Problem After Defining Static RPC Port

"Baboon" <Bab***@discussions.microsoft.com> wrote in message news:68F0736F-3185-45FB-A866-BD203C596D8A@microsoft.com...

We have had 4 DCs behind a firewall in a particular subnet for a few years. RPC communication from clients always seems to go to port 1025 even though a static port isn't set in the servers' Registry. For that reason, port 1025 is open in the firewall to the DCs, along with port 135 and the other usual AD ports. We recently added new DCs to a different subnet (same site) behind another firewall using the same rules. For whatever reason, clients are trying to use port 1026 on the new DCs for RPC communication and being denied at the firewall. (The DCs on both subnets have no trouble replicating because pretty much every port is open between their 2 subnets.)

To hopefully get around this problem, I created the TCP/IP Port Registry DWORD value of 1025 in \NTDS\Parameters per several KB articles. Once I made that change, I began to see client connections to that port. (I did this on only one DC as a test.) The problem is that after a reboot to enable the change, I get a warning entry in the Directory Services log:

*************************************************
Event ID 1310
Active Directory could not use the following RPC protocol sequence.
RPC protocol sequence: ncacn_ip_tcp
...
Error value: 1740 The endpoint is a duplicate.
*************************************************

I checked to confirm that the server wasn't listening on port 1025 beforehand, so I'm not sure what the error means. I rebooted a second time, but the error showed up again after the reboot. When I run "repadmin /replsummary", I see no errors for that DC. When I run "rpcdump /s /i", the results look exactly the same as when I run it on a different DC. Does anyone have any ideas why I get this error?

I wish I could say that's my only question, but it got me wondering why the DCs in one subnet are having the endpoint mapper direct clients to port 1025, but on the other subnet it directs clients to port 1026. (All are running Windows 2003 with SP2.) Also, I'm surprised that the endpoint mapper directs them to the same port each time, since I thought those ports were dynamic.


Isaac Oben [MCTIP:EA, MCSE] wrote:

Hello Baboon,

I would just add port 1025 in the registry settings of the new DC:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\RPC TCP/IP Port Assignment

> [original post quoted in full, snipped]


"Paul Bergson [MVP-DS]" wrote:

Check out an article I have on DCs and firewalls. I would specifically define any ports to verify full connectivity. Don't just assume something is going to stay on the same port; you are just asking for weird things to happen.

http://www.pbbergs.com/windows/articles.htm
Select "Firewall Ports Needed for Replication"

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

> [original post quoted in full, snipped]


"Baboon" wrote:

I agree that it would be good if we could specify the port for AD RPC communication, but after I made the Registry change, I got the error "1740 The endpoint is a duplicate" after each boot. This was the main point of my post, which I realize was a long one. I was hoping someone would be familiar with the error as far as what may have caused it and how to fix it. I ended up rolling back the Registry change because of the error. After a subsequent reboot, the error didn't come back. Interestingly, the DC continued to use the port I had defined in the Registry even after deleting the key and rebooting. I'll take a look at your article. Thanks.

> [Paul Bergson's reply and the original post quoted in full, snipped]
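Editor's added example, not code from the thread or from any of the posters: a PowerShell script that carries out what Paul and Isaac suggest on a DC and adds the check the original poster was missing. It reads the current NTDS "TCP/IP Port" and NTFRS "RPC TCP/IP Port Assignment" values (the two REG_DWORD values the KB articles in the thread refer to), confirms nothing else is already listening on the chosen ports before pinning them, writes the values with -Apply, and after the reboot looks for Event ID 1310 in the Directory Service log. The port numbers 50000/50001 and the one-hour event-log window are assumptions chosen for illustration. Two practitioner caveats the thread invites: on Windows Server 2003 the dynamic RPC range starts at 1025, so pinning NTDS to 1025 places the fixed endpoint on the very first port any other RPC service is handed at boot, which is exactly the collision error 1740 reports; a port outside that range avoids it. And the mapper only looks static because lsass keeps whatever dynamic port it drew at boot for as long as it runs; it can change on the next reboot, which is why the two subnets ended up on 1025 and 1026.

```powershell
# Added example (not from the original thread). Pins the AD (NTDS) and FRS RPC
# endpoints to fixed ports on a Windows Server 2003-era DC and verifies the result.
# Assumptions (illustrative, not from the thread): the port numbers below, the
# one-hour event-log window, and that this runs elevated on the DC itself.
param(
    [int]$NtdsPort = 50000,   # outside the 2003 dynamic range (1025-5000)
    [int]$FrsPort  = 50001,
    [switch]$Apply            # without -Apply the script only reports
)

$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$FrsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'

# netstat is parsed instead of using Get-NetTCPConnection so the check also
# works on Windows Server 2003 / PowerShell 2.0.
function Get-TcpListeners {
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            New-Object PSObject -Property @{
                Port = [int]$matches[1]
                PID  = [int]$matches[2]
            }
        }
    }
}

# A port that is already bound is what produces event 1310 / error 1740
# ("The endpoint is a duplicate") when NTDS tries to register it.
function Test-PortFree([int]$Port) {
    $owner = Get-TcpListeners | Where-Object { $_.Port -eq $Port } | Select-Object -First 1
    if ($owner) {
        $proc = Get-Process -Id $owner.PID -ErrorAction SilentlyContinue
        Write-Warning ("Port {0} is already bound by PID {1} ({2}); pinning RPC " +
                       "here would log error 1740 (duplicate endpoint)." -f
                       $Port, $owner.PID, $proc.ProcessName)
        return $false
    }
    return $true
}

function Show-CurrentSetting($Key, $Name) {
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { "{0}\{1}: not set (dynamic)" -f $Key, $Name }
    else               { "{0}\{1}: {2}" -f $Key, $Name, $v }
}

Show-CurrentSetting $NtdsKey 'TCP/IP Port'
Show-CurrentSetting $FrsKey  'RPC TCP/IP Port Assignment'

$ok = (Test-PortFree $NtdsPort) -and (Test-PortFree $FrsPort)
if (-not $ok) { Write-Error 'Choose ports that are not already in use.'; return }

if ($Apply) {
    # Both values are REG_DWORD. NTDS reads its value only at boot; FRS reads
    # its value when the service starts.
    Set-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord
    Set-ItemProperty -Path $FrsKey  -Name 'RPC TCP/IP Port Assignment' -Value $FrsPort -Type DWord
    Write-Host "Set NTDS=$NtdsPort FRS=$FrsPort. Reboot, then re-run without -Apply."
}

# After the reboot: any 1310 in the Directory Service log means the pinned
# endpoint could not be registered; the thread's error value was 1740.
Get-EventLog -LogName 'Directory Service' -After (Get-Date).AddHours(-1) |
    Where-Object { $_.EventID -eq 1310 } |
    Select-Object TimeGenerated, EventID, Message
```

Run it once without -Apply to see the current values and confirm the ports are free, then with -Apply, reboot, and run it again: an empty event list plus `rpcdump /s /i` (or `portqry -n <dc> -e 135`) showing ncacn_ip_tcp on the pinned port is the result you want. The firewall rule then has to name that port instead of 1025, and, as Paul's article covers, the DCs' own replication traffic uses the same NTDS port, so the rule between the two DC subnets needs it too.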