SCCM Real World Network Trace Examples Microsoft RPC Remote Procedure Call Configuration Manager

Microsoft RPC (Remote Procedure Call): what is it used for, and why does Windows use it so often? I was not aware of the details of the RPC mechanism :(.

RPC Unavailable errors are common in SCCM as well. I’ve blogged about one of these issues, which was again related to RPC, here: ConfigMgr Primary Installation Error Attempted to perform unauthorized

Do you know the RPC dynamic ports? TCP 49152-65535

This time around, some of the people in my organization and Microsoft were forced to read a lot about RPC. Thanks to them, at least I got some more details about RPC. So I thought of creating a note for me and people like me :) Some parts of this post contain network trace (Netmon) analysis; this will help us troubleshoot deeper into issues related to RPC.

What is Microsoft RPC (Remote Procedure Call)?

Microsoft Remote Procedure Call (RPC) is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process. The Microsoft RPC mechanism uses other IPC mechanisms, such as named pipes, NetBIOS, or Winsock, to establish communications between the client and the server.

The RPC components make it easy for clients to call a procedure located in a remote server program. The RPC process starts on the client-side. The RPC provided by Windows is compliant with the Open Software Foundation (OSF) Distributed Computing Environment (DCE). RPC enables applications to call functions remotely.

What is RPC Endpoint mapper or Port Mapper?

When a client communicates with a server, it first connects to port 135 to reach the EPM (Endpoint Mapper). The client has to bind to an interface before it can call that interface's procedures. To get there, the client first completes a three-way (TCP) handshake with the EPM; once that handshake succeeds, the client can bind. If the bind succeeds, the client can send a request to the Endpoint Mapper that includes the UUID of the target interface.

Network trace example 3 way successful RPC EPM handshake

The client initiates a connection from source port 52702 (an RPC dynamic port) to the server on destination port 135 (Endpoint Mapper). The server replies using source port 135 and destination port 52702.

Tcp: Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=722369472, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:36, IPv4:7}
Tcp: Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=52702, PayloadLen=0, Seq=1169857372, Ack=722369473, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:36, IPv4:7}
Tcp: Flags=...A...., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=722369473, Ack=1169857373, Win=512 (scale factor 0x8) = 131072 {TCP:36, IPv4:7}

Network Trace example for Successful RPC Bind

After the 3 way handshake, it initiates an RPC Bind to the Endpoint Mapper. Successful RPC bind!

MSRPC MSRPC:c/o Bind: IObjectExporter(DCOM) UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} Call=0x2 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 {MSRPC:37, TCP:36, IPv4:7}
MSRPC MSRPC:c/o Bind Ack: IObjectExporter(DCOM) UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} Call=0x2 Assoc Grp=0x1E0D9 Xmit=0x16D0 Recv=0x16D0 {MSRPC:37, TCP:36, IPv4:7}

Microsoft clients connect to RPC Endpoint Mapper on port 135. Then the Endpoint Mapper tells the client which ports a requested service is listening on. The port numbers are assigned dynamically and can be anywhere between 1024 and 65,535.

When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers. When the remote client needs to communicate with that service, it does not know which port numbers have been assigned.

To find out, the client connects to the server on TCP port 135 (the “well-known” port number for the RPC Endpoint Mapper service), and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number that the client should use to connect to the desired service. The client then reconnects to the server using the assigned port number, and communication with the desired service begins.

RPC End Point Mapper Handshake Failure (failed) Network trace

In the Netmon trace below, [SynReTransmit #101] means the client is resending its request for the RPC EPM handshake but gets NO acknowledgment (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be caused by a firewall. You may need to open the firewall ports between client and server.

When opening firewall ports, there is no need to worry about the source ports shown in the network trace. Source ports are dynamic. You just need to provide the source IP and destination IP along with the destination ports.

TCP TCP:Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
TCP TCP:[SynReTransmit #101]Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
 TCP TCP:[SynReTransmit #101]Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}

Network Trace example for Failed Client server communication network trace on LDAP Port 389

In the Netmon trace below, Flags=...A.R.. seems to me to be a TCP reset or reject (I can’t confirm this).

TCP:Flags=......S., SrcPort=52705, DstPort=LDAP(389), PayloadLen=0, Seq=914145090, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:22, IPv4:13}
TCP:Flags=...A.R.., SrcPort=LDAP(389), DstPort=52705, PayloadLen=0, Seq=251831252, Ack=914145091, Win=8192 {TCP:22, IPv4:13}

Network Trace example for Failed Microsoft Global Catalog LDAP 3268 connection

In the Netmon trace below, the [SynReTransmit] marker means the client is resending its request for Global Catalog LDAP 3268 but gets NO acknowledgment (response) from the server, unlike the successful trace earlier (Flags=...A..S. and Flags=...A....). This could be caused by a firewall. You may need to open the firewall ports between client and server.

TCP:Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}

Network Trace example for Failed Microsoft DNS port 53

In the Netmon trace below, the [SynReTransmit] marker means the client is resending its request for a DNS connection on port 53 but gets NO acknowledgment (response) from the server, unlike the successful trace earlier (Flags=...A..S. and Flags=...A....). This could be caused by a firewall. You may need to open the firewall ports between client and server.

TCP:Flags=......S., SrcPort=52714, DstPort=DNS(53), PayloadLen=0, Seq=2780093052, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:54, IPv4:13}
TCP:[SynReTransmit #2312]Flags=......S., SrcPort=52714, DstPort=DNS(53), PayloadLen=0, Seq=2780093052, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:54, IPv4:13}

Network Trace example for Failed Kerberos port 88 connection

In the Netmon trace below, the [SynReTransmit] marker means the client is resending its request for Kerberos port 88 but gets NO acknowledgment (response) from the server, unlike the successful trace earlier (Flags=...A..S. and Flags=...A....). This could be caused by a firewall. You may need to open the firewall ports between client and server.

TCP:Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=1708886965, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:65, IPv4:13}
TCP:[SynReTransmit #2874]Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=1708886965, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:65, IPv4:13}
KerberosV5 KerberosV5: {UDP:69, IPv4:13}
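The three outcomes in the traces above (completed handshake, reset, SYN retransmitted with no answer) can be told apart mechanically. The following is an added example, not part of the original post: a small Python parser for Netmon summary lines, where the function names and verdict labels are assumptions made for illustration and the sample lines are abridged from the traces on this page.

```python
import re

# Netmon summary lines abridged from the traces on this page (Seq/Ack/Win dropped).
SAMPLE_TRACE = """\
Tcp: Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0
Tcp: Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=52702, PayloadLen=0
Tcp: Flags=...A...., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0
TCP:Flags=......S., SrcPort=52705, DstPort=LDAP(389), PayloadLen=0
TCP:Flags=...A.R.., SrcPort=LDAP(389), DstPort=52705, PayloadLen=0
TCP:Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0
"""

LINE_RE = re.compile(r"Flags=([.A-Z]{8}), SrcPort=(.+?), DstPort=(.+?), PayloadLen")

def port_number(field):
    """'LDAP(389)' -> 389, '52705' -> 52705."""
    return int(re.search(r"(\d+)\)?$", field).group(1))

def classify_flows(trace):
    """Map (client_port, server_port) -> (verdict, SYNs sent) per connection attempt."""
    # The summary lines carry no IP addresses, so flows are keyed by port pair only.
    flows = {}
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP summary line
        flags, src, dst = m.group(1), port_number(m.group(2)), port_number(m.group(3))
        if "S" in flags and "A" not in flags:  # client SYN, or a retransmit of it
            st = flows.setdefault((src, dst), {"syn": 0, "synack": False, "ack": False, "rst": False})
            st["syn"] += 1
            continue
        st = flows.get((src, dst)) or flows.get((dst, src))
        if st is None:
            continue  # packet for a flow whose SYN is not in the capture
        if "R" in flags:
            st["rst"] = True  # RST: the peer answered but refused or tore down the connection
        elif "S" in flags:
            st["synack"] = True  # SYN+ACK from the server
        elif st["synack"] and (src, dst) in flows:
            st["ack"] = True  # client's final ACK completes the handshake
    verdicts = {}
    for key, st in flows.items():
        verdict = ("reset" if st["rst"] else "established" if st["ack"]
                   else "half-open" if st["synack"] else "no-reply")
        verdicts[key] = (verdict, st["syn"])
    return verdicts
```

A `no-reply` verdict with several SYNs is the pattern this page attributes to a firewall dropping traffic, while `reset` means something did answer, so the place to look is the listening service or a rejecting rule rather than a silent drop.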

The following is the best explanation I found about Remote Procedure Call (RPC):

If every program and service that needed to communicate over the network assigned its own port number, you can easily imagine that sooner or later two programs would conflict over the use of the same port.

To address this, many programs use the Remote Procedure Call (RPC) protocol to request communications with a host service on a dynamically assigned port number. When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers.

When the remote client needs to communicate with that service, it does not know which port numbers have been assigned.

To find out, the client connects to the server on TCP port 135 (the “well-known” port number for the RPC Endpoint Mapper service), and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number that the client should use to connect to the desired service.

The client then reconnects to the server using the assigned port number, and communication with the desired service begins.

What are the 4 Major Components of RPC?

From an infrastructure support person's perspective, I think we need to understand the importance of the Endpoint Mapper, which is explained in the first section above.

1. MIDL compiler

2. Run-time libraries and header files

3. Name service provider (sometimes referred to as the Locator)

4. Endpoint mapper (sometimes referred to as the portmapper)

The system components or other Windows services that depend on the RPC service

  1. Background Intelligent Transfer Service
  2. Cluster Service
  3. COM+ Event System
  4. COM+ System Application
  5. Cryptographic Services
  6. DHCP Server
  7. Distributed Link Tracking Client
  8. Distributed Link Tracking Server
  9. Distributed Tracking Coordinator
  10. DNS Server
  11. Error Reporting Service
  12. Fax
  13. File Replication
  14. Help and Support
  15. Human Device Interface Access
  16. IIS Admin Service
  17. Indexing Service
  18. Internet Authentication Service
  19. IPSEC Services
  20. IPv6 Helper Service
  21. Kerberos Key Distribution Center
  22. Logical Disk Manager
  23. Logical Disk Administrator Service
  24. Messenger
  25. MS Software Shadow Copy Provider
  26. Network Connections
  27. Print Spooler
  28. Protected Storage
  29. Remote Desktop Help Session Manager
  30. Remote Registry
  31. Removable Storage
  32. Resultant Set of Policy Provider
  33. Routing and Remote Access
  34. Security Accounts Manager
  35. Shell Hardware Detection
  36. Task Scheduler
  37. Telephony
  38. Telnet
  39. Terminal Services
  40. Terminal Services Session Directory
  41. Terminal Services Licensing
  42. Upload Manager
  43. Volume Shadow Copy
  44. Web Element Manager
  45. Windows Audio
  46. Windows Image Acquisition (WIA)
  47. Windows Installer
  48. Windows Internet Name Service (WINS)
  49. Windows Management Instrumentation
  50. Windows Media Services
  51. Wireless Configuration
  52. WMI Performance Adapter
  53. World Wide Web Publishing Service

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

3 thoughts on “SCCM Real World Network Trace Examples Microsoft RPC Remote Procedure Call Configuration Manager”

  1. Hello,
    Only question, whether Posts? Should be “Do you know RPC Dynamic Posts ? TCP 49152-65535” replaced by “Do you know RPC Dynamic Ports ? TCP 49152-65535”?
    Thank you for RPC clarifying more.
    Oto
