OpsMGr Reporting may fail to install in large domains when the RMS SDK Service is configured to run as Local System

THIS INFORMATION IS SUPERCEDED BY https://support.microsoft.com/kb/936220/ . Please use the KB article 

There is a Knowledgebase Article in the works for publication, but as I've seen some of you affected by this issue it's time to discuss here a workaround to what may appear to be an insummountable or frustrating issue.

 In summary

 When a Root Management Server (RMS) has been confgured to have its SDK Service (OMSDK) run under Local System (configuration option during Setup and the Configuration service also runs under the same credentials) and you attempt to install OpsMr Reporting, the reporting installation may fail at the MSI setup screen displaying "Loading Management Server Action and SDK Account". The dialog containing this message may be displayed for a long period of time or the MSI installation simply rollback shortly after its display. Should the OpsMgr Reporting installation fail, confirm the following from the MOMReportingN.log (N is an incremental number) file in the installing users %temp% folder containing the MSI verbose installation log:-

Load the log file into Notepad

Search for the following phrase : SetPropertiesToManagementServerActionAndSDKAccountCA error

If this phase is found look for log entries after this occurance for either instances of :

'SetPropertiesToManagementServerActionAndSDKAccountCA error: Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException : The time limit for this request was exceeded.

OR

SetPropertiesToManagementServerActionAndSDKAccountCA error: System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException : The specified domain does not exist or cannot be contacted.

OR

SetPropertiesToManagementServerActionAndSDKAccountCA error: System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException : The specified domain does not exist or cannot be contacted.

If these entries are found in the log it is highly likely the following problem has been discovered and following workaround needs to be implemented to successfully install the reporting component.

The Problem

During the OpsMgr Reporting installation the SDK account is determined from the RMS and if the account under which the service runs is Local System, the install queries AD to determine the computer account. In a large AD domain the query may timeout and the Reporting installation roll back. If the SDK service on the RMS was configured to run as a Domain User account, the issue does not occur. Therefore, for new installations where reporting is to be installed I would recommend installing Operations Manager with and SDK account using Domain User credentials. You can always change them later.

If you are in a position where you have already installed Operations Manager with SDK Service using Local System credentials you can use the following procedure to change the SDK AND Config Service credentials on the RMS to use Domain User. After successful Reporting installation they can be changed back to Local System. NOTE: BOTH THE SDK AND CONFIG SERVICES SHOULD RUN UNDER THE SAME ACCOUNT (is that clear enough?. Don't mix and match the service credentials of these services. They either both run under Local system creds or both run under the same Domain User Creds).

Side Note: NEVER try to run the Health Service under an account other than Local System. SPN's are registered by the Health Service and you will end up with duplicate SPN's. Agends will not be able to contact the Management Server until the duplicate SPN's are removed.

The Workaround

The following steps document how to change the SDK and Configuration service accounts, both from Local System to a Domain User account or vice versa. Use these steps to change the SDK and Config services to run under a Domain User account. Once done the Reporting feature should install correctly.

IMPORTANT: Both the SDK and Configuration service accounts must use the same account for the service startup.

The steps below assume that the necessary Domain Account has already been created in Active Directory Users and Computers. It is also strongly recommended that an operational database backup be taken prior to taking these steps.

How to change the SDK and Configuration service to use a Domain Account

1) Go to Start and choose Run

2) Type services.msc and click OK

3) When the Services Snap-In opens navigate to OpsMgr SDK Service

4) Right click the OpsMgr SDK Service and click Stop

5) On the services snap-in select the OpsMgr Config Service right click and choose Stop on the context menu.

6) Select the OpsMgr SDK Service right click and choose the Properties option

7) Select the Log On tab

8) If you want this service to run under a Domain Account

9) Select the This account radio button

a. Type in a Domain Account

b. Specify the password for the domain account

c. Reconfirm the password by retyping

d. Click OK

10) Click OK on the “ The new logon name will not take effect until you stop and restart the Service ”

11) Select the OpsMgr Config Service right click and choose the Properties option

12) Select the Log On tab

13) If you want this service to run under a Domain Account

14) Select the This account radio button

a. Type in the same Domain Account as step 9 above

b. Specify the password for the domain account

c. Reconfirm the password by retyping

d. Click OK

15) Click OK on the “ The new logon name will not take effect until you stop and restart the service ”

16) Go to Start and choose Run

17) Type SQLWB and click OK to open SQL Management Studio

a. Optionally you can open SQL Management Studio by going to StartàProgramsàMicrosoft SQL Server 2005àSQL Server Management Studio

18) Specify the Server Name and instance where the Operations Manager Database is installed on the Connect to Server dialogue

19) Expand the Database node

20) Select the Operations Manager Database

21) Right click and choose the New Query option in the context menu

22) Type and execute the following stored procedure replacing DomainForSDKAcct\UserForSDKAcct with the domain and account previously created in Active Directory Users and Computers.

EXECUTE p_SetupCreateLogin 'DomainForSDKAcct\UserForSDKAcct', 'sdk_users'

Note: If SQL Server is configured for case sensitivity then you must type the account exactly as it appears in Active Directory Users and Computers.

23) Type and execute the following stored procedure replacing DomainForConfigAcct\UserForConfigAcct with the domain and account previously created in Active Directory Users and Computers. This will be the same account used for the SDK service.

EXECUTE p_SetupCreateLogin 'DomainForConfigAcct\UserForConfigAcct', 'configsvc_users'

Note: If SQL is case sensitive then you need to type the account in the exact case otherwise you will get errors for this procedure.

       24) Type and execute the following stored procedure replacing DomainForConfigAcct\UserForConfigAcct with the domain and account previously created in Active Directory Users and Computers. This will be the same account used for the SDK service.

EXECUTE p_SetupCreateLogin 'DomainForActionAcct\UserForActionAccount, 'cdbmodule_users'

         Note: If SQL is case sensitive then you need to type the account in the exact case otherwise you will get errors for this procedure.

25) On the services snap-in select the OpsMgr SDK Service right click and choose Start on the context menu.

26) In the services snap-in select OpsMgr Config Service right click and choose Start on the context menu.

27) Go to Start and choose Run

28) Type Eventvwr.msc and click OK

29) Within the Event Viewer select the Operations Manager event log

30) Examine the event log entries for the OpsMgr SDK Service and OpsMgr Config Service to check that they started and are running successfully.

How to change the SDK and Configuration service to use the Local System Account

1) Go to Start and choose Run

2) Type services.msc and click OK

3) When the Services Snap-In opens navigate to OpsMgr SDK Service

4) Right click the OpsMgr SDK Service and click Stop

5) Navigate to the OpsMgr Config Service and click Stop

6) Select the OpsMgr SDK Service right click and choose the Properties option

7) Select the Log On tab

8) If you want this service to run under a Local System

9) Select the This account radio button

a. Select the Local System account radio button

b. Click OK on the confirmation dialog.

10) Click OK on the “ The new logon name will not take effect until you stop and restart the service ”

11) Select the OpsMgr Config Service right click and choose the Properties option

12) Select the Log On tab

13) If you want this service to run under Local System

14) Select the This account radio button

a. Select the Local System account radio button

b. Click OK on the confirmation dialog.

15) Click OK on the “ The new logon name will not take effect until you stop and restart the service ”

16) Go to Start and choose Run

17) Type SQLWB and click OK to open SQL Management Studio

a. Optionally you can open SQL Management Studio by going to StartàProgramsàMicrosoft SQL Server 2005àSQL Server Management Studio

18) Specify the Server Name and instance where the Operations Manager Database is installed on the Connect to Server dialogue

19) Expand the Database node

20) Select the Operations Manager Database

21) Right click and choose the New Query option in the context menu

22) Type and execute the following stored procedure

EXECUTE p_SetupCreateLogin 'NT AUTHORITY\SYSTEM', 'sdk_users'

Note: If SQL Server is configured for case sensitivity then you must type the account exactly as it appears above.

23) Type and execute the following stored procedure

EXECUTE p_SetupCreateLogin 'NT AUTHORITY\SYSTEM', 'configsvc_users'

Note: If SQL Server is configured for case sensitivity then you must type the account exactly as it appears above.

24) Type and execute the following stored procedure

EXECUTE p_SetupCreateLogin 'NT AUTHORITY\SYSTEM', 'dbmodule_users'

Note: If SQL Server is configured for case sensitivity then you must type the account exactly as it appears above.

25) On the services snap-in select the OpsMgr SDK Service right click and choose Start on the context menu.

26) In the services snap-in select OpsMgr Config Service right click and choose Start on the context menu.

27) Go to Start and choose Run

28) Type Eventvwr.msc and click OK

29) Within the Event Viewer select the Operations Manager event log

30) Examine the event log entries for the OpsMgr SDK Service and OpsMgr Config Service to check that they started and are running successfully.

Feedback most welcome on anything I missed. When the KB is published it will supercede the information here.