Article ID: 899148
Article Last Modified on 10/11/2007
APPLIES TO
- Microsoft Windows Server 2003 SP1, when used with:
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Datacenter x64 Edition
- Windows Vista Business
- Windows Vista Home Basic
- Windows Vista Enterprise
- Windows Vista Home Premium
- Windows Vista Ultimate
- Windows Vista Enterprise 64-bit Edition
- Windows Vista Home Basic 64-bit Edition
- Windows Vista Home Premium 64-bit Edition
- Windows Vista Ultimate 64-bit Edition
- Windows Vista Business 64-bit Edition
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
SYMPTOMS
Remote Procedure Call-based operations may fail if certain firewall and VPN products deny network requests. This denial occurs if the network requests come from Microsoft Windows Server 2003 Service Pack 1-based or Windows Vista-based computers. These network requests may fail on computers where you apply Windows Server 2003 Service Pack 1 (SP1) to a Windows Server 2003-based computer or your OEM or retail installation media includes SP1 updates. The following products may deny these network requests:
- Firewall or virtual private network (VPN) products from Checkpoint Software Technologies
- Microsoft Internet Security and Acceleration (ISA) Server
- Cisco VPN Client 5.0.0.0340
Note As of May 2005, the previous list includes the products that may deny these network requests. However, the previous list may not include every possible product that performs application-level filtering and that can deny network requests. Hardware and software from other manufacturers that perform application-level filtering may also deny remote procedure call (RPC) requests from computers that are running Windows Server 2003 Service Pack 1 (SP1) or Windows Vista.
CAUSE
This issue occurs because Windows Server 2003 SP1 or Windows Vista add support for some new transfer syntaxes to the RPC implementation. These new transfer syntaxes are known as "multiple transfer syntax negotiation." They help 32-bit and 64-bit computers handle larger workloads. Additionally, they frequently help 32-bit and 64-bit computers work faster.
Specifically, firewalls and VPN products that do permit more than one presentation context to be present in a bound RPC protocol data unit (PDU) may cause either of the following symptoms:
- Drop RPC frames on the network
- Prematurely close connections from Windows Server 2003 SP1-based or Windows Vista-based computers
RESOLUTION
To resolve this issue, if RPC-based operations on Windows Server 2003 SP1-based or Windows Vista-based computers fail across a VPN or a firewall immediately after you install Windows Server 2003 SP1 or Windows Vista, contact your firewall or VPN vendor to see if an updated version of their RPC filter is available. If RPC-based operations are being blocked by filters on Microsoft Internet Security and Acceleration Server (ISA) 2000, or ISA Server 2004 Standard Edition computers, see Microsoft Knowledge base article: 887222:
887222 The ISA Server RPC filter blocks RPC traffic after Windows Server 2003 Service Pack 1 is installed on a computer that is running ISA Server 2004 or ISA Server 2000
If RPC-based operations are blocked by filters on Check Point Software products, see Check Point Software SecureKnowledge article SK30784, or visit the following Checkpoint Software Web site:
WORKAROUND
To work around this issue, use either of the following methods.
Method 1
You can disable RPC filters on firewalls and VPN products if the network requirements make this possible.
Method 2
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
If you need RPC-based operations to function immediately and you cannot update firewalls and VPNs in a timely manner, install the hotfix that is described in this section and then follow these steps.
Important Windows Vista does not require a hotfix. However, you must follow these steps to modify the registry on Windows Vista-based computers.
- Click Start, click Run, type regedit, and then click OK
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc - Click the Edit menu, point to New, and then click DWORD Value.
- Type
Server2003NegotiateDisableas the name of the new DWORD Value - Right-click
Server2003NegotiateDisable, and then click Modify. - In the Value Data box, type 1, and then click OK.
Note This setting disables the bind time negotation and multiple transfer syntax negotiation. - Quit Registry Editor. Restart the computer.
- After the firewalls and VPN devices are compatible with RPC on the computer, set the value for the
Server2003NegotiateDisableentry in the registry to 0. Then, restart the computer.
Windows Server 2003 service pack information
To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003
Windows Server 2003 hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.
To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:
Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
File information
Date Version Size File name Platform ---------------------------------------------------------- 05-03-2005 5.2.3790.2436 642,048 Rpcrt4.dll x86 05-03-2005 5.2.3790.2436 1,714,688 Rpcrt4.dll x64 05-03-2005 5.2.3790.2436 2,462,208 Rpcrt4.dll IA-64
MORE INFORMATION
When this problem is present, Microsoft Outlook clients cannot connect to the Exchange server. Therefore, administrators should evaluate whether RPC filter definitions in network infrastructure devices are compatible with the Windows Server 2003 SP1 or Windows Vista RPC traffic. An administrator should do this evaluation before deployment of firewall/VPN devices, Windows Server 2003 SP1, or Windows Vista in production environments where such network devices are deployed.
Evaluation is especially appropriate where firewalls can filter RPC-based replication traffic between domain controllers. Filtration of RPC-based replication traffic between domain controllers can cause a long-term interruption of Active Directory replication.
Specifically, administrators should try to use monitoring software to make sure that all domain controllers in a forest perform incoming replication within a rolling tombstone lifetime number of days. By default, a rolling tombstone lifetime number of days is 60 days. Domain controllers that cannot perform incoming replication of knowledge of each unique delete within the previous tombstone lifetime number of days will forever be inconsistent for those changes until an administrator intervenes.
Events in the Directory Service event log that indicate that Active Directory replication is failing on Windows Server 2003-based domain controllers include the following:
- 1862: “the local DC has not recently received replication information from a number of domain controllers” (intersite)
- 1864: “the local DC has not recently received replication information from a number of domain controllers” (intrasite)
- 2042: “it has been too long since this machine last replicated with the named source” (TSL # of days)
If administrators do not have a monitoring solution, they can use enterprise administrator credentials to run the following Windows Server 2003 REPADMIN command daily:
repadmin /showrepl * /csv >showrepl.csv
Administrators can view the Showrepl.csv file in a program like Microsoft Excel that parses comma-separated text. A high priority task includes resolving replication failures on destination domain controllers that have failed incoming replication for the longest time.
Repadmin.exe is located in the Support\Tools\ Suptools.msi file on the Windows Server 2003 installation media.
For more information about how to remove lingering objects, click the following article number to view the article in the Microsoft Knowledge Base:
870695 Outdated Active Directory objects generate event ID 1988 in Windows Server 2003
For more information about programs from Checkpoint Software Technologies, visit the following Checkpoint Software Technologies Web site:
For more information about ISA Server, visit the following Microsoft Web site:
Microsoft is not aware of any router or switches that perform program–level filtering that would interfere with RPC-based operations in Windows Server 2003 SP1 or in Windows Vista.
The following error message is typically displayed by components when RPC frames with multiple transfer syntaxes are rejected by a firewall or a VPN generates Windows 32 error 1727:
This generic error code has multiple root causes and does not uniquely identify the blocking of RPC frames from Windows Server 2003 SP1-based or Windows Vista-based computers.
For information about the DCE RPC specification, visit the following Opengroup Web site:
For information about multiple transfer syntax support in the DCE RPC specification, visit the following Opengroup Web site:
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.
Additional query words: checkpoint bind time negotiation multiple transfer syntax negotiation 887222 S0X050614700037
Keywords: kbtshoot kbqfe kbprb kbconfig kbwinservnetwork kbconnectivity kbnetwork_techconfigissue kbexpertiseadvanced kbhotfixserver kbwinserv2003sp2fix KB899148
