

This page applies to an earlier version of the AppDynamics App IQ Platform.
See the latest version of the documentation.



To monitor Windows-based machine hardware with AppDynamics Database Visibility, AppDynamics uses Windows Management Instrumentation (WMI) to remotely gather the metrics. WMI is often complicated to troubleshoot when the Database Agent is running on a Linux or Unix-like machine. This topic identifies requirements for the target machine configuration that can help you avoid some problems and pitfalls. It also provides some additional considerations regarding using WMI to monitor a SQL Server database agent and preventing unauthorized remote access to WMI.

Named Windows Account:

The user specified in the collector configuration that the AppDynamics Database Agent uses to connect to the target machine is referred to as the "named Windows account."


Requirements to Monitor Windows 7 and Higher Systems (agent running on Unix-like platform)

The following are required when the Database Agent is hosted on AIX, Linux or Solaris platforms to monitor Windows 7 and higher systems.

Ensure User Account Meets Minimum Security Requirements When Using WMI

Enable Security Options for Windows Systems that are part of a Domain

Ensure the named Windows account has the correct permissions for WMI Control.

  1. Run the wmimgmt.msc program.
  2. Right click the WMI Control icon on the left and click Properties.
  3. Click the Security tab.
  4. Click the root node of the tree, and click Security.
  5. Ensure that the named user account running the Database Agent has the relevant permissions. 

    The minimum permissions that your remote Windows account needs for the Database Agent are:

    • Execute Methods
    • Enable Account
    • Remote Enable 

If the named Windows account does not have all of these permissions, you might see an access denied error or the following error: 

Error=800706BA The RPC server is unavailable. SWbemLocator 

or  

Error=80070005 Access is denied SWbemLocator 

Enable Classic Security Options for Local (non-domain) Windows Systems

Applies to Windows computers that are not part of a domain.

  1. Open the Control Panel, and go to Administrative Tools > Local Security Policy.
    The Local Security Settings window appears.
  2. Go to Local Policies > Security Options.
  3. Change the value of "Network access: Sharing and security model for local accounts." to Classic.

Enable Remote Registry Access

The Remote Registry service must be running on the target machine. If the Remote Registry service is off, you will see the following error:

Message not found for errorCode: 0xC0000034

or 

Access is denied

By default, Windows 7 and above systems still deny remote access to the registry, even if the Remote Registry service is started.

To test this, try to connect to the slave registry via regedit on another machine. If you get an error similar to Access is denied, run PowerShell as an administrator on the slave, and execute Enable-PSRemoting. Restart the machine and try launching the slave again.

Grant Access to WBEM Scripting Locator

The Database Agent requires full access to the WBEM Scripting Locator. On the target system allow full access to the WBEM Scripting Locator as follows: 

  1. As an Administrator on the target machine, launch regedit.
  2. Locate the registry key:
    76A64158-CB41-11D1-8B02-00600806D9B6 in HKEY_CLASSES_ROOT\CLSID
  3. Right click the key and click Permissions.
  4. Click Advanced, and then on the Owner tab change the owner to the Administrators group. Click Apply.
  5. On the Permissions tab change the permissions for the Administrators group to Full Control. Click Apply.
  6. Close regedit.
  7. Restart the Remote Registry Service, using Administrative Tools > Services.

Configure the Firewall

WMI uses RPC, which listens on port 135 but then allocates a dynamic port for subsequent communication. Configure your firewall to always allow the TCP port 135 exception and follow the dynamic RPC ports. If there is a problem with the firewall or port 135, you will probably see this error:

ERROR: Message not found for errorCode: 0xC0000001

For more information, see How to configure RPC dynamic port allocation to work with firewalls.
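
The firewall requirement above can be met with rules limited to the Database Agent host instead of a general port 135 exception. This is an added example, not AppDynamics code; it assumes Windows 8 / Server 2012 or later (NetSecurity module), and the agent address and rule group name are placeholders.

```powershell
# Added example, not AppDynamics code. Run elevated on the target machine.
# Assumes Windows 8 / Server 2012 or later, where the NetSecurity module exists.
# 192.0.2.10 is a placeholder for the Database Agent host's address.
$AgentAddress = '192.0.2.10'
$RuleGroup    = 'Database Agent WMI access (example)'   # hypothetical group name

$common = @{
    Group         = $RuleGroup
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'
    RemoteAddress = $AgentAddress     # only the agent host may connect
    Profile       = 'Domain', 'Private'
}

# TCP 135: the RPC endpoint mapper that the agent contacts first.
New-NetFirewallRule @common -DisplayName 'DB Agent: RPC endpoint mapper' -LocalPort RPCEPMap

# The dynamically allocated RPC port used for the rest of the session.
# The RPC keyword matches whichever port RPC assigns, so no fixed range is opened.
New-NetFirewallRule @common -DisplayName 'DB Agent: RPC dynamic ports' -LocalPort RPC

# Confirm both rules are enabled and scoped to the agent address.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize
```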

Additional Requirements to Monitor Windows 2012 and Higher Systems (agent running on Unix-like platform)

In addition to the requirements described in Requirements to Monitor Windows 7 and Higher Systems, the following are also required when the Database Agent is hosted on AIX, Linux or Solaris platforms to monitor Windows 2012 and higher systems. 

Grant Full Control Permissions to Select Registry Keys

For the Database Agent running on AIX, Linux or Solaris to monitor Windows 2012 (64-bit) and above systems, complete the following changes on the target system.

  1. As an Administrator on the target machine, launch regedit.
  2. Change the permissions for both of the following registry keys to Full Control:
    72C24DD5-D70A-438B-8A42-98424B88AFB8 in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
    76A64158-CB41-11D1-8B02-00600806D9B6 in HKEY_CLASSES_ROOT\CLSID
  3. Find the following registry key: 
    72C24DD5-D70A-438B-8A42-98424B88AFB8 in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  4. Right click and click Permissions.
  5. Change the owner to the Administrators group.
  6. Change the permissions for the Administrators group to Full Control.
  7. Change the owner back to TrustedInstaller. The user is "NT Service\TrustedInstaller" on the local machine.
  8. Repeat steps 4 to 6 above for the following registry key:
     76A64158-CB41-11D1-8B02-00600806D9B6 in HKEY_CLASSES_ROOT\CLSID
  9. Close regedit.
  10. Restart the Remote Registry service, using Administrative Tools > Services.

General Considerations for all Platforms

These topics apply to the Database Agent running on Windows systems.

Use Windows Authentication for Microsoft SQL Server

To use Windows Authentication for the Database Agent to connect to a Microsoft SQL Server database instance, you must start the Database Agent with a command similar to the following, which specifies the path to the Database Agent authentication library.

Windows 64-bit

java -Djava.library.path="C:\dbagent404\auth\x64" -jar db-agent.jar

Windows 32-bit

java -Djava.library.path="C:\dbagent404\auth\x86" -jar db-agent.jar

Also, the Windows account used to start the Database Agent must be a Windows user who can authenticate with the database server.

Prevent Unauthorized Remote Access to WMI

For Windows 2003 R2 SP2

You may want to set up extra security in the Windows Distributed Component Object Model (DCOM) to prevent unauthorized users from accessing WMI remotely. The following configuration prevents users other than those you configure from remotely accessing WMI. Configure the named Windows account as follows:

  1. On the target machine, add the named Windows account to the Performance Monitor Users group.
  2. In Services and Applications, bring up the properties dialog of WMI Control. On the Security tab, highlight Root/CIMV2, click Security > Add Performance Monitor Users and enable the options: Enable Account and Remote Enable.
  3. Run dcomcnfg. Click Component Services > Computers > My Computer > Properties > COM Security, and then click Edit Limits for both Access Permissions and Launch and Activation Permissions. Add Performance Monitor Users and allow remote access, remote launch, and remote activation permissions.
  4. In Component Services > Computers > My Computer > DCOM Config > Windows Management Instrumentation, give Remote Launch and Remote Activation privileges to the Performance Users Group.
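
To check the result of both the WMI Control permission steps earlier on this page and the hardening steps above, the namespace ACLs can be read back and decoded. This is an added example, not AppDynamics code; it assumes Windows PowerShell 3.0 to 5.1 run elevated on the target machine, and the function name Get-WmiNamespaceAcl is hypothetical.

```powershell
# Added example, not AppDynamics code. Run elevated on the target machine.
# Assumes Windows PowerShell 3.0-5.1 (Invoke-WmiMethod is not in PowerShell 7).

# WMI namespace access-mask bits, named as they appear in the WMI Control dialog.
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

function Get-WmiNamespaceAcl {
    param([string]$Namespace = 'root')

    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed on $Namespace (code $($result.ReturnValue))"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        $mask    = $ace.AccessMask
        $granted = $WmiRights.Keys | Where-Object { $mask -band $WmiRights[$_] }
        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
                   else { $ace.Trustee.Name }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = $trustee
            Type      = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { 'Other' } }
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            Rights    = $granted -join ', '
            Remote    = [bool]($mask -band 0x20)           # Remote Enable
        }
    }
}

# root carries the agent's minimum permissions; root\cimv2 is the namespace hardened above.
$acl = 'root', 'root\cimv2' | ForEach-Object { Get-WmiNamespaceAcl -Namespace $_ }
$acl | Format-Table -AutoSize

# Allow entries that can reach WMI over the network: every trustee listed here should be
# Administrators or the group that holds the named Windows account.
$acl | Where-Object { $_.Type -eq 'Allow' -and $_.Remote } |
    Select-Object Namespace, Trustee, Rights
```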