DFS-R uses authenticated and encrypted RPC for all replication traffic. The UUID of the RPC interface for the Distributed File System Replication protocol is 897e2e5f-93f3-4376-9c9c-fd2277495c27. The RPC interface version number is 1.0.
All traffic MUST be authenticated and encrypted using LAN Manager or Kerberos over TCP/IP, which requires that the client specify to use the protocol sequence associated with RPC over TCP/IP, and requires that the client specify packet privacy and authentication negotiation.
Both the client and the server MUST require authentication and encryption.
The following is a summary of the relevant parameters:
Protocol sequence: Ncacn_ip_tcp
Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
Authentication service (one of): RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_KERBEROS, or RPC_C_AUTHN_WINNT
A server can specify a static port for all DFS-R RPC traffic, or it can use dynamic endpoints and rely on the endpoint mapper to relay inbound requests that use the endpoint GUID into the DFS-R service.<1>
As part of mutual authentication, a client MUST furthermore specify its principal name when establishing a binding handle to allow a server to authenticate RPC calls. This part of the negotiation is handled opaquely by an RPC runtime that supports principal names, such as the Remote Procedure Call Extensions runtime. Recall that principal names are managed in AD.