Windows-Expert.com
Find Windows Problems and Solutions
 
Problem After Defining Static RPC Port
Baboon (Guest)
Posted: Wed Mar 18, 2009 8:45 pm    Post subject: Problem After Defining Static RPC Port

We have had 4 DCs behind a firewall in a particular subnet for a few years.
RPC communication from clients always seems to go to port 1025 even though a
static port isn't set in the servers' Registry. For that reason, port 1025 is
open in the firewall to the DCs, along with port 135 and the other usual AD
ports. We recently added new DCs to a different subnet (same site) behind
another firewall using the same rules. For whatever reason, clients are trying
to use port 1026 on the new DCs for RPC communication and being denied at the
firewall. (The DCs on both subnets have no trouble replicating because pretty
much every port is open between their 2 subnets.)

To hopefully get around this problem, I created the TCP/IP Port Registry
dword value of 1025 in \NTDS\Parameters per several KB articles. Once I made
that change, I began to see client connections to that port. (I did this on
only one DC as a test.) The problem is that after a reboot to enable the
change, I get a warning entry in the Directory Services log:
*************************************************
Event ID 1310
Active Directory could not use the following RPC protocol sequence.
RPC protocol sequence:
ncacn_ip_tcp...........
.............Error value:
1740 The endpoint is a duplicate.
*************************************************
I checked to confirm that the server wasn't listening on port 1025
beforehand so I'm not sure what the error means. I rebooted a second time,
but the error showed up again after the reboot. When I run
"repadmin /replsummary", I see no errors for that DC.

When I run "rpcdump /s /i", the results look exactly the same as when I run
it on a different DC. Does anyone have any ideas why I get this error?

I wish I could say that's my only question, but it got me wondering why the
DCs in one subnet are having the endpoint mapper direct clients to port 1025,
but on the other subnet it directs clients to port 1026. (All are running
Windows 2003 with SP2.)

Also, I'm surprised that the endpoint mapper directs them to the same port
each time, since I thought those ports were dynamic.
Isaac Oben [MCITP,MCSE] (Guest)
Posted: Wed Mar 18, 2009 11:11 pm    Post subject: Re: Problem After Defining Static RPC Port

Hello Baboon,
I will just add port 1025 to the registry settings of the new DC:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\RPC TCP/IP Port Assignment

--
Isaac Oben [MCTIP:EA, MCSE]
"Baboon" <Baboon@discussions.microsoft.com> wrote in message
news:68F0736F-3185-45FB-A866-BD203C596D8A@microsoft.com...
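The two registry values discussed in this thread (the NTDS "TCP/IP Port" value from the original post and the NTFRS "RPC TCP/IP Port Assignment" value Isaac mentions) can be set and then verified with the following PowerShell. It is an added example, not code from either poster; the port numbers 38901 and 38902 are hypothetical choices, and the range check reflects the RPC dynamic range of 1024-5000 on Windows 2003 (49152-65535 on 2008 and later), which is why a pinned port such as 1025 can collide with another RPC server at boot.

```powershell
# Added example, not code from the thread: pin the NTDS and FRS RPC endpoints on a
# Windows Server 2003 DC and, after the reboot, verify which process owns each port.
# Registry paths and value names are the documented ones (NTDS "TCP/IP Port",
# NTFRS "RPC TCP/IP Port Assignment"); the port numbers are hypothetical choices.
param(
    [int]$NtdsPort = 38901,
    [int]$FrsPort  = 38902
)

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'

# RPC hands out dynamic ports from 1024-5000 on Windows 2003 and from 49152-65535 on
# 2008 and later. A pinned port inside that range (1025 in the thread) can already be
# taken by another RPC server when NTDS starts, which surfaces as error 1740
# "The endpoint is a duplicate" in the Directory Services log.
function Test-OutsideDynamicRange([int]$Port) {
    if ([Environment]::OSVersion.Version.Major -lt 6) {   # 5.2 = Windows Server 2003
        return ($Port -lt 1024 -or $Port -gt 5000)
    }
    return ($Port -lt 49152)
}

foreach ($p in @($NtdsPort, $FrsPort)) {
    if (-not (Test-OutsideDynamicRange $p)) {
        Write-Warning "Port $p is inside the dynamic RPC range on this OS; choose another."
    }
}

# Both values are REG_DWORD; the services read them at start, so a reboot follows.
Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord
Set-ItemProperty -Path $frsKey  -Name 'RPC TCP/IP Port Assignment' -Value $FrsPort -Type DWord

# After the reboot: the NTDS listener should belong to lsass, the FRS listener to ntfrs.
# Parsing netstat output keeps this usable on 2003, which has no Get-NetTCPConnection.
function Get-ListenerOwner([int]$Port) {
    netstat -ano -p TCP | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            Get-Process -Id ([int]$matches[1]) | Select-Object Id, ProcessName
        }
    }
}
"NTDS port $NtdsPort owner:"; Get-ListenerOwner $NtdsPort
"FRS port $FrsPort owner:";  Get-ListenerOwner $FrsPort
```

Once both listeners are confirmed, the firewall rule for the DCs only needs port 135 (endpoint mapper) plus the two pinned ports, instead of whichever port the mapper happened to hand out.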
Paul Bergson [MVP-DS] (Guest)
Posted: Thu Mar 19, 2009 11:20 am    Post subject: Re: Problem After Defining Static RPC Port

Check out an article I have on DCs and firewalls. I would specifically
define any ports to verify full connectivity. Don't just assume something
is going to stay on the same port, you are just asking for weird things to
happen.

http://www.pbbergs.com/windows/articles.htm
Select Firewall Ports Needed for Replication

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


Baboon (Guest)
Posted: Thu Mar 19, 2009 4:03 pm    Post subject: Re: Problem After Defining Static RPC Port

I agree that it would be good if we could specify the port for AD RPC
communication, but after I made the Registry change, I got the error: "1740
The endpoint is a duplicate" after each boot. This was the main point of my
post, which I realize was a long one.

I was hoping someone would be familiar with the error as far as what may
have caused it and how to fix it.

I ended up rolling back the Registry change because of the error. After a
subsequent reboot, the error didn't come back. Interestingly, the DC
continued to use the port I had defined in the Registry even after deleting
the key and rebooting.

I'll take a look at your article.
Thanks.

Baboon (Guest)
Posted: Thu Apr 23, 2009 5:09 pm    Post subject: Re: Problem After Defining Static RPC Port

To resolve this, our Security people allowed port 1026 to be open to the DCs
at the firewall, along with the already open 1025. The interesting thing is
that all four of the new DCs eventually started listening on port 1025, just
like the old DCs on the other subnet.

I wish we could get them to open a larger range of ports for RPC, but that
isn't going to happen. So far this has worked, though.

Thanks.
