Sorry, forgot to mention that the sites are set up properly. The subnets are
assigned to the correct site and the DC is in the correct site.
I am beginning to think it is linked to Exchange. I noticed when I open
Outlook a connection to the Exchange server is created but at the same time a
connection to the PDC is also opened on port 1025.
"Miha Pihler [MVP]" wrote:
> Hi Craig,
>
> Did you set up sites in your Active Directory?
>
> Clients use DNS to locate all domain controllers in the domain. After they have
> a list of all domain controllers they will try to use the ones that are in
> the same site (e.g. same subnet) -- but you have to set this up under Active
> Directory Sites and Services.
> Next thing -- the client will try to talk to the DC it chose. If it can't, it
> will try to talk to any available DC in any site.
>
> You can also test your client by running
>
> echo %logonserver%
>
> from the command line to see which server authenticated the client. Is it the
> one from the same site as the client? Is it from another site?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Craig Barraclough" <(E-Mail Removed)> wrote in
> message news:2E98932C-4C58-43C9-A290-(E-Mail Removed)...
> > Hi
> > We have a branch office with approx 40 users. This branch office has a
> > 2003 server domain controller. The other servers, including 2 other 2003
> > domain controllers and the Exchange server, are in our head office.
> > When monitoring our firewall traffic I have noticed that the majority of
> > client machines in the branch office (all XP machines) are establishing
> > connections to our primary domain controller (FSMO roles holder) on port
> > 1025.
> > I checked what is bound to that port and it appears lsass.exe is using
> > that port.
> > From what I have read this port is used by RPC as a random RPC port.
> > An article I read said that this may be used by Active Directory.
> > I was wondering if anyone knew why the clients in the branch office are
> > connecting to a DC in the head office and not the one in the branch
> > office?
> > The branch office server is a DC/GC/DNS and DHCP server.
> > One thing I have noticed is that our Exchange server only has the 2 DCs
> > in the head office set for directory access under the directory access tab
> > in the server properties. Could this be the reason?
> >
> > Thanks
> >
> > Craig
> >
>
>
>
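Added example, not part of the thread: a Python sketch of the check discussed above, mapping each client to its site by most specific subnet and listing firewall connections from clients to a DC in a different site. The subnets, DC addresses, log format and log lines are constructed assumptions, not values from the posts.

```python
import ipaddress
from collections import defaultdict

# Constructed site layout (assumption), as it would be defined under
# Active Directory Sites and Services: subnet -> site, DC address -> site.
SITE_SUBNETS = {"10.1.0.0/16": "HeadOffice", "10.2.0.0/24": "Branch"}
DC_SITES = {
    "10.1.0.10": "HeadOffice",  # FSMO role holder in this sample
    "10.1.0.11": "HeadOffice",
    "10.2.0.10": "Branch",
}

# Constructed firewall log lines in the form "src dst dport".
SAMPLE_LOG = """\
10.2.0.51 10.1.0.10 1025
10.2.0.51 10.2.0.10 389
10.2.0.52 10.1.0.10 1025
10.1.0.77 10.1.0.11 88
10.2.0.53 10.1.0.20 135
192.168.9.9 10.1.0.10 1025
"""

def site_for(ip):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SITE_SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def cross_site_dc_traffic(log_text):
    """Return ({(client, dc, port): count}, clients_without_a_site)."""
    hits = defaultdict(int)
    unmapped = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        src, dst, port = parts
        dc_site = DC_SITES.get(dst)
        if dc_site is None:
            continue  # destination is not a domain controller
        client_site = site_for(src)
        if client_site is None:
            unmapped.add(src)  # no subnet object matches this client
        elif client_site != dc_site:
            hits[(src, dst, int(port))] += 1
    return dict(hits), unmapped
```

Grouping the result by destination port separates traffic such as the port 1025 connections described in the thread from ordinary logon traffic, and the unmapped set lists clients whose address falls outside every defined subnet.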