Your security guys will not like the answer but you will have to open all ports above 1024. RPC uses a random port. Or you could assign a static port and have them open that up. Check out this KB.

http://support.microsoft.com/kb/832017/

When you use RPC with TCP/IP or with UDP/IP as the transport, inbound ports are frequently dynamically assigned to system services as required; TCP/IP and UDP/IP ports that are higher than port 1024 are used. These are frequently informally referred to as "random RPC ports." In these cases, RPC clients rely on the RPC endpoint mapper to tell them which dynamic port(s) were assigned to the server. For some RPC-based services, you can configure a specific port instead of letting RPC assign one dynamically. You can also restrict the range of ports that RPC dynamically assigns to a small range, regardless of the service. For more information about this topic, see the "References" section of this article.

On Wed, May 20, 2009 at 8:54 AM, Christopher Bodnar <[email protected]> wrote:

> This is a W2K3 Standard server joining a 2003 functional level forest. We
> have a number of DMZs here, all with different ACLs that our security
> group manages. We just built a few machines in one of them and can't join
> one of our domains from there. I know it's a firewall issue because we can
> join it to a different domain from there successfully. But I'd love to be
> able to go to the security group with the specific port/ports that need to
> be opened.
>
> The symptoms: when you put in the domain name on the client to join the
> domain, it prompts you for credentials, and it eventually comes back with
> this error:
>
> "There are no more endpoints available from the endpoint mapper"
>
> The NetSetup.log file shows this:
>
> 05/19 16:50:17 NetpGetComputerObjectDn: Unable to bind to DS on '\\MYDC1.SomeDomain.com': 0x6d9
>
> I've verified the following ports using Telnet from the client to the DC
> it's validating against:
>
> 135
> 389
> 636
> 3268
> 53
> 445
>
> I have Googled and found a number of hits that talk about RPC
> communication, but I see nothing to indicate that is the issue. I also can
> successfully map to the IPC$ of the DC from the client. For example this
> works:
>
> Net Use \\mydc1\ipc$
>
> I set up Network Monitor on the client and was hoping to see some
> retransmits on a specific port. But no luck. I'm definitely not the best
> at evaluating a capture, but it seems OK. I see the Kerberos communication,
> and don't see any errors there. Also the computer account does get created
> in the domain, but there is a circle with a red "X" over the computer icon
> in Users and Computers (meaning it's disabled). If I enable the computer
> account and try it again, the same thing happens.
>
> Any help is appreciated.
>
> Thanks
>
> Chris Bodnar, MCSE
> Sr. Systems Engineer
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
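Added example, not part of the thread: a PowerShell snippet for the domain controller that pins the RPC dynamic range and gives the NTDS and Netlogon services static ports, so the firewall request can be "135 plus a small range" instead of everything above 1024. The registry locations follow Microsoft's KB 154596 and KB 224196 (not cited in the thread); the port numbers 5000-5100, 50000 and 50001 are assumed values you would replace with your own.

```powershell
# Added example: constrain RPC dynamic port allocation on a W2K3 DC.
# The client error 0x6d9 (1753, EPT_S_NOT_REGISTERED) means the client reached
# the endpoint mapper on 135 but could not reach the dynamic port it was told
# to use, which is exactly what a firewall that only passes 135 produces.
# Run elevated on the DC; a reboot is required for the settings to take effect.

# 1. RPC dynamic range for all services (KB 154596). Values below are assumed.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @('5000-5100') -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' `
    -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' `
    -PropertyType String -Value 'Y' -Force | Out-Null

# 2. Static ports for AD replication (NTDS) and Netlogon (KB 224196).
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value 50000 -Force | Out-Null
$nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $nlKey -Name 'DCTcpipPort' -PropertyType DWord `
    -Value 50001 -Force | Out-Null

# 3. Read back what was set and print the list to hand to the firewall team.
$rpc  = Get-ItemProperty -Path $rpcKey
$ntds = (Get-ItemProperty -Path $ntdsKey).'TCP/IP Port'
$nl   = (Get-ItemProperty -Path $nlKey).DCTcpipPort
Write-Host "RPC dynamic range : $($rpc.Ports -join ', ') (UseInternetPorts=$($rpc.UseInternetPorts))"
Write-Host "NTDS static port  : $ntds"
Write-Host "Netlogon port     : $nl"
Write-Host 'Firewall: allow TCP 135, the RPC range, the two static ports, plus 53/88/389/445/636/3268 already verified.'
Write-Host 'Reboot the DC for the new RPC allocation to apply.'
```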
