Unable to connect to another computer to view/start/stop services.

I manage a domain of roughly 300 workstations. I am a member of the domain admins group. I need to connect to numerous different workstations on my network to view the services and start/stop them as necessary. To do this I have been using the services.msc snap in via Action-> Connect to another computer. I am recieving an error on many of the workstations I attempt to connect to stating:

"Unable to open service control database on <computer name>"
"Access is Denied"

Some workstations I connect to fine, and I am able to change services as I wish, however many are displaying the above error and not letting me proceed. One thing I noticed however was that if I connect using the ip address instead of the host name it allows me to view the list of services however gives me an access denied error when attempting to start/stop some of the services.

I searched the other solutions on the site but was unable to find anything specific to my problems. Any help would be appreciated. Any questions feel free to ask. Thank you.
adw123Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PeteJThomasCommented:
Is either the account you're logging on with or the domain admins group a member of the local admins group on all of the PCs you manage?
0
adw123Author Commented:
Yes, the Domain Admins group is part of the local admin group.
0
PeteJThomasCommented:
I can't say i've ever had the exact same problem before, but in our domain we have a group just for the IT admins users, and we ensure that this group is added to all clients local admins group on the domain through Restricted Groups in GPO.

I've had a problem in the past where certain users have had local admin perms themselves, and have been able to remove the Domain Admins group from the local admins group. However using Restricted groups resolved this, as if they remove the IT Admins group it just adds itself back in...

Anyway, I may be getting sidetracked there, as if you're certain that the machines you're having trouble with still have this membership set, this can't be the problem... Sorry!
0
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

adw123Author Commented:
I'm not an expert when it comes to group policies but I believe our policy is setup to add the local admin to the domain admins. Let me explain how I'm viewing this as maybe I'm not understanding the setting correctly.

I open up my group policy to edit.
I goto:
Computer Configuration
   Windows Settings
      Security Settings
         Restricted Groups
            Open Administrator properties and the following groups under "Members of this group"
               Domain\Administrator
               Domain\Domain Admins
               Domain\Computer Admins
               Administrators

In addition to this, I am told that the image we use for our new workstations has the domain admin manually added to the local admin group. I've only been here for a few months though so I'm not certain how the image was built. Older machines may not have had this setting set. This may have something to do with me not being able to access some workstations but I am able to access others.
0
and235100Commented:
Check out the permissions on the following key on one of the workstations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Make sure that Local System has read - then try the remote snap in to this computer...
0
PeteJThomasCommented:
I'm no expert either, but if you get the chance, it may be worth actually checking the memberships of the local admins group on one of the PCs you're having problems with - If you find that instead of group/user names you're getting unresolved SSIDs etc, that would be a good indicator of the problem! Although if an expert in the area advises differently, just ignore me! :)
0
adw123Author Commented:
I went out on the floor and checked three workstations that were giving me problems. All three had the Domain Admins group added to the local admin group. I also checked the key that you had mentioned (and235100) and the permissions are set as follows.

Administrators (Full access)
Backup Operators (Read Access)
Local Service (Read Access)

The system would not recognize a Local System group/user although I assumed you meant Local Service which is there.
0
adw123Author Commented:
I am now experiencing another error message on some systems, which may mean it is more than one problem. The error I'm receiving is:

Unable to open service control manager database on <Computer Name>
Error 1722: The RPC server is unavailable.
0
and235100Commented:
Yes, apologies for that. I did mean Local Service.

I take it that you have tried removing one from the domain, rebooting it, delete from AD, then re-join it?
Just to check - you haven't got any firewalls enabled?
0
and235100Commented:
0
adw123Author Commented:
All workstations in our environment have the windows firewall enabled through our policy. We also have a hardware firewall. I don't see how the firewall can be part of the problem if I can connect to some workstations but not others if all firewalls are enabled.

I haven't tried removing then rejoining any workstations to the domain, however this really isn't an option I'd like to do. Of my 300 systems, maybe 50 are giving me problems. I rather not rejoin 50 computers if this is that is the way to solve my problem. I hate to be a pain, but Isn't there another way?
0
and235100Commented:
Could you just try rejoining one station?
This might be a security/access issue - just want to check it isn't something more global than that...
0
adw123Author Commented:
Ok, no problem, if it helps you better troubleshoot this problem. Our call center will be closing shortly. At which time I can go ahead and do this.
0
adw123Author Commented:
I went ahead and rejoined the workstation to the domain and I can now connect to the services. I have some other information as well. It appears that the ip address for this workstation was linked to 2 seperate hostnames. Pinging each name resolved to the same ip address. I went ahead and joined the workstation back as one of the original hostnames then deleted the other entry.
0
and235100Commented:
Okay - can you try deleting any duplicate A records in dnsmgmt.msc - and reboot a station or two, and try again?
0
adw123Author Commented:
I'm sorry but can you explain what an A record is exactly?
0
and235100Commented:
This might just be a DNS reference to client issue.

This explains why you can connect to a station via IP using the mmc snap-in - and of course - if DNS is not working properly - you probably will get the errors you have been facing.

Open dnsmgmt.msc on your first domain controller.
Then - under <server name>\Forward Lookup Zones\domain.<name>\ if you expand the list - you can see all the host (A) records in the right-hand pane of the window.
Click to sort by IP address - and scroll through the list, deleting any A records for stations on the same IP address.
As long as your DNS zones are AD-integrated, you won't have to repeat this on your other DCs (if applicable)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
and235100Commented:
0
adw123Author Commented:
Ok, After looking at this I understand now. If I delete both duplicate records though, will the correct records be created again when the system is restarted in the morning, or do I have to determine which host name is the valid one? After doing this with one system, this seems to be the solution I was looking for, but I don't want to haphazardly clear out all the duplicates if this may screw up my network somehow. I apologize for my limited knowledge here.
0
and235100Commented:
Clearing out any duplicates will not "screw up your network".
The valid DNS records for stations will be re-created automatically.
0
adw123Author Commented:
Thanks for your help. That seems to be working.
0
and235100Commented:
Thank you. Happy to help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.