Locking Down DFS for Windows Firewall

Most system administrators are becoming acutely aware of port usage on their servers. The security focus tells us to lock things down by default, and turning on Windows Firewall on your servers will certainly do that. For DFS the documentation on locking it down is scattered, so I wanted to share what I found in one place.

Distributed File System (DFS) uses File Replication Service (FRS), which in turn uses Remote Procedure Calls (RPC). RPC uses 135/tcp, known as the Endpoint Mapper, as the contact point where clients say hello; from there RPC directs you to a dynamic port known as an RPC endpoint. For those of us who hate that idea, you can constrain RPC to a port range using RPCCfg.exe. The ports are still dynamic, only now constrained to a range, and it would be nice to do better than a dynamic port in a range. That is where a registry key and DFSRDiag's StaticRPC option come in. Buried in KB832017 is a reference to the fact that you can set DFS replication to use a static RPC endpoint. After adding the registry key and running that tool you should be able to see tangible results using RPCDump:

10.0.0.1[4998] [d049b186-814f-11d1-9a3c-00c04fc9b232] NtFrs API :NOT_PINGED
10.0.0.1[4998] [f5cc59b4-4264-101a-8c59-08002b2f8426] NtFrs Service :NOT_PINGED
10.0.0.1[4999] [897e2e5f-93f3-4376-9c9c-fd2277495c27] Frs2 Service :NOT_PINGED

(The IP addresses and port numbers have been changed to protect the innocent.) From here on all you need to do is open those ports on your firewall and DFS should start flowing.
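As an added example (not part of the original post), the following PowerShell script ties the steps above together: it parses RPCDump output in the format shown, checks that the NtFrs and Frs2 interfaces really landed on the static ports you configured, and only then adds Windows Firewall rules for exactly those ports plus 135/tcp for the Endpoint Mapper, scoped to the replication partners' subnet. The port numbers, server name, subnet and the sample RPCDump lines are placeholders constructed for the example; the registry value name comes from KB832017 and the DFSRDiag syntax from the tool's own StaticRPC option.

```powershell
# Added example, not from the original post. Placeholders: ports, server, subnet.
# Prerequisites run once on each replication member (not executed here):
#   FRS:  reg add "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters" /v "RPC TCP/IP Port Assignment" /t REG_DWORD /d 4998 /f
#         (value documented in KB832017; restart the NtFrs service afterwards)
#   DFSR: dfsrdiag StaticRPC /port:4999 /member:SERVER01

$FrsPort    = 4998            # static port chosen for NtFrs (placeholder)
$DfsrPort   = 4999            # static port chosen for DFS Replication (placeholder)
$PeerSubnet = '10.0.0.0/24'   # only replication partners should reach these ports (placeholder)

# Sample RPCDump output, constructed to match the format shown above.
# On a real server replace this with the captured output of rpcdump against the member.
# The last line is a constructed non-replication endpoint to show that it is ignored.
$lines = @'
10.0.0.1[4998] [d049b186-814f-11d1-9a3c-00c04fc9b232] NtFrs API :NOT_PINGED
10.0.0.1[4998] [f5cc59b4-4264-101a-8c59-08002b2f8426] NtFrs Service :NOT_PINGED
10.0.0.1[4999] [897e2e5f-93f3-4376-9c9c-fd2277495c27] Frs2 Service :NOT_PINGED
10.0.0.1[49153] [00000000-0000-0000-0000-000000000000] Other Service :NOT_PINGED
'@ -split "`r?`n"

# host[port] [interface-uuid] service name :state
$pattern = '^(?<ip>[\d\.]+)\[(?<port>\d+)\]\s+\[(?<uuid>[0-9a-fA-F\-]+)\]\s+(?<svc>.+?)\s*:(?<state>\S+)$'

$endpoints = foreach ($line in $lines) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Ip      = $matches['ip']
            Port    = [int]$matches['port']
            Uuid    = $matches['uuid']
            Service = $matches['svc'].Trim()
        }
    }
}

# Only the replication interfaces matter; every other endpoint stays blocked.
$replication = $endpoints | Where-Object { $_.Service -match '^(NtFrs|Frs2)' }
$ports       = @($replication | Select-Object -ExpandProperty Port -Unique | Sort-Object)
$expected    = @($FrsPort, $DfsrPort | Sort-Object)

if (Compare-Object $ports $expected) {
    Write-Warning "Replication endpoints are on $($ports -join ', '), not the expected static ports."
    Write-Warning "Fix the NtFrs registry value or re-run 'dfsrdiag StaticRPC' before opening anything."
    return
}

foreach ($p in $ports) {
    netsh advfirewall firewall add rule name="DFS replication $p" dir=in action=allow protocol=TCP localport=$p remoteip=$PeerSubnet
}
# The Endpoint Mapper is still the first contact point, so partners need 135/tcp as well.
netsh advfirewall firewall add rule name="RPC Endpoint Mapper (DFS partners)" dir=in action=allow protocol=TCP localport=135 remoteip=$PeerSubnet
```

Running the check before adding rules is the point of the script: if the registry value or the DFSRDiag step did not take effect, RPCDump will still show the replication interfaces on dynamic ports, and opening the static ports you intended would leave replication broken while telling you nothing. Scoping the rules with remoteip keeps the opened ports reachable only from the other replication members rather than from the whole network.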
