views:

4232

answers:

3

When I try to connect to WMI from Powershell, ConfigMgr, or WMI explorer, I can talk to the majority of my computers, but some (maybe 30%?) return an 0x800706ba (RPC server is unavailable).

If I turn the firewall off on the remote machine, the queries start working. I have tried a bunch of different configurations of firewall settings, though, and I can't seem to figure out what the right combination of exceptions is.

Here's the relevant bits of my firewall config on the remote machine. The crazy part is that there are no drops listed in pfirewall.log when it doesn't work - but again, if I turn off the firewall on the remote computer, everything starts to behave.

I will babysit this thread since I know you'll probably need more details to diagnose this.

Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Remote Desktop

Allowed programs configuration for Domain profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   Network Diagnostics for Windows XP / C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Remote Desktop

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   McAfee Framework Service / C:\Program Files\McAfee\Common Framework\FrameworkService.exe
Enable   Network Diagnostics for Windows XP / C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop

Log configuration:
-------------------------------------------------------------------
File location   = C:\WINDOWS\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

Bluetooth Network Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

Wireless Network Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

1394 Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
+1  A: 

The general fix for this is to allow the exception for "Remote Administration" which is built into the firewall. The problem is that WMI uses an RPC endpoint mapper, so multiple ports become involved. http://msdn.microsoft.com/en-us/library/aa389286(VS.85).aspx is probably the definitive discussion on the topic.

Don Jones
I do have the Remote Administration exception listed in GP for these machines - so it's odd that that's not showing up in the firewall config result. It must be superseded by another GPO or something? Thanks Don!
Doug Chase
In fact, I just checked gpresult on the remote machine and it lists our Firewall Exception GPO as being successfully applied. However, in the firewall GUI, Remote Administration is not listed as an exception. I'll try to add it manually and then give it another shot.
Doug Chase
+1  A: 

Don,

I added the Remote Administration exception via the command line with the command

netsh firewall set service type=remoteadmin mode=enable

And received an "Ok." response.

After this, if I display the firewall config, under Domain Profile, the Remote Administration exception is listed. However, under the Standard Profile, it is not listed, and it still does not appear in the firewall GUI exceptions list, and I still cannot talk to WMI.

I don't understand the distinction between the Domain and Standard profiles; why would the Standard profile setting be superseding the Domain profile setting?

Doug Chase
+1  A: 

The Domain setting should be active when the machine is logged into a domain. The Standard setting when run at other times. As a test, I'd recommend getting this set up in the GUI first - it's easier to see what's going on and confirm that things "took." I'd also add the exception to both profiles - again, as a test. Read the in-product help on the Domain and Standard modes; you'll need to look at some specifics to see which one is active on the machine and the docs offer a good walkthrough.

Don Jones