WMI Troubleshooting Guide
7/30/2019 WMI Troubleshooting Guide
When trying to create a WMI monitor, a timeout error occurred.
The error "The RPC server is unavailable" occurred when I tried to create WMI monitors.
Is there a way of using a NON administrator account for WMI remote monitoring?
Q. When trying to create a WMI monitor, a timeout error occurred.
A. It may be because of one of the following:
- The remote computer is not online.
- The service "Windows Management Instrumentation Driver Extensions" (or another WMI-related service, like RPC) has been disabled on the remote computer.
- Windows NT, Windows 95, and Windows 98 do not support WMI. Please download (about 3 Mb) and install WMI Core on such computers:
  Download WMI Core for Windows 95, 98
  Download WMI Core for Windows NT
- You do not have local Administrator rights on the remote computer. By default Windows will only allow members of the Administrators or Domain Admins group to read information from the WMI class.
- A firewall is blocking access to the remote computer. The remote computer's firewall should allow DCOM protocol (RPC - Remote Procedure Call) and remote computer management.
- Sharing and security model is set to "Guest only" (Windows XP, 2003). On a Windows XP Pro or Windows 2003 Server computer, make sure that remote logons are not being coerced to the GUEST account (aka "ForceGuest", which is enabled by default on computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart the computer.
- You are using a blank password (Windows XP). On XP Professional, accounts with blank passwords can no longer be used to log on to the computer remotely over the network.
- Some connections between operating system versions are not supported:
  o You cannot connect to a computer that is running Windows XP Home Edition.
  o A computer running Windows NT cannot connect to an operating system later than Windows 2000, such as Windows XP or Windows Server 2003.
  o Accessing a Windows Server 2003 computer from Windows 98 or Windows 95 is not supported.
  o Windows 2000 computers must have Service Pack 2 installed to be able to connect to Windows XP and later operating systems.
Q. The error "The RPC server is unavailable" occurred when I tried to create WMI monitors.
A. First ensure that File and Printer Sharing is enabled on the Windows Firewall Exceptions list for the following ports:
- 135 (RPC)
- 445 (TCP)
- 103x (mostly 1037)
- 441 (RPC)
For more information about the Windows Firewall Exceptions list, refer to the Microsoft Windows XP documentation. If the issue remains unresolved even after enabling File and Printer Sharing on the Windows Firewall Exceptions list, enable the "Allow remote administration exception" group policy entry:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
3. Right-click Windows Firewall: Allow remote administration exception, and then click Properties.
4. Click Enabled, and then click OK.
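To tell which of the causes above applies before changing firewall policy, the checks can be run from the monitoring server in one pass. This is an added example, not part of the original guide; it assumes Windows PowerShell 5.1 on the server, and the function name Test-WmiRemoteAccess and the computer name CLIENT01 are placeholders.

```powershell
# Added example (not from the original guide). Windows PowerShell 5.1.
# 'CLIENT01' at the bottom is a placeholder computer name.
function Test-WmiRemoteAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    $report = [ordered]@{ Computer = $ComputerName }

    # Fixed ports from the exceptions list: 135 (RPC endpoint mapper) and 445.
    foreach ($port in 135, 445) {
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $port `
            -WarningAction SilentlyContinue
        $report["Tcp$port"] = $probe.TcpTestSucceeded
    }

    # Service state through the remote Service Control Manager, which does not
    # depend on WMI itself answering.
    try {
        Get-Service -ComputerName $ComputerName -Name Winmgmt, RpcSs, RemoteRegistry `
            -ErrorAction Stop |
            ForEach-Object { $report[$_.Name] = "$($_.Status)" }
    } catch {
        $report.Services = "query failed: $($_.Exception.Message)"
    }

    # End-to-end WMI query over DCOM with the current credentials.
    try {
        $os = Get-WmiObject -ComputerName $ComputerName `
            -Class Win32_OperatingSystem -ErrorAction Stop
        $report.Wmi = "OK: $($os.Caption)"
    } catch {
        # 0x800706BA = The RPC server is unavailable (firewall, host down, service stopped)
        # 0x80070005 = Access is denied (account lacks WMI or DCOM permissions)
        $report.Wmi = '0x{0:X8} {1}' -f $_.Exception.HResult, $_.Exception.Message
    }

    [pscustomobject]$report
}

Test-WmiRemoteAccess -ComputerName 'CLIENT01'
```

A result with Tcp135 false points at the firewall or an offline host; open ports with a 0x80070005 result point at the account's permissions rather than the network.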
Q. Is there a way of using a NON administrator account for WMI remote monitoring?
A. By default Windows will only allow members of the Administrators or Domain Admins group to read information from the WMI class.

For Windows 2000
1. Click Start, click Run, type wmimgmt.msc in the Open box, and then click OK.
2. Right-click WMI Control, and then click Properties.
3. Click the Security tab.
4. Expand the Root folder, select the CIMV2 folder, and then click Security.
5. Click Add. Type the user name you wish to use, click Check Names to verify your entry or entries, and then click OK.
6. In the Permissions for User list, click the Allow check box next to the following permissions:
   Execute Methods
   Enable Account
   Remote Enable
   Read Security
7. Click Advanced. In the Permission entries list, select the user you added in step 5, and then click Edit.
8. In the Apply onto box, click This namespace and subnamespaces.
9. Click OK three times.
10. Quit the WMI Control snap-in.

For Windows XP / Windows 2003
1. Click Start, click Run, type wmimgmt.msc in the Open box, and then click OK.
2. Right-click WMI Control, and then click Properties.
3. Click the Security tab.
4. Expand the Root folder, select the CIMV2 folder, and then click Security.
5. Click Add. Type the user name you wish to use in the Enter the object names to select box, click Check Names to verify your entry or entries, and then click OK.
6. In the Permissions for User list, click the Allow check box next to the following permissions:
   Execute Methods
   Enable Account
   Remote Enable
   Read Security
7. Click Advanced. In the Permission entries list, select the user you added in step 5, and then click Edit.
8. In the Apply onto box, click This namespace and subnamespaces.
9. Click OK three times.
10. Quit the WMI Control snap-in.
11. Click Start, click Run, type dcomcnfg.exe in the Open box, and then click OK.
12. Select Component Services and then expand it. Then expand Computers. Right-click My Computer and select Properties.
13. Select the COM Security tab.
14. In the Access Permissions section, click Edit Limits....
15. Click Add. Type the user name you wish to use in the Enter the object names to select box, click Check Names to verify your entry or entries, and then click OK.
16. In the Permissions for User list, click the Allow check box next to the following permissions:
   Local Access
   Remote Access
   Click OK.
17. In the Launch and Activation Permissions section, click Edit Limits....
18. Click Add. Type the user name you wish to use in the Enter the object names to select box, click Check Names to verify your entry or entries, and then click OK.
19. In the Permissions for User list, click the Allow check box next to the following permissions:
   Local Launch
   Remote Launch
   Local Activation
   Remote Activation
   Click OK twice.
20. Expand My Computer and expand DCOM Config.
21. Right-click Windows Management and Instrumentation and click Properties.
22. Click the Security tab.
23. In the Access Permissions section, click Edit....
24. Click Add. Type the user name you wish to use in the Enter the object names to select box, click Check Names to verify your entry or entries, and then click OK.
25. In the Permissions for User list, click the Allow check box next to the following permissions:
   Local Access
   Remote Access
   Click OK twice.
26. Quit the Component Services snap-in.
27. Restart the target computer.

Note: Windows 2003 SP1 systems will not allow a user who is not a member of the Administrators or Domain Admins group to view the Win32_Service class. Consequently, you must use an account in one of these groups to perform polling of NT Service monitors. The above information will not work.
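After granting a non-administrator account access, the namespace ACL can be read back to confirm the account holds only the four permissions from step 6 and that they apply to subnamespaces. This is an added example, not part of the original guide; it assumes Windows PowerShell 5.1 in an elevated prompt on Windows Vista / Server 2008 or later (where GetSecurityDescriptor is available), and the function name Get-WmiNamespaceAcl is hypothetical.

```powershell
# Added example (not from the original guide). Windows PowerShell 5.1, elevated.
# Maps WMI namespace access-mask bits to the names shown in the WMI Control snap-in.
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

function Get-WmiNamespaceAcl {
    param(
        [string]$Namespace    = 'root\cimv2',
        [string]$ComputerName = '.'
    )
    # __SystemSecurity is a singleton in every namespace; '=@' addresses it.
    $out = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor -ErrorAction Stop
    if ($out.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($out.ReturnValue)"
    }
    foreach ($ace in $out.Descriptor.DACL) {
        $mask  = $ace.AccessMask
        $names = $WmiRights.Keys | Where-Object { $mask -band $WmiRights[$_] }
        [pscustomobject]@{
            Trustee       = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type          = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            Rights        = $names -join ', '
            Subnamespaces = [bool]($ace.AceFlags -band 0x2)   # CONTAINER_INHERIT_ACE
            Inherited     = [bool]($ace.AceFlags -band 0x10)  # INHERITED_ACE
        }
    }
}

# Every account allowed to reach root\cimv2 over the network.
Get-WmiNamespaceAcl |
    Where-Object { $_.Type -eq 'Allow' -and $_.Rights -match 'Remote Enable' } |
    Format-Table -AutoSize
```

A monitoring account that shows any of the Write rights or Edit Security alongside Remote Enable has more than the guide's step 6 grants.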
RPC Server Not Available solution
Posts 2 | Created 9/17/2008 2:49 PM by dscudder
dscudder
Hello all,
Just thought I'd throw this out there. I had been having trouble performing WMI scans on a relatively
new installation for quite some time. One message I got with about 80 computers' last_scan_status
was "the rpc server not available". I had checked WMI security and opened port 135 TCP on my
clients. I resolved that error by also opening port 445 TCP. gpedit can accomplish this by doing the
following that I found on TechNet (allow Remote Administration Exception, plus include the ITSM
server's subnet):
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type gpedit.msc and then click OK.
3. In Local Group Policy Editor, under Console Root, expand Computer Configuration, expand
Administrative Templates, expand Network, expand Network Connections, expand Windows
Firewall, and then click Domain Profile.
4. In the Domain Profile pane, right-click Windows Firewall: Allow remote administration exception,
and then click Properties.
5. Click Enabled, and then click OK.
Posted 9/17/2008 2:49 PM |
disco2008
Here is a checklist that we published a while back, should help you out.
Remote WMI Scan Configuration Checklist
Client Side Testing/Configuration
-----------------------------------------------------
I. Test local WMI
1. Run wbemtest.exe
2. Click Connect
3. Type in root\cimv2 as the namespace and click Connect
If the IWbemServices appear and you can click on them, then we have successfully connected to
the local WMI namespace. If Wbemtest returns an error, click More Information and check the
Description property for information about this error.
II. Remote Registry Service
1. Make sure that the Remote Registry Service is set to automatic and started
2. If it isn't, start this service
III. Disable the Windows Firewall, or grant Port 135
Allow for remote administration
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Under Console Root, expand Computer Configuration, expand Administrative Templates, expand
Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
3. Right-click Windows Firewall: Allow remote administration exception, and then click Properties.
4. Click Enabled, and then click OK
Grant DCOM Remote Launch permissions
1. Click Start, click Run, type DCOMCNFG, and then click OK.
2. In the Component Services dialog box, expand Component Services, expand Computers, and
then expand My Computer.
3. On the toolbar, click the Configure My Computer button.
The My Computer dialog box appears.
4. In the My Computer dialog box, click the COM Security tab.
5. Under Launch and Activate Permissions, click Edit Limits.
6. In the Launch Permission dialog box, follow these steps if your name or your group does not
appear in the Groups or user names list:
a. In the Launch Permission dialog box, click Add.
b. In the Select Users, Computers, or Groups dialog box, add your name and the group in the Enter
the object names to select box, and then click OK.
7. In the Launch Permission dialog box, select your user and group in the Group or user names box. In the Allow column under Permissions for User, select Remote Launch, and then click OK.
Open the DCOM port
Before you enable ports in Windows Firewall, make sure that the Windows Firewall: Allow local port
exceptions setting in Group Policy is enabled. To do this, follow these steps:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Under Console Root, expand Computer Configuration, expand Administrative Templates, expand
Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
3. Right-click Windows Firewall: Allow local port exceptions, and then click Properties.
4. Click Enabled, and then click OK.
Note You can also use the Windows Firewall: Define port exceptions setting to configure local port
exceptions.
The DCOM port is TCP 135. To open the DCOM port, follow these steps:
1. Click Start, and then click Control Panel.
2. Double-click Windows Firewall, and then click the Exceptions tab.
3. Click Add Port.
4. In the Name box, type DCOM_TCP135, and then type 135 in the Port number box.
5. Click TCP, and then click OK.
6. Click OK.
Note You can also type the following command at a command prompt to open a port:
netsh firewall add portopening [TCP/UDP][Port][Name]
Add a client application to the Windows Firewall Exceptions list
Before you define program exceptions in Windows Firewall, make sure that the Windows Firewall:
Allow local program exceptions setting in Group Policy is enabled:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Under Console Root, expand Computer Configuration, expand Administrative Templates, expand
Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
3. Right-click Windows Firewall: Allow local program exceptions, and then click Properties.
4. Click Enabled, and then click OK.
Note You can also use the Windows Firewall: Define program exceptions setting to configure local
program exceptions.
To add a client application to the Windows Firewall Exceptions list, follow these steps:
1. Click Start, and then click Control Panel.
2. Double-click Windows Firewall, and then click the Exceptions tab.
3. Click Add Program.
4. Locate the application that you want to add, and then click OK.
5. Click OK.
Note You can also type the following command at a command prompt to add a program to the
Windows Firewall Exception list:
netsh firewall add allowedprogram [\ProgramName] [ENABLE/DISABLE]
IV. Verifying Namespace Security
1. Click Start, and then click Run.
2. In Open, type wmimgmt.msc, and then click OK.
3. Right Click on "WMI Control (Local)"
4. Select Properties
5. Select the "Security" tab
6. Select "Root" namespace
7. Click "Security"
By default, Administrators should be granted all rights. Also click on "Advanced" and make sure that
the rights are applied to "This namespace and subnamespaces".
Server Side Testing
--------------------------------
I. Test Remote WMI
1. Run wbemtest.exe
2. Click Connect
3. Type in \\clientname\cimv2 as the namespace and click Connect
If you get a "The RPC server is unavailable" error, then something is blocking the connection, i.e.
firewall or remote registry service
II. Check Privileges
1. Make sure that the user you are using to connect to the client has the correct Privileges