Re: RPC and IPSec
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Fri, 24 Mar 2006 11:12:47 -0600
If you haven't told the DC to reply in a range then I don't know why it
should reply to that range, but I haven't worked with this situation before.
On which machine did you define the port range? If it is on the client then
the server knows nothing of this and is going to give you a random high
port, which it sounds like it did.
Are you sure you don't have a firewall blocking your client from attaching
to the DC?
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com
This posting is provided "AS IS" with no warranties, and confers no rights.
"Trond E. Gjelsvik-Bakke" <TrondEGjelsvikBakke@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:BF654B17-0224-4A19-8C34-4F9A471EA29C@xxxxxxxxxxxxxxxx
Hello.
I have implemented the IPSec policy in the domain controller GPO.
Both of my DCs have this IPSec policy.
When the client is trying to join the domain, I can see that it is
connecting to one of the DCs on port 135. The DC is then replying with port
1025, and when the client then tries to connect to the DC again on 1025 it
fails!!
This is because the DC's RPC range is defined to 57901-57950 through IPSec.
Do I need to alter the RPC port range in the registry on my DCs to make this
work??
TEGB
"Paul Bergson" wrote:
This is an RPC error. The machine that the client is trying to attach to
should be the one telling the client which RPC port to use. The client
machine is provided this info on the initial connection off of port 135.
I'm a little confused on your details, but have you defined the port
restrictions on ALL your source machines that this client is going to attach
to, and do any firewalls that may be set up between them have these ports
opened up? Have you made any other mods to machines' RPC definitions, such as
the one in the description in the link below?
Dynamic allocation of RPC port range
http://support.microsoft.com/kb/154596/en-us
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Trond E. Gjelsvik-Bakke" <TrondEGjelsvikBakke@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:53174CBF-DED6-45F1-9DDA-0F0AD9F07986@xxxxxxxxxxxxxxxx
Hello.
I have implemented IPSec on my DCs. The IPSec is as described in the Windows
Security Resource Kit. I have used the recommended IPSec filters for domain
controllers with DNS.
I have made some adjustments, as I have one Administration LAN that I have
been given full access.
When I put a client on some other LAN and try to join this client to the
domain I get an error: "There are no more endpoints available from the endpoint
mapper"
The join then fails!!
I guess that this has something to do with the IPSec rule:
Predefined RPC Range - TCP - ANY - 57901-57950 - ANY - ME - ALLOW - YES
This rule is, if I'm not wrong, limiting the ports used by RPC.
If I remove the IPSec or move the client into the Administrative LAN, it
joins.
Does anyone have some solution on this??
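The mismatch the thread describes is between the IPSec filter (which only permits inbound TCP 57901-57950 to the DC) and the RPC runtime, which by default hands out endpoints from the unrestricted dynamic range (hence port 1025). The fix referenced in the KB link above is to pin the RPC dynamic range on every DC to the same range the filter allows. The following is an added example, not code from the thread or from Microsoft; it writes the registry values documented in KB 154596 using the range quoted in the thread and then checks the result. It assumes an elevated PowerShell session on the DC and, for the final listener check, a Windows version that ships Get-NetTCPConnection.

```powershell
# Added example (not from the thread): pin the RPC dynamic port range on a DC so it
# matches the IPSec "Predefined RPC Range" filter (57901-57950) quoted in the thread.
# Key and value names are those documented in Microsoft KB 154596.
# Run elevated on EVERY DC the filter is applied to; a reboot is required before the
# RPC runtime honours the new range.

$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$Range  = '57901-57950'   # must match the IPSec filter / firewall rule exactly

if (-not (Test-Path $RpcKey)) {
    New-Item -Path $RpcKey -Force | Out-Null
}

# Ports (REG_MULTI_SZ): one entry per port or port range that RPC may allocate from.
New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @($Range) -Force | Out-Null

# PortsInternetAvailable = Y: the Ports list is the set of usable ports
# (N would instead mean "every port EXCEPT those listed").
New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# UseInternetPorts = Y: default RPC endpoints (no explicit endpoint requested)
# are allocated from the Ports list rather than from the unrestricted range.
New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Show what was written so it can be compared against the IPSec filter definition.
Get-ItemProperty -Path $RpcKey |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts

# After the reboot: confirm RPC services are listening inside the range instead of
# on 1025 and up. Requires Get-NetTCPConnection (Windows 8 / Server 2012 or later);
# on older systems use "netstat -ano" and inspect the LISTENING lines instead.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge 57901 -and $_.LocalPort -le 57950 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Two caveats for anyone applying this: the range must be set on every DC (and any other RPC server the clients must reach), not on the client, since the endpoint mapper on the server chooses the port it sends back on the port-135 connection; and KB 154596 recommends a minimum of 100 ports, so a 50-port range like the one in the thread can be exhausted on a busy DC, which surfaces as the same "no more endpoints" error even when the filter and registry agree.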