Microsoft RPC Remote Procedure Call and End Point Mapper Details with Network Trace Examples

Microsoft RPC Remote Procedure Call – What is the use of it? Why does Windows use it so often? I was not aware of the details of the RPC mechanism. RPC Unavailable errors are common in SCCM as well. I've blogged about one such issue, which was again related to RPC, over here: ConfigMgr Primary Installation Error Attempted to perform unauthorized

This time around, some of the people in my organization and Microsoft forced me to read a lot about RPC. Thanks to them, at least I got some more details about RPC. So I thought of creating a note for me and people like me :) Some parts of this post contain network traces or Netmon analysis; this will help us troubleshoot deep into issues related to RPC.

What is Microsoft RPC (Remote Procedure Call)?

Microsoft Remote Procedure Call (RPC) is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process. The Microsoft RPC mechanism uses other IPC mechanisms, such as named pipes, NetBIOS, or Winsock, to establish communications between the client and the server.

The RPC components make it easy for clients to call a procedure located in a remote server program. The RPC process starts on the client side. The RPC provided by Windows is compliant with the Open Software Foundation (OSF) Distributed Computing Environment (DCE). RPC enables applications to call functions remotely.

What is RPC Endpoint mapper or Port Mapper?

When a client communicates with a server, it performs an initial connection to port 135 to communicate with the EPM (Endpoint Mapper). The client has to bind to an interface before it can call its procedures. The client first has to perform the 3-way RPC EPM handshake (SYN, SYN/ACK, ACK to port 135, as in the trace below); once the handshake is successful, the client can bind. If the bind was successful, the client can send a request to the Endpoint Mapper, in which it includes the UUID of the target interface.

Network trace example 3 way successful RPC EPM handshake

The client initiates a connection from source port 52702 (RPC dynamic port) to the server on destination port 135 (Endpoint Mapper). The server replies using source port 135 and destination port 52702.

Tcp: Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=722369472, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:36, IPv4:7}
Tcp: Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=52702, PayloadLen=0, Seq=1169857372, Ack=722369473, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:36, IPv4:7}
Tcp: Flags=...A...., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=722369473, Ack=1169857373, Win=512 (scale factor 0x8) = 131072 {TCP:36, IPv4:7}

Network Trace example for Successful RPC Bind

After the 3-way handshake, the client initiates an RPC Bind to the Endpoint Mapper. The Bind Ack from the server shows a successful RPC bind!

MSRPC MSRPC:c/o Bind: IObjectExporter(DCOM) UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} Call=0x2 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 {MSRPC:37, TCP:36, IPv4:7}
MSRPC MSRPC:c/o Bind Ack: IObjectExporter(DCOM) UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} Call=0x2 Assoc Grp=0x1E0D9 Xmit=0x16D0 Recv=0x16D0 {MSRPC:37, TCP:36, IPv4:7}

Microsoft clients connect to RPC Endpoint Mapper on port 135. Then the Endpoint Mapper tells the client which port a requested service is listening on. The port numbers are assigned dynamically and can be anywhere between 1024 and 65,535.

When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers. When the remote client needs to communicate with that service, it does not know which port numbers have been assigned.

To find out, the client connects to the server on TCP port 135 (the “well-known” port number for the RPC Endpoint Mapper service), and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number that the client should use to connect to the desired service. The client then reconnects to the server using the assigned port number, and communication with the desired service begins.

RPC End Point Mapper Handshake Failure (failed) Network trace

In the Netmon analysis below, the [SynReTransmit #101] entries mean the client is resending the request for the RPC EPM handshake but gets NO acknowledgement (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between client and server.

While opening firewall ports, there is no need to worry about the source ports mentioned in the network trace. Source ports are dynamic. You just need to provide the source IP and destination IP along with the destination ports.

TCP TCP:Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
TCP TCP:[SynReTransmit #101]Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
 TCP TCP:[SynReTransmit #101]Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}

Network Trace example for Failed Client Server communication on LDAP Port 389

In the Netmon analysis below, Flags=...A.R.. seems to me to be a TCP reset or reject (I can't confirm this).

TCP:Flags=......S., SrcPort=52705, DstPort=LDAP(389), PayloadLen=0, Seq=914145090, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:22, IPv4:13}
TCP:Flags=...A.R.., SrcPort=LDAP(389), DstPort=52705, PayloadLen=0, Seq=251831252, Ack=914145091, Win=8192 {TCP:22, IPv4:13}

Network Trace example for Failed Microsoft Global Catalog LDAP 3268 connection

In the Netmon analysis below, the [SynReTransmit #101] entries mean the client is resending the request for Global Catalog LDAP 3268 but gets NO acknowledgement (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between client and server.

TCP:Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}

Network Trace example for Failed Microsoft DNS port 53

In the Netmon analysis below, the [SynReTransmit #101] entries mean the client is resending the request for a DNS connection on port 53 but gets NO acknowledgement (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between client and server.

TCP:Flags=......S., SrcPort=52714, DstPort=DNS(53), PayloadLen=0, Seq=2780093052, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:54, IPv4:13}
TCP:[SynReTransmit #2312]Flags=......S., SrcPort=52714, DstPort=DNS(53), PayloadLen=0, Seq=2780093052, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:54, IPv4:13}

Network Trace example for Failed Kerberos port 88 connection

In the Netmon analysis below, the [SynReTransmit #101] entries mean the client is resending the request for Kerberos port 88 but gets NO acknowledgement (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between client and server.

TCP:Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=1708886965, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:65, IPv4:13}
TCP:[SynReTransmit #2874]Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=1708886965, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:65, IPv4:13}
KerberosV5 KerberosV5: {UDP:69, IPv4:13}
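
The three outcomes shown in the traces above (handshake completed, SYN retransmitted with no reply, SYN answered with a reset) can be told apart mechanically. The Python sketch below is an added example, not part of the original post; the sample lines are constructed in the Network Monitor summary format used on this page, and the names `classify`, `port` and the verdict labels are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the Network Monitor summary format shown on this page.
SAMPLE = """\
Tcp: Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0
Tcp: Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=52702, PayloadLen=0
Tcp: Flags=...A...., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0
TCP:Flags=......S., SrcPort=52705, DstPort=LDAP(389), PayloadLen=0
TCP:Flags=...A.R.., SrcPort=LDAP(389), DstPort=52705, PayloadLen=0
TCP:Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0
"""

LINE = re.compile(r"Flags=(?P<flags>[.A-Z]{8}), SrcPort=(?P<src>.+?), DstPort=(?P<dst>.+?), PayloadLen")

def port(field):  # 'DCE endpoint resolution(135)' -> 135, '52702' -> 52702
    m = re.search(r"\((\d+)\)$", field)
    return int(m.group(1)) if m else int(field)

def classify(trace):
    """Map server port -> verdict for each client SYN seen in the trace."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False, "rst": False})
    for raw in trace.replace("\u2026", "...").splitlines():  # undo '...' turned into an ellipsis
        m = LINE.search(raw)
        if not m:
            continue  # non-TCP summary lines (MSRPC, KerberosV5) are skipped
        f, src, dst = m["flags"], port(m["src"]), port(m["dst"])
        if "S" in f and "A" not in f:  # client SYN, first attempt or retransmit
            flows[(src, dst)]["syn"] += 1
            continue
        key = (src, dst) if (src, dst) in flows else (dst, src)
        if "R" in f:
            flows[key]["rst"] = True
        elif "S" in f:  # SYN/ACK from the server
            flows[key]["synack"] = True
        elif flows[key]["synack"]:  # final ACK of the 3-way handshake
            flows[key]["ack"] = True
    out = {}
    for (_, sport), s in flows.items():
        if s["rst"] and not s["synack"]:
            out[sport] = "refused"
        elif s["synack"] and s["ack"]:
            out[sport] = "established"
        else:
            out[sport] = "filtered" if s["syn"] > 1 else "incomplete"
    return out

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A "filtered" verdict points at a drop between client and server (firewall or routing), while "refused" means something answered with a reset, so the path is open but the port is not accepting connections.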

Following is the best explanation I found about Remote Procedure Call (RPC)

If every program and service that needed to communicate over the network assigned its own port number, you can easily imagine that sooner or later two programs would conflict over the use of the same port. To address this, many programs use the Remote Procedure Call (RPC) protocol to request communications with a host service on a dynamically assigned port number. When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers. When the remote client needs to communicate with that service, it does not know which port numbers have been assigned.

To find out, the client connects to the server on TCP port 135 (the “well-known” port number for the RPC Endpoint Mapper service), and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number that the client should use to connect to the desired service. The client then reconnects to the server using the assigned port number, and communication with the desired service begins.

What are the 4 Major Components of RPC?

From an infrastructure support person's perspective, I think we need to understand the importance of the Endpoint Mapper, which is explained in the first section above.

1. MIDL compiler

2. Run-time libraries and header files

3. Name service provider (sometimes referred to as the Locator)

4. Endpoint mapper (sometimes referred to as the port mapper)

The system components or other Windows services which depend on the RPC service

  1. Background Intelligent Transfer Service
  2. Cluster Service
  3. COM+ Event System
  4. COM+ System Application
  5. Cryptographic Services
  6. DHCP Server
  7. Distributed Link Tracking Client
  8. Distributed Link Tracking Server
  9. Distributed Tracking Coordinator
  10. DNS Server
  11. Error Reporting Service
  12. Fax
  13. File Replication
  14. Help and Support
  15. Human Device Interface Access
  16. IIS Admin Service
  17. Indexing Service
  18. Internet Authentication Service
  19. IPSEC Services
  20. IPv6 Helper Service
  21. Kerberos Key Distribution Center
  22. Logical Disk Manager
  23. Logical Disk Administrator Service
  24. Messenger
  25. MS Software Shadow Copy Provider
  26. Network Connections
  27. Print Spooler
  28. Protected Storage
  29. Remote Desktop Help Session Manager
  30. Remote Registry
  31. Removable Storage
  32. Resultant Set of Policy Provider
  33. Routing and Remote Access
  34. Security Accounts Manager
  35. Shell Hardware Detection
  36. Task Scheduler
  37. Telephony
  38. Telnet
  39. Terminal Services
  40. Terminal Services Session Directory
  41. Terminal Services Licensing
  42. Upload Manager
  43. Volume Shadow Copy
  44. Web Element Manager
  45. Windows Audio
  46. Windows Image Acquisition (WIA)
  47. Windows Installer
  48. Windows Internet Name Service (WINS)
  49. Windows Management Instrumentation
  50. Windows Media Services
  51. Wireless Configuration
  52. WMI Performance Adapter
  53. World Wide Web Publishing Service

More details on RPC services via TechNet http://technet.microsoft.com/en-us/library/hh125927(v=ws.10).aspx#BKMK_rpcss

More references about RPC…..

RPC Architecture

http://technet.microsoft.com/en-us/library/cc738291(v=ws.10).aspx

RPC Some More Details

http://technet.microsoft.com/en-us/library/cc732839(v=ws.10).aspx

How to configure RPC dynamic port allocation to work with firewalls

http://support.microsoft.com/kb/154596/en-us

Service overview and network port requirements for Windows

http://support.microsoft.com/kb/832017/

More Details about RPC

http://msdn.microsoft.com/en-us/library/windows/desktop/aa378651(v=vs.85).aspx
