The PerfectDisk Enterprise Console uses WMI or Remote Service Control Manager to deploy PerfectDisk Clients.
The PerfectDisk Enterprise Console can use either DCOM OR a user specified TCP/IP port for non-deployment tasks such as scheduling and configuring clients.
In order to use the PerfectDisk Enterprise Console to deploy and manage PerfectDisk clients in a network environment, there are several pre-deployment tasks that must be performed. If you do not perform these tasks, it can result in the PerfectDisk Enterprise Console not being able to deploy or manage PerfectDisk in your network. This can result in errors showing up in the Task History indicating Access Denied, RPC Server unavailable, Logon Failure, etc.
In most instances, errors that occur when trying to deploy or manage the PerfectDisk Client using the PerfectDisk Enterprise Console are the result of a firewall or security configuration that prevents the Enterprise Console from communicating through the network to the PerfectDisk Client on a remote system. Below can be found information about the ports and protocols that need to be allowed access through a firewall. Please contact Raxco Technical Support if you have questions or need assistance with configuring your firewall or computer.
The Windows firewall must be configured to allow the PerfectDisk Enterprise Console and PerfectDisk to communicate through the network. The PerfectDisk Console and PerfectDisk Client communicate between computers using RPC, DCOM and WMI. This requires ports 135 and 445 to be opened and PerfectDisk must be added to the list of allowed programs to communicate through these ports. This is accomplished by adding PDAgent.exe and PDConsole.exe to the list of authorized applications and turning on Remote Administration (opens ports for RPC, DCOM and WMI) and File and Print Sharing (TCP139, TCP445, UDP137, UDP138 - allows credential validation through the network).
To configure the Windows firewall to allow the PerfectDisk Enterprise Console to communicate through the network via DCOM, enter the following commands at the command prompt:
netsh firewall add allowedprogram "path to pdconsole\PDConsole.exe" PDConsole ENABLE SUBNET
netsh firewall set service REMOTEADMIN ENABLE SUBNET
netsh firewall set service FILEANDPRINT ENABLE SUBNET
netsh firewall add portopening TCP 135 RPC_PD ENABLE SUBNT
To configure the Windows firewall to allow the PerfectDisk Client to communicate through the network, enter the following commands at the command prompt:
netsh firewall add allowedprogram "path to pdagent\PDAgent.exe" PDAgent ENABLE SUBNET
netsh firewall set service REMOTEADMIN ENABLE SUBNET
netsh firewall set service FILEANDPRINT ENABLE SUBNET
netsh firewall add portopening TCP 135 RPC_PD ENABLE SUBNET
If you have specified a specific TCP/IP port to be used for non-deployment tasks, you will need to ensure that the firewall is configured to allow access on this port.
Raxco Software provides a script that will automatically configure the Windows firewall to allow PerfectDisk to communicate through the network. You can download this script from Raxco Software.
Note: If you are managing the Windows firewall using Active Directory Group Policy, you will need to make the change at the Group Policy level. If you make it at the local system level, the firewall configuration may be reset when Active Directory refreshes the Group Policy.
If the PerfectDisk Enterprise Console is running on a Windows XP Service Pack 2 system or a Windows Server 2003 system and you wish to use the Connect using PerfectDisk feature of the Enterprise Console, the Local Security Policy for Network access: let Everyone permissions apply to anonymous users needs to be Enabled (Microsoft Knowledge Base Article 278259) in order for the remote system to communicate back to the Enterprise Console.
For Windows XP systems NOT in a domain environment, the Local Security Policy for Network access: Sharing and security model for local accounts needs to be set to Classic - Local users authenticate as themselves.
The following service needs to be started on the computer running PerfectDisk Enterprise Console:
Secondary Logon Service - Allows processes to start under alternate credentials.
The following services need to be started on the computer running PerfectDisk Enterprise Console and all managed clients:
DCOM Server Process Launcher (Windows XP/2003/Vista only) - Provides launch functionality for DCOM services.
Net Logon (Domain environments only) - Supports pass-through authentication of account logon events for computers in a domain.
Remote Procedure Call (RPC) - Provides the endpoint mapper and other miscellaneous RPC services.
Windows Management Instrumentation - Provides a common interface and object model to access management information about operating system, devices, applications and services.
Workstation - Creates and maintains client network connections to remote servers.
DCOM (Distributed COM) needs to be enabled on both the PerfectDisk Enterprise Console computer as well as all remote computers.
For Windows 2000 systems, run DCOMCNFG.
For Windows XP/2003 systems, go to Administrative Tools->Component Services and expand Component Services/Computers. Right mouse click on My Computer and select Properties.
For both Windows 2000 and Windows XP/2003 systems, click the Default Properties tab and make sure that Enable Distributed COM on this Computer is selected.
The Coordinated Universal Time (UTC) time on a remote system can not be more than 5 minutes different than the UTC time on the PerfectDisk Enterprise Console computer. UTC is an international standard 24-hour timekeeping system used by Windows. If the UTC time is too far apart, the Kerberos authentication protocol will not work (Microsoft Technet Article).
For additional help in diagnosing issues with deploying and managing PerfectDisk using the PerfectDisk Enterprise Console, please visit the PerfectDisk Enterprise Console Support Site.