I had a case of an AD DS server (Active Directory Domain Services) reporting that the RPC server was unavailable when I ran a remote PowerShell command against it, like this:
Get-WinEvent : The RPC server is unavailable
At line:1 char:1
+ Get-WinEvent -ComputerName st1w10515 -LogName Application
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId :
System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
However if we query our server with nmap with this command:
nmap -T4 -F beardc.bear.local
You will notice that all the ports are open that should be for a typical domain controller:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
636/tcp open ldap-s
3389/tcp open ms-wbt-server
This means the problem is limited to remote commands and remote management: all the other ports are open and can be queried. If they were not, the domain controller would be offline, but it is not.
The clue to the issue is the commands I am using, so first we need to know which ports they should be using:
PowerShell remoting (WinRM) uses tcp/5985 for HTTP and tcp/5986 for HTTPS.
Task Scheduler, Spooler and Event Log queries use the RPC dynamic port range, TCP 49152-65535.
Therefore let's test those with tnc (Test-NetConnection) as below:
tnc -ComputerName st1w10515 -Port 49665
tnc -ComputerName st1w10515 -Port 5985
tnc -ComputerName st1w10515 -Port 5986
These tests all failed, which means the server cannot be reached on any of those remote management ports at all.
This is starting to point to the firewall being enabled but not configured correctly, as the traffic is not getting to the domain controller. With domain controllers I always use Server Core, which means no GUI, but that is fine: we can RDP to the server and check the settings.
netsh advfirewall show currentprofile
That should show you the state of the firewall, and as you can see it's enabled with BlockInbound set to enabled, which means
This is the same setting as the GUI version which is this:
You have built-in rules for this, as you can see below, that cover the dynamic ports and the endpoint mapper:
However, before we make changes we need to log what is being dropped so we can see if this is the cause of the issue, so let's enable logging for dropped packets. These commands require an elevated command prompt:
netsh advfirewall set allprofiles logging droppedconnections enable
When those commands are executed it should look like this:
Now we can review the log that is generated on this server, the pfirewall.log file, with the IP addresses removed:
These are the ports mentioned earlier in this post, so that explains the RPC error. I do not recommend just turning off the firewall, but you can enable the remote management rules to allow this to work while keeping the firewall enabled and protecting your servers:
This will then resolve the RPC issue with remote management to that domain controller. You should really have these settings enabled via your GPOs and not allow them to be set manually on individual domain controllers.
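As an added example (not part of the original post), here is a PowerShell script that ties the two halves of the diagnosis together: it classifies the DROP entries in pfirewall.log by the WinRM and RPC dynamic ports discussed above, and only then, with an explicit switch, enables the built-in remote management rule groups instead of disabling the firewall. It assumes the default pfirewall.log path and the standard W3C field layout of that log; the sample log lines are constructed for offline use, and the rule group names are the standard Windows display groups.

```powershell
# Added example: summarise firewall DROP entries on the remote-management ports,
# then optionally enable the built-in rule groups (run elevated for the fix step).
param([switch]$EnableRules)

# Assumption: default log location and the standard pfirewall.log field layout.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Constructed sample lines in pfirewall.log format, used when the real log is absent.
$Sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-10 09:12:01 DROP TCP 10.0.0.5 10.0.0.10 51234 5985 52 S 123456 0 8192 - - - RECEIVE
2024-01-10 09:12:02 DROP TCP 10.0.0.5 10.0.0.10 51235 5986 52 S 123457 0 8192 - - - RECEIVE
2024-01-10 09:12:03 DROP TCP 10.0.0.5 10.0.0.10 51236 49665 52 S 123458 0 8192 - - - RECEIVE
2024-01-10 09:12:04 ALLOW TCP 10.0.0.5 10.0.0.10 51237 389 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

$Lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $Sample }

# Classify each TCP DROP by the port the post identifies: WinRM HTTP/HTTPS or the RPC dynamic range.
$Drops = foreach ($l in $Lines) {
    if ($l -notmatch '^\d{4}-\d{2}-\d{2} ') { continue }   # skip header/comment lines
    $f = $l -split '\s+'
    if ($f[2] -ne 'DROP' -or $f[3] -ne 'TCP') { continue }
    $port = [int]$f[7]                                      # dst-port column
    $kind = switch ($port) {
        5985 { 'WinRM-HTTP' }
        5986 { 'WinRM-HTTPS' }
        { $_ -ge 49152 -and $_ -le 65535 } { 'RPC-dynamic' }
        default { $null }
    }
    if ($kind) { [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; DstPort = $port; Kind = $kind } }
}

# Report how many drops hit each category so the cause is confirmed before any change is made.
$Drops | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize

if ($EnableRules -and $Drops) {
    # Built-in rule groups covering WinRM, the RPC endpoint mapper and the dynamic ports;
    # enabling them keeps the firewall on rather than switching it off.
    $Groups = 'Windows Remote Management', 'Remote Event Log Management',
              'Remote Scheduled Tasks Management', 'Remote Service Management'
    foreach ($g in $Groups) { Enable-NetFirewallRule -DisplayGroup $g -Verbose }
}
```

Run it without the switch first to see the drop summary; `-EnableRules` is the manual equivalent of what the post recommends pushing out through GPO.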