Troubleshooting the Installation of the System Center Operations Manager 2007 Agent


If you’re looking for a good resource for troubleshooting OpsMgr 2007 client agent install issues, then this new KB article we published today is for you:

=====

Symptoms

The System Center Operations Manager 2007 (SCOM 2007) agent can be deployed to Windows computers either via "remote push" from a management server or it can be manually installed on a target computer using MomAgent.msi. If the installation of the agent is not successful, there are a number of troubleshooting steps that can be used depending on where the error is occurring and how the agent will be deployed.

Resolution

Verify the target computer meets the supported configuration
The initial step in troubleshooting installation of the Operations Manager agent on a Windows computer is to verify that the potential agent meets the supported hardware and software configuration. The following article lists the requirements for an Operations Manager 2007 agent:

Operations Manager 2007 R2 Supported Configurations

If the target system is a Unix/Linux computer, verify that the distribution and version are supported. Please note that support for some versions requires post-R2 cumulative updates. The following article has the supported versions of Unix/Linux:

System Center Operations Manager 2007 R2 Cross Platform Monitoring Management Packs

Troubleshooting Agent Deployment via the Discovery Wizard in the Operations Manager Console
If the agent will be deployed by means of discovery from the Operations Manager console, the agent will be installed from the management server or gateway server specified in the discovery wizard to manage the agent, not the server the operations console was connected to when it opened. Any testing, therefore, should be conducted from the management server or gateway specified when the wizard is run or a different management server/gateway should be specified during the wizard to see if the same error occurs.

  • Problem:
    The wizard does not display a list of potential agents to install.
    Cause:
    The credentials specified in the wizard during the initial discovery should have permission to search Active Directory for potential Operations Manager agents. If this account is not able to connect to Active Directory, then the Discovery Wizard will fail.
    Typical errors that appear may be:
    • Error Code: 800706BA
      Error Description: The RPC server is unavailable
    • Error Code: 80070079
      The MOM Server failed to perform specified operation on computer "name". The semaphore timeout period has expired.
    • Error Code: 80070643
      The Agent Management Operation Agent Install failed for remote computer "name"

    Possible Resolutions:

    • During discovery, specify an account that has both domain administrator permissions and is a member of the Operations Manager Admins group.
    • If the LDAP query times out, or is not able to resolve the potential agents in Active Directory, discovery can be performed via the Operations Manager Command Shell. See the following section "Troubleshooting Agent Deployment via the Operations Manager Command Shell" for additional information.
  • Problem:
    The intended target computer is not in the list of potential agents after the initial discovery runs.
    Cause:
    • The computer is already identified in the database as part of the management group.
    • The computer is listed under ‘Pending Actions’ in the Operations Console.

    Possible Resolutions:

    • If the target computer is listed in the ‘Pending Actions’ node of the ‘Administration’ space in the Operations Console, the existing action must either be approved or rejected before a new action can be performed. If the existing install settings are sufficient, approve the pending installation from the console. If the existing settings are incorrect, reject the pending action, then run the discovery wizard again.
  • Problem:
    The discovery wizard encounters one of the following errors while trying to install the agent:
    • Operation: Agent Install
      Error Code: 800706D9
    • Error Description: Unknown error 0xC000296E
    • Error Description: Unknown error 0xC0002976
    • Error Code: 80070643
      Error Description: Fatal error during installation.

    Cause:

    • The account previously specified to perform the agent installation in the discovery wizard will need to have permissions to connect remotely to the target computer and install a Windows service. This requires local administrator permissions due to the requirement to write to the registry.
    • Group policy restrictions on the management server computer account, or the account used for agent push, can prevent successful installation. Group Policy Objects in Active Directory that prevent the Management Server computer account, or the user account used by the Discovery Wizard, from remotely accessing the Windows folder, the registry, WMI or administrative shares on the target computer can prevent successful deployment of the Operations Manager agent.
    • The Windows Firewall is blocking ports between the Management Server and the target computer.
    • Required services on the target computer are not running.

    Possible Resolutions:

    • If the credentials specified in the wizard do not have local administrator permissions, add the account to the local Administrators security group on the target computer, or use an account that is already a member of that group.
    • Block group policy inheritance on the target computer, or the user account performing the installation.
    • If an agent install is failing when using a domain account to push the agent from a management server, the use of Windows administrative tools can help identify potential issues. Log onto the Management Server under the credentials in question and attempt the following tasks. If the account does not have permission to log onto the management server, the tools can be run under the credentials to be tested from a command prompt.
      • "RUNAS /user:<username> compmgmt.msc". From the ‘Action’ menu item, select ‘connect to another computer’. Browse or type in the remote computer name. Try to open event viewer and browse any of the event logs.
      • "RUNAS /user:<username> services.msc". From the ‘Action’ menu item, select ‘connect to another computer’. Browse or type in the remote computer name. Attempt to start or stop print spooler or any other service on the target computer.
      • "RUNAS /user:<username> regedt32.exe". From the ‘File’ menu item, select ‘connect network registry’. Browse or type in the remote computer name. Try to open "HKey_Local_Machine" on the remote machine.
      • "RUNAS /user:<username> Explorer.exe". Type the following in the address bar: \\admin$
        If any of these tasks fail, try using a different account known to have Domain Administrator or Local Administrator (on the target computer) permissions. Also try the same tasks from a member server or workstation to see if the tasks fail from multiple machines.
        Failure to connect to the admin$ share may prevent the Management Server from copying setup files to the target. Failure to connect to the Windows Registry on the target can cause the Health Service to not be installed properly. Failure to connect to Service Control Manager will prevent setup from starting the service.
    • The following ports must be open between the Management Server and the target computer:
      • RPC endpoint mapper Port number: 135 Protocol: TCP/UDP
      • *RPC/DCOM High ports (2000/2003 OS) Ports 1024-5000 Protocol: TCP/UDP
      • *RPC/DCOM High ports (2008 OS) Ports 49152-65535 Protocol: TCP/UDP
      • NetBIOS name service Port number: 137 Protocol: TCP/UDP
      • NetBIOS session service Port number: 139 Protocol: TCP/UDP
      • SMB over IP Port number: 445 Protocol: TCP
      • MOM Channel Port number: 5723 Protocol: TCP/UDP
    • The following services must be enabled and running on the target computer:
      • Netlogon
      • Remote Registry
      • Windows Installer
      • Automatic Updates
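
The TCP port, remote access and service checks above can be run in one pass from the management server. The following Windows PowerShell function is an added example, not part of the KB article; the name Test-AgentPushPrereq and the computer name TARGET01 are placeholders, and the short service names are the standard Windows names for the four services listed.

```powershell
# Added example, not part of the KB article. Run in Windows PowerShell on the
# management server or gateway named in the wizard, as the push account.
function Test-AgentPushPrereq {
    param([Parameter(Mandatory = $true)][string]$ComputerName, [int]$TimeoutMs = 3000)

    function New-Result($check, $ok, $detail) {
        New-Object PSObject -Property @{ Check = $check; Passed = $ok; Detail = $detail }
    }

    # TCP listeners expected on the target. UDP and the dynamic RPC/DCOM ranges
    # cannot be confirmed with a plain connect, so they are not probed here.
    # Port 5723 is where the management server listens for agents, so test it
    # from the target toward the management server instead.
    foreach ($port in 135, 139, 445) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $port, $null, $null)
            $open = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
        } catch { $open = $false } finally { $client.Close() }
        New-Result "TCP $port" $open $null
    }

    # Same access the RUNAS checks exercise: admin share, registry, services.
    $share = '\\{0}\admin$' -f $ComputerName
    New-Result 'admin$ share' (Test-Path $share) $share

    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName).Close()
        New-Result 'Remote registry (HKLM)' $true $null
    } catch { New-Result 'Remote registry (HKLM)' $false $_.Exception.Message }

    # Netlogon, Remote Registry, Windows Installer, Automatic Updates.
    $names = 'Netlogon', 'RemoteRegistry', 'msiserver', 'wuauserv'
    $filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
    try {
        $found = @(Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter -ErrorAction Stop)
        foreach ($n in $names) {
            $svc = $found | Where-Object { $_.Name -eq $n }
            if ($svc) { New-Result "Service $n" ($svc.State -eq 'Running') "$($svc.State), start mode $($svc.StartMode)" }
            else { New-Result "Service $n" $false 'not present' }
        }
    } catch { New-Result 'Service query (WMI)' $false $_.Exception.Message }
}

# Example call; 'TARGET01' is a placeholder computer name.
# Test-AgentPushPrereq -ComputerName 'TARGET01' | Format-Table Check, Passed, Detail -AutoSize
```

A failed service query here is itself informative: it uses WMI over RPC/DCOM, which is one of the remote access paths that Group Policy or the firewall may be blocking.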

The following articles provide some good background about deploying the Operations Manager agent using discovery from the Management Server:

How to Deploy the Operations Manager 2007 Agent Using the Agent Setup Wizard
How does Computer Discovery Work in OpsMgr 2007?
Agent discovery and push troubleshooting in OpsMgr 2007
Console based Agent Deployment Troubleshooting table

Troubleshooting Agent Deployment via the Operations Manager Command Shell
In some situations, automatic discovery of potential agents may time out due to very large or complex Active Directory environments. Other situations may require that automatic discovery be run with an LDAP query that is more limited than what is available in the UI. In these cases, automatic discovery of computers and remote installation of the Operations Manager agent is possible via the Operations Manager command shell. The following blog posting gives the syntax required to do this:

Discovering Windows Computers via PowerShell

Troubleshooting Agent Deployment via Verbose Windows Installer Logging
If the installation of the agent on a remote computer fails during installation, a verbose Windows Installer log may be created on the management server in the following default location:

C:\Program Files\System Center Operations Manager 2007\AgentManagement\AgentLogs

The log can be used to determine if there was a specific error encountered and may be useful to further troubleshoot installation of the Operations Manager agent on the target computer.

Look for the first entry with the string "Return Value 3" in the log. The preceding few lines will usually indicate the error that Windows Installer encountered. The format will typically be in the form of "function / description of error / error return code", and can indicate permission issues, missing files or other settings that need to be changed. Examples:

  • Error message:
    ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87
    Possible cause:
    The installation account does not have permission to the security log on the target computer
  • Error message:
    ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057
    Possible cause:
    The installation account does not have permission to the security log on the target computer
  • Error message:
    Cannot open database file. System error -2147024629
    Possible cause:
    The installation account does not have permission to the system TEMP folder

There are many possible errors that can be logged here. Other individual errors can be further researched on TechNet or the Online Knowledge Base.

Troubleshooting Manual installation of the Operations Manager Agent
In cases where the Operations Manager agent cannot be deployed to a remote computer via the Discovery Wizard, the agent will need to be installed manually. This can be performed via command line using the MomAgent.msi file. The following references describe the various switches and configuration options available to perform a manual installation:

How to Deploy the Operations Manager 2007 Agent Using MOMAgent.msi from the Command Line
Windows Agent Install MSI Use Cases and Commands
Process Manual Agent Installations in Operations Manager 2007

If the agent is deployed via manual install, future Service Pack updates or cumulative updates will need to be manually deployed as well. Computers that have been manually installed will not be designated by the System Center Configuration Management service as being remotely manageable, and the option to upgrade them will not be presented in the Operations Console.

Other key considerations to account for during the manual installation of agents:

  • If the installation is being performed by a domain or local user, the account needs to be a member of the local Administrators security group in Vista or later operating systems. In pre-Vista operating systems, users that were members of the "Power Users" security group had the permissions required to install services.
  • If the agent is being deployed via Configuration Manager, the Configuration Manager Agent service account will either need to run as LocalSystem (which is the default) or under the context of a local administrator.

Errors that prevent agents from being installed manually can be identified in the Windows Installer setup logs. The following command can be used to enable verbose Windows Installer logging of the Operations Manager agent installation:
msiexec.exe /i "MOMAgent.msi" /l*v "C:\Agent\MOMAgent_install.log"

As an alternative, the following article describes how to enable verbose Windows Installer logging globally on a Windows computer:
How to enable Windows Installer logging

The log can be used to determine if there was a specific error encountered and may be useful to further troubleshoot installation of the Operations Manager agent on the target computer.

Look for the first entry with the string "Return Value 3" in the log. The preceding few lines will usually indicate the error that Windows Installer encountered. The format will typically be in the form of "function / description of error / error return code", and can indicate permission issues, missing files or other settings that need to be changed.

Examples:

  • Error message:
    ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87
    Possible cause:
    The installation account does not have permission to the security log on the target computer
  • Error message:
    ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057
    Possible cause:
    The installation account does not have permission to the security log on the target computer
  • Error message:
    Cannot open database file. System error -2147024629
    Possible cause:
    The installation account does not have permission to the system TEMP folder

There are many possible errors that can be logged here. Other individual errors can be further researched on TechNet or the Online Knowledge Base.
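
The log triage described here and in the earlier section on push-install logs (find the first "Return Value 3", read the lines before it, interpret the return code) can be scripted. This Windows PowerShell code is an added example, not part of the KB article; the function names are illustrative and the sample lines are constructed around the error strings quoted above.

```powershell
# Added example, not part of the KB article. Function names are illustrative.
function ConvertTo-Win32Code {
    param([string]$Text)
    # Accepts decimal (87), hex (0x00000057) or a signed HRESULT (-2147024629).
    if ($Text -match '^0x') { $v = [Convert]::ToInt64($Text, 16) } else { $v = [int64]$Text }
    if ($v -lt 0) { $v += 4294967296 }                   # signed 32-bit -> unsigned
    # HRESULTs of the form 0x8007nnnn wrap a Win32 error code in the low 16 bits.
    if ([math]::Floor([double]$v / 65536) -eq 0x8007) { $v = $v % 65536 }
    if ($v -gt 65535) { return $null }                   # not a plain Win32 code
    return [int]$v
}

function Find-MsiFirstFailure {
    param([string[]]$Lines, [int]$Context = 5)
    # Index of the first "Return value 3" entry (-match is case-insensitive).
    $hit = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Return value 3') { $hit = $i; break }
    }
    if ($hit -lt 0) { return }                           # no failed action logged
    $start = [math]::Max(0, $hit - $Context)
    foreach ($line in $Lines[$start..$hit]) {
        $decoded = $null
        # Decode a trailing numeric code on lines that report a failure.
        if ($line -match '(fail|error|could not|cannot)' -and
            $line -match '(0x[0-9A-Fa-f]+|-?\d+)\s*$') {
            $code = ConvertTo-Win32Code $Matches[1]
            if ($null -ne $code) {
                $msg = (New-Object System.ComponentModel.Win32Exception $code).Message
                $decoded = '{0}: {1}' -f $code, $msg
            }
        }
        New-Object PSObject -Property @{ Line = $line; Win32 = $decoded }
    }
}

# Constructed sample lines; only the error strings come from this article.
$sample = @(
    'Doing action: InstallFinalize',
    'ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87',
    'ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057',
    'Cannot open database file. System error -2147024629',
    'Action ended: InstallFinalize. Return value 3.',
    'Doing action: Rollback'
)
Find-MsiFirstFailure -Lines $sample | Format-List Line, Win32

# Against a real log (Get-Content detects the log file's encoding from its BOM):
# Find-MsiFirstFailure -Lines (Get-Content 'C:\Agent\MOMAgent_install.log') -Context 10
```

On the sample, 87 and 0x00000057 decode to the same Win32 code (87), and -2147024629 is the HRESULT 0x8007010B, which wraps Win32 code 267.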

=====

For the most current version of this article please see the following:

2566152: Troubleshooting the Installation of the System Center Operations Manager 2007 Agent

J.C. Hornbeck | System Center Knowledge Engineer

