How do you make Windows Server 2008 R2 act as a LAN router? It is simple for anyone who looks up the related information on Google or on Microsoft's site.
(1). Add Server Role --- Network Policy and Access Services
In Server Manager, click “Add Roles” to start the wizard.
Click the “Next >” button.
Enable the “Routing and Remote Access Services” check box, then click the “Next >” button.
Click the “Next >” button.
Enable the “Routing and Remote Access Services” check box so that both Remote Access Service and Routing are selected, then click the “Next” button to continue to the next step.
Click the “Installation” button.
If no exception occurs, the installation should succeed.
The system now has the new role “Network Policy and Access Services”.
(2). Configure and Enable Routing and Remote Access
When you expand the “Network Policy and Access Services” tree, the red down-arrow icon indicates that this function has not yet been enabled.
Right-click it and select “Configure and Enable Routing and Remote Access” from the menu; the setup wizard will appear.
Click the “Next >” button.
Select the “Custom configuration” option, then click the “Next >” button.
Enable the “LAN routing” check box, then click the “Next >” button.
Click “Finish” and then the “Start service” button.
The icon now becomes a green up-arrow.
(3). Verify the IPv4 setting
Right-click “Routing and Remote Access” and select “Properties” from the menu.
You will see that this computer now acts as an IPv4 router.
(4). View the IPv4 routing table
Expand the “IPv4” tree, right-click “Static Routes” and select “Show IP Routing Table…”.
The current IPv4 routing information will appear.
At this point, the computers in 10.10.101.x and in 10.11.101.x can communicate with each other. Of course, each computer's default gateway needs to be set to the IP address of the router interface on its own segment.
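As an added check (not part of the original post), the following PowerShell 2.0-compatible script verifies on the server itself that the three things LAN routing depends on are in place: the RRAS service is running, the TCP/IP stack's IPEnableRouter flag is set, and the routing table (the same data “Show IP Routing Table…” displays) contains routes to both segments. The two subnets come from the post; the registry path and WMI classes are standard Windows ones, and the two-NIC layout is an assumption.

```powershell
# Added example, not from the original post: verify that this Windows Server 2008 R2
# host is actually set up to forward IPv4 packets between the two LAN segments.
# Subnets are taken from the post; a two-NIC router build is assumed.

$Subnets = @('10.10.101.0', '10.11.101.0')

# 1. RRAS must be running, otherwise "LAN routing" does nothing.
$rras = Get-Service -Name RemoteAccess
"RemoteAccess service: {0}" -f $rras.Status

# 2. Enabling LAN routing turns on the kernel forwarding flag (IPEnableRouter = 1).
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$fwd = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
"IPEnableRouter: {0}" -f $fwd

# 3. Show which interface carries which address, so a wrong gateway is easy to spot.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($nic in $nics) {
    "{0}: {1}" -f $nic.Description, ($nic.IPAddress -join ', ')
}

# 4. The routing table must contain a route for each routed subnet.
$routes = Get-WmiObject Win32_IP4RouteTable
$known = $routes | ForEach-Object { $_.Destination }
foreach ($net in $Subnets) {
    $r = $routes | Where-Object { $_.Destination -eq $net } | Select-Object -First 1
    if ($r) {
        "Route to {0} mask {1} via {2} (metric {3})" -f $net, $r.Mask, $r.NextHop, $r.Metric1
    } else {
        "MISSING route for {0}: this segment is not reachable through the router" -f $net
    }
}

# Overall verdict: all three conditions must hold for traffic to cross segments.
$missing = @($Subnets | Where-Object { $known -notcontains $_ }).Count
$ok = ($rras.Status -eq 'Running') -and ($fwd -eq 1) -and ($missing -eq 0)
"Router check: {0}" -f $(if ($ok) { 'PASS' } else { 'FAIL' })
```

Run it in an elevated PowerShell prompt on the router; if IPEnableRouter is 0 while RRAS is running, LAN routing was not ticked in the wizard and the service needs to be reconfigured.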
No need to ask who I am; I am just like you: an ordinary person who nevertheless wants to leave footprints of life along the journey! Even if the road is bumpy and full of wind and rain, as long as I have your attention, that is my greatest comfort and achievement!!! Thank you for visiting :) My belief for the next ten years of my career: never give up until the very end!!!
Saturday, May 26, 2012
Sunday, May 20, 2012
Opening firewall ports for a computer to join the domain and for account domain logon
I want to understand which firewall ports need to be opened if a computer is to join and log on to the domain. I use Microsoft Forefront Threat Management Gateway 2010 as the firewall and assign two network segments for the DC (VBHV-DC-01 in LAN3) and workstation (VBHV-FS-01 in LAN4) roles, and the network rule from LAN4 to LAN3 is in route mode. Create a new Access Rule from LAN4 to LAN3 and open the following protocols:
Microsoft CIFS/SMB: 445/TCP
Kerberos-Sec: 88/TCP, 88/UDP
DNS: 53/TCP, 53/UDP
LDAP: 389/TCP, 389/UDP
NetBIOS Datagram: 138/UDP
NetBIOS Name Service: 137/UDP
NetBIOS Session: 139/TCP
NTP: 123/UDP
RPC Endpoint Mapper(Custom): 135/TCP
ADLogon/DirRep(Custom): 50000/TCP
RPC Netlog(Custom): 50001/TCP
To limit the dynamic RPC port used for AD logon and directory replication to a single port (50000/TCP), we need to add a registry value on each domain controller.
In the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\” registry key, create a new DWORD (32-bit) Value.
Rename the entry from “New Value #1” to “TCP/IP Port”.
Double-click this entry, select the “Decimal” option, enter “50000” in the Value data field and click the “OK” button.
After completing the above, reboot the DC so that the registry setting takes effect.
To force client RPC (Netlogon) traffic to a specific port, I need to do the same in “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\”.
Create a new DWORD (32-bit) Value (type “REG_DWORD”), rename the entry from “New Value #1” to “DCTcpipPort”, set its value to “50001”, and then reboot.
Now I try to join the domain “dw.com”, and the result is successful.
The computer can log on to the domain “VBHV-DC-01”.
Using the TCPView utility, you will see that no port is blocked now.
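As an added check (not part of the original post), this PowerShell 2.0-compatible script is run from a workstation in LAN4 and confirms that the TMG access rule actually lets each TCP port listed above reach the domain controller, including the two fixed RPC ports, which only answer once the NTDS and Netlogon registry values have been set and the DC rebooted. The DC name and port list come from the post; the 3-second connect timeout is an assumption. UDP ports are listed but skipped, since a plain connect cannot prove a UDP rule works.

```powershell
# Added example, not from the original post: from a LAN4 workstation, verify that the
# TMG rule passes the TCP ports the domain join and logon need to the DC in LAN3.
# DC name and ports are from the post; the timeout value is an assumption.

$Dc = 'VBHV-DC-01'
$Ports = @(
    @{ Name = 'Microsoft CIFS/SMB';         Port = 445;   Proto = 'TCP' },
    @{ Name = 'Kerberos-Sec';               Port = 88;    Proto = 'TCP' },
    @{ Name = 'DNS';                        Port = 53;    Proto = 'TCP' },
    @{ Name = 'LDAP';                       Port = 389;   Proto = 'TCP' },
    @{ Name = 'NetBIOS Session';            Port = 139;   Proto = 'TCP' },
    @{ Name = 'RPC Endpoint Mapper(Custom)';Port = 135;   Proto = 'TCP' },
    @{ Name = 'ADLogon/DirRep(Custom)';     Port = 50000; Proto = 'TCP' },
    @{ Name = 'RPC Netlog(Custom)';         Port = 50001; Proto = 'TCP' },
    @{ Name = 'Kerberos-Sec';               Port = 88;    Proto = 'UDP' },
    @{ Name = 'DNS';                        Port = 53;    Proto = 'UDP' },
    @{ Name = 'LDAP';                       Port = 389;   Proto = 'UDP' },
    @{ Name = 'NetBIOS Name Service';       Port = 137;   Proto = 'UDP' },
    @{ Name = 'NetBIOS Datagram';           Port = 138;   Proto = 'UDP' },
    @{ Name = 'NTP';                        Port = 123;   Proto = 'UDP' }
)

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP handshake check; Test-NetConnection does not exist on PowerShell 2.0.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$blocked = 0
foreach ($p in $Ports) {
    if ($p.Proto -ne 'TCP') {
        "{0,-28} {1,5}/UDP  skipped (check the TMG firewall log instead)" -f $p.Name, $p.Port
        continue
    }
    $open = Test-TcpPort -Target $Dc -Port $p.Port
    if (-not $open) { $blocked++ }
    "{0,-28} {1,5}/TCP  {2}" -f $p.Name, $p.Port, $(if ($open) { 'open' } else { 'BLOCKED' })
}
"Blocked TCP ports: {0}" -f $blocked
```

If 135 is open but 50000 or 50001 is blocked, the TMG rule is missing the custom protocol or the DC registry values were not applied; if everything is open except 445, the join will still fail because SYSVOL/NETLOGON cannot be read.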
Since 2010 Design by Davidwa
©Copyright Davidwa Inc. All rights reserved.