+ aLTeReGo
I have a question for the developers.
Does the Windows "Peer Name Resolution Protocol" service need to be in good working order for SAM application monitoring to work properly on a Windows workstation?
I ask because of the following scenario. This might be long so please bear with me...
We are monitoring a great deal of Windows 7 Pro workstations using both WMI and the SAM Polling Agent and have been investigating a lot of strange issues with our environment.
To provide some context on the problem, I'll explain how we are monitoring these nodes.
Two SAM app templates are applied to each node that do the following:
- WMI Process Monitor for "ACS32.exe" --- This is a simple component monitor to verify that ACS32.exe is running at all times. Standard CPU and memory thresholds are in place. An alert email notification will trigger when the thresholds are breached, or if the process is not found ('down').
- Windows Powershell Monitor -- Runs a script that parses the ACS32.exe application log file for a very specific error entry and stores the count as a statistic. The threshold for this component is the count. If the statistic is >= 1 for a single poll then go critical.
Our main problem is the WMI process monitor on these nodes. In the SolarWinds web console we see a lot of them stuck in "Initial poll in progress".
Screenshot:

I've seen plenty of posts here on Thwack that explain widespread problems with "initial poll in progress". However this is a different case in our situation because it is not a widespread problem. It is only a problem on our Windows 7 Pro workstations so the root cause screams to me, "The problem is the Windows config! Blame Windows!". Plus our entire Orion environment was just rebuilt from scratch on new 2012 R2 servers so I am hesitant to blame SolarWinds... I'll continue with the story.
We Damewared into the node and looked at the local Event Viewer and immediately saw errors related to the PNRP service.
Screenshot:

When we open up the Windows Services MMC console (Start > Run > services.msc) and try to manually start the service the same error appears.
Screenshot:

We found the fix to this error and have our own process:
- Using an account that has administrative rights to the PC, UNC to the following path: \\HOSTNAME\c$\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking.
- Rename IDSTORE.ISS to IDSTORE.ISS.OLD.
- Start the Peer Name Resolution Protocol service and a new IDSTORE file will automatically be created.
- Stop the SolarWinds Agent service (net stop solarwindsagent)
- Start the SolarWinds Agent service (net start solarwindsagent)
- Wait a few minutes then check the SolarWinds web console to verify monitoring is working as expected.
It seems that after fixing the errors with the PNRP service all of our monitoring for the node starts working on its own. Not only that, other interesting and good things started happening to this node. Refreshing the event viewer after running the PNRP fix showed the following:
- Windows Updates from WSUS started getting applied to the node (Updates had apparently been failing for several months according to the Windows Update history)
- Updated Group Policy changes were being applied, which had also been failing for several months
- The node was able to communicate with DNS and the A record updated for the node.
- New SCCM client updates deployed to the node
- And other domain related and DCOM errors simply went away.
I had never heard of the PNRP service before so I did some research into what this is.
First, it appears this service is something that is NOT installed/enabled on Windows Servers. I only see this service on Windows workstations.
There is a description of the service in the MMC console. It says:
"Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). If disabled, some peer-to-peer and collaborative applications, such as Remote Assistance, may not function."
There is one dependency of PNRP called "Peer Networking Identity Manager". The description of that service says,
"Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. If disabled, the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services may not function, and some applications, such as HomeGroup and Remote Assistance, may not function correctly."
**** "and some applications"..... this interests me.
Searching the web for PNRP issues reveals articles that talk about fixing issues with trying to join HomeGroups and little else. We obviously don't use HomeGroups in a corporate domain environment.
I did some digging around with our IT Sec group and desktop support teams who manage and deploy our Windows workstations and they said that they do disable the PNRP service since they couldn't find a reason why it would need to be enabled. It is a mandate from our security group to disable any "unneeded" Windows services in MDT/SCCM for security reasons.
Beyond that, I cannot find any articles or blog posts about the possible implications of disabling the PNRP service in Windows.
So this makes me wonder --- On Windows workstations (not servers), is the PNRP used in any way for SAM monitoring to work?
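
The manual fix steps listed in the post, scripted for one workstation as an added PowerShell example that is not part of the original post or of any SolarWinds tooling. Assumptions: the PNRP service short name is PNRPsvc, the agent service name is the one used in the post's `net stop solarwindsagent`, and CIM over DCOM is used because WinRM may not be enabled on Windows 7 clients.

```powershell
# Added example: applies the post's IDSTORE.ISS fix to one remote workstation.
# Run with -WhatIf first to see what would change without touching the node.
[CmdletBinding(SupportsShouldProcess = $true)]
param([Parameter(Mandatory = $true)][string]$ComputerName)

$ErrorActionPreference = 'Stop'
$store = "\\$ComputerName\c$\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\IDSTORE.ISS"
# DCOM is an assumption; drop -SessionOption to use WinRM where it is enabled.
$session = New-CimSession -ComputerName $ComputerName -SessionOption (New-CimSessionOption -Protocol Dcom)

function Get-Svc([string]$Name) {
    Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='$Name'"
}
function Invoke-Svc([string]$Name, [string]$Method) {
    $r = Invoke-CimMethod -CimSession $session -InputObject (Get-Svc $Name) -MethodName $Method
    if ($r.ReturnValue -ne 0) { throw "$Method on $Name returned $($r.ReturnValue)" }
}

try {
    $pnrp = Get-Svc 'PNRPsvc'
    if ($pnrp.StartMode -eq 'Disabled') {
        # The post says PNRP is disabled by security mandate on some builds:
        # report it rather than silently overriding that policy.
        throw "PNRPsvc is Disabled on $ComputerName; start mode left unchanged."
    }
    if ($pnrp.State -ne 'Running') {
        # Rename-Item fails if IDSTORE.ISS.OLD already exists, so an earlier
        # backup is never overwritten.
        if ((Test-Path -LiteralPath $store) -and
            $PSCmdlet.ShouldProcess($store, 'Rename to IDSTORE.ISS.OLD')) {
            Rename-Item -LiteralPath $store -NewName 'IDSTORE.ISS.OLD'
        }
        if ($PSCmdlet.ShouldProcess('PNRPsvc', 'Start')) {
            Invoke-Svc 'PNRPsvc' 'StartService'   # service recreates IDSTORE.ISS
        }
    }
    if ($PSCmdlet.ShouldProcess('SolarWindsAgent', 'Restart')) {
        Invoke-Svc 'SolarWindsAgent' 'StopService'
        # StopService returns before the service is fully stopped; wait up to 60 s.
        for ($i = 0; $i -lt 30 -and (Get-Svc 'SolarWindsAgent').State -ne 'Stopped'; $i++) {
            Start-Sleep -Seconds 2
        }
        Invoke-Svc 'SolarWindsAgent' 'StartService'
    }
    # Emit the final service state so the run can be logged per node.
    Get-Svc 'PNRPsvc'
    Get-Svc 'SolarWindsAgent'
}
finally { Remove-CimSession $session }
```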