2008 uses a different range for RPC, as well as for ordinary client source ports... Some light reading here: http://support.microsoft.com/kb/832017
With regard to RPC in particular, port 135 is only for negotiating the "real" port. If you have opened only port 135, but not also opened 1024-5000 (2003 defaults) or 49152+ (2008 defaults) then RPC ain't gonna work.

--Steve

On Wed, Oct 5, 2011 at 4:56 PM, Christopher Bodnar <[email protected]> wrote:
> Think I found the answer:
>
> When you log on via RDP, "Terminal Services" will contact the domain which your account is in to query terminal services information about your account, e.g. profile path. It does this using RPC to a domain controller.
>
> Taken from here:
> http://blog.rhysgoodwin.com/windows-admin/rdp-though-a-firewall-fails-with-the-rpc-server-is-unavaliable/
>
> In our 3 different AD sites for Domain B, there are different ACLs. In Site 1 and Site 2 port 135 is open; from those machines, I can Telnet to any Domain A domain controller over port 135. In Site 3, that port is not open between the clients and the Domain A domain controllers. So if that really is the issue, I have a few options:
>
> - There is a registry value on the client side that I can enable that will bypass errors like this (http://support.microsoft.com/kb/815266). I'd like to run this by our Security group, to get their take on it.
> - We can have the Firewall team open that port up, between the clients and the domain controllers.
>
> My only question then is why is this working on Windows 2008 systems? I've checked and they don't seem to have that registry value (IgnoreRegUserConfigErrors). I'm guessing there is some change that was made between the two OS versions regarding this?
>
> Chris Bodnar, MCSE, MCITP
> Technical Support III
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003
>
> From: Christopher Bodnar <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> Date: 10/05/2011 12:58 PM
> Subject: Problem with RDP to W2K3 machines in specific VLANS using cross trust credentials
> ________________________________
>
> OK, we recently set up a one-way trust between two separate W2K3 forests using Selective Authentication. Domain A is Trusted, and Domain B is Trusting. Domain B is in a DMZ that spans multiple subnets and sites. Everything seems to be working fine so far except for a strange RDP problem to W2K3 systems in one of the AD sites in Domain B. Let's say that we have 3 AD sites in Domain B (Site 1, Site 2, Site 3). RDP to all machines using Domain A credentials works perfectly except to W2K3 machines in Site 3. However I can connect using DameWare to those same machines and log on interactively using Domain A credentials. And if the system is W2K8, no issues at all.
>
> The error message is:
>
> The System cannot log you on due to the following error:
> The Specified domain either does not exist or could not be contacted.
>
> Anyone run into something like this before?
>
> Thanks,
>
> Chris Bodnar, MCSE, MCITP
> Technical Support III
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003
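The point Steve makes is that a telnet to port 135 only proves the RPC endpoint mapper is reachable; the Terminal Services lookup then binds to a port the DC hands back from its dynamic range, and that second connection is the one a "135 only" ACL blocks. The script below is an added example written for this thread, not code posted by Steve or Chris. Run it with PowerShell 2.0 or later on the W2K3 target that fails; the DC hostname and the list of dynamic ports are placeholders you supply (get the real listeners on the DC with `netstat -ano -p tcp`, or ask the endpoint mapper with `portqry -n <dc> -e 135`). The registry paths are the ones from KB 815266 (the IgnoreRegUserConfigErrors workaround Chris mentions) and the standard Tcpip\Parameters key.

```powershell
# Added example for this thread (not from the original posts).
# Checks, from the RDP target, the two things an RPC-over-firewall logon needs:
#   1. TCP 135 to a Domain A DC (the endpoint mapper), and
#   2. the dynamic ports the DC actually hands out (1024-5000 default on 2003,
#      49152-65535 default on 2008), which is where a "135 only" ACL breaks RPC.
# Then it reports the local workaround value and default range for this host.
# $DomainController and $DynamicPorts are assumptions; substitute your own.
param(
    [Parameter(Mandatory = $true)][string]$DomainController,
    # Placeholder listeners in the DC's dynamic range; take the real ones from
    # "netstat -ano -p tcp" on the DC or "portqry -n <dc> -e 135".
    [int[]]$DynamicPorts = @(1026, 1029, 49155)
)

# Plain TCP connect with a timeout; works on 2003 where Test-NetConnection
# does not exist. Returns $true if the three-way handshake completes.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Endpoint mapper: this is all the telnet test in the thread proves.
$epmOpen = Test-TcpPort -ComputerName $DomainController -Port 135
Write-Host ("TCP 135 (endpoint mapper) to {0}: {1}" -f $DomainController,
    $(if ($epmOpen) { 'open' } else { 'BLOCKED' }))

# 2. Negotiated ports: 135 open but every one of these blocked is exactly the
#    case Steve describes, and the logon will still fail.
foreach ($p in $DynamicPorts) {
    $ok = Test-TcpPort -ComputerName $DomainController -Port $p
    Write-Host ("TCP {0} (dynamic RPC) to {1}: {2}" -f $p, $DomainController,
        $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 3. Local state the thread asks about. KB 815266 sets IgnoreRegUserConfigErrors
#    under the Terminal Server key so the logon proceeds when the RPC query fails.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ignore = (Get-ItemProperty -Path $tsKey -Name IgnoreRegUserConfigErrors `
    -ErrorAction SilentlyContinue).IgnoreRegUserConfigErrors
Write-Host ("IgnoreRegUserConfigErrors: {0}" -f $(if ($null -eq $ignore) { 'not set' } else { $ignore }))

# 4. Which default dynamic range this host uses, both as an RPC server and for
#    its own client source ports (the 2008 change Steve refers to, KB 832017).
$ver = [Environment]::OSVersion.Version
if ($ver.Major -ge 6) {
    Write-Host "2008-era kernel: default dynamic range 49152-65535. Configured range:"
    netsh int ipv4 show dynamicport tcp
} else {
    Write-Host "2003-era kernel: default dynamic range 1024-5000 (upper bound is MaxUserPort if set):"
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
        -Name MaxUserPort -ErrorAction SilentlyContinue
}
```

Read the output as a pair: "135 open, all dynamic ports BLOCKED" means the firewall rule needs the DC's dynamic range (or the DC needs RPC pinned to a fixed port set), while "135 BLOCKED" matches what Chris saw in Site 3 and is fixed by the 135 rule alone only if the dynamic range is already permitted.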
