Fix SCCM Untrusted Forest Remote DP Installation Error 0x800706BA ConfigMgr Endpoint Manager

This happens only in complex environments :). I have loads of remote DPs in untrusted forests. One of the remote DP installations was not going well: the DP was not getting installed at all.

Fix SCCM Untrusted Forest Remote DP Installation Error 0x800706BA

I checked and confirmed all the requirements, such as: a) Require the Site server to Initiate Connection to this Site System; b) Use another account for installing this site system (this account must have local admin rights on the remote DP).

The following errors appeared in distmgr.log:

They were upgrading DP with ID 33554439. Thread 0x2490. Used 1 thread out of 5.


CWmi::Connect() failed to connect to \\[“Display=\\RemoteDP.com\”]MSWNET:[“SMS_SITE=RSP”]\\RemoteDP.com\\root\CIMv2. Error = 0x800706BA

DPConnection::ConnectWMI() – Failed to connect to  RemoteDP.com.

Failed to install DP files on the remote DP. Error code = 1722

Fix Error 0x800706BA

The error 0x800706BA translates to “The RPC Server is unavailable.”


I tried remote WMI tests using wmimgmt.msc and wbemtest with no luck. Telnet from the primary server to the remote DP's IP address on port 135 was not working either. Port 135 is used for RPC services.

The cause of this problem was very simple. The RPC port 135 was not opened between the primary server and remote DP in an untrusted forest.  We opened port 135, and remote DP got installed successfully.
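
The checks described above, scripted as an added example that is not part of the original post: it decodes the HRESULT from distmgr.log, tests the TCP ports from the primary site server, and repeats the WMI connection that distmgr attempts. `RemoteDP.com` is the placeholder host name from the log, and the helper name `Convert-HResultToWin32` is hypothetical.

```powershell
# Added example, not from the original post. Run on the primary site server
# in Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7).
param(
    [string]$RemoteDP = 'RemoteDP.com',   # placeholder host name from the log
    [int[]]$Ports     = @(135, 445)       # RPC endpoint mapper, SMB
)

function Convert-HResultToWin32 {         # hypothetical helper name
    param([long]$HResult)
    # Win32-facility HRESULTs (facility 7) keep the Win32 code in the low 16 bits.
    if ((($HResult -shr 16) -band 0x1FFF) -ne 7) { return $null }
    $code = [int]($HResult -band 0xFFFF)
    [pscustomobject]@{
        Win32Code = $code
        Message   = (New-Object System.ComponentModel.Win32Exception $code).Message
    }
}

# 0x800706BA from CWmi::Connect() maps to Win32 1722, the code on the
# "Failed to install DP files on the remote DP" line.
Convert-HResultToWin32 0x800706BA

# Step 1: plain TCP reachability, the scripted equivalent of the telnet test.
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $RemoteDP -Port $p -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $RemoteDP, $p, $r.TcpTestSucceeded
}

# Step 2: connect to the same namespace distmgr uses (\\<DP>\root\CIMv2) with the
# site system installation account. DCOM negotiates a dynamic RPC port after 135,
# so this can still fail when step 1 succeeds.
$cred = Get-Credential -Message 'Site system installation account (local admin on the DP)'
try {
    Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem `
        -ComputerName $RemoteDP -Credential $cred -ErrorAction Stop |
        Select-Object CSName, Caption, Version
    'WMI connection succeeded.'
} catch {
    $hr = $_.Exception.HResult
    'WMI connection failed: 0x{0:X8}' -f $hr
    Convert-HResultToWin32 $hr
}
```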

More details on SCCM firewall ports: SCCM Firewall Ports – Download The List Of ConfigMgr Firewall Ports, HTMD Blog (anoopcnair.com)


Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

16 thoughts on “Fix SCCM Untrusted Forest Remote DP Installation Error 0x800706BA ConfigMgr Endpoint Manager”

    • I’ve replied to your post in technet forum.
      I know you must have seen this post about Untrusted Forest Remote DP Error 0x800706BA. As I mentioned in the post, have you tried to access wmimgmt.msc and wbemtest.msc with a domain admin user? It is also worth enabling WMI logs (on the DC) to check whether there is any error while attempting to connect to WMI from the primary server. If you have Win2k8 and above, see how to enable WMI tracing.

      It seems to me like a FW issue. The error mentioned above is remote procedure call (RPC) server unavailable that can happen if the dynamic ports are NOT open other than 135.

      It is worth checking the following ports as well. To get more details you may need to perform a network trace so that you will come to know which port is blocking it:

      – tcp 135,
      – tcp/udp – 389
      – tcp 3268
      – tcp/udp – 88
      – tcp/udp – 53
      – tcp 3268
      – tcp 445
      – dynamic rpc ports for NTDS. Netlogon

      Reply
  1. Issue solved. It was indeed a firewall issue. Had a detailed check with the FW team. Ephemeral ports are created dynamically and assigned to each client which opens a session. In the case of Windows Server 2003, both TCP and UDP ephemeral ports are within the range 1025-5000. We had to set an exception for port numbers between 1025 and 5000. This fixed the issue.

    Reply
  2. My problem was that our DP was running on a Hyper-V server on a physical server. The physical server's firewall was stopped, causing an issue. Started the firewall, restarted the VM and voila.

    Reply
  3. Hi Anoop,
    I have the same issue, trying to install the DP role in the untrusted forest. We have ports 135 and 445 open between the primary site and the server in another forest.
    While installing, I selected the options as mentioned in the post: a) Require the Site server to Initiate Connection to this Site System; b) Use another account for installing this site system (this account must have local admin rights on remote DP).

    In the Distmgr.log, getting error code as FAILED TO INSTALL DP FILES ON THE REMOTE DP. ERROR CODE = 1901.
    Please advise

    Reply
    • I would take help from the network team to perform a network trace between the DP and the SCCM primary server. Otherwise, can you please let me know how you are checking that the ports are open? I would use the portquery utility rather than telnet! Also make sure two-way communication is in place in terms of ports!

      Reply

  4. Hi Anoop,
    I have checked from both sides using telnet and the Port Query tool and it's open. Can you please let me know the response for the below queries?
    All our servers are Windows 2012 R2.

    1. Are there any other ports needed except 135 and 445? (only for DP)
    2. Do we need to install IIS manually on the remote DP (untrusted Forest)
    3. Do we need to open any dynamic ports ?
    4. Any ports for WMI need to be open ?

    while checking distmgr.log in cmtrace getting below errors

    1. CWmi:: Connect() failed to connect to \\servername\root\CIMv2. Error = 0X800070776
    2. DP connection::ConnectWMI() -Failed to connect to “ServerNAme”
    3. Failed to Install DP files on the remote DP.Error code -1910

    Any more help will be really appreciated.

    Reply
    • 1. Are there any other ports needed except 135 and 445? (only for DP) ==> YES
      2. Do we need to install IIS manually on the remote DP (untrusted Forest) ==> NO
      3. Do we need to open any dynamic ports ? ==> YES…135 is useless if you have not opened dynamic ports
      4. Any ports for WMI need to be open ? NO

      Reply
  5. Thanks Anoop,
    Can you please let me know what range of dynamic ports should we open ?

    Any other configuration needed like to Enable Forest discovery of untrusted forest?

    Regards
    Fahim

    Reply
  6. Thanks Anoop,
    I checked with the network team and even dynamic ports are opened.
    Do I need to extend the AD schema in untrusted forest for completing the DP installation ?
    Or creating manually system management container in untrusted domain ?

    Regards
    Fahim

    Reply
    • AD schema extension is not required for DP to work. There is something else. May be raise a call with Microsoft support or check the group policies. If you have a working DP in that forest or similar forest check and compare the setting of both the servers.

      Reply
