Firewall blocking Discovery access to the Windows Server - Support and Troubleshooting

Firewall blocking Discovery access to the Windows Server Issue This article provides info about ways to resolve various issues that result in firewalls blocking Discovery access to Windows servers.

Table of Contents Service Mapping does not listen on all relevant ports Access to a Windows Server is denied Service Mapping fails to run commands Firewall blocking Discovery access to the Windows Server Problem A firewall blocks Remote Procedure Call (RPC) calls from the MID Server to the Microsoft Windows Server preventing the discovery process. The problem can be caused either by Windows Firewall (embedded) or an external firewall.

Symptoms At the end of the discovery and mapping process, Service Mapping displays the following error for a Windows Server: “0x800706BA - RPC Server Unavailable”.

Cause The firewall is not configured correctly to let through RPC calls from the MID Server. Typically, RPC uses a large range of ports. The MID Server initiates the RPC connection on port 135, but once the connection is established, it uses any port in the range of 1024 and up.

Resolution Perform the following steps to verify that the firewall blocks RPC calls:

On the MID Server, run the following command: wmic /NODE:target_server_ip_address /user:domain\user /password:xxxx cpu get Check the result. If you get the message that the RPC Server is unavailable, it means that the firewall between the MID Server and the Windows Server is blocking the connection. If you do not get an error message, carry on with the next step. If the Windows Server has embedded Windows Firewall, disable it temporarily and run the same command from the MID Server: wmic /NODE:target_server_ip_address /user:domain\user /password:xxxx cpu get If you get the success message, you must configure the embedded Windows Firewall to let through RPC calls from the MID Server.

If this private network uses an external firewall, contact your network administrator for assistance. Service Mapping does not listen on all relevant ports Problem Service Mapping does not listen on all relevant ports of the Windows Server it tries to discover and map.

Symptoms At the end of the discovery and mapping process, Service Mapping displays the following error for a Windows Server: “0x800706BA - RPC Server Unavailable”.

Cause The Windows Server has multiple IP addresses. Service Mapping automatically discovered only one of the IP addresses and therefore is not listening on the full range of ports. Typically, Service Mapping discovers and listens only to the application port.

Resolution Perform the following steps:

On the map, right-click on the discovery error message and select Add Management IP . Select one of the IP addresses of this Windows Server. Verify that the discovery and mapping process is completed without errors. Access to a Windows Server is denied Problem Service Mapping cannot access a Windows Server.

Symptoms At the end of the discovery and mapping process, Service Mapping displays the following error for a Windows Server: “0x80070005 – E_ACCESS_DENIED”.

Possible Cause Credentials configured for this Windows Server in the ServiceNow platform are wrong.

Resolution Verify that the user name and password for the Windows Server are correct:

Log in to the Windows Server that you must discover using remote desktop connection. If you fail to connect, the username and password for this Windows Server are wrong. Find out the correct credentials and configure them as described in the Service Mapping documentation. If you connect successfully, continue with this troubleshooting procedure. Possible Cause Access denied errors are displayed if a user is not part of the local administrators group.

Resolution Verify that this user is added to the local administrators group.

Possible Cause The EnableDCOM registry entry that controls the global activation and call policies is disabled either on the MID Server or on the Windows Server.

Resolution Perform the following steps both on the MID Server and on the Windows Server to verify that DCOM is enabled on both servers:

Navigate to the registry. Check the following registry entry on both computers: Key: HKEY LOCAL MACHINE\Software\Microsoft\Ole Name: EnableDCOM Type: REG_SZ Data: Y Possible Cause WMI is disabled or not configured properly on this Windows Server.

Resolution Check that Windows Management Instrumentation (WMI) is enabled by performing the following steps:

On the Windows Server, navigate to Start > Run . Enter wbemtest. Check that the Windows Management Instrumentation Tester application starts. If it does, WMI is enabled. In the Windows Management Instrumentation Tester window, click Connect . In the Connect window, leave the default values for Namespace and Credentials and click C onnect . Click Query . In the Query window, enter the following WMI query: Select * from Win32_ComputerSystem and click Apply . Verify that you get a reply with the computer name. Possible Cause WMI-related service or services are disabled.

Resolution Ensure that all WMI-related services can be started on demand:

In Windows Explorer, navigate to Server Manager . In the tree, select Configuration, and right-click WMI Control and select Properties . In the WMI Control Properties window , click the Security Click the Root folder and click Security . In the Security for Root window, click Advanced . In the Advanced Security Settings for Root window, > double-click Administrators In the Permission Entry for Root window, verify that all checkboxes are selected.

In the Server Manager , select Configuration > Services and verify that the status for the following services is not disabled: Remote Access Auto Connection Manager Remote Access Connection Manager Remote Procedure Call (RPC) Remote Procedure Call (RPC) Locator Remote Registry Server Windows Management Instrumentation Windows Management Instrumentation Driver Extensions WMI Performance Adapter Service Mapping fails to run commands Problem In some cases, Service Mapping may be able to connect to WMI but fails to run all or specific commands, such as netstat.

Possible Cause The Administrators group on the Windows Server has reduced DCOM rights compared to the default Windows installation.

Resolution Perform the following steps:

In the command-line shell, enter exe. In the Component Services window, navigate to Component Services > Computers . Right-click on My Computer and select Properties . Click the COM Security Click Edit Limits . In the Access Permission window, click Add . In the Select Users or Groups window, enter Distributed COM Users and click OK . In the Access Permission window, select Distributed COM Users and verify that the following permissions are allowed: Local Launch Remote Launch Local Activation Remote Activation Possible Cause Appropriate security policies are not configured correctly for the Service Mapping user or the group to which this user belongs.

Resolution Perform the following steps:

On the Windows Server that you discover, click Start > Run and enter secpol.msc.

In the Local Security Policy window, navigate to Security Settings > Local Policies > User Rights Assignment . Right-click My computer and select Properties . Right-click relevant policies and check the Service Mapping user configured for them. If necessary, click Add User or Group and add the Service Mapping user to this policy. Perform this for the following policies: Debug Programs Restore Files and Directories Logon as batch job Logon as service