locked
WMI doesn't work between exchange servers (over different subnet) RRS feed

  • Question

  • We currently have two exchange servers (2010) running on VM's that are on different subnets (routing between them works).  The issue that I am having is that the DAG keeps giving error, and the failover cluster seems to complain A lot.  After looking into it, and running some validation checks on the failover cluster, WMI doesn't seem to work between those two servers. 

    I know that WMI is on and running on both exchange servers because tests from any other server, even across the subnet, work just fine, seems like just the two exchange servers can't access each other.   We tracked the packets to see if network traffic was making it across the WAN, and the packets get to the other exchange server, and then I get the error (The RPC server is unavailable).

    Does anyone have any ideas on why this is.   

    I am very unfamiliar with Failover clustering and DAG.   Due to that I may even be tracking a red herring with this WMI issue.

    Thursday, February 20, 2014 1:41 PM

Answers

  • Hello All, 

    After Miss Wang's Help, and watching packets on the network on my side, I finally figured the issue out. 

    WMI negotiates a connection using port 135, it then sends the command CreateInstance, which creates a New connection in a different, much higher, port range (regular ports for most servers on my network started at 4915x)

    The exchange servers were using port 6007 for the secondary connection.  After testing Telnet to that port, and being actively refused, rather than timing out, we started checking other things.

    Turns out that our checkpoints between the two sites were miss configured  we were allowing ANY traffic, which doesn't for some reason mean all traffic. 

    This was indeed a networking issue, not a WMI service issue.

    Thanks for your help.

    • Marked as answer by VisioDei Tuesday, February 25, 2014 2:12 PM
    Tuesday, February 25, 2014 2:12 PM

All replies

  • Check if the windows firewall is running on the DAG members.  Disable it if it is.  Make sure the DNS information for the DAG and DAG members is correct.
    Thursday, February 20, 2014 1:49 PM
  • Firewall is off, 

    DNS information for the DAG is correct (as far as I understand it), please define correctly (new to DAG), the exchange servers are synchronizing correctly, and people can log into both just fine, both through OWA and through outlook.

    All other computers on the networks can and do WMI correctly (used wbemtest) to both exchange servers. 

    Exchange servers change WMI using wbemtest even using the IP addresses.

    Thursday, February 20, 2014 2:47 PM
  • What is the VM host running?  Is it HyperV, VMware?
    Thursday, February 20, 2014 3:08 PM
  • VMware
    Thursday, February 20, 2014 3:27 PM
  • You usually see these types of issues with some sort of hardware or software firewall blocking the RPC communications or network issues. 

    Are there other VM's running on the VMware hosts using the same Subnet that you tested WMI communications with?

    Have you tested with RPCPing? 

    Thursday, February 20, 2014 3:36 PM
  • I used rpcping /s "my second exchange server name"

    doing this from the first exchange server yields

    Completed 1 calls in 94 ms
    10 T/S or  94.000 ms/T

    seems to indicate that it is working.

    We have two ESX hosts running a cluster in one location, and two ESX hosts running a cluster in the other. 

    There are around 30 servers in total between the two locations, these locations are connected Via a private WAN. 

    All servers from both sites, can communicate to the exchange server on their own subnet without issue however, they all fail to communicate across the subnet to the other exchange server. 

    I don't think that this is a networking issue. 

    PACKETS REACH the exchange server on the other subnet, AND are answered, but the connection is Turned down. 

    (If I type in a user/password that doesn't have permissions to WMI, I get access denied error, if I type in a domain Admin account I get RPC server not available.)

    • Edited by VisioDei Thursday, February 20, 2014 5:18 PM
    Thursday, February 20, 2014 5:14 PM
  • Hi,

    From your description, I would like to verify the following things for troubleshooting:

    1. Please make sure that TMG servers do not interfere with all protocols required between the Exchange servers.

    2. Please ensure that the TCP/IP NetBIOS helper service, Distributed File System service and Remote Registry service are automatic and started.  The Kerberos Key Distribution Center (KDC) should be Started and Automatic.

    What's more, here is an article for your reference.

    Windows Server Troubleshooting: "The RPC server is unavailable"

    http://social.technet.microsoft.com/wiki/contents/articles/4494.windows-server-troubleshooting-the-rpc-server-is-unavailable.aspx

    Hope it helps.

    If you need further assistance, please feel free to let me know.

    Best regards,
    Amy


    Amy Wang
    TechNet Community Support

    Monday, February 24, 2014 2:50 AM
    Moderator
  • Hello miss Wang, 

    Thanks for your reply. 

    We are not running a TMG server.

    TCP/IP NetBIOS helper service, and Remote registry service are started and automatic on both exchange servers

    Distributed File System service does not exist on either of the exchange servers, nor does it exist on a number of the other other servers we are running that I checked. 

    Nor is there a service called Kerberos anything.....

    I read through that article once again, and fine nothing in there that helps me troubleshoot my issue. 

    Again, RPC and WMI ARE running Just fine, I can connect to the exchange servers from all of the servers and computers I have tested out, so long as I am on the same subnet. 

    I can even go so far as to connect across the WAN to another server (say server a1 to server b1)  The issue is simply that over the subnet the exchange server cannot be reached via WMI.

    This is very confusing to me.

    Monday, February 24, 2014 2:54 PM
  • Hello All, 

    After Miss Wang's Help, and watching packets on the network on my side, I finally figured the issue out. 

    WMI negotiates a connection using port 135, it then sends the command CreateInstance, which creates a New connection in a different, much higher, port range (regular ports for most servers on my network started at 4915x)

    The exchange servers were using port 6007 for the secondary connection.  After testing Telnet to that port, and being actively refused, rather than timing out, we started checking other things.

    Turns out that our checkpoints between the two sites were miss configured  we were allowing ANY traffic, which doesn't for some reason mean all traffic. 

    This was indeed a networking issue, not a WMI service issue.

    Thanks for your help.

    • Marked as answer by VisioDei Tuesday, February 25, 2014 2:12 PM
    Tuesday, February 25, 2014 2:12 PM