I am trying to use certsrv.msc to connect from my workstation to the CA for administration purposes. Workstation is Win7, CA is 2008 R2 Enterprise running Enterprise Subordinate on a dedicated box.
I configured a static DCOM port by following this article, including bouncing the service and also rebooting the CA box:
http://social.technet.microsoft.com/wiki/contents/articles/1559.how-to-configure-a-static-dcom-port-for-ad-cs.aspx
The static port was opened in the firewall from my workstation to the CA. We also found that TCP 445 was required, so that has been opened as well; port 135 and the other ports normally needed for autoenrollment should be open. Sniffing the firewall showed that a random high-numbered port that is not the static DCOM port is being attempted. This is the only port showing dropped packets, and there is no traffic on the static port. On the CA I ran netstat and 'netstat -a' and am not seeing the static port listed anywhere.
It does not appear to me that the static DCOM endpoint is working properly and that it is still randomly assigning ports. We would greatly prefer not to have the whole range opened for random port assignment. Any suggestions? Thanks in advance!
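The checks below are an added example, not part of the original post and not from the TechNet article; they are the things I would run on the CA before opening any further ports. The script assumes the endpoint was set through dcomcnfg as the article describes, which Windows stores as an `Endpoints` REG_MULTI_SZ value (entries of the form `ncacn_ip_tcp,0,<port>`) under the application's AppID key in `HKLM:\SOFTWARE\Classes\AppID`. The `CertSrv*` name filter, the port number and the CA hostname are assumptions to be adjusted to the environment.

```powershell
# Added example: confirm whether a static DCOM endpoint for AD CS is actually in effect.
# Run sections 1 and 2 on the CA; run section 3 from the workstation.
param(
    [int]$StaticPort = 49152,   # assumed: the port configured in dcomcnfg
    [string]$CaHost  = 'ca01'   # assumed: the CA hostname, for the reachability test
)

# 1. List every DCOM AppID whose name starts with "CertSrv" or that has an explicit
#    Endpoints value. An empty Endpoints column for the CertSrv AppID means dcomcnfg
#    never wrote the static endpoint and DCOM is still handing out dynamic ports.
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $name  = $props.'(default)'
        if ($name -like 'CertSrv*' -or $props.Endpoints) {
            [pscustomobject]@{
                AppID     = $_.PSChildName
                Name      = $name
                Endpoints = ($props.Endpoints -join ';')   # expected form: ncacn_ip_tcp,0,<port>
            }
        }
    } | Format-Table -AutoSize

# 2. Is any process listening on the static port, and is it certsrv.exe?
#    netstat -ano lines look like: "  TCP    0.0.0.0:49152    0.0.0.0:0    LISTENING    1234"
$listeners = netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' -and $_ -match ":$StaticPort\s" }
if ($listeners) {
    foreach ($line in $listeners) {
        $ownerPid = [int](($line -split '\s+')[-1])
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        "TCP $StaticPort is listening; owner PID $ownerPid ($($proc.ProcessName))"
    }
} else {
    "Nothing is listening on TCP $StaticPort on this host; the static endpoint is not in effect."
}

# 3. From the workstation: can we reach the endpoint mapper, SMB and the static port on the CA?
#    Uses System.Net.Sockets.TcpClient so it works on Windows 7 without newer cmdlets.
foreach ($port in 135, 445, $StaticPort) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($CaHost, $port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(2000)   # 2 s timeout so a firewall drop does not hang the loop
        if ($ok) { $client.EndConnect($async); "TCP $port to ${CaHost}: open" }
        else     { "TCP $port to ${CaHost}: no response (filtered or not listening)" }
    } catch {
        "TCP $port to ${CaHost}: refused ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}
```

If section 1 shows the Endpoints value but section 2 shows nothing listening, the service has not been restarted since the value was written (or the value is on a different AppID than the one certsrv.exe registers under); if section 2 shows certsrv.exe on the port but section 3 reports it filtered, the firewall rule is the problem rather than the DCOM configuration.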