Monitoring WMI Sensors Outside a Domain
If the server on which PRTG is installed is part of a domain, whereas a few target machines are not, WMI monitoring often fails with the following error:
Connection could not be established (80070005: Access Denied …)
This article lists a few possible steps to resolve this issue to successfully monitor target machines outside your Windows domain.
Basic Steps
- First of all, please check if the correct credentials are used, especially if the hostname is entered in the field Domain or Computer Name in PRTG. You can try to use localhost here, especially in the settings of the parent group (if all devices in this group are outside of the domain, of course). Please do not leave this field empty!
- Verify if any firewalls in between PRTG and the target machine(s) may be interfering with connections on port 135.
- Check the access rights to the target machine. You can either try accessing as a local user with corresponding rights or as a domain admin:
- If you want to use a local user to monitor the target machine (no matter if workgroup or domain machine), set up this user account as following.
Note: This approach does not work with a domain user!- Open the Computer/Server Management tool on the target machine.
- Navigate to System | Local Users and Groups | Groups.
- Add the local user to Distributed COM Users and to Performance Monitor Users.
- Navigate to Services and Applications below in the management panel.
- Right-click WMI Control and choose Properties.
- Select the Security tab.
- Navigate to the namespace you are interested in (for example, Root\CIMV2).
- Click the Security button.
- Add the local user and give these permissions: Execute Methods, Enable Account, and Remote Enable.
- Start DCOMCNFG.exe
- Navigate to Component Services | Computers | My Computer.
- Right-click My Computer and choose Properties.
- Select the COM Security tab.
- In section Launch and Activation Permissions click Edit Limits...
- Add the local user and allow these permissions: Local Launch, Remote Launch and Remote Activation.
- Monitoring with a local user user account should now work. Otherwise, try using a domain admin as described below.
- Check the access permissions on all computers running a PRTG probe with WMI sensors (can be local probe system, systems with remote probes, on every node in a cluster setup):
- Start DCOMCNFG.exe on each system running a PRTG probe.
- Navigate to Component Services | Computers | My Computer.
- Right-click My Computer and choose Properties.
- Select the COM Security tab.
- In section Access Permissions click Edit Limits...
- Add the group Everyone and allow the permission Remote Access.
- Confirm and restart the computer.
- The next thing you should try is to configure the PRTG Probe service to run under a domain administrator account. Sometimes the access rights of the System Account under which the PRTG Probe runs by default are not sufficient. Even though it may sound awkward to use a domain administrator account to query a machine outside of a domain, do try this, as we have actually seen cases where this option got the WMI sensors (for this particular target) to work.
- If you want to use a local user to monitor the target machine (no matter if workgroup or domain machine), set up this user account as following.
- Ensure that Remote Management is enabled on on the target server. See Microsoft TechNet: Configure Remote Management in Server Manager (Windows Server 2012)
- If the target host(s) are accessible with our WMI Tester tool, but PRTG still insists on showing the 80070005 error, try using "localhost" as "domain or computer name" in the Windows credentials section of the device's settings.
The next options have to be differentiated by the Windows version running on the target machine:
Windows 7
- Open the control panel, head to “System and Security”, and then click on “Windows Firewall”
- Click on “Advanced Settings” and then, for both Inbound and Outbound Rules, do the following:
- To enable WMI traffic passing the firewall, select all checkboxes for “Windows Management Instrumentation”. Confirm this by closing the windows.
- Open a command prompt (as administrator) and enter the following line to set another firewall group rule:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes - Eventually reboot the target machine. It should now be possible to monitor with WMI.
- Add the monitoring user to the Performance Monitor Users group
- UAC blocks some (not all) WMI counters, resulting in error 80041003: The current user does not have permission to perform the action. . You can add the following registry key to disable this feature of UAC.
Path:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemAdd a new DWORD value:
Name: LocalAccountTokenFilterPolicy
Value: 1- Note: This disables some of the protection provided by UAC. Specifically, any remote access to the server using an administrator security token is automatically elevated with full administrator rights, including access to the root folder. More information can be found here: http://support.microsoft.com/kb/951016
We have also seen cases where it was necessary to disable the UAC completely to get WMI Monitoring running.
- Note: This disables some of the protection provided by UAC. Specifically, any remote access to the server using an administrator security token is automatically elevated with full administrator rights, including access to the root folder. More information can be found here: http://support.microsoft.com/kb/951016
Windows XP/2003
- Head to “Start”->”Run…” and start the registry editor (regedit)
- Navigate to the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\ - Make sure that “ForceGuest” is set to “0”
- Eventually reboot the target machine. It should now be possible to monitor with WMI.
- For further reference please see http://support.microsoft.com/default.aspx?scid=kb;en-us;290403
Windows Vista/2008 (R2)
- Open the control panel, head to the Windows firewall
- Click on “Change Settings” and then please select the “Exceptions” tab
- To enable WMI traffic passing the firewall, select the check box for “Windows Management Instrumentation (WMI)”. Confirm this with Ok.
- Open a command prompt (as administrator) and enter the following line to set another firewall group rule:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yesNote: The name of the group is language dependent and must be translated for non-English Windows versions! So, if you run this command on a German Windows version, you have to replace windows management instrumentation (wmi) by Windows-Verwaltungsinstrumentation (WMI). - Eventually reboot the target machine. It should now be possible to monitor with WMI.
- For further reference please see: http://msdn.microsoft.com/en-us/library/aa822854(VS.85).aspx
- Add the monitoring user to the Performance Monitor Users group
No comments:
Post a Comment