I could be wrong, but IIRC, Active directory needs MSRPC for nodes joining the domain and pushing out GPO. So in AD, this can not be disabled. But as long as it is blocked from public access (ie: ports are blocked at the firewall) you should be ok. MSRPC uses port 135 and multiple random high...