Configuration Overview
To configure DCOM on all Windows Client Systems from Windows 7 on, administrators must complete the following steps:
- Verify the required services are enabled and configured to start automatically when the operating system boots.
- Enable DCOM
- Configure DCOM communications
- Configure User Accounts for DCOM
- Configure Windows Firewall
- Configure WMI
Required DCOM and WMI services
The following Windows services must be started and configured for automatic startup on the system:
- Server
- Remote Registry
- Windows Management Instrumentation
The procedure below outlines the steps required to configure the Server, Remote Registry, and WMI services for automatic startup.
- On your desktop, select Start > Run.
- Type the following: msc
- Click OK.
- In the details pane, verify the following services are started and set to automatic startup:
a. Server
b. Remote Registry
c. Windows Management Instrumentation
- To change a service property, right-click on the service name, and then click Properties.
- From the Startup type list box, select Automatic.
- If the Service status is not started, click Start.
- Click OK.
- Close the Services window.
You are now ready to enable DCOM.
Enabling DCOM
- On your desktop, select Start > Run.
- Type the following: dcomcnfg
- Click OK. The Component Services window is displayed.
- Under Component Services, expand Computers, and then click My Computer.
- On the Action menu, click Properties.
- Select the Default Properties tab.
- Configure the following Default Properties:
a. Select the Enable Distributed COM on this computer check box.
b. Using the Default Authentication Level list box, select Connect.
c. Using the Default Impersonation Level list box, select Identify.
- Click OK.
You are now ready to configure the DCOM protocol.
Configuring DCOM communications
- From the DCOM Configuration (dcomcnfg) window, expand Component Services, expand Computers, and select My Computer.
- On the Action menu, click Properties.
- Select the Default Protocols tab.
- Configure the following options:
a. If Connection-oriented TCP/IP is listed in the DCOM Protocols window, go to Step 5.
b. If Connection-oriented TCP/IP is not listed in the DCOM Protocols window, select Add.
c. From the Protocol Sequence list box, select Connection-oriented TCP/IP.
- Click OK.
You are now ready to configure a user account with permission to access DCOM.
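The following read-only check is an added example, not part of the vendor procedure. It verifies the three required services and the DCOM Default Properties and Default Protocols settings described above. It assumes Windows PowerShell running locally as an administrator; the service short names and registry locations are the standard Windows ones.

```powershell
# Added example: local, read-only audit of the settings configured in the steps above.
$findings = @()

# 1. Required services must be set to Automatic and be running.
$required = @{
    LanmanServer   = 'Server'
    RemoteRegistry = 'Remote Registry'
    Winmgmt        = 'Windows Management Instrumentation'
}
foreach ($name in $required.Keys) {
    $label = $required[$name]
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $findings += "${label}: service not found"; continue }
    if ($svc.StartMode -ne 'Auto') { $findings += "${label}: startup type is $($svc.StartMode), expected Auto" }
    if ($svc.State -ne 'Running')  { $findings += "${label}: state is $($svc.State), expected Running" }
}

# 2. Default Properties tab: stored under HKLM\SOFTWARE\Microsoft\Ole.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
if ($ole.EnableDCOM -ne 'Y') { $findings += "EnableDCOM is '$($ole.EnableDCOM)', expected 'Y'" }

# 2 = Connect (authentication level) and 2 = Identify (impersonation level).
# An absent value means the Windows default applies, which is Connect / Identify.
foreach ($value in 'LegacyAuthenticationLevel', 'LegacyImpersonationLevel') {
    $current = $ole.$value
    if ($null -ne $current -and $current -ne 2) {
        $findings += "$value is $current, expected 2"
    }
}

# 3. Default Protocols tab: Connection-oriented TCP/IP is the ncacn_ip_tcp sequence.
$protocols = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc').'DCOM Protocols'
if ($protocols -notcontains 'ncacn_ip_tcp') {
    $findings += 'Connection-oriented TCP/IP (ncacn_ip_tcp) is not in the DCOM protocol list'
}

if ($findings.Count -eq 0) {
    'All service and DCOM default checks passed.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```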
Configuring user accounts for DCOM
After you have enabled DCOM, you must assign an account the proper permission to access DCOM on the host. You must select an existing account with administrative access or create a normal user account that is a member of an administrative group to access the host. The user you grant DCOM permissions is the user you must configure in the Asset Discovery WMI section.
- From the DCOM Configuration (dcomcnfg) window, expand Component Services, expand Computers, and select My Computer.
- On the Action menu, click Properties.
- Select the COM Security tab.
- In Access Permissions, click Edit Default.
- Select the user or group requiring DCOM access.
- Configure the following user permissions:
a. Local Access - Select the Allow check box.
b. Remote Access - Select the Allow check box.
- Click OK. The My Computer Properties window is displayed.
- In Launch and Activation Permissions, click Edit Default.
- Select the user or group requiring DCOM access.
- Configure the following user permissions:
a. Local Launch - Select the Allow check box.
b. Remote Launch - Select the Allow check box.
c. Local Activation - Select the Allow check box.
d. Remote Activation - Select the Allow check box.
- Click OK.
- Close the Component Services window.
You are now ready to configure the Windows firewall to allow DCOM communications.
Configuring the Windows Firewall
If a firewall is located between your Windows system and Asset Discovery, you must configure the firewall with an exception to permit DCOM communications.
Note: You must be an administrator to change Windows Firewall settings or add an exception to the Windows Firewall.
- On your desktop, select Start > Run.
- Type the following: msc.
- Click OK.
- Select Inbound Rules.
- On the Action menu, click New Rule.
- Select Custom and click Next. The Program window is displayed.
- Select All programs, and click Next. The Protocol and Ports window is displayed.
- From the Protocol type list box, select TCP and click Next.
Note: We recommend you do not limit Local and Remote ports or local IP addresses, but define firewall connection rules by remote IP address.
- Under Which remote IP addresses does this rule apply to?, select These IP addresses.
- Select These IP addresses, click Add. The IP Address window is displayed.
- In the This IP address or subnet text box, type the IP address of Asset Discovery, click OK. The Action window is displayed.
- Select Allow the connection, click Next.
- Type the network profile to which the rule applies, click Next.
- Type a name and description for the firewall rule, click Finish.
- Close the Server Manager window.
You are now ready to configure Windows Management Instrumentation (WMI).
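The same inbound rule can be created and then read back from PowerShell. This is an added example, not part of the vendor procedure. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets are not available on Windows 7) and an elevated prompt; the address 192.0.2.10, the rule name and the Domain profile are placeholders to replace with your own values.

```powershell
# Added example: create the inbound TCP rule scoped to the Asset Discovery host, then verify it.
$scannerIp = '192.0.2.10'                        # placeholder: IP address of Asset Discovery
$ruleName  = 'Asset Discovery DCOM (inbound)'    # hypothetical rule name
$profile   = 'Domain'                            # assumption: pick the profile that applies

# Fail early on a malformed address instead of creating a rule with an unintended scope.
[void][System.Net.IPAddress]::Parse($scannerIp)

# Create the rule only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description 'Allow DCOM/WMI from the Asset Discovery host only' `
        -Direction Inbound -Protocol TCP `
        -RemoteAddress $scannerIp `
        -Action Allow -Profile $profile | Out-Null
}

# Read the rule back and show what is actually in effect.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$addr = $rule | Get-NetFirewallAddressFilter
$port = $rule | Get-NetFirewallPortFilter

New-Object PSObject -Property @{
    Name          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Action        = $rule.Action
    Profile       = $rule.Profile
    Protocol      = $port.Protocol
    LocalPort     = $port.LocalPort
    RemoteAddress = $addr.RemoteAddress
}

# The rule leaves ports open as recommended above, so the remote address is the only
# restriction. Flag the rule if that restriction is missing.
if ($addr.RemoteAddress -contains 'Any') {
    Write-Warning "Rule '$ruleName' accepts TCP from any remote address; restrict it to $scannerIp."
}
```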
Configuring WMI user access
The user or group you configured for DCOM access must also have Windows Management Instrumentation (WMI) permission to access the Windows event logs.
- On your desktop, select Start > Run.
- Type the following: msc
- Click OK.
- Right-click on WMI Control (Local), select Properties. The WMI Control (Local) Properties window is displayed.
- Click the Security tab.
- In Namespace navigation, expand Root, click CIMV2.
- Click Security on the bottom right. The Security for ROOT\CIMV2 window is displayed.
- Select the user or group requiring WMI access.
- Select the check boxes to add the following permissions:
a. Execute Methods - Select the Allow check box.
b. Provider Write - Select the Allow check box.
c. Enable Account - Select the Allow check box.
d. Remote Enable - Select the Allow check box.
Note: If the user or group you are configuring is a system administrator, the allow permission check boxes might be selected as the permissions are inherited.
- Click OK.
- Close the WMIMGMT - WMI Control (Local) window.
Testing the connection
To test whether WMI access is configured properly, you can use the WBEMTEST tool by Microsoft, which is already installed on your PC. Launch it by opening a command line window and running WBEMTEST.EXE. For more information on WBEMTEST, see https://docs.microsoft.com/en-us/mem/configmgr/develop/core/understand/introduction-to-wbemtest.
Note that you must launch WBEMTEST on the PC where you intend to install OTbase Asset Discovery in order for the test to be meaningful.
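A scripted equivalent of the WBEMTEST check is shown below as an added example, not part of the vendor procedure. It assumes Windows PowerShell on the PC where Asset Discovery will be installed; WIN-HOST-01 is a placeholder for the configured Windows system, and the hints printed for each failure type are the usual causes, not a definitive diagnosis.

```powershell
# Added example: remote WMI query against ROOT\CIMV2 using the account configured above.
$target = 'WIN-HOST-01'        # placeholder: name or IP of the configured Windows system
$cred   = Get-Credential       # the account granted DCOM and WMI permissions

try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
        -ComputerName $target -Credential $cred -ErrorAction Stop
    "OK: $target answered over DCOM/WMI ($($os.Caption), version $($os.Version))"
}
catch {
    $ex   = $_.Exception
    $type = $ex.GetType().FullName

    # Map the exception type to the configuration step that most often causes it.
    $hint = switch ($type) {
        'System.UnauthorizedAccessException' {
            'Access denied by DCOM: check the credentials and the COM Security ' +
            'Access and Launch and Activation permissions.'
        }
        'System.Runtime.InteropServices.COMException' {
            'RPC call failed: check that the required services are running and that ' +
            'the firewall rule allows this PC as a remote address.'
        }
        'System.Management.ManagementException' {
            'WMI refused the request: check the ROOT\CIMV2 namespace security ' +
            '(Enable Account and Remote Enable) for this account.'
        }
        default { 'Unclassified failure: review the message below.' }
    }

    "FAILED: $target"
    "  Type:    $type"
    "  Message: $($ex.Message)"
    "  Hint:    $hint"
}
```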