Unable to add new Volume targets after security policy changes prevent EV from communicating with remote systems.

Article ID: 100043064

Description

Error Message

[Image: Error adding a New Volume target for a NetApp C-mode SVM]

[Image: Disconnected status of the external-engine]

Dtrace output showing the Access Denied response from the function that validates the target:

{VaultCreateInstanceRequest::CreateInstance} Attempt [1] to create COM object failed. CLSID [{B2656BAB-30C3-4209-B628-45CECE8CE882} (AdminService.AdminLicense.1)] Server Name [EVSVR.WindowsDomain.Extension] Elapsed [0.005s] Result [Access is denied. (0x80070005)]

{VaultCreateInstanceRequest::CreateInstance} CLSID [{B2656BAB-30C3-4209-B628-45CECE8CE882} (AdminService.AdminLicense.1)] Server Name [EVSVR.WindowsDomain.Extension] Used Server Name [EVSVR.WindowsDomain.Extension] Num of attempts [1] Total elapsed [0.213s] Result [Access is denied. (0x80070005)]

NOTE: Windows Management Instrumentation (WMI) is a set of specifications for the management of Windows systems. The Wbemtest.exe tool is used to check connectivity and access to other Windows systems on the network.

[Image: Wbemtest.exe error]

Cause

Although the prerequisites for the target platforms may have been configured correctly, if OS-specific features are later disabled by hardening policy changes, EV will not be able to communicate with remote systems through WMI.

 

Using Wbemtest.exe to test WMI access to a remote system showed that the RPC connection could not be established.

Resolution

A thorough review of the changes implemented in the hardening policy revealed that certain key OS functions had been disabled or restricted, as listed below:

 

Revocation of permissions/rights/privileges on the Vault Service Account (VSA) inhibited the normal working of Enterprise Vault:

  1. The VSA's dbcreator privilege was revoked on the MS-SQL server.

Resolution: Privilege enabled.

  2. The user rights Log on as a service, Debug programs and Replace a process-level token were revoked for the VSA using GPO.

Resolution: A separate security group for the VSA, with the required exceptions, was created.

  3. RPC Interface Restriction in the Windows registry inhibited RPC connections to remote processes/systems. The registry key and values are:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC

RestrictRemoteClients

EnableAuthEpResolution

 

Once the changes listed above were reversed, Enterprise Vault was able to establish the required connections to the remote platforms.
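The following PowerShell script is an added example, not part of this article or of Enterprise Vault, that audits from the EV server the four settings the resolution above names: the RPC policy values, the three VSA user rights, remote WMI over DCOM (the path Wbemtest.exe exercises), and the VSA's dbcreator membership. The host, account and SQL instance names are placeholder assumptions; run it elevated under an account with SQL access.

```powershell
# Added example (not Veritas code). Placeholders: $RemoteHost is an archiving target,
# $Vsa the Vault Service Account, $SqlInstance the SQL Server hosting the EV databases.
param(
    [string]$RemoteHost  = 'FILESRV01',
    [string]$Vsa         = 'WindowsDomain\svc_ev',
    [string]$SqlInstance = 'EVSQL01'
)

# 1. RPC interface restriction policy (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC).
#    Absent values mean the OS default applies; a value present here was set by policy.
$rpcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'
$rpc = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
foreach ($name in 'RestrictRemoteClients', 'EnableAuthEpResolution') {
    $value = if ($rpc) { $rpc.$name } else { $null }
    if ($null -eq $value) { "$name : not set (OS default)" }
    else                  { "$name : $value (enforced by policy - review against EV prerequisites)" }
}

# 2. User rights the article says were revoked. secedit lists holders as SIDs (*S-1-5-...),
#    so compare the output with the VSA's SID or its security group.
$cfg = Join-Path $env:TEMP 'ev-secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
foreach ($right in 'SeServiceLogonRight', 'SeDebugPrivilege', 'SeAssignPrimaryTokenPrivilege') {
    $line = $policy | Where-Object { $_ -like "$right*" }
    "$right : " + $(if ($line) { $line.Split('=')[1].Trim() } else { 'assigned to nobody' })
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Remote WMI over DCOM/RPC, the same transport Wbemtest.exe uses (WSMan is not used).
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $cim = New-CimSession -ComputerName $RemoteHost -SessionOption $opt -ErrorAction Stop
    $os  = Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem -ErrorAction Stop
    "WMI/DCOM to $RemoteHost : OK ($($os.Caption))"
    Remove-CimSession $cim
} catch {
    "WMI/DCOM to $RemoteHost : FAILED - $($_.Exception.Message)"
}

# 4. dbcreator server-role membership of the VSA (IS_SRVROLEMEMBER returns 1, 0 or NULL).
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=True")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT IS_SRVROLEMEMBER('dbcreator', @login)"
$cmd.Parameters.AddWithValue('@login', $Vsa) | Out-Null
$isMember = $cmd.ExecuteScalar()
$conn.Close()
"dbcreator for $Vsa : " + $(if ($isMember -eq 1) { 'granted' } else { 'missing, or login unknown' })
```

Each section prints one line per checked setting, so the output can be kept alongside the Deployment Scanner report as a record of the state before and after a hardening change.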

 

It is always recommended to run the Deployment Scanner to validate the prerequisites.

 

Issue/Introduction

Upon the initial implementation of EV as an archiving solution, a number of prerequisites are documented and are validated by the Deployment Scanner.

In addition to the permissions assigned at different levels, depending on the platform being archived, some basic Operating System features such as RPC and WMI are required to allow inter-system communication.

If, at a later stage, additional security policy settings are modified to implement a hardening approach, these changes may prevent EV from communicating with remote systems at the RPC or WMI level.

This may affect any platform, whether Windows, NetApp, Celerra/VNX or CIFS-compliant NAS servers, and it affects existing as well as newly defined targets.

Depending on the policy settings that are blocked, errors such as those shown in the Error Message section above may occur.