Microsoft RPC Remote Procedure Call – What is the use of it? Why is Windows using this very often? I was not aware of the details of the RPC mechanism :(.
RPC Unavailable errors are common in SCCM as well. I’ve blogged about one of those issues, which was again related to RPC, in the post ConfigMgr Primary Installation Error Attempted to perform unauthorized.
Do you know the RPC dynamic ports? TCP 49152-65535
This time around, some of the people in my organization and at Microsoft were forced to read a lot about RPC. Thanks to them, at least I got some more details about RPC. So I thought of creating a note for me and people like me :) Some parts of this post contain network trace (Netmon) analysis; this will help us troubleshoot deeper into issues related to RPC.
What is Microsoft RPC (Remote Procedure Call)?
Microsoft Remote Procedure Call (RPC) is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process. The Microsoft RPC mechanism uses other IPC mechanisms, such as named pipes, NetBIOS, or Winsock, to establish communications between the client and the server.
The RPC components make it easy for clients to call a procedure located in a remote server program. The RPC process starts on the client-side. The RPC provided by Windows is compliant with the Open Software Foundation (OSF) Distributed Computing Environment (DCE). RPC enables applications to call functions remotely.
What is RPC Endpoint mapper or Port Mapper?
When a client communicates with a server, it makes an initial connection to port 135 to talk to the EPM (Endpoint Mapper). The client has to bind to an interface before it can call its procedures. The client first has to perform a 3-way RPC EPM handshake; once that handshake succeeds, the client can bind. If the binding process is successful, the client can send a request to the Endpoint Mapper that includes the UUID of the target interface.
SCCM Real World Network Trace Examples Microsoft RPC Remote Procedure Call
Network trace example 3 way successful RPC EPM handshake
The client initiates a connection from source port 52702 (an RPC dynamic port) to the server on destination port 135 (Endpoint Mapper). The server replies using source port 135 and destination port 52702.
Tcp: Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=722369472, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:36, IPv4:7}
Tcp: Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=52702, PayloadLen=0, Seq=1169857372, Ack=722369473, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:36, IPv4:7}
Tcp: Flags=...A...., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=722369473, Ack=1169857373, Win=512 (scale factor 0x8) = 131072 {TCP:36, IPv4:7}
Network Trace example for Successful RPC Bind
After the 3-way handshake, the client initiates an RPC Bind to the Endpoint Mapper. Successful RPC bind!
MSRPC MSRPC:c/o Bind: IObjectExporter(DCOM) UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} Call=0x2 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 {MSRPC:37, TCP:36, IPv4:7}
MSRPC MSRPC:c/o Bind Ack: IObjectExporter(DCOM) UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} Call=0x2 Assoc Grp=0x1E0D9 Xmit=0x16D0 Recv=0x16D0 {MSRPC:37, TCP:36, IPv4:7}
Microsoft clients connect to RPC Endpoint Mapper on port 135. Then the Endpoint Mapper tells the client which ports a requested service is listening on. The port numbers are assigned dynamically and can be anywhere between 1024 and 65,535.
When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers. When the remote client needs to communicate with that service, it does not know which port numbers have been assigned.
To find out, the client connects to the server on TCP port 135 (the “well-known” port number for the RPC Endpoint Mapper service), and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number that the client should use to connect to the desired service. The client then reconnects to the server using the assigned port number, and communication with the desired service begins.
Network trace example for failed RPC Endpoint Mapper handshake
The [SynReTransmit #101] entries in the Netmon trace below mean the client is resending its request for the RPC EPM handshake but getting NO acknowledgment (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between client and server.
While opening firewall ports, there is no need to worry about the source ports shown in the network trace. Source ports are dynamic. You just need to provide the source IP and destination IP along with the destination ports.
TCP TCP:Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
TCP TCP:[SynReTransmit #101]Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
TCP TCP:[SynReTransmit #101]Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
Network trace example for failed client-server communication on LDAP port 389
In the Netmon trace below, Flags=...A.R.. seems to me to be a TCP reset or reject (I can’t confirm this).
TCP:Flags=......S., SrcPort=52705, DstPort=LDAP(389), PayloadLen=0, Seq=914145090, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:22, IPv4:13}
TCP:Flags=...A.R.., SrcPort=LDAP(389), DstPort=52705, PayloadLen=0, Seq=251831252, Ack=914145091, Win=8192 {TCP:22, IPv4:13}
Network Trace example for Failed Microsoft Global Catalog LDAP 3268 connection
The SynReTransmit entries in the Netmon trace below mean the client is resending its request to Global Catalog LDAP port 3268 but getting NO acknowledgment (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between client and server.
TCP:Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
Network Trace example for Failed Microsoft DNS port 53
The SynReTransmit entries in the Netmon trace below mean the client is resending its request for a DNS connection on port 53 but getting NO acknowledgment (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between client and server.
TCP:Flags=......S., SrcPort=52714, DstPort=DNS(53), PayloadLen=0, Seq=2780093052, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:54, IPv4:13}
TCP:[SynReTransmit #2312]Flags=......S., SrcPort=52714, DstPort=DNS(53), PayloadLen=0, Seq=2780093052, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:54, IPv4:13}
Network Trace example for Failed Kerberos port 88 connection
The SynReTransmit entries in the Netmon trace below mean the client is resending its request to Kerberos port 88 but getting NO acknowledgment (response) from the server, unlike the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between client and server.
TCP:Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=1708886965, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:65, IPv4:13}
TCP:[SynReTransmit #2874]Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=1708886965, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:65, IPv4:13}
KerberosV5 KerberosV5: {UDP:69, IPv4:13}
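The three outcomes seen in the traces above (completed handshake, reset, unanswered SYN retransmits) can be told apart mechanically. The following is an added example, not part of the original post: a small Python triage script for Netmon TCP summary lines in the format shown on this page. The names `classify`, `port` and `SAMPLE` are hypothetical, and the sample lines are abridged from the traces above.

```python
import re
from collections import defaultdict

# Matches the Netmon TCP summary lines in the format shown on this page.
LINE = re.compile(r"(?P<retx>\[SynReTransmit #\d+\])?Flags=(?P<flags>[.A-Z]{8}), "
                  r"SrcPort=(?P<src>.+?), DstPort=(?P<dst>.+?), PayloadLen")

# Summary lines abridged from the traces on this page (fields after PayloadLen dropped).
SAMPLE = """\
Tcp: Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0
Tcp: Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=52702, PayloadLen=0
Tcp: Flags=...A...., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0
TCP:Flags=......S., SrcPort=52705, DstPort=LDAP(389), PayloadLen=0
TCP:Flags=...A.R.., SrcPort=LDAP(389), DstPort=52705, PayloadLen=0
TCP:Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0
KerberosV5 KerberosV5: {UDP:69, IPv4:13}
""".splitlines()

def port(field):
    """'DCE endpoint resolution(135)' -> 135, '52702' -> 52702."""
    return int(re.search(r"(\d+)\)?$", field).group(1))

def classify(lines):
    """Map (client_port, server_port) -> verdict for every SYN seen in the trace."""
    conns = defaultdict(lambda: {"retx": 0, "synack": False, "rst": False})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                            # MSRPC, KerberosV5 and other non-TCP lines
        flags, src, dst = m["flags"], port(m["src"]), port(m["dst"])
        if "S" in flags and "A" not in flags:   # bare SYN: the sender is the client
            conns[(src, dst)]["retx"] += bool(m["retx"])
        elif (dst, src) in conns:               # reply travelling server -> client
            conns[(dst, src)]["synack"] |= "S" in flags
            conns[(dst, src)]["rst"] |= "R" in flags
    verdicts = {}
    for key, c in conns.items():
        if c["synack"]:
            verdicts[key] = "handshake completed"
        elif c["rst"]:
            verdicts[key] = "reset: port closed or connection actively rejected"
        elif c["retx"]:
            verdicts[key] = "SYN unanswered: packets dropped, check firewall path"
        else:
            verdicts[key] = "SYN seen, no reply captured"
    return verdicts

if __name__ == "__main__":
    for (cport, sport), verdict in classify(SAMPLE).items():
        print(f"{cport} -> {sport}: {verdict}")
```

A reset means something answered (the server itself with the port closed, or a device that rejects), while unanswered retransmits mean nothing came back at all, which is why only the latter points at packets being silently dropped between client and server.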
The following is the best explanation I found about Remote Procedure Call (RPC)
If every program and service that needed to communicate over the network assigned its own port number, you can easily imagine that sooner or later two programs would conflict over the use of the same port.
To address this, many programs use the Remote Procedure Call (RPC) protocol to request communications with a host service on a dynamically assigned port number. When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers.
When the remote client needs to communicate with that service, it does not know which port numbers have been assigned.
To find out, the client connects to the server on TCP port 135 (the “well-known” port number for the RPC Endpoint Mapper service), and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number that the client should use to connect to the desired service.
The client then reconnects to the server using the assigned port number, and communication with the desired service begins.
What are the 4 Major Components of RPC?
From an infrastructure support person's perspective, I think we need to understand the importance of the Endpoint Mapper, which is explained in the first section above.
1. MIDL compiler
2. Run-time libraries and header files
3. Name service provider (sometimes referred to as the Locator)
4. Endpoint mapper (sometimes referred to as the portmapper)
System components or other Windows services that depend on the RPC service
- Background Intelligent Transfer Service
- Cluster Service
- COM+ Event System
- COM+ System Application
- Cryptographic Services
- DHCP Server
- Distributed Link Tracking Client
- Distributed Link Tracking Server
- Distributed Tracking Coordinator
- DNS Server
- Error Reporting Service
- Fax
- File Replication
- Help and Support
- Human Device Interface Access
- IIS Admin Service
- Indexing Service
- Internet Authentication Service
- IPSEC Services
- IPv6 Helper Service
- Kerberos Key Distribution Center
- Logical Disk Manager
- Logical Disk Administrator Service
- Messenger
- MS Software Shadow Copy Provider
- Network Connections
- Print Spooler
- Protected Storage
- Remote Desktop Help Session Manager
- Remote Registry
- Removable Storage
- Resultant Set of Policy Provider
- Routing and Remote Access
- Security Accounts Manager
- Shell Hardware Detection
- Task Scheduler
- Telephony
- Telnet
- Terminal Services
- Terminal Services Session Directory
- Terminal Services Licensing
- Upload Manager
- Volume Shadow Copy
- Web Element Manager
- Windows Audio
- Windows Image Acquisition (WIA)
- Windows Installer
- Windows Internet Name Service (WINS)
- Windows Management Instrumentation
- Windows Media Services
- Wireless Configuration
- WMI Performance Adapter
- World Wide Web Publishing Service
More references about RPC
- More details on RPC services via TechNet http://technet.microsoft.com/en-us/library/hh125927(v=ws.10).aspx#BKMK_rpcss
- RPC Architecture – http://technet.microsoft.com/en-us/library/cc738291(v=ws.10).aspx
- RPC Some More Details – http://technet.microsoft.com/en-us/library/cc732839(v=ws.10).aspx
- How to configure RPC dynamic port allocation to work with firewalls – http://support.microsoft.com/kb/154596/en-us
- Service overview and network port requirements for Windows – http://support.microsoft.com/kb/832017/
- More Details about RPC – http://msdn.microsoft.com/en-us/library/windows/desktop/aa378651(v=vs.85).aspx
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
thank you, awesome
Hello,
Only question, whether Posts? Should “Do you know RPC Dynamic Posts ? TCP 49152-65535” be replaced by “Do you know RPC Dynamic Ports ? TCP 49152-65535”?
Thank you for RPC clarifying more.
Oto
Ports 😉 obviously