Wednesday, 15 February 2012

How RPC Works

How RPC Works

Hello Guys, Today will share some idea about how RPC works.

An RPC service configures itself in the registry with a universally unique identifier (UUID). UUIDs are well-known identifiers, unique for each service and common across all platforms. When an RPC service starts, it obtains a free high port and registers that port with the UUID. Some services use random high ports and  others try to use the same high ports all the time (if they are available).

Below is the the diagram that shows How RPC works.

When a client wants to communicate with a particular RPC service, it cannot determine in advance which port the service is running on. It establishes a connection to the server's portmapper service (on 135) and requests the service it wants by using the service's UUID. The portmapper returns the corresponding port number to the client and closes the connection. Finally, the client makes a new connection to the server by using the port number it received from the portmapper.Because it is impossible to know in advance which port an RPC service will use, the firewall must permit all high ports through.
When a program tries to connect to a RPC, it requests a free port from the system. The system randomly generates the port no and give it to program requesting the port no. The default dynamic range is 1024-65535. System can give out the ports available from this range randomly.
  • KEY Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters
  • Entry Name: TCPWindowSize
  • Type: DWORD
  • Value: 65535

Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Windows that used a default port range of 1025 through 5000

Below are some Kb for more details about RPC Configuration in different scenarios.

How to configure RPC dynamic port allocation to work with firewalls

         If you want to specify static ports for known services on DC like 
         Netlogon, NTDS, FRS etc. then follow the articles below.

Restricting Active Directory replication traffic to a specific port

How to restrict FRS replication traffic to a specific static port

Thursday, 2 February 2012

Windows Server 2008 R2 Offline Domain Join

                                            Windows Server 2008 R2 Offline Domain Join

Hello Again,

Today will share a nice feature of windows server 2008 R2 i.e. offline domain join.With the help of this new feature you can join any system in the domain without contacting the domain controller that mean if the client is not in contact with the DC , still it can be added into the Active directory.

Offline domain join is a new process that computers that run Windows 7 or Windows Server 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network


You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2. 

By default, Djoin.exe commands target the domain controller that runs Windows 2k8 R2.However we can also use optional /downlevel parameter if we have to target the DC that is running older version than 2008 R2.

Two steps

There are basically two steps necessary to offline domain join a computer. First, you have to create the computer account in Active Directory. This process is called “provisioning.” The easiest way to do that is on an R2 domain controller. Djoin will create a base 64-encoded metadata as text file. This file then has to be used to offline domain join the Windows 7 machine.


The command to provision the computer account on an R2 domain controller looks like this:

C:\Users\Administrator\Desktop>djoin /provision /domain /machine client1 /savefile domain_join.txt

This command will add a computer account named client1 in the AD database that can be seen on AD console.

NOTE:-If you don’t have a Windows Server 2008 R2 domain controller, you can run djoin.exe with the /downlevel parameter on a Windows 7 machine that is already a domain member.

Offline domain join

Then you have to copy that txt to the computer that has to be joined to the domain and launch this command:

C:\Users\Administrator\Desktop>djoin /requestODJ /loadfile domain_join.txt /windowspath %SystemRoot% /localos


Note:Issuing the above command on a domain controller will result in a broken Active Directory Domain Controller with the only option left is demote/promote.

After issuing the above command you need to reboot the system and the system will be in the domain now.

You can get more parameters by using djoin help

C:\Users\Administrator\Desktop>djoin //
Usage: djoin.exe [/OPTIONS]

  /PROVISION  - Provision a computer account in the domain
      /DOMAIN <Name> - <Name> of the domain to join
      /MACHINE <Name> - <Name> of the computer joining the domain
      /MACHINEOU <OU> - Optional <OU> where the account is created
      /DCNAME <DC> - Optional <DC> to target for account creation
      /REUSE - Reuse any existing account (password will be reset)
      /SAVEFILE <FilePath> - Save provisioning data to a file at <FilePath>
      /NOSEARCH - Skip account conflict detection, requires DCNAME (faster)
      /DOWNLEVEL - Support using a Windows Server 2008 DC or earlier
      /PRINTBLOB - Return base64 encoded metadata blob for an answer file
      /DEFPWD - Use default machine account password (not recommended)

  /REQUESTODJ  - Request offline domain join at next boot
      /LOADFILE <FilePath> - <FilePath> specified previously via /SAVEFILE
      /WINDOWSPATH <Path> - <Path> to the Windows directory in an offline image
      /LOCALOS - Allows /WINDOWSPATH to specify the locally running OS.
                 This command must be run as a local Administrator.
                 This option requires a reboot for changes to be applied.