WMI Deployment Recommendations
Following are the WMI deployment recommendations.
Creating a User for WMI Detail Discovery
Using WMI to query remote hosts for their configuration details requires appropriate privileges, as described
next. To easily manage these privileges, it is recommended to use a separate domain user for this purpose.
Therefore, the first step in deploying WMI Detail Discovery is to create a domain user account. This account
should not have any administrative privileges. It needs no membership in any administrative or other
privileged group; the default Domain Users membership is sufficient.
If a local administrator account is used instead of a dedicated user, the DCOM configuration on each managed
host must allow remote access and remote launch for administrators. Troubleshooting tips regarding WMI and
DCOM permissions are found in the article at:
http://blogs.technet.com/askperf/archive/2007/08/14/wmi-troubleshooting-permissions.aspx
A user profile and temporary folder for this account must exist on every machine where Detail Discovery is to be
performed. Create them by logging in to each of those machines once as that account.
If a local user is used rather than a domain user, follow the instructions in "Configuring the Windows Telnet
server" on page 44 regarding local security policy settings.
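The account creation described above, as an added example that is not part of the VMware guide: it creates the discovery account as an ordinary domain user and then fails if the account has picked up any group membership beyond Domain Users. It assumes the ActiveDirectory RSAT module on a domain-joined administrative workstation; the account name wmidiscovery, the domain mydomain.local and the OU path are placeholders.

```powershell
# Added example (not from the VMware guide). Creates the dedicated WMI Detail Discovery
# account as a plain, non-administrative domain user and checks its group membership.
# Placeholders: wmidiscovery, mydomain.local, OU=ServiceAccounts.
Import-Module ActiveDirectory

$SamAccountName = 'wmidiscovery'
$Ou             = 'OU=ServiceAccounts,DC=mydomain,DC=local'

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamAccountName"

New-ADUser -Name $SamAccountName `
           -SamAccountName $SamAccountName `
           -UserPrincipalName "$SamAccountName@mydomain.local" `
           -Path $Ou `
           -AccountPassword $Password `
           -Enabled $true `
           -Description 'WMI Detail Discovery (non-administrative)'

# The account must not carry administrative rights. A freshly created user is a member of
# Domain Users only (its primary group); anything else indicates a template or policy added it.
$Groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
          Select-Object -ExpandProperty Name
$Extra  = $Groups | Where-Object { $_ -ne 'Domain Users' }
if ($Extra) {
    throw "Unexpected group membership for ${SamAccountName}: $($Extra -join ', ')"
}
"OK: $SamAccountName is a member of Domain Users only"
```

Run it once on the domain; the DCOM and profile steps in this chapter are then performed per managed host with that account.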
Firewall Settings
WMI queries use the Microsoft RPC network protocol, which negotiates dynamically assigned ports on the
server side and might therefore be blocked by a firewall. To avoid firewall problems, you can deploy the
Collector appliance in the same network as the managed hosts, without a firewall between them.
If your environment requires a firewall between the Collector appliance and the managed hosts, configure it
to allow RPC traffic. This is done in two stages:
1. Configure the managed hosts to use a narrow range of dynamic ports for their RPC. For more
information, go to http://support.microsoft.com/kb/154596
2. In the firewall settings, open TCP port 135 (the port for the RPC endpoint mapper) and the narrow port
range configured in step 1 for access by the Collector appliance.
Disabling Internal Firewall for Windows XP Service Pack 2
IMPORTANT Windows XP with Service Pack 2 has a built-in firewall that might block incoming
RPC/DCOM requests.
The internal firewall must be turned off, or preferably left enabled with the local network exempted, so that
the Collector appliance can connect directly.
To change the firewall configuration
1. Go to Control Panel > Security Center > Windows Firewall.
2. To fully disable the firewall, in the General tab, select Off.
3. If you want to leave the firewall enabled but still allow RPC/DCOM communication, select On in the
General tab, and in the Advanced tab, clear the check box of the local network connection.
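The two firewall procedures above (the RPC dynamic port range with TCP 135 in "Firewall Settings", and the host firewall on Windows XP SP2) as one added example that is not part of the VMware guide. It narrows the RPC range with the registry values from KB 154596 and, instead of turning the host firewall off, admits TCP 135 and that range from the Collector's address only. It assumes an elevated PowerShell on the managed host; the Collector address 10.0.0.5 and the range 5000-5020 are placeholders, and the perimeter firewall rules for the same ports are configured on the firewall itself.

```powershell
# Added example (not from the VMware guide). Run elevated on the managed host.
# Placeholders: Collector address 10.0.0.5, RPC dynamic range TCP 5000-5020.
$Collector  = '10.0.0.5'
$RangeStart = 5000
$RangeEnd   = 5020

# Stage 1: narrow the RPC dynamic port range (registry method from KB 154596; applies to
# Windows 2000/XP/2003 and later). The RPC runtime reads these values at boot, so reboot afterwards.
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey | Out-Null }
Set-ItemProperty -Path $RpcKey -Name 'Ports'                  -Value @("$RangeStart-$RangeEnd") -Type MultiString
Set-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $RpcKey -Name 'UseInternetPorts'       -Value 'Y' -Type String

# Stage 2: host firewall. XP SP2 / Server 2003 (NT 5.x) use the "netsh firewall" context,
# Vista and later use "netsh advfirewall". Both variants scope the exception to the Collector.
$Os = [Environment]::OSVersion.Version
if ($Os.Major -lt 6) {
    # The RemoteAdmin exception covers the RPC endpoint mapper (TCP 135) and DCOM.
    netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=$Collector
    # This context has no port ranges, so open the dynamic range port by port.
    foreach ($p in $RangeStart..$RangeEnd) {
        netsh firewall set portopening protocol=TCP port=$p name="RPC dynamic $p Collector" mode=ENABLE scope=CUSTOM addresses=$Collector
    }
} else {
    netsh advfirewall firewall add rule name="RPC EPM Collector" dir=in action=allow protocol=TCP localport=135 remoteip=$Collector
    netsh advfirewall firewall add rule name="RPC dynamic Collector" dir=in action=allow protocol=TCP localport="$RangeStart-$RangeEnd" remoteip=$Collector
}
"RPC range $RangeStart-$RangeEnd configured; reboot the host for the RPC setting to take effect."
```

Scoping the exceptions to the Collector's address keeps the rest of the network unable to reach RPC/DCOM on the host, which is the reason to prefer this over step 2 of the XP procedure.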
Setting DCOM Privileges
In the following steps, it is assumed that the domain name is MYDOMAIN and that the user in that domain used
for WMI Detail Discovery is named DOMAINUSER.
Since WMI access to a Windows host involves DCOM, DOMAINUSER must be allowed to perform remote DCOM
operations on each managed host. This is already the default setting on most Windows servers (the Windows
2000 and 2003 server families), but not on Windows XP or on servers whose defaults have been changed.
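A check for the DCOM and firewall requirements described in this chapter, as an added example that is not part of the VMware guide: from a Windows machine, it runs the same kind of WMI query the Collector performs using the discovery credentials, and maps the usual failure codes to the configuration step they point at. It assumes Windows PowerShell (Get-WmiObject is not available in PowerShell 7); MYDOMAIN\DOMAINUSER and managedhost01.mydomain.local are placeholders, and the hint texts are the author's interpretation of the HRESULTs, not text from the guide.

```powershell
# Added example (not from the VMware guide). Placeholders: MYDOMAIN\DOMAINUSER, managedhost01.
param(
    [string]$ComputerName = 'managedhost01.mydomain.local',
    [string]$UserName     = 'MYDOMAIN\DOMAINUSER'
)

$Cred = Get-Credential $UserName

# HRESULTs commonly returned by a remote DCOM/WMI connection (ErrorCode of the COMException).
# PowerShell parses these hex literals as negative Int32, which is what ErrorCode holds.
$Hints = @{
    0x800706BA = 'RPC server unavailable: TCP 135 or the RPC dynamic range is blocked, or the host is down'
    0x80070005 = 'Access denied: DCOM remote launch/access (or WMI namespace) permissions are missing for the account'
    0x8007052E = 'Logon failure: wrong password, or the account is not known to the host'
}

try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
                        -Credential $Cred -ErrorAction Stop
    "OK: $ComputerName runs $($os.Caption) (build $($os.BuildNumber))"
} catch {
    # Walk the inner exceptions to the one that carries the HRESULT.
    $code = $null
    for ($e = $_.Exception; $e; $e = $e.InnerException) {
        if ($e -is [System.Runtime.InteropServices.COMException]) { $code = $e.ErrorCode; break }
        if ($e -is [System.UnauthorizedAccessException])          { $code = 0x80070005;  break }
    }
    if ($code -ne $null -and $Hints.ContainsKey([int]$code)) {
        "FAILED 0x{0:X8}: {1}" -f $code, $Hints[[int]$code]
    } else {
        "FAILED: $($_.Exception.Message)"
    }
}
```

Run it once before and once after granting the DCOM permissions on a managed host: a change from 0x80070005 to a successful query confirms the permission step, while 0x800706BA means the firewall configuration, not DCOM, is still in the way.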
VMware, Inc.
Chapter 5 Discovery
41