Zakir / Wesley: I have also been having similar issues that both of you have detailed in your messages. I have tried several of the recommendations provided over the last few days and I am frustrated to say the least.
Through my trials (and errors) I have been able to successfully monitor 2 servers, one member server and one DC. But on three other servers I followed the same procedure as the member server and DC and I am unable to retrieve any services. And to make matters worse, when I test ZenWin via command line, all 5 of my servers reply with "bad wmi state" but 2 are retrieving service state information.

I really am looking forward to getting this running since Zenoss looks like such a promising platform. But since we have a strictly Windows shop, I really need the ZenWin agent to work properly. I am also continuously trying to get this working and I will post any developments 'if' they arise.

Good luck!

~ Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Durumeric, Zakir B
Sent: Friday, February 09, 2007 4:07 PM
To: General discussion of using zenoss system; General discussion of using zenoss system
Subject: RE: [zenoss-users] Major WMI issues

Hi Wesley,

I completely agree on many of the points in your e-mail. In zenoss version 1.0, you did not have to be a member of any administrators group (domain nor local), just a member of remote performance monitors and everything would run under one domain account. It will not work to have the zenoss user being a local administrator and from what I gather, it's not really necessary. I'm not sure what has changed.

Right now, I'm running into issues getting any domain user to work with WMI remotely. There is a way to change the permissions to the WMI provider but from the testing I have done so far, this hasn't helped solve the problem. I have tried giving the user full permissions to the WMI provider, but that didn't solve any problems. My testing with wbemtest has produced mixed results -- so I'm not sure what is working now.
As well, the server that I'm running ZenWin gives me access denied errors in the zenoss logs, but I can successfully view the running Windows services, which makes me think that ZenWin is communicating with something. I'm not sure if the problem is related to zenoss or WMI. I can successfully run the ZenWin processes under a domain account and they communicate with the zenoss server, but they cannot access the WMI on any computer. I think that there could be some hidden windows security setting that I'm missing.

I'll keep working on getting this to work as it did in 1.0 (where there was one domain user that was not a member of any administrators group) and let you know what I find. Please let me know if you have any additional insights as well!

Thanks,
Zakir

________________________________
From: [EMAIL PROTECTED] on behalf of Wesley.Sparks
Sent: Fri 2/9/2007 12:47 PM
To: General discussion of using zenoss system
Subject: RE: [zenoss-users] Major WMI issues

I have been in the Windows world for many years and understand fully your configuration, it just doesn't work for me. The only thing I don't understand is why I can use either a domain admin or local admin account to login to WMI on these servers and run queries, but zenwin services don't work properly. If this were an issue with WMI you would think I couldn't login to WMI and run queries if the accounts didn't have rights.

I run a multi-location full AD domain, all servers are members of the domain, all running server 2003 SP1 or better. I do have one server that isn't that runs IBM TSM, but I am not attempting to monitor it yet.

I knew about restricted groups I just don't like how they remove all current users in a local group. I realize that is the point of it being restricted, but in the Windows world there are times when certain accounts need local admin access and others don't. I moved my server to a test OU where I applied the GPO with my restricted group settings.
Either way it still won't allow me to add the domain administrators group (from the builtin OU) to the restricted group, it is like it doesn't recognize it as a group. I can add just administrators, but it doesn't get applied in the local admins group on the member server. I tested it with other accounts and they get applied fine. Any idea why?

I am in the process of trying another server, but if you are correct about the domain administrators group needing local access then it won't work either.

OK I tried another server and it does the same thing, zenwinmodeler gives me bad wmi state then cleans up, zenwin works from command prompt and when doing so I get the events in zen, along with a Timeout failure during WMI check event.

Kristopher, you say you use domain admin accounts with success, what does your zwinuser and zwinpassword look like for the zenwin server and a non-zenwin servers? Did you have to add your domain administrators group to the local administrators group on your servers?

Thanks for sticking with me and helping out and all the information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 08, 2007 2:16 PM
To: [email protected]
Subject: RE: [zenoss-users] Major WMI issues

Wesley,

Let's double check something on the member server:
- Right click "My Computer" and click "Properties"
- Click the "Computer Name" tab
- Under "Full computer name" do you see "Workgroup" or "Domain"

And for definition sake (from MS TechNet article):
* Domain controller (DC). The computer keeps and maintains a copy of the Active Directory database and provides secure account management for domain member users and computers.
* Member server. The computer is not operating as a domain controller but has joined a domain in which it has a membership account in the Active Directory database.
* Stand-alone server. The computer is not operating as a domain controller or a member server in a domain. Instead, the server computer is made known to the network through a specified workgroup name, which can be shared by other computers, but is used only for browsing purposes and not to provide secured logon access to shared domain resources.

If you see:
- "Workgroup" then this is considered a "stand-alone" server or
- "Domain" (and have not run 'dcpromo' or you can see "Local Users and Groups") this is a "member server"

If you have zenwin installed on a "stand alone" server and are trying to monitor DCs or member servers, this most likely will not work; at least I could not get this configuration working. I had to run zenwin from a "member server" and not on a DC.

Now, I have a bunch of "stand alone" servers segmented into several DMZs off my firewall, I had to install a separate zenwin instance on these servers and just poke some holes in your firewall to allow ports 8080 and 8081 to talk to your zenoss server. I also created separate device classes for my DMZs.

For example, if I have a server called TEST1 and TEST2 inside my internal network, and have moved them to this class, my zenwin config files look like the following:

    winurl http://192.168.0.1:8080/zport/dmd/Devices/Server/Windows/INTERNAL
    zopeusername admin
    zopepassword zenoss
    zem http://192.168.0.1:8081/

Then for my servers TEST3 and TEST4 in another DMZ, I created another class and moved the devices to this class, my zenwin config files look like the following:

    winurl http://192.168.0.1:8080/zport/dmd/Devices/Server/Windows/DMZ1
    zopeusername admin
    zopepassword zenoss
    zem http://192.168.0.1:8081/

Zenwin will only poll the devices listed in a specific class, so if you segment them you can have better control over zenwin. You might try creating a class for your DCs and member servers and another for your stand-alone servers.
I feel your pain trying to get this working, it took me quite a while to figure this out; this is not a problem of zenwin, it is because MS tightened DCOM security with XP-SP2 and W2K3-SP1. But, needless to say, I look forward to a ZenAgent, http://dev.zenoss.org/trac/wiki/ZenAgent, which may help solve some of these WMI/DCOM issues. I'll also say that headaches were worth it, Zenoss is a great product once it is up and running.

By the way, you never replied which versions of Windows you're using. There is a DCOM setting you have to change on Windows 2000 boxes.

- Ryon

_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
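Added example, not part of the original thread and not Zenoss code: a Windows PowerShell check of the two things Ryon's message turns on, namely whether each host is a stand-alone server, member server or DC, and whether a given account can read service state over remote WMI, tested independently of ZenWin. TEST1 to TEST4 are the example host names from the thread; the function name Test-RemoteWmi is hypothetical.

```powershell
# Added diagnostic sketch (Windows PowerShell 2.0 or later; uses Get-WmiObject).
# Host names are the TEST1..TEST4 examples from the thread.
param(
    [string[]]$ComputerName = @('TEST1', 'TEST2', 'TEST3', 'TEST4'),
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

# Win32_ComputerSystem.DomainRole values, mapped to the terms used in the thread.
$roleNames = @{
    0 = 'Stand-alone workstation';  1 = 'Member workstation'
    2 = 'Stand-alone server';       3 = 'Member server'
    4 = 'Backup domain controller'; 5 = 'Primary domain controller'
}

function Test-RemoteWmi {
    param([string]$Computer, [System.Management.Automation.PSCredential]$Cred)

    $result = New-Object PSObject -Property @{
        Computer = $Computer; Role = $null; Domain = $null
        Services = $null; Status = 'OK'
    }
    try {
        # Remote hosts only: WMI rejects explicit credentials for local connections.
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Computer `
                            -Credential $Cred -ErrorAction Stop
        $result.Role   = $roleNames[[int]$cs.DomainRole]
        $result.Domain = $cs.Domain
        # Win32_Service holds service state; a row count shows the query returned data.
        $svc = @(Get-WmiObject -Class Win32_Service -ComputerName $Computer `
                               -Credential $Cred -ErrorAction Stop)
        $result.Services = $svc.Count
    }
    catch [System.UnauthorizedAccessException] {
        $result.Status = 'Access denied for this account'
    }
    catch [System.Runtime.InteropServices.COMException] {
        $result.Status = 'RPC/DCOM unreachable: ' + $_.Exception.Message
    }
    catch {
        $result.Status = 'Other WMI error: ' + $_.Exception.Message
    }
    return $result
}

$ComputerName | ForEach-Object { Test-RemoteWmi -Computer $_ -Cred $Credential } |
    Format-Table Computer, Role, Domain, Services, Status -AutoSize
```

Running it once with the monitoring account and once with an administrator account separates a rights problem (access denied) from a firewall or DCOM reachability problem on the same host.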
