Please help - RPC problem caused by parent domain's security settings?

 
 
Geoff Winkless
      02-24-2006, 09:12 AM
Hi

Apologies for the cross-post but I'm not sure to which area this problem
really applies.

We have 5 2k3 development machines in an Active Directory domain. Thanks
to rigid in-house rules about machines on the network this domain must
be a subdomain of the main company server.

This all worked out fine until Win2K3 SP1 was released. Immediately the
installation was complete and the machine rebooted errors started
appearing in the logs relating to DCOM, plus we had missing network
connections, failing services etc etc.

I've finally figured out what I believe to be the root symptom (as
opposed to secondary symptoms) which is the dreaded "rpc endpoint
mapper" error.

Now I _believe_ this is related to some security settings enforced by
the top-level company domain, since the machines behave fine if I
reinstall up until the point when they join the domain. Furthermore if I
run secedit <http://support.microsoft.com/?scid=313222> to restore the
default settings the RPC errors disappear (until after a second reboot,
at which point something must be resetting them back again....)

I've tried the suggestions on the msdn "troubleshooting endpoint mapper
errors" page <http://support.microsoft.com/?kbid=839880> and it doesn't
help.

The site administrators are happy to make any specific changes to the AD
to fix this but need some pointers as to what to change.

So my question is does anyone know whereabouts I should start to look
for security settings which would affect the endpoint mapper? It would
have to be something which wouldn't have been a problem before 2k3 SP1,
since that's when the problem surfaced.

I did post initially regarding this - http://tinyurl.com/fnamq (google
groups thread) - but after failing to solve the problem managed to work
around it by simply not installing SP1, however this is no longer an
option. Since I've discovered more of what I believe is the root cause I
thought I'd post again, so any thoughts will be appreciated!

Cheers

Geoff
 
Roger Abell [MVP]
      02-24-2006, 12:36 PM
Hi Geoff,
I have not (yet) followed the link into the prior thread, but a couple
things/questions came immediately to mind.
First, there is no way that joining the machines into the AD can
impact them via policy (if they are forming a new sub-domain) except
by means of GPOs linked to the site. If joining the machines into an
existing domain, then also GPOs linked to their domain have impact.
(Well, there is a third way, i.e. if someone links a GPO for you to the
newly defined domain as soon as it is created)

So, how many GPOs does this mean you need to look at??
If this happens when joining as a new domain, ask the enterprise admins
to provide a GPMC report of the settings in any site-linked GPO for
the site of your domain.
If you are joining into an existing domain, how many existing GPOs
do you need to deal with?

There are not (in this thread alone) many specifics of the services/apps
that fail. Are these DCOM that is remoting? I ask as SP1 does have
a new layer of control over DCOM when the components are using the
default permissions for access and launch. Since RPC endpoint mapping
failures can be just not being able to get a response from DCOM on the
remote this may be operative (my prime candidate actually).

Is the firewall getting turned on? Is an IPsec policy getting
applied/assigned?



"Geoff Winkless" <usenet-at-geoff-dot-dj@[127.0.0.1]> wrote in message
news:43fedc1b$0$276$(E-Mail Removed).. .
> Hi
>
> Apologies for the cross-post but I'm not sure to which area this problem
> really applies.
>
> We have 5 2k3 development machines in an Active Directory domain. Thanks
> to rigid in-house rules about machines on the network this domain must be
> a subdomain of the main company server.
>
> This all worked out fine until Win2K3 SP1 was released. Immediately the
> installation was complete and the machine rebooted errors started
> appearing in the logs relating to DCOM, plus we had missing network
> connections, failing services etc etc.
>
> I've finally figured out what I believe to be the root symptom (as opposed
> to secondary symptoms) which is the dreaded "rpc endpoint mapper" error.
>
> Now I _believe_ this is related to some security settings enforced by the
> top-level company domain, since the machines behave fine if I reinstall up
> until the point when they join the domain. Furthermore if I run secedit
> <http://support.microsoft.com/?scid=313222> to restore the default
> settings the RPC errors disappear (until after a second reboot, at which
> point something must be resetting them back again....)
>
> I've tried the suggestions on the msdn "troubleshooting endpoint mapper
> errors" page <http://support.microsoft.com/?kbid=839880> and it doesn't
> help.
>
> The site administrators are happy to make any specific changes to the AD
> to fix this but need some pointers as to what to change.
>
> So my question is does anyone know whereabouts I should start to look for
> security settings which would affect the endpoint mapper? It would have to
> be something which wouldn't have been a problem before 2k3 SP1, since
> that's when the problem surfaced.
>
> I did post initially regarding this - http://tinyurl.com/fnamq (google
> groups thread) - but after failing to solve the problem managed to work
> around it by simply not installing SP1, however this is no longer an
> option. Since I've discovered more of what I believe is the root cause I
> thought I'd post again, so any thoughts will be appreciated!
>
> Cheers
>
> Geoff
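
Added example, not part of either post: a cmd.exe batch file that collects, on one affected Server 2003 SP1 machine, the items the reply above asks about (applied GPOs, DCOM access and launch settings, firewall state, GPO-assigned IPsec policy). The report file name is an assumption; the commands and registry value names are the standard Windows ones.

```bat
@echo off
rem Added example, not from the thread. Run from cmd.exe as a local administrator
rem on an affected Windows Server 2003 SP1 machine.
rem Assumption: the report name and location below are arbitrary.
setlocal
set REPORT=%TEMP%\rpc-gpo-check-%COMPUTERNAME%.txt
echo === %COMPUTERNAME% %DATE% %TIME% === > "%REPORT%"

rem 1. GPOs (site-, domain- or OU-linked) that actually applied to the computer,
rem    with the settings each one delivered.
echo === Applied computer policy === >> "%REPORT%"
gpresult /scope computer /v >> "%REPORT%" 2>&1

rem 2. DCOM settings. A value under the Policies key means a GPO is pushing
rem    the SP1 machine-wide limit; the Ole key holds the local values.
rem    "unable to find" errors in the report simply mean the value is not set.
echo === DCOM machine-wide limits set by policy === >> "%REPORT%"
for %%V in (MachineAccessRestriction MachineLaunchRestriction) do (
  reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM" /v %%V >> "%REPORT%" 2>&1
)
echo === DCOM local limits and defaults === >> "%REPORT%"
for %%V in (EnableDCOM MachineAccessRestriction MachineLaunchRestriction DefaultAccessPermission DefaultLaunchPermission) do (
  reg query "HKLM\SOFTWARE\Microsoft\Ole" /v %%V >> "%REPORT%" 2>&1
)

rem 3. RPC services and whether the endpoint mapper (TCP 135) is listening.
echo === RPC services and port 135 === >> "%REPORT%"
sc query RpcSs >> "%REPORT%" 2>&1
sc query DcomLaunch >> "%REPORT%" 2>&1
netstat -ano | findstr /c:":135 " >> "%REPORT%" 2>&1

rem 4. Windows Firewall: operational mode and whether Group Policy controls it.
echo === Windows Firewall state === >> "%REPORT%"
netsh firewall show state >> "%REPORT%" 2>&1

rem 5. IPsec policy assigned through Group Policy, if any.
echo === GPO-assigned IPsec policy === >> "%REPORT%"
netsh ipsec static show gpoassignedpolicy >> "%REPORT%" 2>&1

echo Report written to %REPORT%
endlocal
```

Running it once right after the secedit reset and again after the reboot that brings the errors back, then diffing the two reports, shows which of these settings policy refresh is changing.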
