  1. #1
    Join Date
    Nov 2004

    RPC fails on Win 2003 AD DC Server

    I have a Windows 2003 (SP1) server set up as the primary Active Directory domain controller. We run an application on this server which does an RPC call to another program on the same server in order to launch this program. It is architected this way because in some installations the program that RPC calls might exist on a remote server.

    The odd thing is this application can successfully, using RPC and DCOM, launch an application on another Windows 2003 server. That other server can launch an application back on the AD server. So RPC between servers works fine.

    The application also runs fine when launching the program locally on any server that is not a primary active directory domain controller.

    The only thing failing is when the AD server tries to launch the application locally on itself.

    The error code (error code 3) is related to permission problems.

    Here is a test script you can use to test RPC:

    Copy the following into test.vbs:

    Option Explicit
    On Error Resume Next   ' keep running so the Err check at the end can report a failure

    ' Empty = target this machine (as in the original test); a remote server name or IP also works
    Const ServerIPAddress = ""
    Dim process, result, processid

    ' Connect to the WMI Win32_Process class over DCOM, impersonating the calling user
    Set process = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ServerIPAddress & "\root\cimv2:Win32_Process")

    ' Create returns 0 on success; 2 = access denied, 3 = insufficient privilege, 9 = path not found
    result = process.Create("C:\Windows\notepad.exe", Null, Null, processid)

    WScript.Echo "Method returned result = " & result
    WScript.Echo "Id of new process is " & processid

    If Err.Number <> 0 Then
        WScript.Echo Err.Description, "0x" & Hex(Err.Number)
    End If


    Make sure the path to notepad.exe is correct. This script runs fine on every server except if the server is an active directory domain controller.

    What is unique about a domain controller which would prevent RPC from running on and launching a local application? There are no firewall or port issues that I can find. DCOM permissions seem okay.

  2. #2
    Join Date
    Apr 2001
    I'm just guessing here, but one thing unique about an AD is that it has no local accounts.  When you DCPROMO the server to become an AD, the local SAM is deleted.

    Member servers, on the other hand, still retain their local SAM when they join a domain (you can notice this indirectly in the login box, where you can select either the domain name or "local machine" for the login scope).

    Perhaps your application or RPC code is trying to use the security of a local SAM account which does not exist on the DC.

    Note: Of course, it is strongly advised NOT to run any applications or services on the DC other than AD.  (I didn't write this first because I assume you know this but still want to run the app on the DC.)
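An added diagnostic, not posted by either participant, that repeats the Win32_Process.Create test from the first post on the local machine and reports the facts the second reply's hypothesis turns on: whether the host is a domain controller (Win32_ComputerSystem.DomainRole), which identity makes the call, and which account the launched process actually runs under. It assumes PowerShell with the CIM cmdlets is available on the host under test; the decoded return codes are the documented Win32_Process.Create values.

```powershell
# Added diagnostic (not from the thread): run Win32_Process.Create locally and
# report DC role, caller identity, return code and the owner of the new process.
$CommandLine = "$env:SystemRoot\notepad.exe"   # same test program as test.vbs

# Documented return values of Win32_Process.Create
$createCodes = @{
    0 = 'Successful completion'; 2 = 'Access denied'; 3 = 'Insufficient privilege'
    8 = 'Unknown failure';       9 = 'Path not found'; 21 = 'Invalid parameter'
}

# DomainRole: 0/1 workstation, 2/3 server, 4 = backup DC, 5 = primary DC
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$isDC = $cs.DomainRole -ge 4
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$role = if ($isDC) { 'domain controller' } else { 'member/standalone' }
Write-Host ("Host {0}: DomainRole={1} ({2})" -f $cs.Name, $cs.DomainRole, $role)
Write-Host ("Caller identity: {0} (AuthenticationType={1})" -f $me.Name, $me.AuthenticationType)

# The same call the VBScript makes, via the CIM cmdlets
$r = Invoke-CimMethod -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = $CommandLine }
$code    = [int]$r.ReturnValue
$meaning = if ($createCodes.ContainsKey($code)) { $createCodes[$code] } else { 'undocumented code' }
Write-Host ("Create returned {0} ({1})" -f $code, $meaning)

if ($code -eq 0) {
    # Who does the new process run as? Domain accounts report the domain's NetBIOS name,
    # machine-local accounts report the host name.
    $proc  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($r.ProcessId)"
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    Write-Host ("New process {0} runs as {1}\{2}" -f $r.ProcessId, $owner.Domain, $owner.User)
    if ($isDC -and $owner.Domain -eq $cs.Name) {
        Write-Warning 'Process owner resolves to a machine-local account on a domain controller.'
    }
    Stop-Process -Id $r.ProcessId -Force    # clean up the test process
}
```

Run it once on a member server and once on the DC and compare the caller identity, the return code and the owner line; a non-zero code with a domain identity on the DC points away from the local-SAM explanation, while a machine-local owner supports it.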
