Summary: By default, RPC allocates endpoints from a dynamic port range (49152–65535), which makes per-service firewall rules impractical; the RPC runtime can be restricted to a defined set of ports through the HKLM\SOFTWARE\Microsoft\Rpc\Internet registry key (netsh can shrink the OS-wide dynamic range, but is not an RPC-specific control).
Remote Procedure Call (RPC) is used by Active Directory, DFS, DCOM, and many other Windows services. By default, RPC allocates service endpoints from the dynamic port range (49152–65535 on Windows Server 2008 and later), which spans 16,384 ports.
Because the port a given service listens on is assigned at start-up and changes from one start to the next, a firewall cannot permit an individual RPC service by port number: the choice is between opening the whole dynamic range and restricting the range to a known set of ports, as described below.
The dynamic range depends on the Windows version:
| Windows Version | Dynamic Range |
|---|---|
| Windows Server 2003 and earlier | 1025–5000 |
| Windows Server 2008 and later | 49152–65535 |
The RPC Endpoint Mapper always listens on TCP 135. A client first queries port 135 for the endpoint of the service it wants, then connects to the dynamic port it is given; firewall rules must therefore permit TCP 135 in addition to the (restricted) dynamic range.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet
Create the following values under this key (create the Internet key if it does not exist):
| Value Name | Type | Description |
|---|---|---|
| Ports | REG_MULTI_SZ | Port range(s), one per entry, e.g. 49152-49175 |
| PortsInternetAvailable | REG_SZ | Y = the listed ports are the ones RPC uses; N = RPC uses every port except the listed ones |
| UseInternetPorts | REG_SZ | Y = apply the restriction (required for Ports to take effect) |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet
Ports = 49152-49175
PortsInternetAvailable = Y
UseInternetPorts = Y
This restricts RPC endpoints to 49152–49175 (24 ports), so the firewall rule can permit those 24 ports plus TCP 135 instead of the full dynamic range.
Apply the values with reg.exe (works from cmd or PowerShell):
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v Ports /t REG_MULTI_SZ /d "49152-49175" /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v PortsInternetAvailable /t REG_SZ /d "Y" /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v UseInternetPorts /t REG_SZ /d "Y" /f
A reboot is required: the RPC runtime reads the key when a process starts, so services that are already running keep the endpoints they were assigned from the old range.
Alternative: shrink the operating system's dynamic port range with netsh. This takes effect for new sockets without a reboot, but netsh rejects num values below 255, so the smallest range it accepts is 255 ports:
netsh int ipv4 set dynamicport tcp start=49152 num=255
netsh int ipv4 set dynamicport udp start=49152 num=255
⚠️ Netsh vs Registry
The netsh command changes the OS-wide ephemeral port range, the pool every socket on the host draws from when it binds port 0, including outbound client connections and non-RPC listeners. RPC listeners also land in that pool when no Rpc\Internet restriction is set, so netsh narrows them only indirectly, and a range sized for RPC alone will starve every other outbound connection on the host. The registry method (HKLM\SOFTWARE\Microsoft\Rpc\Internet) is the RPC-specific control; repeat the netsh command for ipv6 if IPv6 is in use, and expect to configure both mechanisms in hardened environments.
Deploy the registry values via GPO using Registry Preferences:
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet
- Ports (REG_MULTI_SZ = 49152-49175)
- PortsInternetAvailable (REG_SZ = Y)
- UseInternetPorts (REG_SZ = Y)
Target the GPO to the Domain Controllers OU for AD replication scenarios.
reg query "HKLM\SOFTWARE\Microsoft\Rpc\Internet"
Expected output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet
Ports REG_MULTI_SZ 49152-49175
PortsInternetAvailable REG_SZ Y
UseInternetPorts REG_SZ Y
After the reboot, confirm that RPC services are listening only on ports in the defined range. The findstr regular expression below matches exactly 49152–49175 (a bare "491" would also match unrelated ports and PIDs):
netstat -ano -p tcp | findstr LISTENING | findstr /R ":4915[2-9] :4916[0-9] :4917[0-5]"
All RPC endpoints should appear within the defined range; any listener in the old dynamic range that is missing here belongs either to a service that has not restarted or to a non-RPC service that still binds port 0.
portqry -n <server-ip> -e 135
PortQry queries the RPC Endpoint Mapper and lists registered endpoints, showing which dynamic ports are in use.
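The netstat check above only shows listeners that are inside the range; the question a practitioner actually wants answered is which dynamic-range listeners are outside it and who owns them. The following PowerShell script is an added example, not part of the original page or of Microsoft's tooling. It reads the Rpc\Internet key, parses the Ports multi-string, enumerates every TCP listener in the OS dynamic range with Get-NetTCPConnection, attributes each one to a process and, for svchost, to the hosted service(s), and flags listeners that fall outside the configured RPC ports. The key path and the 49152–65535 default range are taken from the page; everything else is assumed.

```powershell
# Added verification script; not part of the original page. Uses only built-in cmdlets
# (Get-ItemProperty, Get-NetTCPConnection, Get-CimInstance, Get-Process).
# Assumption: HKLM\SOFTWARE\Microsoft\Rpc\Internet is populated as shown earlier on the page.
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$OsDynStart = 49152   # default OS dynamic range on Server 2008 and later
$OsDynEnd   = 65535

$cfg = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
if ($cfg.UseInternetPorts -ne 'Y' -or $cfg.PortsInternetAvailable -ne 'Y') {
    Write-Warning "RPC restriction not active: UseInternetPorts=$($cfg.UseInternetPorts) PortsInternetAvailable=$($cfg.PortsInternetAvailable)"
}

# Ports is REG_MULTI_SZ; each entry is "start-end" or a single port number.
$allowed = @()
foreach ($entry in @($cfg.Ports)) {
    if ($entry -match '^\s*(\d+)\s*-\s*(\d+)\s*$') {
        $allowed += [pscustomobject]@{ Start = [int]$Matches[1]; End = [int]$Matches[2] }
    } elseif ($entry -match '^\s*(\d+)\s*$') {
        $allowed += [pscustomobject]@{ Start = [int]$Matches[1]; End = [int]$Matches[1] }
    } else {
        Write-Warning "Unparseable Ports entry: '$entry'"
    }
}

function Test-InRpcRange {
    param([int]$Port)
    foreach ($r in $allowed) { if ($Port -ge $r.Start -and $Port -le $r.End) { return $true } }
    return $false
}

# Services grouped by PID, so a svchost listener can be attributed to the service(s) it hosts.
$svcByPid = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
            Group-Object -Property ProcessId -AsHashTable -AsString

$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge $OsDynStart -and $_.LocalPort -le $OsDynEnd } |
    ForEach-Object {
        $owner = $_.OwningProcess      # $pid is a reserved automatic variable, so use another name
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            PID          = $owner
            Process      = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
            Services     = (@($svcByPid["$owner"]).Name -join ',')
            InRpcRange   = Test-InRpcRange -Port $_.LocalPort
        }
    }

$listeners | Sort-Object Port | Format-Table -AutoSize

$outside = @($listeners | Where-Object { -not $_.InRpcRange })
if ($outside.Count -gt 0) {
    Write-Warning "$($outside.Count) listener(s) in the OS dynamic range are outside the configured RPC ports."
    Write-Warning "Either the owning service started before the key took effect (reboot), or it is a non-RPC service that binds port 0 and draws from the OS range (which netsh, not this key, controls)."
} else {
    "All $($listeners.Count) dynamic-range listeners fall inside the configured RPC ports."
}
```

Run it in an elevated PowerShell session after the reboot. A listener reported outside the range but owned by a service such as DFSR that has been pinned to a static port is expected; everything else on the list is a candidate for a restart or for a firewall rule of its own.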
| Environment | Minimum Ports | Recommended Range |
|---|---|---|
| DC only (AD replication) | 20–30 | 49152–49181 |
| DC + DFS + DCOM | 50–100 | 49152–49251 |
| General purpose server | 100+ | 49152–49351 |
⚠️ Range Too Narrow
Setting the range too small causes RPC errors once the available ports are exhausted: services fail with "not enough server storage" or generic RPC errors, and the failure is intermittent because it depends on how many endpoints happen to be registered at the time. Monitor for these errors after restricting the range and widen it if they occur. Microsoft recommends a minimum of 20 ports, which makes the 24-port example above the low end of what is workable; for DCs with a heavy replication load, 100 or more is safer.
| Service | Port Usage |
|---|---|
| AD replication | RPC dynamic (via port 135 endpoint mapper) |
| NETLOGON | RPC dynamic |
| DFSR | RPC dynamic + fixed port 5722 (configurable) |
| SYSVOL (FRS) | RPC dynamic |
| DCOM/WMI | RPC dynamic (via port 135) |
DFSR can be assigned a dedicated fixed RPC port to simplify firewall rules:
dfsrdiag staticrpc /port:5722 /member:dcname
This removes DFSR from the dynamic range entirely; the DFSR service must be restarted for the setting to take effect, and /port:0 returns it to dynamic allocation.
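With the RPC range restricted and DFSR pinned, the inbound rule set on a domain controller collapses to three well-defined ports. The PowerShell below is an added example, not the page's or Microsoft's own configuration: it shows the rule the unrestricted range would force (kept as a comment for contrast), removes such a rule if one exists, and creates the three narrow rules. The rule names and the 192.0.2.0/24 peer subnet (a documentation-only address range) are constructed for the example; the ports 135, 49152–49175 and 5722 come from the page.

```powershell
# Added firewall example; not part of the original page. Assumes the Rpc\Internet key limits
# RPC to 49152-49175 and that DFSR has been pinned to TCP 5722 with dfsrdiag.
# Rule names and the remote address scope below are constructed for illustration.
$RpcRange      = '49152-49175'
$DfsrPort      = 5722
$FwProfile     = 'Domain'               # DC-to-DC and member traffic; do not expose these on Public
$RemoteAddress = @('192.0.2.0/24')      # constructed: replace with the subnets of peer DCs / admin hosts

# Before (for contrast only): what the unrestricted dynamic range forces you to open.
# New-NetFirewallRule -DisplayName 'RPC dynamic (unrestricted)' -Direction Inbound `
#     -Protocol TCP -LocalPort 49152-65535 -Action Allow

# Remove a previously created wide-open rule if it is present.
Get-NetFirewallRule -DisplayName 'RPC dynamic (unrestricted)' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# After: Endpoint Mapper, the restricted RPC range, and the static DFSR port, each as its own rule
# so that one can be tightened or removed without touching the others.
$rules = @(
    @{ DisplayName = 'RPC Endpoint Mapper (TCP 135)';                 LocalPort = 135 },
    @{ DisplayName = "RPC restricted dynamic range (TCP $RpcRange)";  LocalPort = $RpcRange },
    @{ DisplayName = "DFSR static RPC port (TCP $DfsrPort)";           LocalPort = $DfsrPort }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule @r -Direction Inbound -Protocol TCP -Action Allow `
            -Profile $FwProfile -RemoteAddress $RemoteAddress -Enabled True | Out-Null
    }
}

# Show what is actually open: the three rules and the ports each one permits.
Get-NetFirewallRule -DisplayName 'RPC *', 'DFSR *' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $filter.Protocol; LocalPort = ($filter.LocalPort -join ',') }
    } | Format-Table -AutoSize
```

The creation step is idempotent (it skips rules that already exist by name), so the script can be re-run from a scheduled task or a configuration-management job. If the range is later widened as the sizing table suggests, update $RpcRange and recreate the second rule rather than adding a second, overlapping one.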