OpsMgr 2007 SP1: The case of failing Agent Install


Recently I came across an issue where we were failing to install the OpsMgr 2007 SP1 agent on a new network segment. These all seemed to be Windows Server 2008 servers, but eventually it turned out to be an issue not specific to 2008. To narrow down the cause, we collected the verbose MSI log:


 


msiexec /i <momagent.msi> /lvoicewarmup c:\install.log


 


You will probably see these two events in your event log:


 


===========================
Log Name: Application
Source: MsiInstaller
Date: 2/24/2009 10:33:51 AM
Event ID: 1033
Task Category: None
Level: Information
Keywords: Classic
User: <domain\user>
Computer: <fqdn>
Description: Windows Installer installed the product. Product Name: System Center Operations Manager 2007 Agent. Product Version: 6.0.6278.0. Product Language: 1033. Installation success or error status: 1603.


 


===========================
Log Name: Application
Source: MsiInstaller
Date: 2/24/2009 10:33:51 AM
Event ID: 11708
Task Category: None
Level: Information
Keywords: Classic
User: <domain\user>
Computer: <fqdn>
Description:
Product: System Center Operations Manager 2007 Agent -- Installation operation failed.


 


 


============


Install.log


============


MSI (s) (94:DC) [21:50:05:758]: Executing op: ActionStart(Name=ca_GrantAuditLogAccess.A7850EAF_DD6F_4ED6_9581_E958CBD8A522,,)
MSI (s) (94:DC) [21:50:05:758]: Executing op: CustomActionSchedule(Action=ca_GrantAuditLogAccess.A7850EAF_DD6F_4ED6_9581_E958CBD8A522,ActionType=3073,Source=BinaryData,Target=GrantAuditLogAccess,)
MSI (s) (94:10) [21:50:05:774]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIB46.tmp, Entrypoint: GrantAuditLogAccess

1: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87
1: ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057
1: GrantAuditLogAccess(): ModifyEventLogAccessForNetworkService() returned 0x00000643.

MSI (s) (94:DC) [21:50:05:805]: User policy value 'DisableRollback' is 0
MSI (s) (94:DC) [21:50:05:805]: Machine policy value 'DisableRollback' is 0
Action ended 21:50:05: InstallFinalize. Return value 3.


 


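So from the log we can see:

>> 1: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87 : Error 87 is ERROR_INVALID_PARAMETER; probably it could not read the security descriptor in the first place

>> 1: ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057 : 0x57 is the same error 87 in hexadecimal

The 0x00000643 returned by GrantAuditLogAccess() is 1603 in decimal, the status reported in event 1033.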


 


Cause


=====


We enumerated the following registry key


>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security


 


Checked the CustomSD (security descriptor) string.

Apparently 0x1 indicates read-only, which seems to be the problem, for a specific user whose SID is mentioned:

"customsd"="(A;;0x1;;;S-1-5-21-542683309-1449951431-3854495092-13117)"


 


 


For More Understanding


----------------------


To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:


1 = Read


2 = Write


4 = Clear


The following sample shows the default SDDL string for the Application log. The access rights are the hexadecimal values in each ACE:


 


O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)


 


For example, the sixth ACE (Access Control Entry), (A;;0x3;;;IU), permits Interactive Users to read and write to the log,

where


IU = Interactive Users


0x3 = 0x1(Read) + 0x2(Write)
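
The ACE layout and rights bits described above, applied as a small Python check. This is an added example, not code from the original post or from Microsoft, and the function names are made up here. It decodes the rights mask of every ACE and reports when a CustomSD value has no D: tag in front of its ACE list, which the default string has and the customsd value found on this server does not.

```python
import re

# Event log access bits as listed on this page.
RIGHTS = {0x1: "Read", 0x2: "Write", 0x4: "Clear"}
DACL_TAG = re.compile(r"D:(?:P|AR|AI)*\(")   # "D:", optional DACL flags, first ACE
ACE = re.compile(r"\(([^()]*)\)")

def decode_rights(field):
    """Turn an ACE rights field such as 0x3 into ['Read', 'Write']."""
    try:
        mask = int(field, 16)
    except ValueError:
        return ["symbolic:" + field]          # e.g. GA, GR: not a hex mask
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    if mask & ~0x7:
        names.append("other:0x%x" % (mask & ~0x7))
    return names

def check_customsd(value):
    """Return (problems, aces); aces are (type, trustee, rights) tuples."""
    text = value.replace(" ", "")             # tolerate spaces left by formatting
    problems = []
    tag = DACL_TAG.search(text)
    if tag is None:
        problems.append("no D: tag in front of the ACE list")
    ace_text = text[tag.end() - 1:] if tag else text
    if ace_text.count("(") != ace_text.count(")"):
        problems.append("unbalanced parentheses")
    aces = []
    for body in ACE.findall(ace_text):
        fields = body.split(";")
        if len(fields) != 6:
            problems.append("ACE (%s) does not have 6 fields" % body)
            continue
        aces.append((fields[0], fields[5], decode_rights(fields[2])))
    return problems, aces

# Both strings are taken from this page.
DEFAULT_APP_LOG = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
                   "(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)"
                   "(A;;0x2;;;LS)(A;;0x2;;;NS)")
FAILING_VALUE = "(A;;0x1;;;S-1-5-21-542683309-1449951431-3854495092-13117)"

if __name__ == "__main__":
    for label, value in (("default", DEFAULT_APP_LOG), ("failing", FAILING_VALUE)):
        problems, aces = check_customsd(value)
        print(label, problems or "well-formed")
        for ace_type, trustee, rights in aces:
            print("  ", ace_type, trustee, "+".join(rights))
```
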


 


Solution

========

a) We removed the CustomSD string from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

b) Ran regsvr32 scecli.dll

For a better understanding of SDDL, refer to http://support.microsoft.com/kb/323076

Comments (2)

  1. TajikiDC says:

    Thanks, Jeevan!  I've been struggling with this issue on random servers for over a month trying to figure out why the SCOM agent will not install!  After applying this change, the agent installed successfully!  🙂

  2. Ramazan says:

    I’ve never ever figured out this solution. Thank you very much. 🙂