We recently upgraded our Domain Controllers from Windows Server 2003 to Windows Server 2012. All seemed to have gone fine: we were able to promote the first new DC, then the second; replication worked fine; dcdiag returned no errors. It looked like we were doing okay.
It wasn’t until the next day, when one of our clients reported intermittent authentication issues on a massive scale, that we realized something was amiss. We have an outgoing forest trust with this client and their users connect to our TFS services using their own domain’s accounts. Furthermore, we host Lab Management for them and the SCVMM 2012 SP1 service (the backbone to Team Foundation Server 2012 Lab Management) uses a service account from the foreign domain.
What perplexed us was the intermittent nature of these issues. It’s important to point out that we still had a 2003 DC in the mix. After several frustrating hours of troubleshooting we could see that any time a user attempted to log in and the 2003 DC was being used to authenticate the Foreign Security Principal, everything was fine. But, when the 2012 DCs were used, the call to the foreign domain would time out and we would be kept out (after 3 long attempts). Our network engineer pored over firewall logs and was able to find that attempts were being made to go over port 49162. Looking through the firewall configurations, we saw that this port was not open. It turns out that all Windows Server versions following 2003 make use of a different range of ports for Remote Procedure Calls (see below). This may have been breaking news in 2007, but it is currently buried with run-of-the-mill generic upgrade procedure information.
At this point, we had two options:
1- Fix the RPC port so that all traffic gets directed to a certain port instead of being dynamically mapped
2- Open a new range of ports to allow for communication to trusted sites
As we have other trusts in place, where clients still use older Windows Server DCs, we opted for the second so as to avoid further headaches.
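Before choosing between the two options, it helps to confirm that the firewall really is dropping the dynamic range rather than the remote DC simply not listening. The following PowerShell check is an added example, not code from the original post: it reads the local dynamic RPC range and probes a trusted-forest DC on the endpoint mapper and on ports from that range. `$TrustedDc` is a placeholder, and the default ranges quoted in the comments come from Microsoft's documentation rather than from this post.

```powershell
# Added example, not code from the original post. Assumes a Windows Server
# 2012 DC and that $TrustedDc (placeholder) is a DC of the trusted forest.
$TrustedDc = 'dc01.partner.example'   # placeholder: a DC in the trusted forest

# 1. Read this server's own dynamic RPC range, which is what the firewall must
#    allow (the default on 2008 and later is 49152-65535, not 1025-5000).
$raw   = (netsh int ipv4 show dynamicport tcp) -join "`n"
$start = [int][regex]::Match($raw, 'Start Port\s*:\s*(\d+)').Groups[1].Value
$count = [int][regex]::Match($raw, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value
"Local dynamic RPC range: $start-$($start + $count - 1)"

# 2. Classify a TCP port on the remote side. A plain "connection failed" is
#    ambiguous; the timing tells filtered (dropped) from merely unused (RST).
function Test-RpcPortPath {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'FILTERED  (no reply: firewall is dropping this port)'
        }
        $client.EndConnect($async)            # throws if the host sent RST
        return 'OPEN      (listener present)'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq 'ConnectionRefused') {
            return 'REACHABLE (RST: path open, nothing listening right now)'
        }
        return "ERROR     ($($ex.Message))"
    } finally { $client.Close() }
}

# 3. Check the endpoint mapper (135), the port seen in the firewall log (49162),
#    and the edges of the dynamic range. Endpoint mapper OPEN while the dynamic
#    ports come back FILTERED is exactly the pattern described in this post.
$ports = @(135, 49162, $start, [int]($start + $count / 2), $start + $count - 1) |
    Sort-Object -Unique
foreach ($p in $ports) {
    '{0,-30} {1,6}  {2}' -f $TrustedDc, $p, (Test-RpcPortPath $TrustedDc $p)
}
```

Run it from the new 2012 DC, since that is the side whose outbound calls were timing out; most ports in the range will report REACHABLE rather than OPEN because a DC only listens on a few of them at any moment.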
So, if you’re planning on upgrading your Domain Controllers from Windows Server 2003, make sure that you’ve got the right ports open. Here is a very good and thorough blog post about planning for such an upgrade.