Can you add some tracceoptions: set security traceoptions file tt set security traceoptions flag all set security alg msrpc traceoptions flag all The ALG traceoption output should go to the above mentioned file. Looks like there was no dynamic gate opened for the traffic so you will need to take alook at the traceoptions to see why the mapping was not created. Also: show security resource-manager group active This should show you if the mapping is there or not. I would also suggest a packet capture together with the flow trace at the same time just to make sure that the OIDs and the port mapping is correct.

I applied the traceoptions and tried the DCPROMO. I have attached the packet captures and trace output in the zip file. I have also modified the policy slightly to include the "junos-ms-rpc-epm" application as opposed to just the "junos-ms-rpc" application-set. Also to note when I did the "show security resource-manager groups active" it told me there were 677 groups, and 0 were active.

 

admin@srx-qa> show configuration security traceoptions
file jtac-trace-for-alg size 5m files 5 world-readable;
flag all;

{primary:node0}
admin@srx-qa> show configuration security alg
h323 disable;
mgcp disable;
msrpc traceoptions flag all;
sccp disable;

{primary:node0}
admin@srx-qa> show configuration security flow traceoptions
file jtac-trace-for-alg size 2m files 5 world-readable;
flag all;
packet-filter f1 {
    source-prefix 192.168.129.101/32;
    destination-prefix 192.168.130.101/32;
}
packet-filter f2 {
    source-prefix 192.168.130.101/32;
    destination-prefix 192.168.129.101/32;
}