SCCM Real World Network Trace Examples Microsoft RPC Remote Procedure Call Configuration Manager

Microsoft RPC (Remote Procedure Call): what is it used for? Why does Windows use it so often? I was not aware of the details of the RPC mechanism :(.

RPC unavailable errors are also common in SCCM. I’ve blogged about one of the issues, which was again related to RPC: ConfigMgr Primary Installation Error: Attempted to perform unauthorized

Do you know the RPC dynamic ports? TCP 49152-65535. This time, some people in my organization and Microsoft were forced to read extensively about RPC. Thanks to them, I learned more details about RPC.

So, I thought of creating a note for myself and people like me. 🙂 Some parts of this post contain network trace (Netmon) analysis, which will help us troubleshoot RPC-related issues in depth.


What is Microsoft RPC (Remote Procedure Call)?

Microsoft Remote Procedure Call (RPC) is an interprocess communication (IPC) mechanism that enables data exchange and the invocation of functionality in a different process. It uses other IPC mechanisms, such as named pipes, NetBIOS, or Winsock, to establish communications between the client and the server.

The RPC components make it easy for clients to call a procedure in a remote server program. The RPC process starts on the client side. The RPC provided by Windows is compliant with the Open Software Foundation (OSF) Distributed Computing Environment (DCE). RPC enables applications to call functions remotely.


What is an RPC Endpoint Mapper or Port Mapper?

When a client communicates with a server, it first connects to port 135 to talk to the EPM (Endpoint Mapper). The client must bind to an interface before it can call its procedures. The client first has to complete a 3-way RPC EPM handshake; once the handshake succeeds, the client can bind. If the binding process is successful, the client can send a request to the Endpoint Mapper that includes the target interface's UUID.

Network Trace Example 3 Way Successful RPC EPM Handshake

The client initiates a connection from source port 52702 (an RPC dynamic port) to the server on destination port 135 (Endpoint Mapper). The server replies using source port 135 and destination port 52702.

Tcp: Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=722369472, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:36, IPv4:7}
Tcp: Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=52702, PayloadLen=0, Seq=1169857372, Ack=722369473, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:36, IPv4:7}
Tcp: Flags=...A...., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=722369473, Ack=1169857373, Win=512 (scale factor 0x8) = 131072 {TCP:36, IPv4:7}

Network Trace Example for Successful RPC Bind

After the three-way handshake, the client initiates an RPC bind to the Endpoint Mapper. The trace below shows a successful RPC bind. Microsoft clients connect to the RPC Endpoint Mapper on port 135. Then, the Endpoint Mapper tells the client which ports a requested service is listening on. The port numbers are assigned dynamically and can be between 1024 and 65,535.

MSRPC MSRPC:c/o Bind: IObjectExporter(DCOM) UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} Call=0x2 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 {MSRPC:37, TCP:36, IPv4:7}
MSRPC MSRPC:c/o Bind Ack: IObjectExporter(DCOM) UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} Call=0x2 Assoc Grp=0x1E0D9 Xmit=0x16D0 Recv=0x16D0 {MSRPC:37, TCP:36, IPv4:7}

When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers. When the remote client needs to communicate with that service, it does not know which port numbers have been assigned.

To find out, the client connects to the server on TCP port 135 (the “well-known” port number for the RPC Endpoint Mapper service) and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number the client should use to connect to the desired service. The client then reconnects to the server using the assigned port number, and communication with the desired service begins.

RPC End Point Mapper Handshake Failure (Failed) Network Trace

In the Netmon analysis below, the [SynReTransmit #101] entry means the client is resending its request for the RPC EPM handshake but gets no acknowledgement (response) from the server of the kind seen in the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between the client and the server.

While opening firewall ports, there is no need to worry about the source ports mentioned in the network trace. Source ports are dynamic. You must provide the source IP, destination IP, and destination ports.

TCP TCP:Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
TCP TCP:[SynReTransmit #101]Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}
 TCP TCP:[SynReTransmit #101]Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2557920356, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:14, IPv4:13}

Network Trace Example for Failed Client-Server Communication Network Trace on LDAP Port 389

In the Netmon analysis below, the Flags=...A.R.. entry seems to me to be a TCP reset or reject (I can’t confirm this).

TCP:Flags=......S., SrcPort=52705, DstPort=LDAP(389), PayloadLen=0, Seq=914145090, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:22, IPv4:13}
TCP:Flags=...A.R.., SrcPort=LDAP(389), DstPort=52705, PayloadLen=0, Seq=251831252, Ack=914145091, Win=8192 {TCP:22, IPv4:13}

Network Trace Example for Failed Microsoft Global Catalog LDAP 3268 Connection

In the Netmon analysis below, the [SynReTransmit #101] entry means the client is resending its request for Global Catalog LDAP 3268 but gets no acknowledgement (response) from the server of the kind seen in the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between the client and the server.

TCP:Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}
TCP:[SynReTransmit #1238]Flags=......S., SrcPort=52707, DstPort=Microsoft Global Catalog (LDAP)(3268), PayloadLen=0, Seq=54051677, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:43, IPv4:13}

Network Trace Example for Failed Microsoft DNS Port 53

In the Netmon analysis below, the [SynReTransmit #101] entry means the client is resending its request for a DNS connection on port 53 but gets no acknowledgement (response) from the server of the kind seen in the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between the client and the server.

TCP:Flags=......S., SrcPort=52714, DstPort=DNS(53), PayloadLen=0, Seq=2780093052, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:54, IPv4:13}
TCP:[SynReTransmit #2312]Flags=......S., SrcPort=52714, DstPort=DNS(53), PayloadLen=0, Seq=2780093052, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:54, IPv4:13}

Network Trace Example for Failed Kerberos Port 88 Connection

In the Netmon analysis below, the [SynReTransmit #101] entry means the client is resending its request for Kerberos port 88 but gets no acknowledgement (response) from the server of the kind seen in the successful trace above (Flags=...A..S. and Flags=...A....). This could be because of a firewall issue. You may need to open the firewall ports between the client and the server.

TCP:Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=1708886965, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:65, IPv4:13}
TCP:[SynReTransmit #2874]Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=1708886965, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:65, IPv4:13}
KerberosV5 KerberosV5: {UDP:69, IPv4:13}
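
The three outcomes shown in the traces above (completed handshake, reset, and SYN retransmitted with no reply) can be separated mechanically, and the unanswered destination ports are the ones to raise with the firewall team. The following Python is an added example, not code from the original post; the sample lines, function names and verdict labels are constructed for illustration.

```python
import re

# Constructed sample in the page's Netmon summary format (not a real capture).
SAMPLE = """\
Tcp: Flags=......S., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=100, Ack=0
Tcp: Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=52702, PayloadLen=0, Seq=900, Ack=101
Tcp: Flags=...A...., SrcPort=52702, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=101, Ack=901
TCP:Flags=......S., SrcPort=52705, DstPort=LDAP(389), PayloadLen=0, Seq=200, Ack=0
TCP:Flags=...A.R.., SrcPort=LDAP(389), DstPort=52705, PayloadLen=0, Seq=0, Ack=201
TCP:Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=300, Ack=0
TCP:[SynReTransmit #6]Flags=......S., SrcPort=52716, DstPort=Kerberos(88), PayloadLen=0, Seq=300, Ack=0
"""

LINE = re.compile(r"Flags=(?P<flags>[.A-Z]+), SrcPort=(?P<src>[^,]+), DstPort=(?P<dst>[^,]+),")

def port(field):
    """Netmon prints 'LDAP(389)' for known ports and '52705' otherwise."""
    m = re.search(r"\((\d+)\)\s*$", field)
    return int(m.group(1)) if m else int(field)

def classify(trace):
    """Map each (client_port, server_port) connection attempt to a verdict."""
    flows = {}
    for line in trace.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip non-TCP summaries such as MSRPC or KerberosV5 lines
        flags, src, dst = m["flags"], port(m["src"]), port(m["dst"])
        if "S" in flags and "A" not in flags:        # client SYN or its retransmit
            f = flows.setdefault((src, dst), {"syn": 0, "synack": False, "rst": False, "ack": False})
            f["syn"] += 1
        elif (dst, src) in flows:                    # server -> client
            flows[(dst, src)]["synack"] |= "S" in flags
            flows[(dst, src)]["rst"] |= "R" in flags
        elif (src, dst) in flows and "A" in flags:   # client's final ACK
            flows[(src, dst)]["ack"] = True
    verdicts = {}
    for key, f in flows.items():
        if f["rst"]:
            verdicts[key] = "reset"        # an RST came back: the connection was refused
        elif f["synack"] and f["ack"]:
            verdicts[key] = "established"  # full three-way handshake seen
        elif f["syn"] > 1:
            verdicts[key] = "no-reply"     # SYN retransmitted, nothing came back
        else:
            verdicts[key] = "incomplete"   # not enough packets to decide
    return verdicts

def unanswered_ports(trace):
    """Destination ports with no reply (source ports are dynamic, so they are dropped)."""
    return sorted({srv for (_, srv), v in classify(trace).items() if v == "no-reply"})
```
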

Following the Best Explanation I Found about Remote Procedure Calls (RPC)

If every program and service that needed to communicate over the network assigned its own port number, you can easily imagine that two programs would sooner or later conflict over the same port.

To address this, many programs use the Remote Procedure Call (RPC) protocol to request communications with a host service on a dynamically assigned port number. When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers.

When the remote client needs to communicate with that service, it does not know which port numbers have been assigned.

To find out, the client connects to the server on TCP port 135 (the “well-known” port number for the RPC Endpoint Mapper service) and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number the client should use to connect to the desired service.

The client then reconnects to the server using the assigned port number, and communication with the desired service begins.

What are the 4 Major Components of RPC?

From an infrastructure support person’s perspective, we must understand the importance of the Endpoint Mapper, which is explained in the first section above.

1. MIDL compiler
2. Run-time libraries and header files
3. Name service provider (sometimes referred to as the Locator)
4. Endpoint mapper (sometimes referred to as the portmapper)
SCCM Real World Network Trace Examples Microsoft RPC Remote Procedure Call Configuration Manager – Table 2

The following system components and other Windows services depend on the RPC service. The screenshot and list below provide more details.

  1. Background Intelligent Transfer Service
  2. Cluster Service
  3. COM+ Event System
  4. COM+ System Application
  5. Cryptographic Services
  6. DHCP Server
  7. Distributed Link Tracking Client
  8. Distributed Link Tracking Server
  9. Distributed Tracking Coordinator
  10. DNS Server
  11. Error Reporting Service
  12. Fax
  13. File Replication
  14. Help and Support
  15. Human Device Interface Access
  16. IIS Admin Service
  17. Indexing Service
  18. Internet Authentication Service
  19. IPSEC Services
  20. IPv6 Helper Service
  21. Kerberos Key Distribution Center
  22. Logical Disk Manager
  23. Logical Disk Administrator Service
  24. Messenger
  25. MS Software Shadow Copy Provider
  26. Network Connections
  27. Print Spooler
  28. Protected Storage
  29. Remote Desktop Help Session Manager
  30. Remote Registry
  31. Removable Storage
  32. Resultant Set of Policy Provider
  33. Routing and Remote Access
  34. Security Accounts Manager
  35. Shell Hardware Detection
  36. Task Scheduler
  37. Telephony
  38. Telnet
  39. Terminal Services
  40. Terminal Services Session Directory
  41. Terminal Services Licensing
  42. Upload Manager
  43. Volume Shadow Copy
  44. Web Element Manager
  45. Windows Audio
  46. Windows Image Acquisition (WIA)
  47. Windows Installer
  48. Windows Internet Name Service (WINS)
  49. Windows Management Instrumentation
  50. Windows Media Services
  51. Wireless Configuration
  52. WMI Performance Adapter
  53. World Wide Web Publishing Service
SCCM Real World Network Trace Examples Microsoft RPC Remote Procedure Call Configuration Manager – Fig.1


Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards, for 10 consecutive years. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.

3 thoughts on “SCCM Real World Network Trace Examples Microsoft RPC Remote Procedure Call Configuration Manager”

  1. Hello,
    Only question, whether Posts? Should be “Do you know RPC Dynamic Posts ? TCP 49152-65535” replaced by “Do you know RPC Dynamic Ports ? TCP 49152-65535”?
    Thank you for RPC clarifying more.
    Oto
