Just wanted to put this here as it’s not been easy to find this information anywhere:
ADLDS registers a custom RPC port which is by default taken from the dynamic port range 49152-65535, this is NOT the same as the LDAP port specified for the instance. On ADAM the same thing applies but the dynamic port range there is 1025-5000.
This means that if you’re upgrading from ADAM to ADLDS and are using firewalls with aggressive blocking between your ADAM instances then you’ll need to update the firewall rules to allow the new dynamic port range.
Alternatively, you can also lock down each ADAM or ADLDS instance to a specific RPC port using the following registry entry:
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)
This is effectively the same as the setting for NTDS in KB224196 but needs to reference each ADLDS instance and use a separate port for each.
The DCTcpipPort entry only applies to Netlogon on DC’s and shouldn’t need to be set.
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
Understanding ADAM bind redirection
Restricting Active Directory replication traffic and client RPC traffic to a specific port
Active Directory Application Mode Tools and Settings
Active Directory Lightweight Directory Services (ADLDS) Monitoring Management Pack
ADLDS ASKDS entries: