The vRA7.2 minimal environment upgrade to 7.6 fails in the pre install script check with the following error to IaaS windows machine ( hosted with all the vRA components like DEM, Manager, Agent etc).
(15047) Applying automatic fix for PowerShellScriptExecution prerequisite failed.
(15005) Applying automatic fix for IISServer prerequisite failed.
Steps followed:
-> Powershell execution is updated in gpedit.msc
-> Management agent Service account is part of Administrators group and IIS App pools are configured with same service account
-> Restarted IaaS server and as well as installation, but same error. Also, firewall is disabled in IaaS server
Below is command logs from IaaS server
[UTC:2019-06-22 19:14:38 Local:2019-06-22 12:14:38] [run-prereq] Applying automatic fix for PowerShellScriptExecution prerequisite (Check that Group Policy enable PowerShell script execution) failed. Error: Disabled
Resolution: Group Policy should enable PowerShell script execution.
UTC:2019-06-22 19:14:38 Local:2019-06-22 12:14:38] [run-prereq] ERROR: Security error. Details: System.Security.SecurityException: Security error.
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
The Zone of the assembly that failed was:
MyComputer
[UTC:2019-06-22 19:14:38 Local:2019-06-22 12:14:38] [run-prereq] ERROR: Security error. Details: System.Security.SecurityException: Security error.
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
The Zone of the assembly that failed was:
MyComputer
[UTC:2019-06-22 19:14:38 Local:2019-06-22 12:14:38] [run-prereq] ERROR: Applying automatic fix for IISServer prerequisite (IIS Server) failed. Error: Error while applying fix for IISServer:
Security error.
Security error.
From IaaS server All log
[UTC:2019-06-22 19:18:59 Local:2019-06-22 12:18:59] [VMware.Cafe]: [sub-thread-Id="9" context="" token=""] (5638) GET config/nodes/7953ABB0-F4D5-......./commands/next-command
[UTC:2019-06-22 19:19:00 Local:2019-06-22 12:19:00] [VMware.Cafe]: [sub-thread-Id="22" context="" token=""] (5638) Response: NotFound(404) 0:00.290
Any help appreciated
The manual upgrade of the IaaS node amounts to:
a) After the Cafe virtual appliance(s) have been upgraded browse to "https://<FQDN of primary cafe node>:5480/installer/" and download both "Management Agent Installer" and "IaaS Installer" and save to a folder. Do not browse to the IP address or hostname or VIP name.
b) Login to your IaaS node as the vRA service account. This would be the same Windows account used for the initial setup of vRA. Theoretically you could use any user with local administrator access I have found that things go much better when you use the vRA service account.
c) Copy over the folder with the updates from above.
d) Launch what you downloaded for "Management Agent Installer", e.g. "vCAC-IaaSManagementAgent-Setup.msi", and upgrade the management agent.
e) Launch what you downloaded for "IaaS Installer", e.g. "setup__<FQDN of primary cafe node>@5480.exe" and upgrade the IaaS components.
f) Reboot as required.
g) Next IaaS node.
In a distributed environment there is a specific order of IaaS node upgrades.
Upgrade the IaaS Components After Upgrading vRealize Automation to the Target Release
Have upgraded vRA appliance first by excluding the IaaS components and upgraded them separately.
blah
I agree with balawiz. Having encountered problems trying to upgrade from vRA 7.3 to 7.5 with the IaaS components VMware GSS recommended disabling the autoupdate of IaaS and instead upgrade each IaaS node individually. The problem is due to the VAMI upgrade wizard not bubbling up pre-requisite check failures.
My upgrade process (distributed with NLB) from a very high level is something like:
1) Make sure vRA is healthy.
2) Gracefully shutdown all IaaS and Cafe servers.
3) Create backup/virtual machine snapshots.
4) Power up in order.
5) Disable IaaS auto-update, see below.
6) Start upgrade in VAM on primary Cafe node.
7) After the Cafe appliance(s) have been upgraded shut everything down again and create another backup/virtual machine snapshots.This way if the IaaS update bursts into flames it will not be necessary to re-update the Cafe appliance(s).
😎 Upgrade IaaS management agent and components on each IaaS node.
Note that for brevity I'm leaving out a lot of steps that VMware has documented.
Updating the vRealize Automation Appliance and IaaS Components
Thank you aenagy!
Can you explain step 8 little elaborately for distributed environment? since, I tested with installing all IaaS components in single server.
The manual upgrade of the IaaS node amounts to:
a) After the Cafe virtual appliance(s) have been upgraded browse to "https://<FQDN of primary cafe node>:5480/installer/" and download both "Management Agent Installer" and "IaaS Installer" and save to a folder. Do not browse to the IP address or hostname or VIP name.
b) Login to your IaaS node as the vRA service account. This would be the same Windows account used for the initial setup of vRA. Theoretically you could use any user with local administrator access I have found that things go much better when you use the vRA service account.
c) Copy over the folder with the updates from above.
d) Launch what you downloaded for "Management Agent Installer", e.g. "vCAC-IaaSManagementAgent-Setup.msi", and upgrade the management agent.
e) Launch what you downloaded for "IaaS Installer", e.g. "setup__<FQDN of primary cafe node>@5480.exe" and upgrade the IaaS components.
f) Reboot as required.
g) Next IaaS node.
In a distributed environment there is a specific order of IaaS node upgrades.
Upgrade the IaaS Components After Upgrading vRealize Automation to the Target Release
Thank you aenagy!
We have NSX as well and we are planning to upgrade along with this upgrade. Is your environment have NSX and did you perform the upgrade?
balawiz:
The lower environments do no have NSX integration. I am trying to upgrade a pre-production environment that does have NSX integration and is still a work in progress. I would recommend the section of the documentation in the link below.
Preparing to Upgrade vRealize Automation
I would advise that you read thoroughly all of the upgrade documentation, both the docs.vmware.com as well as the release notes for the version you are upgrading to. That being said and having encountered errors while performing upgrades (not related to NSX) I will caution that VMware doesn't always make clear the decision tree that customers need to follow. More specifically, if you find yourself needing to leverage something in the Troubleshooting the vRealize Automation Upgrade section then I highly recommend opening a SR so that GSS can provide guidance on the overall procedure. Otherwise you will be left trying to stitch together the upgrade procedure.
Good luck on your upgrade.
Thank you! I am reading the mentioned documentation and preparing the steps. We are not including NSX with vRA/vRO upgrade and planning to perform along with vSphere(vCenter) upgrade.
I did upgrade to 7.5 from 7.3 with similar problems and had to do the following
- unbundle the upgrade as the management agents on the IAAS failed to upgrade as IAAS pre-reqs failed.
- NSX enabled endpoint failed on the upgrade and had to get GSS support. Had to complete the IAAS server upgrade steps by running each cmd manually and then finally upgrade the NSX endpoint. Without GSS support couldn't have done this as need to know what upgrade cmds to tun manually.
I will probably from now on always unbundle the upgrade as gives more backout points i.e do backout snapshot post CAFE upgrade successful.
Have upgraded vRA 7.2 to 7.6 successfully by separating vRA appliance and IaaS upgrades separately. The Management agent is getting upgraded along with IaaS installer. However, IaaS website component wasn't communicating with vRA after upgrade. Had to remove and install the management agent,
balawiz:
I too encountered problems with the Management Agents not being successfully upgraded when using the IaaS Components Installer. GSS found that the identity of the Management Agent on the IaaS node was different than on the Cafe appliance(s). You can find the node identity from the Cafe appliance perspective by executing:
vra-command list-nodes --components
In the Management Agent logs, e.g. "" C:\Program Files (x86)\VMware\vCAC\Management Agent\Logs\All.log", I saw:
[UTC:2019-07-12 18:42:40 Local:2019-07-12 14:42:40] [VMware.Cafe]: [sub-thread-Id="15" context="" token=""] (31) GET config/nodes/A5891EFD-545B-4C32-9D72-FE24A0D6A120/commands/next-command
[UTC:2019-07-12 18:42:42 Local:2019-07-12 14:42:42] [VMware.Cafe]: [sub-thread-Id="18" context="" token=""] (30) Response: Unauthorized(401) 0:01.676
[UTC:2019-07-12 18:42:42 Local:2019-07-12 14:42:42] [VMware.Cafe]: [sub-thread-Id="18" context="" token=""] Http Error: Unauthorized (401)
Request:
PUT https://<FQDN of Cafe appliance>:5480/config/nodes/A5891EFD-545B-4C32-9D72-FE24A0D6A120/ping
Response:
Failure: Unauthorized
Compare the output from the Cafe command above and the line "GET config/nodes/<UUID>/commands/next-command". The <UUID> should be the same if it is not then as you mentioned un-install and re-install the Management Agent.