stravze

SCCM Restricted RPC Port Question

Hello all,

Was wondering if you could help me.

Here is some information about our infrastructure, so you understand why I'm asking this question.

I'm trying to set up two Primary SCCM 2007 Site Servers in a hierarchy (Primary1 to Primary2).

Each SCCM is located in a different domain (both 2008 R2 root domain forests).

We have created two-way transitive trusts between Domain1 and Domain2.

We also have firewalls between both domains, firewall1 and firewall2.

So to allow dynamic RPC traffic through the firewalls we have restricted RPC to use 49152 and 49153 (see MS KB):

http://support.microsoft.com/kb/224196

We have set up ACLs between Firewall1 and Firewall2 for the following:

Domain1_AD_Controllers and Domain2_AD_Controllers - Active_directory
Primary1 and Domain2_AD_Controllers - Active_directory
Primary2 and Domain1_AD_Controllers - Active_directory
and the same in reverse as well.

active_directory tcp-udp
group-object dns = 53
group-object ldap = 389 + 636
group-object kerberos = 88 + 464
group-object global_catalog = 3268 + 3269
group-object netbios = 137 + 138 + 139
group-object dc_rpc_static = 49152 + 49153
group-object ms_dfsr = 5722
group-object rpc_endpoint = 135
group-object smb = 445
group-object ntp = 123

Here is my question:

When trying to set up the hierarchy, you have to add the other SCCM Site Server into the local group SMS_SiteToSiteConnection_XXX and do the same on the other SCCM Site Server, e.g.

SMS_SiteToSiteConnection_111 - Primary2
SMS_SiteToSiteConnection_222 - Primary1

When querying the other Active Directory from the Site Server, the site server will connect to the domain controllers in the other domain directly to resolve computer names etc.

Primary1 and Domain2_AD_Controllers
or
Primary2 and Domain1_AD_Controllers

Now, although at an Active Directory level RPC is restricted to 49152 and 49153, why doesn't SCCM use these ports, and instead uses the next available ports, e.g.

49154
49155

Can we force SCCM to use the restricted ports? There is no point in opening RPC for 49152 to 65000.

Hope this makes sense; if not, please ask away.

Regards

stravze
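The question above compares the RPC port restriction from KB 224196 with what the site server is actually listening on. The PowerShell below is an added check, not code from the original post or from Microsoft: it reads the registry key and value names that KB 224196 documents (HKLM\SOFTWARE\Microsoft\Rpc\Internet with Ports, PortsInternetAvailable and UseInternetPorts), then parses netstat -ano to list every TCP listener in the 49152+ dynamic range together with its owning process, flagging listeners that fall outside the configured Ports list. It assumes it is run in an elevated PowerShell session on the server being examined (netstat is used rather than Get-NetTCPConnection so it also works on Server 2008 R2); the function and variable names are this example's own. Remember that, per the KB, the key only takes effect after a reboot, so a host that was not restarted after the change will still show listeners outside the range.

```powershell
# Added example, not code from the original post: audit the RPC dynamic-port
# restriction described in KB 224196 and show which processes actually listen
# in the dynamic range. Assumes an elevated session on the host being examined.

# Registry key and value names as documented in KB 224196
$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcInternetPortConfig {
    # Returns the configured restriction, or $null if the key is absent
    if (-not (Test-Path $RpcInternetKey)) {
        Write-Warning "$RpcInternetKey not found: RPC dynamic ports are not restricted on this host"
        return $null
    }
    $props = Get-ItemProperty -Path $RpcInternetKey
    New-Object PSObject -Property @{
        Ports                  = @($props.Ports)               # REG_MULTI_SZ, e.g. '49152-49153'
        PortsInternetAvailable = $props.PortsInternetAvailable  # 'Y' = Ports lists the usable ports
        UseInternetPorts       = $props.UseInternetPorts        # 'Y' = RPC servers use that list
    }
}

function Test-PortInRanges {
    # True if $Port falls inside any 'n' or 'n-m' entry of $Ranges
    param([int]$Port, [string[]]$Ranges)
    foreach ($entry in $Ranges) {
        $parts = $entry -split '-'
        $low = [int]$parts[0]
        if ($parts.Count -gt 1) { $high = [int]$parts[1] } else { $high = $low }
        if ($Port -ge $low -and $Port -le $high) { return $true }
    }
    return $false
}

function Get-DynamicPortListeners {
    # Lists TCP listeners at or above the Vista/2008 dynamic-port floor (49152)
    # and flags whether each one sits inside the configured Ports list.
    param([int]$LowerBound = 49152, [string[]]$AllowedRanges = @())
    $result = @()
    # netstat -ano -p TCP: columns are Proto, Local, Foreign, State, PID
    $lines = netstat -ano -p TCP | Where-Object { $_ -match 'LISTENING' }
    foreach ($line in $lines) {
        $fields = $line.Trim() -split '\s+'
        $port   = [int]($fields[1] -split ':')[-1]   # last ':' field handles [::]:port too
        $procId = [int]$fields[4]
        if ($port -lt $LowerBound) { continue }
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($proc) { $procName = $proc.ProcessName } else { $procName = 'unknown' }
        if ($AllowedRanges.Count -eq 0) {
            $inRange = $false
        } else {
            $inRange = Test-PortInRanges -Port $port -Ranges $AllowedRanges
        }
        $result += New-Object PSObject -Property @{
            Port       = $port
            PID        = $procId
            Process    = $procName
            Restricted = $inRange
        }
    }
    $result | Sort-Object Port
}

# Usage: compare the configured restriction with what is really listening
$config = Get-RpcInternetPortConfig
$config | Format-List
if ($config) { $allowed = $config.Ports } else { $allowed = @() }
Get-DynamicPortListeners -AllowedRanges $allowed |
    Format-Table Port, PID, Process, Restricted -AutoSize
# Any row with Restricted = False (for example a listener on 49154) is the one
# to investigate; the Process column shows which service opened it.
```

Running this on both site servers and on a domain controller in each domain shows, per process, whether the listener on 49154 or 49155 belongs to an RPC server that should be honouring the Ports list, which narrows the firewall question down to a specific service rather than the whole 49152-65535 range.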
