I have been in the Windows world for many years and understand fully your configuration, it just doesn't work for me.
The only thing I don't understand is why I can use either a domain admin or local admin account to log in to WMI on these servers and run queries, but zenwin services don't work properly. If this were an issue with WMI you would think I couldn't log in to WMI and run queries if the accounts didn't have rights.

I run a multi-location full AD domain, all servers are members of the domain, all running Server 2003 SP1 or better. I do have one server that isn't, which runs IBM TSM, but I am not attempting to monitor it yet.

I knew about restricted groups; I just don't like how they remove all current users in a local group. I realize that is the point of it being restricted, but in the Windows world there are times when certain accounts need local admin access and others don't. I moved my server to a test OU where I applied the GPO with my restricted group settings. Either way it still won't allow me to add the domain administrators group (from the builtin OU) to the restricted group; it is like it doesn't recognize it as a group. I can add just administrators, but it doesn't get applied in the local admins group on the member server. I tested it with other accounts and they get applied fine. Any idea why?

I am in the process of trying another server, but if you are correct about the domain administrators group needing local access then it won't work either.

OK, I tried another server and it does the same thing: zenwinmodeler gives me bad wmi state then cleans up, zenwin works from command prompt and when doing so I get the events in zen, along with a Timeout failure during WMI check event.

Kristopher, you say you use domain admin accounts with success. What do your zwinuser and zwinpassword look like for the zenwin server and non-zenwin servers? Did you have to add your domain administrators group to the local administrators group on your servers?

Thanks for sticking with me and helping out and all the information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 08, 2007 2:16 PM
To: [email protected]
Subject: RE: [zenoss-users] Major WMI issues

Wesley,

Let's double check something on the member server:

- Right click "My Computer" and click "Properties"
- Click the "Computer Name" tab
- Under "Full computer name" do you see "Workgroup" or "Domain"

And for definition sake (from MS TechNet article):

* Domain controller (DC). The computer keeps and maintains a copy of the Active Directory database and provides secure account management for domain member users and computers.
* Member server. The computer is not operating as a domain controller but has joined a domain in which it has a membership account in the Active Directory database.
* Stand-alone server. The computer is not operating as a domain controller or a member server in a domain. Instead, the server computer is made known to the network through a specified workgroup name, which can be shared by other computers, but is used only for browsing purposes and not to provide secured logon access to shared domain resources.

If you see:

- "Workgroup" then this is considered a "stand-alone" server, or
- "Domain" (and have not run 'dcpromo' or you can see "Local Users and Groups") this is a "member server"

If you have zenwin installed on a "stand alone" server and are trying to monitor DCs or member servers, this most likely will not work; at least I could not get this configuration working. I had to run zenwin from a "member server" and not on a DC.

Now, I have a bunch of "stand alone" servers segmented into several DMZs off my firewall. I had to install a separate zenwin instance on these servers and just poke some holes in your firewall to allow ports 8080 and 8081 to talk to your zenoss server. I also created separate device classes for my DMZs.

For example, if I have a server called TEST1 and TEST2 inside my internal network, and have moved them to this class, my zenwin config files look like the following:

    winurl http://192.168.0.1:8080/zport/dmd/Devices/Server/Windows/INTERNAL
    zopeusername admin
    zopepassword zenoss
    zem http://192.168.0.1:8081/

Then for my servers TEST3 and TEST4 in another DMZ, I created another class and moved the devices to this class. My zenwin config files look like the following:

    winurl http://192.168.0.1:8080/zport/dmd/Devices/Server/Windows/DMZ1
    zopeusername admin
    zopepassword zenoss
    zem http://192.168.0.1:8081/

Zenwin will only poll the devices listed in a specific class, so if you segment them you can have better control over zenwin. You might try creating a class for your DCs and member servers and another for your stand-alone servers.

I feel your pain trying to get this working, it took me quite a while to figure this out; this is not a problem of zenwin, it is because MS tightened DCOM security with XP-SP2 and W2K3-SP1. But, needless to say, I look forward to a ZenAgent, http://dev.zenoss.org/trac/wiki/ZenAgent, which may help solve some of these WMI/DCOM issues. I'll also say that the headaches were worth it, Zenoss is a great product once it is up and running.

By the way, you never replied which versions of Windows you're using. There is a DCOM setting you have to change on Windows 2000 boxes.

- Ryon

_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
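
Added example, not part of either poster's message: a PowerShell check, run from the machine that hosts zenwin, that asks each monitored server for its Win32_ComputerSystem.DomainRole over DCOM, so stand-alone servers, member servers and domain controllers can be told apart using the same account zenwin would use. The host names TEST1 and TEST2 come from the thread; the script, its parameter names and the 15-second timeout are assumptions.

```powershell
# Added example (not from the thread): classify servers by domain role over WMI/DCOM.
param(
    [string[]]$ComputerName = @('TEST1', 'TEST2'),   # host names borrowed from the thread
    [pscredential]$Credential = (Get-Credential)     # the account zenwin would be given
)

# Documented meanings of Win32_ComputerSystem.DomainRole
$roleNames = @{
    0 = 'Stand-alone workstation'
    1 = 'Member workstation'
    2 = 'Stand-alone server'
    3 = 'Member server'
    4 = 'Backup domain controller'
    5 = 'Primary domain controller'
}

# Force DCOM instead of the WS-Man default, since DCOM hardening is what the thread discusses
$dcom = New-CimSessionOption -Protocol Dcom

foreach ($name in $ComputerName) {
    $session = $null
    try {
        $session = New-CimSession -ComputerName $name -Credential $Credential `
            -SessionOption $dcom -OperationTimeoutSec 15 -ErrorAction Stop
        $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop
        [pscustomobject]@{
            Computer          = $name
            Role              = $roleNames[[int]$cs.DomainRole]
            DomainOrWorkgroup = $cs.Domain          # workgroup name when not domain-joined
            PartOfDomain      = $cs.PartOfDomain
            WmiQuery          = 'OK'
        }
    }
    catch {
        # Access-denied and RPC errors end up here; keep the message for triage
        [pscustomobject]@{
            Computer          = $name
            Role              = $null
            DomainOrWorkgroup = $null
            PartOfDomain      = $null
            WmiQuery          = $_.Exception.Message
        }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}
```

A row whose WmiQuery column is not OK shows the account failing at the DCOM/WMI layer before zenwin is involved at all.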
