locked
Permissions error - DP installation RRS feed

  • Question

  • Hi All,

    Installing DP role on remote machine (can ping without problem) and even connected with RDP.

    This remote machine is local administrator and default Administrator account is used throughout this lab setup.

    IIS , BIT, RDC roles has been installed on rDP.

    Following ports are open (even disabled the firewall, but didn't helped).

    • UDP Port 67 
    • UDP Port 68
    • UDP Port 69
    • UDP Port 4011

    See attached screenshots and advice how to troubleshoot.


    N.A.Malik

    Monday, August 24, 2015 5:12 PM

Answers

  • Hi Again,

    I have started from scratch and now DP is successfully installed (of course I followed the recommendations regarding Fire Wall mentioned in this thread). Thanks all.


    N.A.Malik

    • Marked as answer by N A Malik Friday, August 28, 2015 10:22 AM
    Friday, August 28, 2015 10:11 AM

All replies

  • 0x800706ba = The RPC server is unavailable

    Can you try from the Primary site to do a  remote wbemtest/telnet to the DP

    This look like port 135 is being block


    If you are using the windows built in Firewall simply enable audit and you will see all the drop packets easy to trouble shoot.
    Monday, August 24, 2015 5:25 PM
  • Following ports are open (even disabled the firewall, but didn't helped).

    • UDP Port 67 
    • UDP Port 68
    • UDP Port 69
    • UDP Port 4011


    There are more ports needed: https://technet.microsoft.com/en-us/library/hh427328.aspx?f=255&MSPPError=-2147217396

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, August 24, 2015 5:53 PM
  • Hi 

    Thanks for reply, well I missed to mention that I have opened the port 135 on DP.

    As well as Server Message Block (SMB) (TCP 455) on DP = = => Even tried to disable the firewall.

    This means I have enabled the ports for following:

    Client -- > Distribution Point Configured for PXE

    Site Server -- > Distribution Point

    What else is required form this article as I can it has several sections.


    N.A.Malik

    Monday, August 24, 2015 9:47 PM
  • Did you do any of the test i mention above?

    try to access the WMI using wbemtest from the primary site. Also if using the windows firewall look at the logs

    Monday, August 24, 2015 9:50 PM
  • Is there a hardware firewall in between?

    The ports you've listed in this thread simply are not sufficient. You *need* to have TCP 135, TCP 445, and TCP 49152 through 65535.

    Have you manually tested connectivity as suggested by Frederick?

    Are these systems in untrusted domains?

    Is there some other security software on the DP?

    Is the DP locked down using some non-default security settings?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, August 25, 2015 8:15 AM
  • Thanks Jason for your suggestions.

    Is there a hardware firewall in between?

    Cisco Routers , Site to Site VPN

    The ports you've listed in this thread simply are not sufficient. You *need* to have TCP 135, TCP 445, and TCP 49152 through 65535.

    I will check with 49152 to 65535

    Have you manually tested connectivity as suggested by Frederick?

    Not yet

    Are these systems in untrusted domains?

    I don't know what exactly you mean here, the rDP was joined to domain, this means it is trusted computer , correct me if I am wrong.

    Is there some other security software on the DP?

    No

    Is the DP locked down using some non-default security settings?

    No, even I tried with disabling Windows Firewall.


    N.A.Malik

    Tuesday, August 25, 2015 9:05 AM
  • the errors above look to be a problem with WMI, so try running wbemtest.exe. I believe the error is RPC is unavailable (1722).

    BasementMouse

    Tuesday, August 25, 2015 10:39 AM
  • The firewall is not the only way to lock down a system.

    Have you verified that the WMI service is even running on the DP? If so, then you need to verify the ports which may not be open across the VPN.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, August 25, 2015 1:18 PM
  • Hi Again,

    I wasn't able to test it out today due to some professional reasons, will check it out and post the results.


    N.A.Malik

    Tuesday, August 25, 2015 3:25 PM
  • Hello Again,

    WMI Service is running on the remote computer.

    And I am able to connect / access WMI using wbemtest.

    Which specific test(s) I need to perform in order to troubleshoot?


    N.A.Malik

    Wednesday, August 26, 2015 10:03 AM
  • Are you using the same account as the SCCM is using ?
    Wednesday, August 26, 2015 10:33 AM
  • Thanks for reply.

    Yes its the default Administrator account (this account is used throughout the whole lab setup).


    N.A.Malik

    Wednesday, August 26, 2015 11:23 AM
  • yeah but when you do the install of a distribution point you are normally using the computer account of the primary site. unless during the install of the DP you specified another account.

    So the primary site computer account should be in the local admin of the DP. To test this you could use the psexec trick to run as system and start wbemtest as the computer account.

    Wednesday, August 26, 2015 11:30 AM
  • when you do the install of a distribution point you are normally using the computer account of the primary site.

    Yes that correct and it was administrator as well (even Site Server and DP machines has been added in the Administrators group).

    To test this you could use the psexec trick to run as system and start wbemtest as the computer account.

    I have used PSEXEC before but didnt fully got your point what you meant. Assuming i am in command prompt via psexe, should I invoke wbemtest ? Should I run it as administrator?


    N.A.Malik

    Wednesday, August 26, 2015 3:21 PM
  • This is what am referring to

    http://verbalprocessor.com/2007/12/05/running-a-cmd-prompt-as-local-system/

    start wbemtest  and connect to the DP. If it's working we might going to need to look at other things

    Wednesday, August 26, 2015 3:32 PM
  • Hi Again,

    I have started from scratch and now DP is successfully installed (of course I followed the recommendations regarding Fire Wall mentioned in this thread). Thanks all.


    N.A.Malik

    • Marked as answer by N A Malik Friday, August 28, 2015 10:22 AM
    Friday, August 28, 2015 10:11 AM