RPC server unavailable to Group Policy Results Wizard

Discussion in 'Server Networking' started by Bob, Jun 6, 2006.

  1. Bob

    Bob Guest

    Hi all,

    I find that if I open only the firewall ports for "File and Printer Sharing",
    I can use RPC to connect to a network registry using RegEdit.
    I can use RPC to view another computer's events using Event Viewer.
    I can't however use RPC to display the Resulting Set of Policy using the
    Group Policy Results Wizard within GPMC.

    When I take down the client's firewall, RPC works fine for all these tools.

    So the question is: What port do I need to open on the firewall to allow the
    Group Policy Results Wizard to do its job? I intend to use XP firewall GPO
    for this task (unless someone feels there is a GPO more suitable).

    Thanks!
     
    Bob, Jun 6, 2006
    #1

  2. RPC uses port 135.

    Hope this helps,
     
    Louis Vitiello Jr., Jun 7, 2006
    #2

  3. Hello Bob,

    Thank you for posting.

    Thanks to Louis.

    RPC uses TCP 135. And you need to open 445 too.

    To do this, you can use the following command:
    netsh firewall set portopening tcp 135 RPC enable
    netsh firewall set portopening tcp 445 smb enable

    If the problem persists, please have a look at the following KB article:
    Some programs seem to stop working after you install Windows XP Service
    Pack 2
    http://support.microsoft.com/?id=842242

    Hope this helps.

    Sincerely,
    John Chen, MCSE, MCSA, MCDBA, MCSD
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    John Chen [MSFT], Jun 7, 2006
    #3
  4. Bob

    Bob Guest

    Port 135 is already open (as can be seen below):

    C:\>netsh firewall show portopening

    Port configuration for Domain profile:
    Port   Protocol  Mode     Name
    -------------------------------------------------------------------
    135    TCP       Enable   Remote Procedure Call
    80     TCP       Enable   Virtual Server Port 80
    139    TCP       Enable   NetBIOS Session Service
    445    TCP       Enable   SMB over TCP
    137    UDP       Enable   NetBIOS Name Service
    138    UDP       Enable   NetBIOS Datagram Service

    Port configuration for Standard profile:
    Port   Protocol  Mode     Name
     
    Bob, Jun 7, 2006
    #4
  5. Bob

    Bob Guest

    As can be seen below, Port 135 is already open. Port 445 is open via "File
    and Printer Sharing".

    C:\>netsh firewall show portopening

    Port configuration for Domain profile:
    Port   Protocol  Mode     Name
    -------------------------------------------------------------------
    135    TCP       Enable   Remote Procedure Call
    80     TCP       Enable   Virtual Server Port 80
    139    TCP       Enable   NetBIOS Session Service
    445    TCP       Enable   SMB over TCP
    137    UDP       Enable   NetBIOS Name Service
    138    UDP       Enable   NetBIOS Datagram Service

    Port configuration for Standard profile:
    Port   Protocol  Mode     Name
     
    Bob, Jun 7, 2006
    #5
  6. Bob

    Bob Guest

    I think I might have found the problem. Running the command shown below, it
    indicates that the "Remote admin mode" is disabled. This is shown as
    disabled regardless if the firewall is enabled or disabled. As I stated
    originally, when the firewall is disabled, I can obtain a client's RSoP so
    "Remote admin mode" apparently is not necessary. But when the firewall is
    enabled, "Remote admin mode" needs to be enabled also.

    I believe I am enabling "Remote admin mode" with GPO:
    [Computer/Administrative Templates/Network/Network Connections/Windows
    Firewall/Domain Profile/Windows Firewall: Allow remote administration
    exception]

    C:\>netsh firewall show state

    Firewall status:
    -------------------------------------------------------------------
    Profile = Domain
    Operational mode = Enable
    Exception mode = Enable
    Multicast/broadcast response mode = Enable
    Notification mode = Enable
    Group policy version = Windows Firewall
    Remote admin mode = Disable
     
    Bob, Jun 7, 2006
    #6
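
Added example, not part of any post in this thread: a Python check that parses the two `netsh firewall` outputs quoted above and reports the condition found in post #6, where TCP 135 and 445 are open but "Remote admin mode" is still disabled. The sample text is constructed (abridged from the thread's output) and the function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the netsh output quoted in the thread.
SHOW_STATE = """\
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Remote admin mode = Disable
"""
SHOW_PORTOPENING = """\
Port configuration for Domain profile:
Port Protocol Mode Name
135 TCP Enable Remote Procedure Call
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service

Port configuration for Standard profile:
Port Protocol Mode Name
"""

def parse_state(text):
    """Return the 'key = value' pairs printed by `netsh firewall show state`."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def parse_open_ports(text, profile):
    """Return the set of (port, protocol) rows enabled under one profile."""
    ports, current = set(), None
    for line in map(str.strip, text.splitlines()):
        header = re.match(r"Port configuration for (\w+) profile:", line)
        if header:
            current = header.group(1)
        row = re.match(r"(\d+)\s+(TCP|UDP)\s+Enable\b", line)
        if row and current == profile:
            ports.add((int(row.group(1)), row.group(2)))
    return ports

def diagnose(state_text, ports_text):
    """Classify a client the way the thread did: static ports vs. remote admin."""
    state = parse_state(state_text)
    if state.get("Operational mode") != "Enable":
        return "firewall disabled"
    if state.get("Remote admin mode") == "Enable":
        return "remote admin exception enabled"
    ports = parse_open_ports(ports_text, state.get("Profile"))
    missing = sorted({(135, "TCP"), (445, "TCP")} - ports)
    if missing:
        return "missing port openings: " + ", ".join(f"{p}/{t}" for p, t in missing)
    return "135/445 open, remote admin mode disabled"

if __name__ == "__main__":
    print(diagnose(SHOW_STATE, SHOW_PORTOPENING))
```
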
  7. Hi Bob,

    Thank you for your update.

    I just want to double confirm with you if the problem has been fixed by
    enabling Remote admin mode. Sorry for the inconvenience.

    Have a nice day.

    Sincerely,
    John Chen, MCSE, MCSA, MCDBA, MCSD
    Microsoft Online Partner Support

     
    John Chen [MSFT], Jun 8, 2006
    #7
  8. Bob

    Bob Guest

    Yes, enabling Remote admin mode is "a" fix. I suppose there are other ways,
    but this one is probably the easiest to implement. It might be nice if this
    were posted in some KB article.
     
    Bob, Jun 8, 2006
    #8
  9. Thanks for the follow up!
     
    Louis Vitiello Jr., Jun 9, 2006
    #9
  10. Hi Bob,

    Thank you for your confirmation. I have written an internal KB which is the
    beginning of a KB article.

    Have a great day!

    Sincerely,
    John Chen, MCSE, MCSA, MCDBA, MCSD
    Microsoft Online Partner Support

     
    John Chen [MSFT], Jun 9, 2006
    #10
