RPC Port Lockdown and UserMaxPorts
Hi,
I'm having an issue which I hope someone will be able to help with. We are running two vCenter servers in separate sites and to restrict RPC ports between them (for Linked mode which uses Lightweight Directory Services) we have followed the setup in this document: http://support.microsoft.com/kb/929851
netsh int ipv4 set dynamicport tcp start=49152 num=500
netsh int ipv4 set dynamicport udp start=49152 num=500
The firewalls have also been locked down to the same port range.
We locked down the RPC ports from 49152 to 49652 thinking that 500 ports would be more than enough for approximately 40 ESX hosts and 30 VI Client sessions in each vCenter. After a couple of days we noticed that we were unable to log in to the VI Client. Domain authentication was also broken with Netlogon Event ID 5719, "The RPC service was unavailable".
I have noticed that in this particular build (Windows 2008 R2) it has a registry value set for HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter\MaxUserPort that has been set to 1576. Should I remove it or restrict it to match my 500 ports set with netsh? (I have no idea why it's been put there and didn't think it was standard.)
Would this setting conflict with my port lockdown, or is my issue maybe that I'm just running out of RPC ports? What would be the best way to troubleshoot RPC port starvation?
Thanks in advance! Any help greatly appreciated. I'm going mad with this problem and I can't find much info regarding MaxUserPort in 2008 R2.
Cheers,
Warren
September 29th, 2011 6:00pm
Hi Warren,
Thank you for your post.
Should I remove it or restrict it to match my 500 ports set with netsh?
Yes, remove MaxUserPort registry entry and value.
You could use the command "netsh int ipv4 show dynamicport tcp" to verify the dynamic port range, and the command "netstat -ano" to find whether the system is using dynamic ports 49152, 49153, ...
I suggest you add an IPv6 dynamic port range consistent with the IPv4 dynamic port range.
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
September 30th, 2011 3:53am
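The two checks in the answer above (read the configured range with netsh, then see which ports in it netstat reports as in use) can be combined into one script that reports how full the range is and which processes hold the ports. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell prompt on Windows Server 2008 R2 or later, English netsh output (it parses the "Start Port" and "Number of Ports" labels), and netsh and netstat on the PATH. It counts TIME_WAIT sockets too, since those still occupy a local port and are the usual reason a narrow range runs dry.

```powershell
# Added example, not from the thread: measure how much of the configured dynamic
# (ephemeral/RPC) port range is in use and which processes hold it.
# Assumptions: elevated PowerShell on Windows Server 2008 R2 or later, English netsh
# output, netsh and netstat on PATH. Written for PowerShell 2.0 compatibility.

# 1. Read the configured IPv4 dynamic TCP range; fall back to the Vista/2008 default.
$netshOut  = netsh int ipv4 show dynamicport tcp
$startLine = $netshOut | Select-String 'Start Port\s*:\s*(\d+)'
$numLine   = $netshOut | Select-String 'Number of Ports\s*:\s*(\d+)'
$startPort = if ($startLine) { [int]$startLine.Matches[0].Groups[1].Value } else { 49152 }
$numPorts  = if ($numLine)   { [int]$numLine.Matches[0].Groups[1].Value }   else { 16384 }
$endPort   = $startPort + $numPorts - 1
"Dynamic TCP range: $startPort-$endPort ($numPorts ports)"

# 2. Parse netstat -ano rows: Proto, Local Address, Foreign Address, [State], PID.
#    UDP rows have no State column. IPv6 locals look like [::]:49152, so split on the last colon.
$inRange = netstat -ano | ForEach-Object {
    $f = ($_.Trim()) -split '\s+'
    if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { return }   # skip headers and blank lines
    $port  = [int]$f[1].Substring($f[1].LastIndexOf(':') + 1)
    $state = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
    $owner = if ($f[0] -eq 'TCP') { $f[4] } else { $f[3] }
    New-Object PSObject -Property @{ Proto = $f[0]; Port = $port; State = $state; OwnerPid = [int]$owner }
} | Where-Object { $_.Port -ge $startPort -and $_.Port -le $endPort }

# 3. Utilisation. TIME_WAIT sockets still occupy a local port (4 minutes by default),
#    so many short-lived RPC/LDAP connections can exhaust a 500-port range quickly.
$used = @($inRange | Select-Object -ExpandProperty Port -Unique).Count
$pct  = [math]::Round(100 * $used / $numPorts, 1)
"Ports in use within range: $used of $numPorts ($pct%)"
if ($pct -ge 80) {
    Write-Warning "Dynamic port range nearly exhausted: new RPC binds can fail (e.g. Netlogon 5719, RPC server unavailable)."
}

# 4. Top consumers by owning process, with how many of their ports are only TIME_WAIT.
$inRange | Group-Object OwnerPid | Sort-Object Count -Descending | Select-Object -First 10 | ForEach-Object {
    $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
    $tw   = @($_.Group | Where-Object { $_.State -eq 'TIME_WAIT' }).Count
    '{0,6} {1,-20} ports={2,4} time_wait={3,4}' -f $_.Name, $name, $_.Count, $tw
}
```

Run it a few times while the VI Client and Linked Mode replication are busy; if the in-use count climbs towards the size of the range and most of the held ports are TIME_WAIT, the range is simply too small for the connection churn rather than misconfigured. The same netsh syntax with "ipv6" in place of "ipv4" sets the IPv6 range that the answer recommends aligning with IPv4.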