ntoupin
Engaged Sweeper
Hello, we have just got into this product yesterday, currently trying out the trial premium version at a K-12 School District.

Currently we have it running active scanning, one large problem being it found 164 PC's, 28 Servers, but 409 have errors.

Every error for every computer is the same:
Cannot connect to DCOM port 135 : Firewalled? 6/8/2010 9:20:22 AM
The RPC server is unavailable 0x800706BA 6/8/2010 9:20:22 AM


The IP is correct and matches the DNS, we have gone through the "troubleshooting guide"..

http://www.lansweeper.com/kb/The-RPC-server-is-unavailable.aspx

Doing the firewall fix:
call netsh firewall set service RemoteAdmin enable
call netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
call netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=WMI
call netsh firewall add allowedprogram program=%windir%\system32\dllhost.exe name=Dllhost

seems to remove the first error of "Cannot connect to DCOM port 135 : Firewalled?" which is fine because we can use GP to change the firewall settings to fix that error.


So next we move onto the second error using this guide..
http://www.lansweeper.com/kb/WMI-Access-is-denied.aspx

All services are running correctly, the dcomcnfg is correct for it.

Moving onto the Diagnostic testing.. here's the report:

10372 09:41:41 (0) ** WMIDiag v2.0 started on Tuesday, June 08, 2010 at 09:23.
10373 09:41:41 (0) **
10374 09:41:41 (0) ** Copyright (c) Microsoft Corporation. All rights reserved - January 2007.
10375 09:41:41 (0) **
10376 09:41:41 (0) ** This script is not supported under any Microsoft standard support program or service.
10377 09:41:41 (0) ** The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
10378 09:41:41 (0) ** implied warranties including, without limitation, any implied warranties of merchantability
10379 09:41:41 (0) ** or of fitness for a particular purpose. The entire risk arising out of the use or performance
10380 09:41:41 (0) ** of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
10381 09:41:41 (0) ** or anyone else involved in the creation, production, or delivery of the script be liable for
10382 09:41:41 (0) ** any damages whatsoever (including, without limitation, damages for loss of business profits,
10383 09:41:41 (0) ** business interruption, loss of business information, or other pecuniary loss) arising out of
10384 09:41:41 (0) ** the use of or inability to use the script or documentation, even if Microsoft has been advised
10385 09:41:41 (0) ** of the possibility of such damages.
10386 09:41:41 (0) **
10387 09:41:41 (0) **
10388 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10389 09:41:41 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------------------------------------------------
10390 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10391 09:41:41 (0) **
10392 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10393 09:41:41 (0) ** Windows XP - No service pack - 32-bit (2600) - User 'BMR\BMRTEK' on computer 'MESLAB15'.
10394 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10395 09:41:41 (0) ** INFO: Environment: .................................................................................................. 1 ITEM(S)!
10396 09:41:41 (0) ** INFO: => 7 incorrect shutdown(s) detected on:
10397 09:41:41 (0) ** - Shutdown on 04 April 2010 07:41:45 (GMT+4).
10398 09:41:41 (0) ** - Shutdown on 08 May 2010 08:32:29 (GMT+4).
10399 09:41:41 (0) ** - Shutdown on 11 May 2010 12:37:44 (GMT+4).
10400 09:41:41 (0) ** - Shutdown on 29 May 2010 23:53:49 (GMT+4).
10401 09:41:41 (0) ** - Shutdown on 01 June 2010 13:49:31 (GMT+4).
10402 09:41:41 (0) ** - Shutdown on 06 June 2010 05:32:54 (GMT+4).
10403 09:41:41 (0) ** - Shutdown on 08 June 2010 08:59:28 (GMT+4).
10404 09:41:41 (0) **
10405 09:41:41 (0) ** System drive: ....................................................................................................... C: (Disk #0 Partition #0).
10406 09:41:41 (0) ** Drive type: ......................................................................................................... IDE (WDC WD800JD-00LSA0).
10407 09:41:41 (0) ** There are no missing WMI system files: .............................................................................. OK.
10408 09:41:41 (0) ** There are no missing WMI repository files: .......................................................................... OK.
10409 09:41:41 (0) ** WMI repository state: ............................................................................................... N/A.
10410 09:41:41 (0) ** BEFORE running WMIDiag:
10411 09:41:41 (0) ** The WMI repository has a size of: ................................................................................... 24 MB.
10412 09:41:41 (0) ** - Disk free space on 'C:': .......................................................................................... 53890 MB.
10413 09:41:41 (0) ** - INDEX.BTR, 7356416 bytes, 6/8/2010 9:09:37 AM
10414 09:41:41 (0) ** - INDEX.MAP, 3616 bytes, 6/8/2010 9:09:37 AM
10415 09:41:41 (0) ** - OBJECTS.DATA, 17375232 bytes, 6/8/2010 9:09:37 AM
10416 09:41:41 (0) ** - OBJECTS.MAP, 8508 bytes, 6/8/2010 9:09:37 AM
10417 09:41:41 (0) ** AFTER running WMIDiag:
10418 09:41:41 (0) ** The WMI repository has a size of: ................................................................................... 24 MB.
10419 09:41:41 (0) ** - Disk free space on 'C:': .......................................................................................... 53877 MB.
10420 09:41:41 (0) ** - INDEX.BTR, 7356416 bytes, 6/8/2010 9:37:25 AM
10421 09:41:41 (0) ** - INDEX.MAP, 3616 bytes, 6/8/2010 9:37:25 AM
10422 09:41:41 (0) ** - OBJECTS.DATA, 17375232 bytes, 6/8/2010 9:37:25 AM
10423 09:41:41 (0) ** - OBJECTS.MAP, 8508 bytes, 6/8/2010 9:37:25 AM
10424 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10425 09:41:41 (0) ** Windows Firewall: ................................................................................................... NOT INSTALLED.
10426 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10427 09:41:41 (0) ** DCOM Status: ........................................................................................................ OK.
10428 09:41:41 (0) ** WMI registry setup: ................................................................................................. OK.
10429 09:41:41 (0) ** WMI Service has no dependents: ...................................................................................... OK.
10430 09:41:41 (0) ** RPCSS service: ...................................................................................................... OK (Already started).
10431 09:41:41 (0) ** WINMGMT service: .................................................................................................... OK (Already started).
10432 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10433 09:41:41 (0) ** WMI service DCOM setup: ............................................................................................. OK.
10434 09:41:41 (2) !! WARNING: WMI DCOM components registration is missing for the following EXE/DLLs: .................................... 3 WARNING(S)!
10435 09:41:41 (0) ** - C:\WINNT\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{D71EE747-F455-4804-9DF6-2ED81025F2C1}\InProcServer32)
10436 09:41:41 (0) ** - C:\WINNT\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{ED51D12E-511F-4999-8DCD-C2BAC91BE86E}\InProcServer32)
10437 09:41:41 (0) ** - C:\WINNT\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{4C6055D8-84B9-4111-A7D3-6623894EEDB3}\InProcServer32)
10438 09:41:41 (0) ** => WMI System components are not properly registered as COM objects, which could make WMI to
10439 09:41:41 (0) ** fail depending on the operation requested.
10440 09:41:41 (0) ** => For a .DLL, you can correct the DCOM configuration by executing the 'REGSVR32.EXE <Filename.DLL>' command.
10441 09:41:41 (0) **
10442 09:41:41 (0) ** WMI ProgID registrations: ........................................................................................... OK.
10443 09:41:41 (0) ** WMI provider DCOM registrations: .................................................................................... OK.
10444 09:41:41 (0) ** WMI provider CIM registrations: ..................................................................................... OK.
10445 09:41:41 (0) ** WMI provider CLSIDs: ................................................................................................ OK.
10446 09:41:41 (0) ** WMI providers EXE/DLL availability: ................................................................................. OK.
10447 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10448 09:41:41 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
10449 09:41:41 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
10450 09:41:41 (0) ** - REMOVED ACE:
10451 09:41:41 (0) ** ACEType: &h0
10452 09:41:41 (0) ** ACCESS_ALLOWED_ACE_TYPE
10453 09:41:41 (0) ** ACEFlags: &h0
10454 09:41:41 (0) ** ACEMask: &h1
10455 09:41:41 (0) ** DCOM_RIGHT_EXECUTE
10456 09:41:41 (0) **
10457 09:41:41 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
10458 09:41:41 (0) ** Removing default security will cause some operations to fail!
10459 09:41:41 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
10460 09:41:41 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
10461 09:41:41 (0) **
10462 09:41:41 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
10463 09:41:41 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has been REMOVED!
10464 09:41:41 (0) ** - REMOVED ACE:
10465 09:41:41 (0) ** ACEType: &h0
10466 09:41:41 (0) ** ACCESS_ALLOWED_ACE_TYPE
10467 09:41:41 (0) ** ACEFlags: &h0
10468 09:41:41 (0) ** ACEMask: &h1
10469 09:41:41 (0) ** DCOM_RIGHT_EXECUTE
10470 09:41:41 (0) **
10471 09:41:41 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
10472 09:41:41 (0) ** Removing default security will cause some operations to fail!
10473 09:41:41 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
10474 09:41:41 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
10475 09:41:41 (0) **
10476 09:41:41 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
10477 09:41:41 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been REMOVED!
10478 09:41:41 (0) ** - REMOVED ACE:
10479 09:41:41 (0) ** ACEType: &h0
10480 09:41:41 (0) ** ACCESS_ALLOWED_ACE_TYPE
10481 09:41:41 (0) ** ACEFlags: &h0
10482 09:41:41 (0) ** ACEMask: &h1
10483 09:41:41 (0) ** DCOM_RIGHT_EXECUTE
10484 09:41:41 (0) **
10485 09:41:41 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
10486 09:41:41 (0) ** Removing default security will cause some operations to fail!
10487 09:41:41 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
10488 09:41:41 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
10489 09:41:41 (0) **
10490 09:41:41 (0) **
10491 09:41:41 (0) ** DCOM security warning(s) detected: .................................................................................. 0.
10492 09:41:41 (0) ** DCOM security error(s) detected: .................................................................................... 3.
10493 09:41:41 (0) ** WMI security warning(s) detected: ................................................................................... 0.
10494 09:41:41 (0) ** WMI security error(s) detected: ..................................................................................... 0.
10495 09:41:41 (0) **
10496 09:41:41 (1) !! ERROR: Overall DCOM security status: ................................................................................ ERROR!
10497 09:41:41 (0) ** Overall WMI security status: ........................................................................................ OK.
10498 09:41:41 (0) ** - Started at 'Root' --------------------------------------------------------------------------------------------------------------
10499 09:41:41 (0) ** INFO: WMI permanent SUBSCRIPTION(S): ................................................................................ 2.
10500 09:41:41 (0) ** - ROOT/SUBSCRIPTION, MSFT_UCScenarioControl.Name="Microsoft WMI Updating Consumer Scenario Control".
10501 09:41:41 (0) ** 'SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'MSFT_UCScenario''
10502 09:41:41 (0) ** - ROOT/SUBSCRIPTION, NTEventLogEventConsumer.Name="SCM Event Log Consumer".
10503 09:41:41 (0) ** 'select * from MSFT_SCMEventLogEvent'
10504 09:41:41 (0) **
10505 09:41:41 (0) ** WMI TIMER instruction(s): ........................................................................................... NONE.
10506 09:41:41 (0) ** WMI ADAP status: .................................................................................................... OK.
10507 09:41:41 (0) ** WMI MONIKER CONNECTIONS: ............................................................................................ OK.
10508 09:41:41 (0) ** WMI CONNECTIONS: .................................................................................................... OK.
10509 09:41:41 (0) ** WMI GET operations: ................................................................................................. OK.
10510 09:41:41 (0) ** WMI MOF representations: ............................................................................................ OK.
10511 09:41:41 (0) ** WMI QUALIFIER access operations: .................................................................................... OK.
10512 09:41:41 (0) ** WMI ENUMERATION operations: ......................................................................................... OK.
10513 09:41:41 (0) ** WMI EXECQUERY operations: ........................................................................................... OK.
10514 09:41:41 (2) !! WARNING: WMI GET VALUE operation errors reported: ................................................................... 5 WARNING(S)!
10515 09:41:41 (0) ** - Root, Instance: __EventProviderCacheControl=@, Property: ClearAfter='00000000000010.000000:000' (Expected default='00000000000030.000000:000').
10516 09:41:41 (0) ** - Root, Instance: __ObjectProviderCacheControl=@, Property: ClearAfter='00000000000200.000000:000' (Expected default='00000000000030.000000:000').
10517 09:41:41 (0) ** - Root, Instance: __EventSinkCacheControl=@, Property: ClearAfter='00000000000010.000000:000' (Expected default='00000000000015.000000:000').
10518 09:41:41 (0) ** - Root, Instance: __EventConsumerProviderCacheControl=@, Property: ClearAfter='00000000000010.000000:000' (Expected default='00000000000030.000000:000').
10519 09:41:41 (0) ** - Root, Instance: __PropertyProviderCacheControl=@, Property: ClearAfter='00000000000200.000000:000' (Expected default='00000000000030.000000:000').
10520 09:41:41 (0) **
10521 09:41:41 (0) ** WMI WRITE operations: ............................................................................................... NOT TESTED.
10522 09:41:41 (0) ** WMI PUT operations: ................................................................................................. NOT TESTED.
10523 09:41:41 (0) ** WMI DELETE operations: .............................................................................................. NOT TESTED.
10524 09:41:41 (0) ** WMI static instances retrieved: ..................................................................................... 10071.
10525 09:41:41 (0) ** WMI dynamic instances retrieved: .................................................................................... 0.
10526 09:41:41 (0) ** WMI instance request cancellations (to limit performance impact): ................................................... 0.
10527 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10528 09:41:41 (0) ** # of Event Log events BEFORE WMIDiag execution since the last 20 day(s):
10529 09:41:41 (0) ** DCOM: ............................................................................................................. 0.
10530 09:41:41 (0) ** WINMGMT: .......................................................................................................... 0.
10531 09:41:41 (0) ** WMIADAPTER: ....................................................................................................... 0.
10532 09:41:41 (0) **
10533 09:41:41 (0) ** # of additional Event Log events AFTER WMIDiag execution:
10534 09:41:41 (0) ** DCOM: ............................................................................................................. 0.
10535 09:41:41 (0) ** WINMGMT: .......................................................................................................... 0.
10536 09:41:41 (0) ** WMIADAPTER: ....................................................................................................... 0.
10537 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10538 09:41:41 (0) ** WMI Registry key setup: ............................................................................................. OK.
10539 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10540 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10541 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10542 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10543 09:41:41 (0) **
10544 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10545 09:41:41 (0) ** ------------------------------------------------------ WMI REPORT: END -----------------------------------------------------------
10546 09:41:41 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
10547 09:41:41 (0) **
10548 09:41:41 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work properly!. Check 'C:\DOCUMENTS AND SETTINGS\BMRTEK\LOCAL SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_MESLAB15_2010.06.08_09.23.10.LOG' for details.
10549 09:41:41 (0) **
10550 09:41:41 (0) ** WMIDiag v2.0 ended on Tuesday, June 08, 2010 at 09:41 (W:67 E:11 S:1).


After that the second error still remains so we went ahead with the VBS script to repair the WMI. This seemed to have fixed whatever the problem was and made the single computer scan-able.

The problem being, we do not want to have to go through this entire process on 400+ PC's.. Is there an easier way to deploy the WMI repair to fix the problem or something remotely?

Thanks.
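The DCOM security findings in the WMIDiag report above can be pulled out mechanically, which helps when the same check has to be repeated across hundreds of machines. The script below is an added example, not part of the original post or of Lansweeper or WMIDiag; the function names are hypothetical, the sample is an abridged excerpt of the report posted above, and the line layout it assumes is the one visible in that report.

```python
import re
from collections import defaultdict

# Abridged excerpt of the WMIDiag v2.0 report posted above (dot leaders shortened).
SAMPLE_REPORT = r"""
10448 09:41:41 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): .... MODIFIED.
10449 09:41:41 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
10450 09:41:41 (0) ** - REMOVED ACE:
10454 09:41:41 (0) ** ACEMask: &h1
10455 09:41:41 (0) ** DCOM_RIGHT_EXECUTE
10462 09:41:41 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): .... MODIFIED.
10463 09:41:41 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has been REMOVED!
10464 09:41:41 (0) ** - REMOVED ACE:
10468 09:41:41 (0) ** ACEMask: &h1
10469 09:41:41 (0) ** DCOM_RIGHT_EXECUTE
10476 09:41:41 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): .... MODIFIED.
10477 09:41:41 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been REMOVED!
10478 09:41:41 (0) ** - REMOVED ACE:
10482 09:41:41 (0) ** ACEMask: &h1
10483 09:41:41 (0) ** DCOM_RIGHT_EXECUTE
10491 09:41:41 (0) ** DCOM security warning(s) detected: .... 0.
10492 09:41:41 (0) ** DCOM security error(s) detected: .... 3.
10493 09:41:41 (0) ** WMI security warning(s) detected: .... 0.
10494 09:41:41 (0) ** WMI security error(s) detected: .... 0.
"""

# Line prefix as seen in the report: <counter> <hh:mm:ss> (<level>) <**|!!> <text>
LINE = re.compile(r"^\d+\s+\d\d:\d\d:\d\d\s+\((\d)\)\s+(?:\*\*|!!)\s*(.*)$")
SECTION = re.compile(r"^DCOM security for '(.+?)' \((.+?)\):")
REMOVED = re.compile(r"^ERROR: Default trustee '(.+?)' has been REMOVED!")
RIGHT = re.compile(r"^(DCOM_RIGHT_\w+)$")
COUNTER = re.compile(r"^(DCOM|WMI) security (warning|error)\(s\) detected: \.+ (\d+)\.$")

def parse_wmidiag(text):
    """Return (findings, counters) for the DCOM security part of a report."""
    findings, counters = [], {}
    section = current = None  # DCOM object being described / finding being filled
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        level, body = int(m.group(1)), m.group(2).strip()
        if (s := SECTION.match(body)):
            section, current = s.groups(), None
        elif (r := REMOVED.match(body)) and section:
            current = {"object": section[0], "permission": section[1],
                       "trustee": r.group(1), "rights": [], "level": level}
            findings.append(current)
        elif (a := RIGHT.match(body)) and current:
            current["rights"].append(a.group(1))  # right carried by the removed ACE
        elif (c := COUNTER.match(body)):
            counters[f"{c.group(1)} {c.group(2)}"] = int(c.group(3))
    return findings, counters

def removed_trustees(findings):
    """Group removed default trustees by (DCOM object, permission set)."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["object"], f["permission"])].append(f["trustee"])
    return dict(grouped)

def counters_match(findings, counters):
    """Cross-check the parsed findings against the report's own error counter."""
    return counters.get("DCOM error") == len(findings)

if __name__ == "__main__":
    import sys
    # Pass saved WMIDiag .LOG files as arguments; with none, the excerpt is used.
    # Assumption: the logs are readable as plain text in the default encoding.
    reports = {p: open(p, errors="replace").read() for p in sys.argv[1:]}
    for name, text in (reports or {"sample": SAMPLE_REPORT}).items():
        findings, counters = parse_wmidiag(text)
        for (obj, perm), who in removed_trustees(findings).items():
            print(f"{name}: {obj} [{perm}] missing default ACEs for: {', '.join(who)}")
        print(f"{name}: counters={counters} consistent={counters_match(findings, counters)}")
```

Machines whose reports list the same removed trustees most likely share one source, such as a common image or policy, so the repair can be targeted at that group rather than applied blindly.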

1 ACCEPTED SOLUTION
Hemoco
Lansweeper Alumni
It looks like the default permissions for administrators have been removed.

If you use computer images to deploy, it's a common problem if the "base" image has this problem.

I've never tried it but maybe you can run the wmi repair script in a startup script.


12 REPLIES
Hemoco
Lansweeper Alumni
Did you check for dns problems?
fqdn <> IP address
Lansweeper wrote:
Did you check for dns problems?
fqdn <> IP address


Yes we checked and found no DNS issues.
stoneriveruser
Engaged Sweeper
We're having a similar problem except we have several machines that we haven't been able to get to scan at all, here's what we've tried.

Verified the machine is on and connected to the network (directly or VPN)

Verified that lansweeper has admin access to the machine.

Run the Firewall fixes per: http://lansweeper.com/kb/The-RPC-server-is-unavailable.aspx (and set group policy to apply them as well as manually applying where needed)

Verified DCOM and repaired WMI per: http://lansweeper.com/kb/WMI-Access-is-denied.aspx

But still nothing. The machines in question are running through our Cisco VPN but other machines just like them were able to be scanned through the VPN without issue. The machine that lansweeper is on can access port 135 on the machines in question just fine (telnet computername 135 doesn't timeout).

They are all running Windows XP Pro SP2/3 and machines built just like them are working but they aren't. Any ideas?
stoneriveruser wrote:

But still nothing. The machines in question are running through our Cisco VPN but other machines just like them were able to be scanned through the VPN without issue. The machine that lansweeper is on can access port 135 on the machines in question just fine (telnet computername 135 doesn't timeout)


Are you able to scan the machines not using the cisco vpn?
Lansweeper wrote:
stoneriveruser wrote:

But still nothing. The machines in question are running through our Cisco VPN but other machines just like them were able to be scanned through the VPN without issue. The machine that lansweeper is on can access port 135 on the machines in question just fine (telnet computername 135 doesn't timeout)


Are you able to scan the machines not using the cisco vpn?


Yes we have no issues scanning machines not connected through the VPN (directly connected to the local network). We have no issues with scanning some machines that connect through the VPN..

Doing some digging in DCOM, this is the common thread I've found between two machines with issues being scanned through the VPN..


Event Type: Information
Event Source: MSDTC
Event Category: Disk
Event ID: 2444
Date: 6/21/2010
Time: 1:04:54 PM
User: N/A
Computer: COMPUTERA
Description:
MS DTC started with the following settings: Security Configuration (OFF = 0 and ON = 1): Network Administration of Transactions = 0, Network Clients = 0, Inbound Distributed Transactions using Native MSDTC Protocol = 0, Outbound Distributed Transactions using Native MSDTC Protocol = 0, Transaction Internet Protocol (TIP) = 0, XA Transactions = 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: MSDTC
Event Category: Disk
Event ID: 2444
Date: 6/21/2010
Time: 11:38:11 AM
User: N/A
Computer: COMPUTERB
Description:
MS DTC started with the following settings: Security Configuration (OFF = 0 and ON = 1): Network Administration of Transactions = 0, Network Clients = 0, Inbound Distributed Transactions using Native MSDTC Protocol = 0, Outbound Distributed Transactions using Native MSDTC Protocol = 0, Transaction Internet Protocol (TIP) = 0, XA Transactions = 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Hemoco
Lansweeper Alumni
Did you try creating a group policy to change the firewall settings?
Hemoco
Lansweeper Alumni
You can try psexec for this (sysinternals freeware)
Then write a batch script to run them against a text file of computers.
ntoupin
Engaged Sweeper
Lansweeper wrote:
You can try psexec for this (sysinternals freeware)
Then write a batch script to run them against a text file of computers.

Sounds good, it's currently working to get rid of one of the errors (135 firewalled) but not "The RPC server is unavailable 0x800706BA"

Which is odd as both the WMI repair and the firewall.cmd were run (opening 135 as well as the other settings in the .cmd)..

Went through the entire troubleshooting guide and all seems correct, all settings are correct, all fixes tried, however some still remain with the problem The RPC server is unavailable 0x800706BA.

Turning off windows firewall completely is currently the only fix that seems to work, however we don't want to have to turn off windows firewall completely..

Not sure what in windows firewall is blocking it since all the fixes have been done..


Edit: If it helps, I've attached the windows firewall log for when a LStrigger was run.


In the log..

10.64.1.62 = Computer trying to get scanned

The local server running lansweeper server is 10.0.6.50 which doesn't even seem to show up on the log..

Hemoco
Lansweeper Alumni
Another suggestion:
A custom action in lansweeper which uses psexec to run the wmi repair script on a target computer.
This way you can go to the non-working computer in lansweeper and click on the action.