Windows 2000 RPC Name Service and Integration with Active Directory
Client processes use Name Service APIs to find RPC servers that are exported . An RPC server exports itself by using RpcNs APIs. To connect to an RPC server, a client needs a compatible binding that offers the interface and version desired and has the proper protocol sequence. It finds compatible bindings by calling the RpcNs API. RPC Name Service provides the binding required by the RPC clients to use RPC and communicate with RPC servers.
Although the RpcNs APIs do not provide for ACLs, ACLs are supported by Active Directory and can be associated with Name Service entries. The Windows 2000 implementation of RPC Name Service uses Active Directory ACL enforcement and prevents unauthorized exports that need to be instantiated. It also makes sure that clients can import based on the ACLs.
The mechanisms for associating ACLs use out-of-band data. Out-of-band data is data that travels outside the normal flow of data from one process to another. For example, stream sockets are very useful for sending a stream of bytes from one process to another. The data that flows in this manner is called inline data. However, applications at either end occasionally need to communicate with each other without interrupting the regular flow of inline data. Such communication can be achieved by sending out-of-band data, which is sent at a higher priority to the receiver on the same socket as that used for the inline transfer. The advantage of using out-of-band data is that the data goes from sender to receiver directly, without any wait at the end of the incoming data stream. Some methods of configuring ACLs to facilitate the transmission of out-of-band data by processes are as follows:
The RpcServices container is created when a domain controller is installed. By default, all RPC Name Service entries created under RpcServices inherit the ACLs of this container object. By associating a default ACL with this container, the administrator can ensure that the ACL is applied across that domain for all RPC Name Service entries.
The Active Directory Users and Computers snap-in allows you to set ACLs on arbitrary Active Directory objects.
The RPC Locator impersonates the security identifier (SID) of the child process while making directory service calls to enforce ACL verification. The export succeeds locally, but is not persistent. It is visible only if you use it in a manner that is compatible with Windows NT 4.0, such as the broadcast method discussed in the following section.
ACL failures on RPC Name Server lookups are treated as if the entry did not exist.
Windows 2000 RPC Name Service Process
All entries are instantiated as Active Directory objects. In every Windows 2000 domain there is a container object that is the root of the RPC Name Service. The distinguished name is as follows:
CN=RpcServices,CN=System,CN=Configuration,DC=< domain name >
Figure 5.3 illustrates the role of the Windows 2000 RPC Name Service with the server computer, the client computer, and Active Directory.
Figure 5.3 Windows 2000 RPC Name Service
The Windows 2000 RPC Locator looks in Active Directory if the entry is not found first in the memory cache.
If the lookup does not succeed, the RPC Locator reverts to the broadcast method used in Windows NT 4.0, notifying all nodes on the network of its existence. Broadcasting is also important for ensuring interoperability between Windows 2000 and Windows NT 4.0, because Windows NT 4.0 computers do not interact with Active Directory and can only be found through the broadcast method. If the exporting server is running Windows 2000 and the domain controller with which it is communicating is running Windows NT 4.0, the export does not persist in Active Directory.
Therefore, the broadcast method is necessary. In a Windows 2000 native-mode environment that is running only Windows 2000–based domain controllers, sending broadcasts for every unsuccessful attempt is not recommended, and you need to disable the broadcast method.
Setting the BitFlags value equal to 1 in the NameServiceFlags attribute on the RpcServices container enables RPC Locator to be compatible with Windows NT 4.0 in the domain. The broadcast method is enabled by default.Note
Windows 2000–based computers do not initiate a broadcast lookup if Active Directory Locator is enabled and the Broadcast is disabled.
Configuration from the Client Side
If the domain contains computers that are running Microsoft® Windows® NT version 3.51 or later, RPC Name Service lookups must be configured. For RPC Name Service lookups on Windows 2000, use the Active Directory Users and Computers snap-in. Also, for compatibility with Windows NT 4.0, NetBIOS is used for broadcasts.
Enable RPC Name Service lookups from Active Directory Users and Computers snap-in
From the Active Directory Users and Computers snap-in, access the View menu and select Advanced Features . Under the System container is another container listed as RpcServices. Open the RpcServices container, and right-click Properties . The RpcServices property page is displayed and contains the Enable RPC Name Service lookups for pre-Windows 2000 computers checkbox. By default, RPC name service lookups for computers running Windows NT 4.0 and earlier is enabled.
Use of RPC Locator and NetBIOS
NetBIOS is used for mail slots in the RPC Locator. The RPC Locator uses mail slots for broadcasts and uses their corresponding responses in the domain. This feature is used only to provide compatibility with Windows NT 4.0. For Windows 2000, NetBIOS is enabled on TCP/IP by default. You can choose to disable NetBIOS on a per-computer basis, or you can disable it when you configure DHCP.
For information about disabling NetBIOS over TCP/IP, see the Microsoft Windows ® 2000 TCP/IP Core Networking Guide .