Remote Computer Management from Active Directory Snap-In fails with DCOM error 10006

Tags: group-policy, windows-7, windows-firewall, windows-server-2012-r2, wmi

So here's a little background. Our system originally started with Windows Server 2003 machines and eventually, over time, expanded and grew. We still have a few Server 2003s, but they're being removed. Our domain controllers were recently upgraded from Server 2003 to Server 2012 R2 this summer.

While attempting to manage a remote computer from the MMC snap-in for Active Directory Users and Computers, the server is at times unable to open Computer Management for the remote workstation.

Our PDC has the following roles/features installed:

  • Active Directory Domain Services
  • DNS Server
  • DFS
  • Group Policy Management
  • Remote Server Administration Tools

Whenever an admin attempts to manage a workstation (in any OU), the following error is logged only on the server:

  • DCOM got error "2147944122" from the computer workstation1.contoso.com when attempting to activate the server:
    {03837521-098B-11D8-9414-505054503030}

The following Firewall rules are enabled by Group Policy:

  • Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception

Beyond that, we do have several Spiceworks port exceptions enabled for TCP ports 135 and 445 and UDP port 137.

All workstations are running Windows 7 Professional SP1 and are up to date as of December's Patch Tuesday. When the firewall is disabled on any Windows 7 workstation, no error is logged and remote management works fine. I'd also like to note that we use Vipre Business Premium.

So here's my question:

Since I assume that it is a port that is being blocked by the workstation or remote machine, does anyone know which port(s) it is, or is there a better way to set this up via GPO so that all machines can be remotely managed?

I've attempted the following fixes without success:

  • Port exceptions for WMI related services/executables
  • Checking the Windows Firewall eventlog for blocked ports
  • Used Wireshark, which showed that Windows uses dynamic TCP ports anywhere from port 1024 on up (including port 41975); a firewall exception with a port range did no good.

Any help/suggestions are appreciated!

Best Answer

I did some digging, and the solution was to either manually configure the winmgmt service as a standalone server or set static ports.

The answer as outlined by Lawrence Garvin Dec 4, 2013 1:13 PM (https://thwack.solarwinds.com/thread/60649):

"Open the Registry Editor (you'll need to use REGEDT32.EXE) and navigate to HKLM\Software\Microsoft\Rpc. Create a new registry KEY named "Internet" as a subkey of "Rpc". Create three new VALUES in the "Internet" key:

  • "Ports" as REG_MULTI_SZ
  • "PortsInternetAvailable" as REG_SZ
  • "UseInternetPorts" as REG_SZ

In the "Ports" value, define the port, list of ports, or range of ports. Set "PortsInternetAvailable" and "UseInternetPorts" to 'Y' to enable the use of the ports listed in the "Ports" value."

After restarting my test machine (on which I was able to consistently reproduce the error), the MMC snap-in worked without error, and I was then able to deploy the registry and firewall settings via Group Policy Preferences and Administrative Templates respectively.

As a side note: in the "Ports" registry key, you can define the ports like you would in Windows Firewall, e.g. 1001 or 1001-4001 (they're all TCP). Furthermore, it is recommended by Microsoft to provide a good range of ports. Too restrictive a range can cause the error "The parameter is incorrect. #80070057", as the RPC server doesn't have the number of ports necessary to work normally. I gave a range of ~100 TCP ports as a healthy amount for a workstation with no issue.

To view the KB article: http://support2.microsoft.com/?kbid=154596
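The registry and firewall steps from the accepted answer, written out as a PowerShell script that can be run on a single Windows 7 workstation to reproduce the fix before pushing it through Group Policy. This is an added example, not code from the original thread; it assumes the range 5000-5100 is unused on the host (any ~100-port range above 1024 works, as the answer notes), that it is run from an elevated prompt, and that a reboot follows so the RPC runtime picks the range up. It uses netsh rather than New-NetFirewallRule because Windows 7 does not ship the NetSecurity module.

```powershell
# Added example (not from the original answer): set a static RPC dynamic-port range
# in HKLM\SOFTWARE\Microsoft\Rpc\Internet and open that range in the domain profile
# of Windows Firewall, then verify the registry matches what the answer prescribes.
# ASSUMPTIONS: 5000-5100 is free on this host; script runs elevated; reboot afterwards.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$PortRange      = '5000-5100'   # ~100 TCP ports; too small a range triggers 0x80070057

function Set-RpcStaticPorts {
    param([string]$Range = $PortRange)

    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    # "Ports" is REG_MULTI_SZ (one entry per port or range); the other two are REG_SZ 'Y'.
    New-ItemProperty -Path $RpcInternetKey -Name 'Ports' `
        -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' `
        -PropertyType String -Value 'Y' -Force | Out-Null
}

function Add-RpcFirewallRule {
    param([string]$Range = $PortRange)

    # Domain profile only, so the range is not exposed when the laptop is off-network.
    # Tighten remoteip= to the management hosts' addresses if your environment allows it.
    $netshArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        'name="RPC static port range (remote management)"',
        'dir=in', 'action=allow', 'protocol=TCP',
        "localport=$Range", 'profile=domain', 'remoteip=any'
    )
    & netsh $netshArgs
}

function Test-RpcStaticPorts {
    param([string]$Range = $PortRange)

    # Returns $true only when all three values are present and consistent with the answer.
    $p = Get-ItemProperty -Path $RpcInternetKey -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    return ($p.UseInternetPorts -eq 'Y' -and
            $p.PortsInternetAvailable -eq 'Y' -and
            @($p.Ports) -contains $Range)
}

Set-RpcStaticPorts
Add-RpcFirewallRule
if (-not (Test-RpcStaticPorts)) { throw "RPC static port configuration not applied" }
Write-Host "RPC range $PortRange configured; reboot, then re-test Computer Management from the DC."
```

After the reboot, `netstat -ano | findstr LISTENING` on the workstation should show the WMI/RPC endpoints (the svchost process hosting winmgmt) listening inside the configured range, and the DCOM 10006 event on the server should stop once the matching firewall rule is in place. For fleet deployment the three values map one-to-one onto Group Policy Preferences registry items, and the netsh rule onto the Windows Firewall inbound-rule template the answer mentions.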