Check out this article, maybe it will explain the issue you're having
with "Restricted Groups".

http://www.windowsitpro.com/Article/ArticleID/42527/42527.html?Ad=1


I again did not use the "Domain Admins" group at all, nor "Restricted
Groups", just imported the user I created for the zenwin services into
the domain "Administrators" group.

I did notice you observed a "Bad WMI" state error.  In my setup, I did
see these initially even though WMI worked through the wbemtest.  I just
let the service run for a few hours and the errors went away.  Not sure
exactly why this is.

Might you have converted your DC from a Windows 2000 AD domain?  You
mentioned that you have a "domain administrators" group in your
"Builtin" OU; this is not a standard W2K3 group.  The "Domain Admins"
group is typically in the "Users" OU.  As the article discusses above,
maybe when your "Restricted Groups" from your GPO get imported, there is
a SID translation issue.  But this still does not explain why wbemtest
works and zenwin does not.

This is a built from scratch domain running at full 2003 both forest and
domain wide.  
I guess I didn't convey that properly, I have the same groups as you do,
I have an Administrators group under the Builtin OU and
Domain Admins under the users OU, no domain administrators under Builtin
OU.  So you add your zen service account
to the Administrators group under the Builtin OU (that is what I did),
do you also make them a part of the domain admins?    



Have you tried or are you logging into the server using the zenwin
service account and then trying to run wbemtest? In my troubleshooting,
I found that running wbemtest logged in as a domain administrator and
specifying different login credentials, produced more promising results
than when logging in and running it as the zenwin service user.

Yes I have tried it from my workstation and from the server.  

Have you also verified, from the server you have zenwin installed and
logging in as the zenwin service account, that you can get positive
results from all the NetBIOS names of servers you've added to Zenoss,
when running:

net view \\myserver


I read in a previous post that the devices need to be set up in Zen with
their FQDN, is this still not the case or does it really matter? 
I know the scripts in zenwin do a lookup of the FQDN, and yes both DNS
and netbios names are correct and resolve.

- Ryon



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wesley.Sparks
Sent: Friday, February 09, 2007 10:47 AM
To: General discussion of using zenoss system
Subject: RE: [zenoss-users] Major WMI issues

I have been in the Windows world for many years and understand fully
your configuration, it just doesn't work for me.  

The only thing I don't understand is why I can use either a domain admin
or local admin account to login to WMI on these servers and run queries,
but zenwin services don't work properly.  If this were an issue with WMI
you would think I couldn't login to WMI and run queries if the accounts
didn't have rights.  

I run a multi-location full AD domain, all servers are members of the
domain, all running server 2003 SP1 or better.  I do have one server
that isn't that runs IBM TSM, but I am not attempting to monitor it yet.
I knew about restricted groups I just don't like how they remove all
current users in a local group.  I realize that is the point of it being
restricted, but in the Windows world there are times when certain
accounts need local admin access and others don't.  I moved my server to
a test OU where I applied the GPO with my restricted group settings.
Either way it still won't allow me to add the domain administrators
group (from the builtin OU) to the restricted group, it is like it
doesn't recognize it as a group.  I can add just administrators, but it
doesn't get applied in the local admins group on the member server.  I
tested it with other accounts and they get applied fine.  Any idea why?


I am in the process of trying another server, but if you are correct
about the domain administrators group needing local access then it won't
work either.  OK I tried another server and it does the same thing,
zenwinmodeler gives me bad wmi state then cleans up, zenwin works from
command prompt and when doing so I get the events in zen, along with a
Timeout failure during WMI check event. 

Kristopher, you say you use domain admin accounts with success, what
does your zwinuser and zwinpassword look like for the zenwin server and
a non-zenwin server?  Did you have to add your domain administrators
group to the local administrators group on your servers?


Thanks for sticking with me and helping out and all the information.  




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 08, 2007 2:16 PM
To: [email protected]
Subject: RE: [zenoss-users] Major WMI issues

Wesley,

Let's double check something on the member server:

- Right click "My Computer" and click "Properties"
- Click the "Computer Name" tab
- Under "Full computer name" do you see "Workgroup" or "Domain"

And for definition sake (from MS TechNet article):

* Domain controller (DC).  The computer keeps and maintains a copy of
the Active Directory database and provides secure account management for
domain member users and computers.
* Member server.  The computer is not operating as a domain controller
but has joined a domain in which it has a membership account in the
Active Directory database.
* Stand-alone server.  The computer is not operating as a domain
controller or a member server in a domain. Instead, the server computer
is made known to the network through a specified workgroup name, which
can be shared by other computers, but is used only for browsing purposes
and not to provide secured logon access to shared domain resources.


If you see:

- "Workgroup" then this is considered a "stand-alone" server

or

- "Domain" (and have not run 'dcpromo' or you can see "Local Users and
Groups") this is a "member server"


If you have zenwin installed on a "stand alone" server and are trying to
monitor DCs or member servers, this most likely will not work; at least
I could not get this configuration working.  I had to run zenwin from a
"member server" and not on a DC.

Now, I have a bunch of "stand alone" servers segmented into several DMZs
off my firewall, I had to install a separate zenwin instance on these
servers and just poke some holes in your firewall to allow ports 8080
and 8081 to talk to your zenoss server.  I also created separate device
classes for my DMZs.  For example, if I have a server called TEST1 and
TEST2 inside my internal network, and have moved them to this class, my
zenwin config files look like the following:

winurl          http://192.168.0.1:8080/zport/dmd/Devices/Server/Windows/INTERNAL
zopeusername    admin
zopepassword    zenoss
zem             http://192.168.0.1:8081/

Then for my servers TEST3 and TEST4 in another DMZ, I created another
class and moved the devices to this class, my zenwin config files look
like the following:

winurl          http://192.168.0.1:8080/zport/dmd/Devices/Server/Windows/DMZ1
zopeusername    admin
zopepassword    zenoss
zem             http://192.168.0.1:8081/


Zenwin will only poll the devices listed in a specific class, so if you
segment them you can have better control over zenwin.  You might try
creating a class for your DCs and member servers and another for your
stand-alone servers.  


I feel your pain trying to get this working, it took me quite a while to
figure this out; this is not a problem of zenwin, it is because MS
tightened DCOM security with XP-SP2 and W2K3-SP1.  But, needless to say,
I look forward to a ZenAgent, http://dev.zenoss.org/trac/wiki/ZenAgent,
which may help solve some of these WMI/DCOM issues.  I'll also say that
the headaches were worth it, Zenoss is a great product once it is up and
running.

By the way, you never replied which versions of Windows you're using.
There is a DCOM setting you have to change on Windows 2000 boxes.

- Ryon

----------------------------------------------------------------------
The information contained in this e-mail and any attachments is to be
considered legally privileged and confidential.  If you have received
this communication in error, please notify the sender and permanently
delete the e-mail and any attachments immediately; you should not
retain, copy or use this e-mail or any attachment for any purpose, nor
disclose all or any part of the contents to any other person.

We have taken every reasonable precaution to ensure the integrity of
this communication and that it does not contain any malicious payload
(i.e. attachments, embedded code, links, etc.).  The recipient is
responsible for re-verification.  The Credit Union accepts no liability
for any damage caused by this communication.
----------------------------------------------------------------------
_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
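
The checks discussed in this thread (stand-alone vs. member server vs. DC, local Administrators membership, "net view", and a WMI query like the one made with wbemtest) gathered into one script. This is an added example, not part of the original messages and not Zenoss code; the account name EXAMPLE\zenwinsvc is a placeholder, and TEST1/TEST2 are the sample device names from the thread.

```powershell
# Added example: preflight for the host that will run zenwin (Windows PowerShell).
# Run it while logged on as the zenwin service account, as the thread suggests.
param(
    [string]$ServiceAccount = 'EXAMPLE\zenwinsvc',  # placeholder account name
    [string[]]$Targets = @('TEST1', 'TEST2')        # device names used in the thread
)

# 1. Stand-alone, member server or DC? (Win32_ComputerSystem.DomainRole)
$roleNames = @{
    0 = 'stand-alone workstation';  1 = 'member workstation'
    2 = 'stand-alone server';       3 = 'member server'
    4 = 'backup domain controller'; 5 = 'primary domain controller'
}
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$role = [int]$cs.DomainRole
"{0} is a {1} in '{2}'" -f $cs.Name, $roleNames[$role], $cs.Domain
if ($role -ne 3) {
    Write-Warning 'The thread reports zenwin working only from a member server.'
}

# 2. Is the service account listed directly in the local Administrators group?
#    Nested membership (for example via Domain Admins) is not expanded here.
$admins = net localgroup Administrators | ForEach-Object { $_.Trim() }
if ($admins -notcontains $ServiceAccount) {
    Write-Warning "$ServiceAccount is not a direct member of local Administrators."
}

# 3. Per target: NetBIOS reachability (net view) and a WMI query over DCOM,
#    both made with the credentials of the current logon session.
foreach ($t in $Targets) {
    net view "\\$t" 2>&1 | Out-Null
    $netView = ($LASTEXITCODE -eq 0)
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $t -ErrorAction Stop
        $wmi = $os.Caption
    } catch {
        $wmi = "FAILED: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ Target = $t; NetView = $netView; Wmi = $wmi }
}
```

A target that passes "net view" but fails the WMI query points at DCOM/WMI permissions rather than name resolution.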