What are the side effects of blocking port 135?

[Craig Householder]

We are set up with an empty root design and "Corporate" has blocked port 135
for about a month in response to blaster and other viruses. We have no
sites set up yet (not for lack of trying on my part) so all of our DC's try
and replicate with each other and fail (RPC server error).

We are now starting to see some "odd" problems with user account creation
and adding users to security groups ect....

Can anyone help me with some more information on the implications of
blocking replication so that I can try and get Corporate to open these
ports?

 

[Matjaz Ladava [MVP]]

RPC is a must for intrasite DC's replication, comunication and clients
access. Don't think there is a way to bypass RPC completely.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com

 

[Craig Householder]

Thanks Neil and Matjaz. I've explained as much and it's like banging my
head against the wall. If anyone has any more information on the possible
ramifications of this I would appreciate it.

Corporate is reluctant to even put an ACL in place to allow just DC's to
communicate on port 135. It's very frustrating!

 

[Eric Chamberlain]

We setup IPSec between the DCs for replication traffic.

 

[Romano Jerez [MS]]

RPC is needed for replication so you can't block it. What you can do is
use VPN or ipsec to encapsulate traffic between DCs. This article can
provide some guidance:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-
9767-a9166368434e&DisplayLang=en

This posting is provided "AS IS" with no warranties, and confers no rights.

Romano Jerez
Microsoft Corporation