VMware Cloud Community
CsNoc
Contributor
Contributor

Upgrade to vCenter Server fails at installing ADAM instance

I'm trying to upgrade a relatively fresh installation of Virtual Center server 2.5 to the latest version vCenter server 4, in which I have been has been unsucces thus far.

I've drilled it down to the installation of the ADAM instance. The adaminstall.log says this:

adamsetup 0DC.B08 0305 Enter State::GetServiceAccountPassword

adamsetup 0DC.B08 0306 STATUS: Starting Active Directory installation

adamsetup 0DC.B08 0307 STATUS: Validating user supplied options

adamsetup 0DC.B08 0308 STATUS: Determining a site in which to install

adamsetup 0DC.B08 0309 STATUS: Examining an existing Active Directory configuration set...

adamsetup 0DC.B08 030A STATUS: Configuring the local computer to host Active Directory

adamsetup 0DC.B08 030B STATUS: EVENTLOG (Error): EventLog / (Failed to read event category.):

Failed to read event text.

adamsetup 0DC.B08 030C Enter GetErrorMessage 800705DC

adamsetup 0DC.B08 030D AD Install Error (1500): An unknown error occurred while installing Active Directory.

adamsetup 0DC.B08 030E Enter State::GetOperation UNIQUE

adamsetup 0DC.B08 030F NtdsInstall() => 1500

adamsetup 0DC.B08 0310 ADAMERR_NTDS_INSTALL_FAILED

adamsetup 0DC.B08 0311 An unknown error occurred while installing Active Directory.

Error code: 0x800705dc

The event log file is corrupted.[/i]

It looks like the event log is corrupt, but looks can be deceiving, because I've tried to manualy install an instance of ADAM. One worked and one didn't.

The one that didn't work was installed using the default 'run service as "network service" '

It gave me the same error.

There were no problems when I installed the instance when running the service as an admin. So instead of looking for corrupt files, I think I should be looking at the security..

I've read a KB article telling me to add the Network Service account to the security Tab on the root of where I'm installing the instance, so I've done that, but no luck.

I've even added (and that's very much against my own security believes) the network service account to the local admin group and rebooted the machine.. but still no luck

I've search the MS KB's, but they say even less..

I've also opened a support ticket at VMWare..

Reply
0 Kudos
17 Replies
RAMESA
VMware Employee
VMware Employee

Need few clarifications-

Will you please let us know the operating system used? System where vCenter Server upgrade is tried need to have support for ADAM.

Support matrix -[http://www.vmware.com/pdf/vsphere4/r40/vsp_compatibility_matrix.pdf]

If system is in support matrix please upload the all log files under %temp%

Plus as you mentioned need to make sure that NETWORK SERVICE account on root directory.

If you have opened support ticket please provide same.

Thanks,

Ramesh

Regards, Ramesh
Reply
0 Kudos
CsNoc
Contributor
Contributor

The Operating system is Windows 2003 SP2

I've dubble checked the permissions on the root, and Network Service does have read permissions.

I've zipped the files (were more than 3) and added it to this post.

Reply
0 Kudos
admin
Immortal
Immortal

Looks like your event log file is corrupted. Could you please try fixing this problem and try re-instasllation of VC. Make sure that your dont overwrite the data this time as your database upgrade is already completed.

-Sandeep

Reply
0 Kudos
CsNoc
Contributor
Contributor

As I said, I don't think the eventlog is corrupted, because when installing the ADAM manually and telling it to run as an administrator account, it works fine. When telling it to run as a simple user or as the default (as Network Service) it gives me the corruption error.

And I've already tried reinstalling, but no luck as well.

Reply
0 Kudos
admin
Immortal
Immortal

Aren't you facing any issue in viewing the event log? And are you able to see new events in it? Especially under the ADAM?

Also can you try removing the ADAM from the control panel manually before trying the re-install? Looks like there is an instance existing on your setup.

Hope this helps :smileyblush:

-Sandeep

Reply
0 Kudos
CsNoc
Contributor
Contributor

I've gotten a bit further. I'm now able to manualy add an instance of ADAM..

What I've done is running regmon.exe during the install of a ADAM instance. I noticed that a permission denied came from 2 registry entries;

HKLM\SYSTEM\CurrentControlSet\Services\VSS

HKLM\SYSTEM\ControlSet001\Services\Eventlog

The first key (Services\VSS) was changed so that the user 'Network service' was able to modify these entries (and sub entries)

The second key was changed so that the Administrators (which already had full permission to that key) also had these permissions on the sub-keys.

I'm now failing on a different error in the setup, which is also being discussed here;

http://communities.vmware.com/thread/211289

I've had contact with the support department (they called me back regarding my ticket), and had a look around (for about 50 minutes) and asked me to send the logs.. It seems they are also trying to figure out why it isn't working as expected.

But at least I'm now having a problem that more people are having...

Reply
0 Kudos
CsNoc
Contributor
Contributor

I've kinda worked around my problem by changing the privileges under which the VMWareVCMSDS service is started to right now an administrator account during the installation..

I'll have a look later next week to see if I can change that back to the defaul netwerk service.. but for now the vCenter server software installation has finished without errors...

Reply
0 Kudos
TomHowarth
Leadership
Leadership

Are you attempting to install vCenter 4 on a machine this is a Domain Controller?

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth VCP / vExpert

VMware Communities User Moderator

Blog: www.planetvm.net

Contributing author for the upcoming book "[VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment|http://my.safaribooksonline.com/9780136083214]”. Currently available on roughcuts

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
Reply
0 Kudos
CsNoc
Contributor
Contributor

No, the server is a normal physical machine which is a member in the domain, but isn't hosting any domain related services. There was also no prior instance of ADAM installed. Also these TCP ports were not configured or in use (used netstat -na | find "LISTEN" and netstat -na | find "389")

As I wrote, for me it was definitly a user-privilege related issue. The NETWORK SERVICE account was unable to start the ADAM instance.. as soon as I used a administrator-level account it would run like a charm..

This tells me that either Windows 2003 Std (first edition) SP2 has a incompatibility with ADAM or that our Windows installation (about two month old) has some weird security settings (doubtfull, because we install all our Windows servers the same way) which prevented a smooth setup.

But I'll try en see if I can figure out which settings are required to run the service as the default "network service" account later this week.

As for the other comments, they didn't really point me in this direction and other stuff was already done.. (like reinstalling ADAM, checking the eventlog for corruption, etc, seemed to be 'normal' to me to try that before posting my problems)

Reply
0 Kudos
CsNoc
Contributor
Contributor

I've also managed to get it back running as the "network service" account. Two registry entries needed permission modification:

The first:

HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application

somehow, my "network service" account wasn't permitted to write to it anymore..

and the second:

HKLM\SYSTEM\ControlSet001\Services\Eventlog\ADAM (VMWareVCMSDS)

This was created during the install, but the Network Service account was not added to have write permissions on this and the subkeys. Changed it, and now it runs perfectly.

Reply
0 Kudos
Benoit13
Contributor
Contributor

I'm experimenting the same issue

>> My settings :

Virtual Machine, Win2003sp2 in Workgoup, new VC, added network service securities full control on the C dirive( just to test), i had the local administrators rights

add ADAM first , then start the installation with build "VMware-VIMSetup-all-4.0.0-162902"

I already opened a case on vmware support (with no relevant answers at the moment)

When i change the permisssions and add "network service" full controll on keys HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application and HKLM\SYSTEM\ControlSet001\Services\Eventlog\ADAM (VMWareVCMSDS)

all another users rights disapeared (authenticated users, power users ... ) and im not abble to restart the server

Please tell me how did you change this ?

Benoit
Reply
0 Kudos
CsNoc
Contributor
Contributor

The only users who should have access to those registry keys are

Administrators (full control)

NETWORK SERVICE (full control)

SYSTEM (special permissions (full control on this key only))

And do you mean by "not able to restart the server" that your server won't boot or that the service won't start?

Remember that during[/u] the setup I quickly went into the services console and changed the user running this service to the local admin account (so at least I got it to continue it's installing the software) and afterwards I looked for authentication/authorization issues.

Reply
0 Kudos
Benoit13
Contributor
Contributor

when i changed the permissions windows didn't start, hopefully i took a snapshot of my VM before the installation

I will try to change the permissions during the setup

but for my understanding , i think vc4 had a bug !

Benoit
Reply
0 Kudos
Benoit13
Contributor
Contributor

Finally it works ! your advise was good and resovled my issue, THX

Benoit
Reply
0 Kudos
S_D
VMware Employee
VMware Employee

Can CsNoc and Beniot13 please post your respective Service Request (SR) numbers that you filed with VMware? I'd like to look them up and see if any bugs have been filed with VMware related to your experiences. Thanks!

Reply
0 Kudos
CsNoc
Contributor
Contributor

But of course, our request number is : 1425047735

Reply
0 Kudos
bnelson
Enthusiast
Enthusiast

Thanks for posting all this troubleshooting information about the registry and C: drive permissions for NETWORK SERVICE.

Notably: with Server 2008 on a 32bit box, I had none of these issues.

x64 box Server 2008 R2 connecting to same SQL 2008 x32 server -- quite the problem child.

Brian Nelson

Hang 2 LEDs in the datacenter. The students are coming! The students are coming!
Reply
0 Kudos