SCCM 2012 Untrusted Forest Remote DP Installation Error 0x800706BA

This happens only in complex environments 🙂. I have loads of remote DPs in untrusted forests. One of the remote DP installations was not going well: the DP was not getting installed at all. I checked and confirmed all the requirements, such as a) Require the Site server to Initiate Connection to this Site System and b) Use another account for installing this site system (this account must have local admin rights on the remote DP).

The following errors appear in distmgr.log:

Upgrading DP with ID 33554439. Thread 0x2490. Used 1 threads out of 5.

CWmi::Connect() failed to connect to \\[“Display=\\RemoteDP.com\”]MSWNET:[“SMS_SITE=RSP”]\\RemoteDP.com\\root\CIMv2. Error = 0x800706BA

DPConnection::ConnectWMI() – Failed to connect to  RemoteDP.com.

Failed to install DP files on the remote DP. Error code = 1722

The error 0x800706BA translates to “The RPC Server is unavailable”. I tried remote WMI tests using wmimgmt.msc and wbemtest with no luck. Telnet to port 135 on the remote DP's IP was not working from the primary server. Port 135 is used for RPC services. The cause of this problem was very simple: RPC port 135 was not open between the primary server and the remote DP in the untrusted forest. We opened port 135 and the remote DP got installed successfully.
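A pre-flight check for the failure described above, as an added example that is not from the original post: run from the primary site server, it tests the TCP ports named on this page, attempts a WMI connection to root\cimv2 with the installation account, and decodes a failing HRESULT into its Win32 code (0x800706BA carries 0x6BA = 1722, the code distmgr.log prints). The function names are hypothetical, and RemoteDP.com is the placeholder host from the log lines.

```powershell
# Added example: run on the primary site server in Windows PowerShell.
# 'RemoteDP.com' is the placeholder host name from the distmgr.log lines above.
param(
    [string]$RemoteDP = 'RemoteDP.com',
    [int[]]$Ports = @(135, 445)   # RPC endpoint mapper and SMB, as discussed on this page
)

# Hypothetical helper: TCP connect with a timeout, so a firewall that silently
# drops packets does not hang the check.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Hypothetical helper: split an HRESULT into facility and code. Facility 7 is
# FACILITY_WIN32, in which case the low 16 bits are a plain Win32 error code.
function ConvertFrom-HResult {
    param([int]$HResult)
    $code = $HResult -band 0xFFFF
    $facility = ($HResult -shr 16) -band 0x7FF
    $text = if ($facility -eq 7) { ([ComponentModel.Win32Exception]$code).Message }
            else { 'not a Win32 facility code' }
    [pscustomobject]@{ Facility = $facility; Code = $code; Message = $text }
}

foreach ($p in $Ports) {
    $open = Test-TcpPort -ComputerName $RemoteDP -Port $p
    '{0}:{1} reachable = {2}' -f $RemoteDP, $p, $open
}

# Connect to the namespace shown in the log, using the site system installation account.
$cred = Get-Credential -Message 'Site system installation account'
try {
    Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem `
        -ComputerName $RemoteDP -Credential $cred -ErrorAction Stop |
        Select-Object CSName, Caption
} catch {
    # 0x800706BA decodes to facility 7, code 1722 (RPC server unavailable).
    ConvertFrom-HResult -HResult $_.Exception.HResult
}
# On the remote DP itself, list the dynamic range RPC uses after the port 135 lookup:
#   netsh int ipv4 show dynamicport tcp
```

If port 135 answers but the WMI call still returns 1722, compare the dynamic range reported on the remote DP with what the firewall between the forests allows.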

16 COMMENTS

    • I’ve replied to your post in technet forum.
      I know, you must have seen this post about Untrusted Forest Remote DP Error 0x800706BA. As I mentioned in the post, have you tried to access wmimgmt.msc and wbemtest.msc with a domain admin user? It is also worth enabling WMI logs (on DC) to check whether there is any error while attempting to connect to WMI from the primary server. If you have Win2k8 and above, see how to enable WMI tracing.

      It seems to me like a FW issue. The error mentioned above is remote procedure call (RPC) server unavailable, which can happen if the dynamic ports other than 135 are NOT open.

      It is worth checking the following ports as well. To get more details you may need to perform a network trace so that you will come to know which port is blocking it:

      – tcp 135,
      – tcp/udp – 389
      – tcp 3268
      – tcp/udp – 88
      – tcp/udp – 53
      – tcp 3268
      – tcp 445
      – dynamic rpc ports for NTDS. Netlogon

  1. Issue solved. It was indeed a firewall issue. Had a detailed check with the FW team. Ephemeral ports are created dynamically and assigned to each client which opens a session. In the case of Windows Server 2003, both TCP and UDP ephemeral ports are within the range 1025-5000. We had to set an exception for ports between 1025 and 5000. This fixed the issue.

  2. My problem was that our DP was running on a Hyper-V server on a physical server. The physical server's firewall was stopped, causing an issue. Started the firewall, restarted the VM and voila.

  3. Hi Anoop,
    I have the same issue, trying to install the DP role in the untrusted forest. We have ports 135 and 445 open between the primary site and the server in another forest.
    While installing I selected the options as mentioned in the post: a) Require the Site server to Initiate Connection to this Site System b) Use another account for installing this site system (this account must have local admin rights on remote DP).

    In the Distmgr.log, I am getting the error code FAILED TO INSTALL DP FILES ON THE REMOTE DP. ERROR CODE = 1901.
    Please advise.

    • I would take help from the network team to perform a network trace between the DP and the SCCM primary server. Otherwise, can you please let me know how you are checking that the ports are open? I would use the portquery utility rather than telnet! Also make sure two-way communication is in place in terms of ports!

  4. Hi Anoop,
    I have checked from both sides using telnet and the Port Query tool and it's open. Can you please let me know the response to the queries below?
    All our servers are Windows 2012 R2.

    1. Are there any other ports needed except 135 and 445? (only for DP)
    2. Do we need to install IIS manually on the remote DP (untrusted forest)?
    3. Do we need to open any dynamic ports?
    4. Do any ports for WMI need to be open?

    While checking distmgr.log in cmtrace I am getting the errors below:

    1. CWmi:: Connect() failed to connect to \\servername\root\CIMv2. Error = 0X800070776
    2. DP connection::ConnectWMI() -Failed to connect to “ServerNAme”
    3. Failed to Install DP files on the remote DP.Error code -1910

    Any more help will be really appreciated.

    • 1. Are there any other ports needed except 135 and 445? (only for DP) ==> YES
      2. Do we need to install IIS manually on the remote DP (untrusted forest)? ==> NO
      3. Do we need to open any dynamic ports? ==> YES… 135 is useless if you have not opened dynamic ports
      4. Do any ports for WMI need to be open? ==> NO

  5. Thanks Anoop,
    Can you please let me know what range of dynamic ports we should open?

    Is any other configuration needed, like enabling Forest Discovery of the untrusted forest?

    Regards
    Fahim

  6. Thanks Anoop,
    I checked with the network team and even dynamic ports are opened.
    Do I need to extend the AD schema in the untrusted forest to complete the DP installation?
    Or manually create the System Management container in the untrusted domain?

    Regards
    Fahim

    • AD schema extension is not required for DP to work. There is something else. Maybe raise a call with Microsoft support or check the group policies. If you have a working DP in that forest or a similar forest, check and compare the settings of both the servers.
