Jeevan Bisht's System Center Blog

System Center Rocks !!

OpsMgr 2007 SP1: The case of failing Agent Install

OpsMgr 2007 SP1: The case of failing Agent Install

  • Comments 2
  • Likes

Recently came across an issue where we were failing to install Opsmgr 2007 SP1 Agent on new network segment. These all seems to be Windows Server 2008 Servers, eventually it turned out to be an issue not specific to 2008 in particular. To narrow down on the cause we collected the verbose MSI log

 

msiexec /i <momagent.msi> /lvoicewarmup c:\install.log

 

You probably would see these two events in your event log

 

===========================

Log Name: Application

Source: MsiInstaller

Date: 2/24/2009 10:33:51 AM

Event ID: 1033

Task Category: None

Level: Information

Keywords: Classic

User: <domain\user>

Computer: <fqdn>

Description: Windows Installer installed the product. Product Name: System Center Operations Manager 2007 Agent. Product Version: 6.0.6278.0. Product Language: 1033. Installation success or error status: 1603.

 

===========================

Log Name: Application

Source: MsiInstaller

Date: 2/24/2009 10:33:51 AM

Event ID: 11708

Task Category: None

Level: Information

Keywords: Classic

User: <domain\user>

Computer: <fqdn>

Description:

Product: System Center Operations Manager 2007 Agent -- Installation operation failed.

 

 

============

Install.log

============

MSI (s) (94:DC) [21:50:05:758]: Executing op: ActionStart(Name=ca_GrantAuditLogAccess.A7850EAF_DD6F_4ED6_9581_E958CBD8A522,,)

MSI (s) (94:DC) [21:50:05:758]: Executing op: CustomActionSchedule(Action=ca_GrantAuditLogAccess.A7850EAF_DD6F_4ED6_9581_E958CBD8A522,ActionType=3073,Source=BinaryData,Target=GrantAuditLogAccess,)

MSI (s) (94:10) [21:50:05:774]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIB46.tmp, Entrypoint: GrantAuditLogAccess

 

1: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87

1: ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057

1: GrantAuditLogAccess(): ModifyEventLogAccessForNetworkService() returned 0x00000643.

 

MSI (s) (94:DC) [21:50:05:805]: User policy value 'DisableRollback' is 0

MSI (s) (94:DC) [21:50:05:805]: Machine policy value 'DisableRollback' is 0

Action ended 21:50:05: InstallFinalize. Return value 3.

 

So from the log we can see

>>1: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87 : Probably it could not read the SecurityDescriptor in the first place

>>> ModifyEventLogAccessForNetworkService(): Could not grant read access to Security Log: 0x00000057

 

Cause

=====

We enumerated the following registry key

>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

 

Checked the customSD(Security Descriptor) string

Appartently 0x1 indicates read-only, which seems to be the problem to a specific user whose GUID is mentioned

"customsd"="(A;;0x1;;;S-1-5-21-542683309-1449951431-3854495092-13117)"

 

 

For More Understanding

----------------------------------

To construct an SDDL string, note that there are three distinct rights that pertain to event logs:

Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:

1= Read

2 = Write

4 = Clear

The following is a sample SDDL that shows the default SDDL string for the Application log.

 The access rights (in hexadecimal) are bold-faced for illustration:

 

O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x5;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)

 

For example,

The sixth ACE(Access Control Entry) permits Interactive Users to read and write to the log. (A;; 0x3;;;IU)

where

IU = Interactive Users

0x3 = 0x1(Read) + 0x2(Write)

 

Solution :

===========

a)       We removed the CustomSD string  from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

b)       Ran regsvr32 scecli.dll 

                 For better understanding on SDDL refer http://support.microsoft.com/kb/323076

  • Thank Jeevan!  I've been struggling with this issue on random servers for over a month trying to figure out why the SCOM agent will not install!  After applying this change, the agent installed successfully!  :)

  • I've never ever figured out this solution. Thank you very much. :)

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment