Ok am I missing something, I can't add the domain local group Administrators to the local group of any of the member servers, how might one go about doing this, because every way I know how does not allow me. This is bordering on insanity, this shouldn't be that difficult. I get no WMI connection in my logs, which I have tested it several times from several different machines and it works fine. I am going to try a different server tomorrow.
Wesley Sparks Senior Systems Engineer CAS, Inc. (Work) 256-971-6018 (Cell) 256-503-0193 [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, February 07, 2007 2:39 PM To: zenoss-users@zenoss.org Subject: RE: [zenoss-users] Major WMI issues Wesley Sparks, 1. Not exactly. On your DC, launch your "Active Directory Users and Computers" MMC and create a user (e.g. "Zenoss") in the "Users" OU. Add this user to the "Administrators" group under the "Builtin" OU. (Do not add the user to "Domain Admins" under the "Users" OU). Do this for each domain in your forest. The reason for this is all members of the "Administrators" group have access to "Launch and Activate" permissions for DCOM, the "Domain Admins" group does not. On all member servers (either standalone or a member of your domain) or any workstation for that matter, launch your "Local Users and Groups" MMC and create the same user as above (e.g. "Zenoss") under "Users". Add this user to the "Administrators" group under "Groups" in the same MMC. Also, for member servers, add the "Administrators" group for the domain into the "Administrators" group. For this new user (e.g. "Zenoss"), make sure you use the same password on all devices. 2. For all the non-zenwin servers that you are going to be monitoring, set the following (Using the "Zenoss" user as the example): Zwinpassword = mypassword Zwinuser = .\Zenoss You should set this at the "/Devices/Server/Windows" class level. So, in the Zenoss web interface, click "Devices" under "Main Views". Click the "Classes" tab, click "Server", click "Windows", click the "zProperties" tab. Enter the user and password accordingly. Once you do this, click back to the "Devices" tab and click the name of the server where you have zenwin installed . Click the "zProperties" tab and erase the Zwinpassword and Zwinuser, click the save button. 3. Regarding the zenwin config: Here is a sample config file, zope user and pass below are used if you are using the VM appliance, otherwise set accordingly. The IP address is the IP of your Zenoss server. winurl http://192.168.0.1:8080/zport/dmd/Devices/Server/Windows zopeusername admin zopepassword zenoss zem http://192.168.0.1:8081/ If you modify the zenwin config files, you do not need to re-install the services, just restart them. Also, if you had to make any changes to your DCOM or if you had to import the "Administrators" domain group into the local "Administrators" group, you will have to reboot your server. I also came up with a simple solution for monitoring my servers in multiple DMZs that I have, without having to open up all sorts of ports for DCOM on my firewall or having to define port ranges for DCOM on my servers...if you're interested. Another question, are your servers Windows 2000 or 2003? -Ryon -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wesley.Sparks Sent: Wednesday, February 07, 2007 8:07 AM To: General discussion of using zenoss system Subject: RE: [zenoss-users] Major WMI issues Thanks for all the input, but mine still don't work. Couple of questions just to verify: 1. so you need a domain admin account with a username and password and a local account with the same UN and password on each box set as part of the local admins group? Just making sure I interpreted that correctly 2. so for devices other then the zenwin server do you set its zproperties zwinuser and zwinpassword to the account you used or leave them blank like the zenwin server? Service states work as long as I do it from command prompt, but the service does not work. I still can't get a second box to list windows services either, just the zenwin box. What does your zenwin configuration files look like? I will let this new config run a few hours and see if it works itself out. I have not restarted the zenwin box or the second box I am trying to monitor. If you modify the config files do you need to redo the services off of the new config files? This is the last piece I need to get working so I can switch to zen from what's up gold, it is really starting to irk me, this isn't rocket science...pardon the rant. Thanks -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, February 06, 2007 12:52 PM To: zenoss-users@zenoss.org Subject: RE: [zenoss-users] Major WMI issues I have WMI successfully running in my environment (multiple server setup). To get it working, make sure you create a domain user and if applicable a local user with the same user name and password; this user needs to be a member of the administrators group (for your domain and the local group.) For your member servers, add the domain administrators group to the local administrators group. Install the zenwin service on a server that is a member server and use a local account to run the service, I could not get zenwin services working using domain accounts. After the services are installed, go into the Services MMC and view the properties of one of the services. Go to the "Log On" tab and browse for the local user created above and add it, even though it is already there, and specify the password and click OK (you should see a box stating the user has been granted log on as service permissions.) You can also manually grant log on as service permissions by GPO or running "gpedit.msc". In the Zenoss web interface, set the zWinUser and zWinPassword under "/Devices/Server/Windows" zProperties to ".\User" (User = what ever your zenwin service user is). You do not need to specify the domain, just use the period and backslash. Then, for the one server running zenwin, navigate to that specific device and delete the zWinUser and zWinPassword; otherwise you will get some errors about credentials being used locally. A few other things to check: Check TCP/IP Settings - Right click "My Network Places" on the desktop and select properties - Right click your active Local Area Connection - Double-click TCP/IP - Click Advanced - Select the WINS tab - Select "Enable NetBIOS over TCP/IP" - Click OK - Click OK - Click OK Check Existing Windows Services REQUIRED Services: - "TCP/IP NetBIOS Helper", Startup Type set to Automatic - "Windows Management Instrumentation", Startup Type set to Automatic - "WMI Performance Adapter", Startup Type set to Manual - "COM+ Event System", Startup Type set to Manual - "COM+ System Application", Startup Type set to Manual NOT Required: - "Server" service, does not need to be installed or running - "Remote Registry", does not need to be running Check DCOM Click Start -> Run Type "dcomcnfg" Expand Component Services -> Computers Right-click "My Computer", select Properties Click the "Default Properties" Tab Make sure "Enable DCOM on this computer" is checked (If if is not, check it, click ok and reboot the computer) Try starting one of your services, typically I use the "Zenoss Eventlog Monitoring" and check the zenwin log files. You should at least see it attempting to connect to all the devices you've added to "/Devices/Server/Windows". If you see an error about "Bad WMI State", and you've been able to successfully test WMI using wbemtest, leave the service running for several hours and it should clear itself up (have not been able to figure this one out). I also have an issue regarding starting the services using RDP. For some reason if I connect to the console of the server and I start the services then log off, the services will stop working properly. They show they are running, but they do not collect any info. So, I connect without using the /console switch and start the services. - Ryon -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wesley.Sparks Sent: Tuesday, February 06, 2007 6:40 AM To: General discussion of using zenoss system Subject: RE: [zenoss-users] Major WMI issues I have tried the local administrator of the box and a domain user account and a domain admin account. I thought the same thing but I logged in as the user the that the services run as and it still worked from command line but not the service. I have done the wbemtest using all three of those accounts and can connect successfully and run the service query. I am assuming the service needs to use the account that is also in zproperties for the device? I am also assuming when using a domain account you use domain\username in zproperties? I was hoping someone that has successfully gotten WMI to work to post their total config so we can see if we got some config wrong somewhere. Thanks -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Newton Sent: Tuesday, February 06, 2007 8:34 AM To: General discussion of using zenoss system Subject: Re: [zenoss-users] Major WMI issues Hi Wesley, What user are the services running under? I know that when it works from the command line, but not as a service, it's often a permission problem. -Eric Wesley.Sparks wrote: > It is proper in my files, looks like it got garbled up when I sent it. > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John Gardner > Sent: Monday, February 05, 2007 1:00 PM > To: General discussion of using zenoss system > Subject: Re: [zenoss-users] Major WMI issues > > > >> >> >> winurl http:/// >> > myserver/:8080/zport/dmd/Devices/Server/Windows > >> zopeusername admin >> >> zopepassword zenoss >> >> zem http:///myserver/:8080/zport/dmd/ZenEventManager >> >> >> > > Wesley > > Is the above a cut and paste from your actual file or a retype? I only > ask because there are too many slashes after http: and :8080 should be > immediately after your server name, without the slash. > > John > > _______________________________________________ zenoss-users mailing list zenoss-users@zenoss.org http://lists.zenoss.org/mailman/listinfo/zenoss-users _______________________________________________ zenoss-users mailing list zenoss-users@zenoss.org http://lists.zenoss.org/mailman/listinfo/zenoss-users ---------------------------------------------------------------------- The information contained in this e-mail and any attachments is to be considered legally privileged and confidential. If you have received this communication in error, please notify the sender and permanently delete the e-mail and any attachments immediately; you should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. We have taken every reasonable precaution to ensure the integrity of this communication and that it does not contain any malicious payload (i.e. attachments, embedded code, links, etc.). The recipient is responsible for re-verification. The Credit Union accepts no liability for any damage caused by this communication. ---------------------------------------------------------------------- _______________________________________________ zenoss-users mailing list zenoss-users@zenoss.org http://lists.zenoss.org/mailman/listinfo/zenoss-users _______________________________________________ zenoss-users mailing list zenoss-users@zenoss.org http://lists.zenoss.org/mailman/listinfo/zenoss-users ---------------------------------------------------------------------- The information contained in this e-mail and any attachments is to be considered legally privileged and confidential. If you have received this communication in error, please notify the sender and permanently delete the e-mail and any attachments immediately; you should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. We have taken every reasonable precaution to ensure the integrity of this communication and that it does not contain any malicious payload (i.e. attachments, embedded code, links, etc.). The recipient is responsible for re-verification. The Credit Union accepts no liability for any damage caused by this communication. ---------------------------------------------------------------------- _______________________________________________ zenoss-users mailing list zenoss-users@zenoss.org http://lists.zenoss.org/mailman/listinfo/zenoss-users _______________________________________________ zenoss-users mailing list zenoss-users@zenoss.org http://lists.zenoss.org/mailman/listinfo/zenoss-users
