso.com
Description:
Authentication Ticket Request:
Account Name: test10
Supplied Realm Name: RODC
User ID: S-1-5-21-3503915162-2421288034-2003080229-1128
Service Name: krbtgt
Service ID: S-1-5-21-3503915162-2421288034-2003080229-502
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 2001:4898:28:4:6182:4acd:65c9:283a
Client Port: 55763
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
At the default Event log settings, no replication event shows that the password has replicated to the RODC.
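The two events above are the signal a defender has for RODC credential caching: event 1699 with error 8453 on the hub DC shows an RODC asking for a secret its Password Replication Policy forbids, and comparing 4768 volumes between the RODC and the hub DC shows which users are being serviced by the hub because their secrets are not cached (the %logonserver% question below describes the same effect). The following is an added example, not from the FAQ: two Get-WinEvent queries that pull those events from the named DCs and extract the fields shown in the sample events. It assumes Windows Server 2008 or later, remote event log access, and English event text (the regular expressions match the wording in the FAQ's samples).

```powershell
# Added example (not from the FAQ). Uses Get-WinEvent against the hub DCs and
# the RODC; the caller needs remote event log read access. The message
# regexes match the English event text shown in the FAQ.

function Get-PrpDenialEvents {
    # Event 1699 with error 8453 on a hub DC = an RODC asked (RSO) for a secret
    # that the Password Replication Policy does not allow it to cache.
    param([Parameter(Mandatory)][string[]]$HubDc, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($dc in $HubDc) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1699; StartTime = $since }
        foreach ($e in $events) {
            $m = $e.Message
            $partition = $null; $address = $null; $err = $null
            if ($m -match 'Directory partition:\s*(?<dn>[^\r\n]+)') { $partition = $Matches.dn.Trim() }
            if ($m -match 'Network address:\s*(?<addr>[^\r\n]+)')   { $address   = $Matches.addr.Trim() }
            if ($m -match 'Error value:\s*(?<code>\d+)')            { $err       = [int]$Matches.code }
            if ($err -ne 8453) { continue }   # other 1699 causes are ordinary replication failures
            [pscustomobject]@{
                Time         = $e.TimeCreated
                HubDc        = $dc
                RequestorSid = $e.UserId      # the RODC's computer account
                Object       = $partition     # DN of the account whose secret was requested
                RodcAddress  = $address       # GUID-based replication name of the RODC
            }
        }
    }
}

function Get-KerberosAsRequests {
    # Event 4768 per DC. Accounts that show up on the hub DC rather than on the
    # branch RODC are the ones whose secrets the RODC could not cache.
    param([Parameter(Mandatory)][string[]]$Dc, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($d in $Dc) {
        $events = Get-WinEvent -ComputerName $d -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4768; StartTime = $since }
        foreach ($e in $events) {
            $m = $e.Message
            $acct = if ($m -match 'Account Name:\s*(?<n>\S+)') { $Matches.n } else { '?' }
            $code = if ($m -match 'Result Code:\s*(?<c>0x[0-9A-Fa-f]+)') { $Matches.c } else { '?' }
            [pscustomobject]@{ Time = $e.TimeCreated; Dc = $d; Account = $acct; ResultCode = $code }
        }
    }
}

# Usage (server names from the FAQ's examples):
# Get-PrpDenialEvents -HubDc 'HUB-DC-01' | Format-Table
# Get-KerberosAsRequests -Dc 'HUB-DC-01', 'RODC-DC-02' |
#     Group-Object Dc, Account | Sort-Object Count -Descending
```

Parsing the rendered message is the portable option across Windows Server 2008 and later; where the event XML is available, the same fields can be read from the EventData elements without depending on the display language.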
Password changes are not always "chained" by an RODC. Why?
Some password-change operations, such as a user initiating a password-change request by pressing Ctrl+Alt+Del, specifically require a writable domain controller. When the client computer detects that the RODC is not writable, it locates a writable domain controller instead. Other password-change operations, such as a user's password expiring and when the user is prompted to change it at logon, do not specifically require a writable domain controller.

How does a hub domain controller recognize that a request to replicate a password is coming from an RODC?
The RODC does a bind and calls the "replicate single object" application programming interface (API). The binding handle shows that it is an RODC account.

Why does an RODC replicate in a cached password both by RSO operation and normal replication?
When a single object is replicated to the RODC in the branch site, the update sequence number (USN) and the high-water mark are not updated. As a result, the object is replicated to the branch site again at a later time.

Does an RODC perform password validation forwarding even when it has a password for a user?
Yes, in the case where a user presents a password that does not match what the RODC has stored locally, the RODC will forward the authentication request. The RODC forwards the request to the writable Windows Server 2008 domain controller that is its replication partner, which in turn forwards the request to the PDC emulator if required. If the authentication is validated at the writable Windows Server 2008 domain controller or the PDC emulator, the RODC will purge the currently stored password and replicate the new password by RSO operation.

Can you remove the last domain controller in a domain if there are unoccupied (or disabled) RODC accounts in the domain?
As for all previous versions of Windows Server, it is a requirement that all other domain controllers have been removed from the domain before you can remove the last domain controller. For Windows Server 2008, this requirement includes the removal of all RODCs and the removal of any precreated but unused RODC accounts.

What's the Wow6432Node under the HKEY_LOCAL_MACHINE\SOFTWARE registry subkey?

http://www.windowsitpro.com/article/internals-and-architecture/what-s-the-wow6432node-under-the-hkey_local_machine-software-registry-subkey-.aspx


What's the Wow6432Node under the HKEY_LOCAL_MACHINE\SOFTWARE registry subkey?

The Wow6432 registry entry indicates that you're running a 64-bit version of Windows. The OS uses this key to present a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on a 64-bit version of Windows. When a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE subkey, the application actually reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node subkey. The figure below shows the structure under Wow6432Node that 32-bit applications will see. A "registry reflector" copies certain values between the 32-bit and 64-bit registry views (mainly for COM registration) and resolves any conflicts using a last-writer-wins approach.
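The redirection described above means that a review of a registry location has to cover both views, or a value visible only to 32-bit processes will be missed. The following is an added example, not from the article: it opens the same HKLM\SOFTWARE subkey through the native 64-bit view and through the 32-bit view that WOW64 redirects to Wow6432Node, using the .NET RegistryView API, and lists where the two differ. The Run key is used as the default subkey because it is one that security reviews routinely audit in both views; any subkey name can be passed in.

```powershell
# Added example (not from the article). Uses the .NET RegistryView API (.NET 4)
# to read one subkey through both registry views on a 64-bit Windows host.
function Get-RegistryViewValues {
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View,
        [string]$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $values = @{}
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($key) {
            foreach ($name in $key.GetValueNames()) { $values[$name] = [string]$key.GetValue($name) }
            $key.Close()
        }
    } finally {
        $base.Close()
    }
    $values
}

function Compare-RegistryViews {
    param([string]$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    # Registry64 = what a 64-bit process reads; Registry32 = what a 32-bit process
    # reads, i.e. SOFTWARE\Wow6432Node\<SubKey> on a 64-bit OS.
    $v64 = Get-RegistryViewValues -View ([Microsoft.Win32.RegistryView]::Registry64) -SubKey $SubKey
    $v32 = Get-RegistryViewValues -View ([Microsoft.Win32.RegistryView]::Registry32) -SubKey $SubKey
    $names = @($v64.Keys) + @($v32.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        [pscustomobject]@{
            Value      = $n
            View64     = $v64[$n]
            View32     = $v32[$n]
            SameInBoth = ($v64.ContainsKey($n) -and $v32.ContainsKey($n) -and ($v64[$n] -eq $v32[$n]))
        }
    }
}

# Usage:
# Compare-RegistryViews | Where-Object { -not $_.SameInBoth } | Format-Table -AutoSize
# On a 64-bit host the 32-bit view above is the same data as reading the
# redirected path directly:
# Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
```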

Active Directory and Active Directory Domain Services Port Requirements

http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx


Active Directory and Active Directory Domain Services Port Requirements
Updated: June 18, 2009
Applies To: Windows Server 2000,Windows Server 2003,Windows Server 2003 R2,Windows Server 2003 with SP1,Windows Server 2003 with SP2,Windows Server 2008,Windows Server 2008 Foundation,Windows Server 2008 R2,Windows Vista
This guide contains port requirements for various Active Directory® and Active Directory Domain Services (AD DS) components.
Default dynamic port range
In a mixed-mode domain that consists of Windows Server® 2003–based domain controllers, Microsoft® Windows® 2000 Server–based domain controllers, or early-version client computers, the default dynamic port range is 1025 through 5000. Windows Server 2008 and Windows Vista®, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic client port range for outgoing connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 server, allow traffic through ports 1025 through 5000 and 49152 through 65535.
When you see “TCP Dynamic” in the Port columns in the following tables, it refers to ports 1025 through 5000, the default port range for Windows Server 2003 and earlier versions of the client operating system, and ports 49152 through 65535 for Windows Server 2008 and Windows Vista.
Note
For more information about the change in the dynamic port range in Windows Server 2008, see article 929851 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=153117).
You can find additional information about this change on the Ask the Directory Services Team blog. See the blog entry Dynamic Client Ports in Windows Server 2008 and Windows Vista (http://go.microsoft.com/fwlink/?LinkId=153113).
Restricting RPC to a specific port
RPC traffic is used over a dynamic port range as described in the previous section, "Default dynamic port range." To restrict RPC traffic to a specific port, see article 224196 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=133489).
Operating systems
In the tables in this document, the port requirements are for Windows 2000 Server, Windows Server 2003, and Windows Server 2008 unless otherwise noted in the section heading or table.
Replication
The following table lists the port assignments for Active Directory and AD DS replication.

Port                 Type of traffic
TCP and UDP 389      LDAP
TCP 636              LDAP SSL
TCP 3268             GC
TCP and UDP 88       Kerberos
TCP and UDP 53       DNS
TCP and UDP 445      SMB over IP
TCP 25               SMTP
TCP 135, Dynamic     RPC, EPM
Note
Replication of SYSVOL requires File Replication Service (FRS) or Distributed File System (DFS) Replication over a dynamic RPC port. If you want to configure FRS or DFS Replication to use a particular port, see article 832017 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=22498).
Trusts
The following tables list the port requirements for establishing trusts in the following environments:
Microsoft Windows NT®
Microsoft Windows 2000 Server and Windows Server 2003
Windows Server 2008
Windows NT
The following table lists the port assignments for establishing a trust with a Windows NT 4.0 domain. In this environment, one side of the trust is a Windows NT 4.0 trust or the trust was created by using the NetBIOS names.

Client port     Server port     Type of traffic
UDP 137         UDP 137         NetBIOS Name Resolution
UDP 138         UDP 138         NetBIOS Datagram Service
TCP Dynamic     TCP 139         NetBIOS Session Service
Windows 2000 Server and Windows Server 2003
For a mixed-mode domain that uses either Windows NT domain controllers or early-version client computers, trust relationships between Windows 2000 Server–based domain controllers and Windows Server 2003–based domain controllers may necessitate that all the ports for Windows NT that are listed in the previous table be opened, in addition to the ports in the following table.
Note
The two domain controllers are both in the same forest, or the two domain controllers are both in a separate forest apart from one another. Also, the trusts in the forest are Windows Server 2003 trusts or Windows Server 2008 trusts.

Client port                 Server port         Type of traffic
TCP Dynamic                 TCP 135             RPC, EPM
TCP Dynamic                 TCP Dynamic         Local Security Authority (LSA) RPC Services
TCP and UDP Dynamic         TCP 389             LDAP
TCP Dynamic                 TCP 636             LDAP SSL
TCP Dynamic                 TCP 3268            GC
TCP Dynamic                 TCP 3269            GC SSL
TCP and UDP 53, Dynamic     TCP and UDP 53      DNS
TCP and UDP Dynamic         TCP and UDP 88      Kerberos
TCP Dynamic                 TCP 445             SMB, DFS, LsaRPC, Nbtss, NetLogonR, SamR, SrvSvc
Note
To define RPC server ports that the LSA RPC services use, see article 832017 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=22498).
Windows Server 2008
In a mixed domain environment, you have to open the ports in the following table as well as the ports in the Windows NT, Windows 2000 Server, and Windows Server 2003 tables in the “Trusts” section of this document.
Note
See the previous section “Default dynamic port range” for a description of the new dynamic port range that Windows Server 2008 uses.

Client port                 Server port                 Type of traffic
TCP Dynamic                 TCP 135, 49152–65535        RPC, EPM
TCP and UDP Dynamic         TCP and UDP 389             LDAP
TCP Dynamic                 TCP 636                     LDAP SSL
TCP Dynamic                 TCP 3268                    GC
TCP Dynamic                 TCP 3269                    GC SSL
TCP and UDP 53, Dynamic     TCP and UDP 53              DNS
TCP and UDP Dynamic         TCP and UDP 88              Kerberos
TCP and UDP Dynamic         TCP-NP and UDP-NP 445       Security Accounts Manager (SAM), LSA
TCP Dynamic                 UDP 138                     NetBIOS Datagram Service
Global catalog
The following table lists the ports that global catalog servers use.

Port         Type of traffic
TCP 3268     GC
TCP 3269     GC SSL
Read-only domain controllers
The following table lists the ports that you must open on the firewall to allow communication from a writable domain controller in a corporate network to a read-only domain controller (RODC) in a perimeter network.

Port                 Type of traffic
TCP 135              RPC, EPM
TCP Static 53248     FRsRpc
TCP 389              LDAP
Note
For more information about configuring file replication through a specific static port, see article 319553 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=149419).
The following table lists the ports that you must open on the firewall to allow communication from an RODC in a perimeter network to a writable domain controller in a corporate network.

Port                 Type of traffic
TCP 57344            DRSUAPI, LsaRpc, NetLogonR
TCP Static 53248     FRsRpc
TCP and UDP 389      LDAP
TCP 3268             GC
TCP 445              DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP and UDP 53       DNS
TCP 88               Kerberos
UDP 123              Windows Time service (W32time)
TCP and UDP 464      Kerberos Change/Set Password
Note
For more information about configuring Active Directory replication through a specific port, see article 224196 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=133489).
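A firewall rule set built from the tables above should be verified from the perimeter side before the RODC is relied on. The following is an added example, not part of the TechNet guide: run on the RODC, it probes each TCP port from the "RODC in a perimeter network to a writable domain controller" table against the hub DC with a plain .NET TcpClient (so it works on Windows Server 2008, which has no Test-NetConnection), and it also reads the host's dynamic TCP port range with netsh, which is the range the "Default dynamic port range" section says the firewall must allow. Two caveats are built in: the static ports 57344 and 53248 only listen if the hub DC has been configured as that table assumes (KB224196 and KB319553), and UDP-only entries (123, and the UDP halves of 53, 389 and 464) are not probed because a UDP port cannot be confirmed open without a protocol-level exchange. English netsh output is assumed for the parsing.

```powershell
# Added example (not from the TechNet guide). Run from the RODC in the
# perimeter network. Port list copied from the "RODC -> writable DC" table;
# TCP entries only.
$RodcToHubTcpPorts = @(
    @{ Port = 57344; Traffic = 'DRSUAPI, LsaRpc, NetLogonR (static RPC port; only if configured per KB224196)' },
    @{ Port = 53248; Traffic = 'FRsRpc (static; only if configured per KB319553)' },
    @{ Port = 389;   Traffic = 'LDAP' },
    @{ Port = 3268;  Traffic = 'GC' },
    @{ Port = 445;   Traffic = 'DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc' },
    @{ Port = 53;    Traffic = 'DNS' },
    @{ Port = 88;    Traffic = 'Kerberos' },
    @{ Port = 464;   Traffic = 'Kerberos Change/Set Password' }
)

function Test-TcpPort {
    param([Parameter(Mandatory)][string]$TargetHost,
          [Parameter(Mandatory)][int]$Port,
          [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        # A filtered port typically times out; a closed one is refused (throws).
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-RodcToHubPorts {
    # Reports each required TCP port and whether the path to the writable DC allows it.
    param([Parameter(Mandatory)][string]$WritableDc)
    foreach ($entry in $RodcToHubTcpPorts) {
        [pscustomobject]@{
            Target  = $WritableDc
            Port    = $entry.Port
            Traffic = $entry.Traffic
            Open    = Test-TcpPort -TargetHost $WritableDc -Port $entry.Port
        }
    }
}

function Get-DynamicTcpPortRange {
    # Windows Server 2008 defaults to 49152 through 65535; a mixed environment
    # must also allow 1025 through 5000 for the older systems.
    $text  = (& netsh int ipv4 show dynamicport tcp) -join "`n"
    $start = if ($text -match 'Start Port\s*:\s*(\d+)')      { [int]$Matches[1] } else { $null }
    $count = if ($text -match 'Number of Ports\s*:\s*(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        StartPort = $start
        EndPort   = if ($start -ne $null -and $count -ne $null) { $start + $count - 1 } else { $null }
        Count     = $count
    }
}

# Usage (host name from the FAQ's nltest sample):
# Test-RodcToHubPorts -WritableDc 'hub-dc-01.rodc.nttest.contoso.com' | Format-Table -AutoSize
# Get-DynamicTcpPortRange
```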
The following table lists the ports that you must open on the firewall to allow communication between the member servers in a perimeter network and an RODC in the perimeter network. You must open these ports only if there is an internal firewall that separates the member servers in the perimeter network from the RODC in the perimeter network.

Port                 Type of traffic
TCP 135              RPC, EPM
TCP and UDP 389      LDAP
TCP 445              DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
UDP 53               DNS
TCP 88               Kerberos
TCP and UDP 464      Kerberos Change/Set Password
TCP Dynamic          DNS, DRSUAPI, NetLogonR, SamR
Note
If you are using Windows Server 2003 in the perimeter network, you must also open UDP port 88 for Kerberos communication. In contrast, by default Windows Server 2008 uses only TCP port 88 for Kerberos communication.
DNS
The following table lists the port requirements for Domain Name System (DNS).

Port                 Type of traffic
TCP and UDP 53       DNS
DHCP
The following table lists the port requirements for Dynamic Host Configuration Protocol (DHCP).

Port         Type of traffic
UDP 67       DHCP
UDP 2535     MADCAP
Windows Internet Name Service
The following table lists the port requirements for Windows Internet Name Service (WINS).

Port                 Type of traffic
TCP and UDP 42       WINS Replication
UDP 137              NetBIOS Name Resolution
User and computer authentication
The following table lists the port requirements for user and computer authentication.

Port                 Type of traffic
TCP and UDP 445      SMB/CIFS/SMB2
TCP and UDP 88       Kerberos
UDP 389              LDAP
TCP and UDP 53       DNS
TCP Dynamic          RPC
Note
For information about how to restrict RPC traffic to a specific port, see article 224196 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=133489).
Group Policy
The following table lists the port requirements for Group Policy. In addition to the ports in the following table, a client computer must also be able to contact a domain controller over Internet Control Message Protocol (ICMP). ICMP is used for slow link detection.

Port                     Type of traffic
TCP and UDP Dynamic      DCOM, RPC, EPM
TCP 389                  LDAP
TCP 445                  SMB
Active Directory Web Services
The following table lists the port requirement for Active Directory Web Services (ADWS).
Note
ADWS is used only in Windows Server 2008 R2.

Port         Type of traffic
TCP 9389     SOAP

Tuesday, June 1, 2010

Boot INI Options Reference

http://www.microsoft.com/taiwan/technet/sysinternals/information/bootini.mspx

Introduction
There are a number of BOOT.INI switches that are useful for driver developers who wish to test their drivers under a variety of different system configurations without having to have a separate machine for every one. For example, limiting the amount of memory NT sees can be useful for stressing memory loads, and limiting the number of processors for testing scalability. I've compiled a complete list of the options that BOOT.INI currently supports. This list is reproduced in the Startup, Shutdown and Crashes chapter of Windows Internals, where you'll find more information about the boot process. Entries in red were introduced in Windows 2000 and those in blue introduced in Windows XP or Windows Server 2003.
Note: to see what options a system has booted with examine HKLM\System\CurrentControlSet\Control\SystemStartOptions.

/3GB

Increases the size of the user process address space from 2 GB to 3 GB (and therefore reduces the size of system space from 2 GB to 1 GB). Giving virtual-memory-intensive applications such as database servers a larger address space can improve their performance. For an application to take advantage of this feature, however, two additional conditions must be met: the system must be running Windows XP, Windows Server 2003, Windows NT 4 Enterprise Edition, or Windows 2000 Advanced Server or Datacenter Server, and the application .exe must be flagged as a 3-GB-aware application. Applies to 32-bit systems only.

/BASEVIDEO

Causes Windows to use the standard VGA display driver for GUI-mode operations.

/BAUDRATE=

Enables kernel-mode debugging and specifies an override for the default baud rate (19200) at which a remote kernel debugger host will connect. Example: /BAUDRATE=115200.

/BOOTLOG

Causes Windows to write a log of the boot to the file %SystemRoot%\Ntbtlog.txt.

/BOOTLOGO

Use this switch to have Windows XP or Windows Server 2003 display an installable splash screen instead of the standard splash screen. First, create a 16-color (any 16 colors) 640x480 bitmap and save it in the Windows directory with the name Boot.bmp. Then add "/bootlogo /noguiboot" to the boot.ini selection.

/BREAK

Causes the hardware abstraction layer (HAL) to stop at a breakpoint at HAL initialization. The first thing the Windows kernel does when it initializes is to initialize the HAL, so this breakpoint is the earliest one possible. The HAL will wait indefinitely at the breakpoint until a kernel-debugger connection is made. If the switch is used without the /DEBUG switch, the system will Blue Screen with a STOP code of 0x00000078 (PHASE0_EXCEPTION).

/BURNMEMORY=

Specifies an amount of memory Windows can't use (similar to the /MAXMEM switch). The value is specified in megabytes. Example: /BURNMEMORY=128 would indicate that Windows can't use 128 MB of the total physical memory on the machine.

/CHANNEL=

Used in conjunction with /DEBUGPORT=1394 to specify the IEEE 1394 channel through which kernel debugging communications will flow. This can be any number between 0 and 62 and defaults to 0 if not set.

/CLKLVL

Causes the standard x86 multiprocessor HAL (Halmps.dll) to configure itself for a level-sensitive system clock rather than an edge-triggered clock. Level-sensitive and edge-triggered are terms used to describe hardware interrupt types.

/CMDCONS

Passed when booting into the Recovery Console (described in the Startup, Shutdown and Crashes chapter of Windows Internals).

/CRASHDEBUG

Causes the kernel debugger to be loaded when the system boots, but to remain inactive unless a crash occurs. This allows the serial port that the kernel debugger would use to be available for use by the system until the system crashes (vs. /DEBUG, which causes the kernel debugger to use the serial port for the life of the system session).

/DEBUG

Enables kernel-mode debugging.

/DEBUGPORT=

Enables kernel-mode debugging and specifies an override for the default serial port (usually COM2 on systems with at least two serial ports) to which a remote kernel-debugger host is connected. Windows XP and Windows Server 2003 also support debugging over IEEE 1394 ports. Examples: /DEBUGPORT=COM2, /DEBUGPORT=1394.

/EXECUTE

This option disables no-execute protection. See the /NOEXECUTE switch for more information.

/FASTDETECT

Default boot option for Windows. Replaces the Windows NT 4 switch /NOSERIALMICE. The reason the qualifier exists (vs. just having NTDETECT perform this operation by default) is so that NTDETECT can support booting Windows NT 4. Windows Plug and Play device drivers perform detection of parallel and serial devices, but Windows NT 4 expects NTDETECT to perform the detection. Thus, specifying /FASTDETECT causes NTDETECT to skip parallel and serial device enumeration (actions that are not required when booting Windows), whereas omitting the switch causes NTDETECT to perform this enumeration (which is required for booting Windows NT 4).

/INTAFFINITY

Directs the standard x86 multiprocessor HAL (Halmps.dll) to set interrupt affinities such that only the highest numbered processor will receive interrupts. Without the switch, the HAL defaults to its normal behavior of letting all processors receive interrupts.

/KERNEL= /HAL=

These switches enable you to override Ntldr's default filenames for the kernel image (Ntoskrnl.exe) and the HAL (Hal.dll). They are useful for alternating between a checked kernel environment and a free (retail) kernel environment, or for manually selecting a different HAL. If you want to boot a checked environment that consists solely of the checked kernel and HAL, which is typically all that is needed to test drivers, follow these steps on a system installed with the free build:

1. Copy the checked versions of the kernel images from the checked build CD to your \Windows\System32 directory, giving the images different names than the default. For example, if you're on a uniprocessor, copy Ntoskrnl.exe to Ntoschk.exe and Ntkrnlpa.exe to Ntoschkpa.exe. If you're on a multiprocessor, copy Ntkrnlmp.exe to Ntoschk.exe and Ntkrpamp.exe to Ntoschkpa.exe. The kernel filename must be an 8.3-style short name.

2. Copy the checked version of the appropriate HAL needed for your system from \I386\Driver.cab on the checked build CD to your \Windows\System32 directory, naming it Halchk.dll. To determine which HAL to copy, open \Windows\Repair\Setup.log and search for Hal.dll; you'll find a line like \WINDOWS\system32\hal.dll="halacpi.dll","1d8a1". The name immediately to the right of the equals sign is the name of the HAL you should copy. The HAL filename must be an 8.3-style short name.

3. Make a copy of the default line in the system's Boot.ini file.

4. In the string description of the boot selection, add something that indicates that the new selection will be for a checked build environment (for example, "Windows XP Professional Checked").

5. Add the following to the end of the new selection's line: /KERNEL=NTOSCHK.EXE /HAL=HALCHK.DLL
Now when the selection menu appears during the boot process you can select the new entry to boot a checked environment or select the entry you were using to boot the free build.

/LASTKNOWNGOOD

Causes the system to boot as if the LastKnownGood boot option was selected.

/MAXMEM=

Causes Windows to ignore (not use) physical memory beyond the amount indicated. The number is interpreted in megabytes. Example: /MAXMEM=32 would limit the system to using the first 32 MB of physical memory even if more were present.

/MAXPROCSPERCLUSTER=

For the standard x86 multiprocessor HAL (Halmps.dll), forces cluster-mode Advanced Programmable Interrupt Controller (APIC) addressing (not supported on systems with an 82489DX external APIC interrupt controller).

/MININT

This option is used by Windows PE (Preinstallation Environment) and causes the Configuration Manager to load the Registry SYSTEM hive as a volatile hive such that changes made to it in memory are not saved back to the hive image.

/NODEBUG

Prevents kernel-mode debugging from being initialized. Overrides the specification of any of the three debug-related switches, /DEBUG, /DEBUGPORT, and /BAUDRATE.

/NOEXECUTE

This option is available only on 32-bit versions of Windows running on processors that support no-execute protection. It enables no-execute protection (also known as Data Execution Prevention, DEP), which causes the Memory Manager to mark pages containing data as no-execute so that they cannot be executed as code. This helps prevent malicious code from exploiting buffer overflow bugs with unexpected program input in order to execute arbitrary code. No-execute protection is always enabled on 64-bit versions of Windows on processors that support it. There are several options you can specify with this switch:

/NOEXECUTE=OPTIN Enables DEP for core system images and those specified in the DEP configuration dialog.

/NOEXECUTE=OPTOUT Enables DEP for all images except those specified in the DEP configuration dialog.

/NOEXECUTE=ALWAYSON Enables DEP on all images.

/NOEXECUTE=ALWAYSOFF Disables DEP.
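When a boot.ini is recovered from a disk image or found on a legacy host, the switches a reviewer cares about are the ones in this reference that weaken the booted system: /EXECUTE or /NOEXECUTE=ALWAYSOFF (DEP off), /DEBUG, /DEBUGPORT=, /BAUDRATE= or /CRASHDEBUG without a /NODEBUG override (a kernel debugger reachable over a port), a /SAFEBOOT entry with ALTERNATESHELL, and /KERNEL= or /HAL= pointing at a substituted image. The following Python script is an added example and is not part of the Sysinternals article; its sample boot.ini is constructed to exercise each of those cases, and on a live system the same switches can be read back from HKLM\System\CurrentControlSet\Control\SystemStartOptions.

```python
"""Audit a boot.ini for switches that weaken the configuration it boots.

Added example, not part of the Sysinternals reference.  Parses the
[operating systems] section into ARC path, description and switches and
flags: DEP disabled (/EXECUTE, /NOEXECUTE=ALWAYSOFF); kernel debugger
enabled (/DEBUG, /DEBUGPORT=, /BAUDRATE=, /CRASHDEBUG) unless /NODEBUG
overrides it; /SAFEBOOT:...(ALTERNATESHELL); and /KERNEL= or /HAL=.
The sample boot.ini below is constructed for this example.
"""
import re

SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Professional Checked" /fastdetect /KERNEL=NTOSCHK.EXE /HAL=HALCHK.DLL /DEBUG /DEBUGPORT=COM2 /BAUDRATE=115200
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (DEP off)" /fastdetect /execute /noexecute=alwaysoff
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Safe Mode Shell" /safeboot:minimal(alternateshell) /sos /debug /nodebug
"""

# <ARC path>="<description>" <switches ...>
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"(?P<switches>.*)$')

DEBUG_SWITCHES = {"DEBUG", "DEBUGPORT", "BAUDRATE", "CRASHDEBUG"}


def parse_switches(text):
    """'/fastdetect /NoExecute=OptIn' -> {'FASTDETECT': None, 'NOEXECUTE': 'OPTIN'}.
    Switch names and values are case-insensitive in boot.ini, so both are upper-cased."""
    switches = {}
    for tok in text.split():
        if not tok.startswith("/"):
            continue
        body = tok[1:]
        name, sep, value = body.partition("=")
        if not sep:  # /SAFEBOOT:MINIMAL and /SCSIORDINAL: use a colon, not '='
            name, sep, value = body.partition(":")
        switches[name.upper()] = value.upper() if sep else None
    return switches


def parse_boot_ini(text):
    """Return one dict (path, description, switches) per [operating systems] entry."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "operating systems":
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"path": m.group("path"),
                            "description": m.group("desc"),
                            "switches": parse_switches(m.group("switches"))})
    return entries


def audit_entry(entry):
    """List the security-relevant findings for one boot entry (empty list = clean)."""
    sw = entry["switches"]
    findings = []
    if "EXECUTE" in sw or sw.get("NOEXECUTE") == "ALWAYSOFF":
        findings.append("DEP disabled")
    dbg = sorted(DEBUG_SWITCHES & set(sw))
    if dbg and "NODEBUG" not in sw:  # /NODEBUG overrides every other debug switch
        findings.append("kernel debugger enabled (" + " ".join("/" + s for s in dbg) + ")")
    if "ALTERNATESHELL" in (sw.get("SAFEBOOT") or ""):
        findings.append("safe boot with alternate shell")
    images = [f"/{k}={sw[k]}" for k in ("KERNEL", "HAL") if k in sw]
    if images:
        findings.append("non-default boot image: " + " ".join(images))
    return findings


def audit_boot_ini(text):
    """Map each entry's description to its findings."""
    return {e["description"]: audit_entry(e) for e in parse_boot_ini(text)}


if __name__ == "__main__":
    for desc, findings in audit_boot_ini(SAMPLE_BOOT_INI).items():
        print(f"{desc}: {'; '.join(findings) or 'no findings'}")
```

A /KERNEL= or /HAL= finding is not a vulnerability by itself (the checked-build procedure in this reference creates exactly that), but the referenced file should be verified against a known-good image, since whatever it names runs as the kernel.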

/NOGUIBOOT

Instructs Windows not to initialize the VGA video driver responsible for presenting bitmapped graphics during the boot process. The driver is used to display boot progress information, so disabling it will disable the ability of Windows to show this information.

/NOLOWMEM

Requires that the /PAE switch be present and that the system have more than 4 GB of physical memory. If these conditions are met, the PAE-enabled version of the Windows kernel, Ntkrnlpa.exe, won't use the first 4 GB of physical memory. Instead, it will load all applications and device drivers, and allocate all memory pools, from above that boundary. This switch is useful only to test device driver compatibility with large memory systems.

/NOPAE

Forces Ntldr to load the non-Physical Address Extension (PAE) version of the Windows kernel, even if the system is detected as supporting x86 PAEs and has more than 4 GB of physical memory.

/NOSERIALMICE=[COMx COMx,y,z...]

Obsolete Windows NT 4 qualifier, replaced by the absence of the /FASTDETECT switch. Disables serial mouse detection on the specified COM ports. This switch was used if you had a device other than a mouse attached to a serial port during the startup sequence. Using /NOSERIALMICE without specifying a COM port disables serial mouse detection on all COM ports. See Microsoft Knowledge Base article Q131976 for more information.

/NUMPROC=

Specifies the number of CPUs that can be used on a multiprocessor system. Example: /NUMPROC=2 on a four-way system will prevent Windows from using two of the four processors.

/ONECPU

Causes Windows to use only one CPU on a multiprocessor system.

/PAE

Causes Ntldr to load Ntkrnlpa.exe, which is the version of the x86 kernel that is able to take advantage of x86 PAEs. The PAE version of the kernel presents 64-bit physical addresses to device drivers, so this switch is helpful for testing device driver support for large memory systems.

/PCILOCK

Stops Windows from dynamically assigning IO/IRQ resources to PCI devices and leaves the devices configured by the BIOS. See Microsoft Knowledge Base article Q148501 for more information.

/RDPATH=

Specifies the path to a System Disk Image (SDI) file, which can be on the network, that the system will use to boot from. Often used in conjunction with the /RDIMAGEOFFSET= flag to indicate to NTLDR where in the file the system image starts.

/REDIRECT

Introduced with Windows XP. Causes Windows to enable Emergency Management Services (EMS), which reports boot information and accepts system management commands through a serial port. Specify the serial port and baud rate used by EMS with redirect= and redirectbaudrate= lines in the [boot loader] section of the Boot.ini file.

/SAFEBOOT:

Specifies options for a safe boot. You should never have to specify this option manually, since Ntldr specifies it for you when you use the F8 menu to perform a safe boot. (A safe boot is a boot in which Windows loads only drivers and services that are specified by name or group under the Minimal or Network registry keys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot.) Following the colon in the option you must specify one of three additional switches: MINIMAL, NETWORK, or DSREPAIR. The MINIMAL and NETWORK flags correspond to safe boot with no network and safe boot with network support, respectively. The DSREPAIR (Directory Services Repair) switch causes Windows to boot into a mode in which it restores the Active Directory directory service from a backup medium you present. An additional option you can append is (ALTERNATESHELL), which tells Windows to use the program specified by the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell value as the graphical shell rather than the default, Windows Explorer.

/SCSIORDINAL:

Directs Windows to the SCSI ID of the controller. (Adding a new SCSI device to a system with an on-board SCSI controller can cause the controller's SCSI ID to change.) See Microsoft Knowledge Base article Q103625 for more information.

/SDIBOOT=

Used in Windows XP Embedded systems to have Windows boot from a RAM disk image stored in the specified System Disk Image (SDI) file.

/SOS

Causes Windows to list the device drivers marked to load at boot time and then to display the system version number (including the build number), amount of physical memory, and number of processors.

/TIMERES=

Sets the resolution of the system timer on the standard x86 multiprocessor HAL (Halmps.dll). The argument is a number interpreted in hundreds of nanoseconds, but the rate is set to the closest resolution the HAL supports that isn't larger than the one requested. The HAL supports the following resolutions:

Hundreds of nanoseconds    Milliseconds (ms)
9766                       0.98
19532                      2.00
39063                      3.90
78125                      7.80

The default resolution is 7.8 ms. The system timer resolution affects the resolution of waitable timers. Example: /TIMERES=21000 would set the timer to a resolution of 2.0 ms.

/USERVA=

This switch is only supported on Windows XP and Windows Server 2003. Like the /3GB switch, this switch gives applications a larger address space. Specify the amount in MB between 2048 and 3072. This switch has the same application requirements as the /3GB switch and requires that the /3GB switch be present. Applies to 32-bit systems only.

/WIN95

Directs Ntldr to boot the Consumer Windows boot sector stored in Bootsect.w40. This switch is pertinent only on a triple-boot system that has MS-DOS, Consumer Windows, and Windows installed. See Microsoft Knowledge Base article Q157992 for more information.

/WIN95DOS

Directs Ntldr to boot the MS-DOS boot sector stored in Bootsect.dos. This switch is pertinent only on a triple-boot system that has MS-DOS, Consumer Windows, and Windows installed. See Microsoft Knowledge Base article Q157992 for more information.

/YEAR=

Instructs the Windows core time function to ignore the year that the computer's real-time clock reports and instead use the one indicated. Thus, the year used in the switch affects every piece of software on the system, including the Windows kernel. Example: /YEAR=2001. (This switch was created to assist in Y2K testing.)
Thanks to Jonas Fischer for pointing out the PCILOCK and NOSERIALMICE switches. Thanks to Rob Green for information on the FASTDETECT switch.