Troubleshooting the Installation of the System Center Operations Manager 2007 Agent

If you’re looking for a good resource for troubleshooting OpsMgr 2007 client agent install issues, then this new KB article we published today is for you:

=====

Symptoms

The System Center Operations Manager 2007 (SCOM 2007) agent can be deployed to Windows computers either via "remote push" from a management server or it can be manually installed on a target computer using MomAgent.msi. If the installation of the agent is not successful, there are a number of troubleshooting steps that can be used depending on where the error is occurring and how the agent will be deployed.

Resolution

Verify the target computer meets the supported configuration
The initial step in troubleshooting installation of the Operations Manager agent on a Windows computer is to verify that the potential agent meets the supported hardware and software configuration. The following article lists the requirements for an Operations Manager 2007 agent:

Operations Manager 2007 R2 Supported Configurations

If the target system is a Unix/Linux computer, verify that the distribution and version are supported. Please note that support for some versions requires post-R2 cumulative updates. The following article has the supported versions of Unix/Linux:

System Center Operations Manager 2007 R2 Cross Platform Monitoring Management Packs

Troubleshooting Agent Deployment via the Discovery Wizard in the Operations Manager Console
If the agent will be deployed by means of discovery from the Operations Manager console, the agent will be installed from the management server or gateway server specified in the discovery wizard to manage the agent, not the server the operations console was connected to when it opened. Any testing should therefore be conducted from the management server or gateway specified when the wizard is run. Alternatively, specify a different management server or gateway in the wizard to see if the same error occurs.

  • Problem:
    The wizard does not display a list of potential agents to install.
    Cause:
    The credentials specified in the wizard during the initial discovery should have permission to search Active Directory for potential Operations Manager agents. If this account is not able to connect to Active Directory, then the Discovery Wizard will fail.
    Typical errors that appear may be:

    • Error Code: 800706BA
      Error Description: The RPC server is unavailable
    • Error Code: 80070079
      The MOM Server failed to perform specified operation on computer "name". The semaphore timeout period has expired.
    • Error Code: 80070643
      The Agent Management Operation Agent Install failed for remote computer "name"

    Possible Resolutions:

    • During discovery, specify an account that has domain administrator permissions and is also a member of the Operations Manager Admins group.
    • If the LDAP query times out, or is not able to resolve the potential agents in Active Directory, discovery can be performed via the Operations Manager Command Shell. See the following section "Troubleshooting Agent Deployment via the Operations Manager Command Shell" for additional information.
  • Problem:
    The intended target computer is not in the list of potential agents after the initial discovery runs.
    Cause:

    • The computer is already identified in the database as part of the management group.
    • The computer is listed under 'Pending Actions' in the Operations Console.

    Possible Resolutions:

    • If the target computer is listed in the 'Pending Actions' node of the 'Administration' space in the Operations Console, the existing action must either be approved or rejected before a new action can be performed. If the existing install settings are sufficient, approve the pending installation from the console. If the existing settings are incorrect, reject the pending action, then run the discovery wizard again.
  • Problem:
    The discovery wizard encounters one of the following errors while trying to install the agent:

    • Operation: Agent Install
      Error Code: 800706D9
    • Error Description: Unknown error 0xC000296E
    • Error Description: Unknown error 0xC0002976
    • Error Code: 80070643
      Error Description: Fatal error during installation.

    Cause:

    • The account previously specified to perform the agent installation in the discovery wizard will need to have permissions to connect remotely to the target computer and install a Windows service. This requires local administrator permissions due to the requirement to write to the registry.
    • Group policy restrictions on the management server computer account, or the account used for agent push, can prevent successful installation. Group Policy Objects in Active Directory that prevent the Management Server computer account, or the user account used by the Discovery Wizard, from remotely accessing the Windows folder, the registry, WMI or administrative shares on the target computer can prevent successful deployment of the Operations Manager agent.
    • The Windows Firewall is blocking ports between the Management Server and the target computer.
    • Required services on the target computer are not running.

    Possible Resolutions:

    • If the credentials specified in the wizard do not have local administrator permissions, add the account to the local Administrators security group on the target computer, or use an account that is already a member of that group.
    • Block group policy inheritance on the target computer, or the user account performing the installation.
    • If an agent install is failing when using a domain account to push the agent from a management server, the use of Windows administrative tools can help identify potential issues. Log onto the Management Server under the credentials in question and attempt the following tasks. If the account does not have permission to log onto the management server, the tools can be run under the credentials to be tested from a command prompt.
      • "RUNAS /user:<username> compmgmt.msc". From the 'Action' menu item, select 'connect to another computer'. Browse or type in the remote computer name. Try to open Event Viewer and browse any of the event logs.
      • "RUNAS /user:<username> services.msc". From the 'Action' menu item, select 'connect to another computer'. Browse or type in the remote computer name. Attempt to start or stop print spooler or any other service on the target computer.
      • "RUNAS /user:<username> regedt32.exe". From the 'File' menu item, select 'connect network registry'. Browse or type in the remote computer name. Try to open "HKEY_LOCAL_MACHINE" on the remote machine.
      • "RUNAS /user:<username> Explorer.exe". Type the following in the address bar: \\admin$
        If any of these tasks fail, try using a different account known to have Domain Administrator or Local Administrator (on the target computer) permissions. Also try the same tasks from a member server or workstation to see if the tasks fail from multiple machines.
        Failure to connect to the admin$ share may prevent the Management Server from copying setup files to the target. Failure to connect to the Windows Registry on the target can cause the Health Service to not be installed properly. Failure to connect to Service Control Manager will prevent setup from starting the service.
    • The following ports must be open between the Management Server and the target computer:
      • RPC endpoint mapper Port number: 135 Protocol: TCP/UDP
      • *RPC/DCOM High ports (2000/2003 OS) Ports 1024-5000 Protocol: TCP/UDP
      • *RPC/DCOM High ports (2008 OS) Ports 49152-65535 Protocol: TCP/UDP
      • NetBIOS name service Port number: 137 Protocol: TCP/UDP
      • NetBIOS session service Port number: 139 Protocol: TCP/UDP
      • SMB over IP Port number: 445 Protocol: TCP
      • MOM Channel Port number: 5723 Protocol: TCP/UDP
    • The following services must be enabled and running on the target computer:
      • Netlogon
      • Remote Registry
      • Windows Installer
      • Automatic Updates
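
A pre-flight check for the port, share and service requirements listed above, as an added PowerShell example that is not part of the KB article. `$Target`, `$TimeoutMs` and `Test-TcpPort` are names assumed here; the script runs under the caller's credentials, so start it with RUNAS as the push account to test that account.

```powershell
# Added example, not from the KB article. Run on the management server or
# gateway that will push the agent; needs Windows PowerShell (Get-WmiObject).
param(
    [Parameter(Mandatory = $true)][string]$Target,   # placeholder: target computer name
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Fixed TCP listeners on the target. Not covered: UDP, the dynamic RPC/DCOM
# ranges, and 5723, which the agent opens towards the management server.
$ports = [ordered]@{ 'RPC endpoint mapper' = 135; 'NetBIOS session service' = 139; 'SMB over IP' = 445 }
foreach ($name in $ports.Keys) {
    [pscustomobject]@{
        Check  = "TCP $($ports[$name]) ($name)"
        Result = $(if (Test-TcpPort $Target $ports[$name] $TimeoutMs) { 'open' } else { 'blocked or closed' })
    }
}

# admin$ is the share the management server copies the setup files to.
[pscustomobject]@{
    Check  = 'admin$ share'
    Result = $(if (Test-Path ('\\{0}\admin$' -f $Target)) { 'reachable' } else { 'not reachable' })
}

# Services from the list above, by service name: Netlogon, Remote Registry,
# Windows Installer (msiserver), Automatic Updates (wuauserv).
$filter = "Name='Netlogon' OR Name='RemoteRegistry' OR Name='msiserver' OR Name='wuauserv'"
try {
    Get-WmiObject -Class Win32_Service -ComputerName $Target -Filter $filter -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{ Check = "Service $($_.DisplayName)"; Result = "$($_.State), start mode $($_.StartMode)" }
        }
} catch {
    # A failure here also indicates that remote WMI/RPC access is blocked.
    [pscustomobject]@{ Check = 'WMI service query'; Result = "failed: $($_.Exception.Message)" }
}
```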

The following articles provide some good background about deploying the Operations Manager agent using discovery from the Management Server:

How to Deploy the Operations Manager 2007 Agent Using the Agent Setup Wizard
How does Computer Discovery Work in OpsMgr 2007?
Agent discovery and push troubleshooting in OpsMgr 2007
Console based Agent Deployment Troubleshooting table

Troubleshooting Agent Deployment via the Operations Manager Command Shell
In some situations, automatic discovery of potential agents may time out due to very large or complex Active Directory environments. Other situations may require that automatic discovery be run with an LDAP query that is more limited than what is available in the UI. In these cases, automatic discovery of computers and remote installation of the Operations Manager agent is possible via the Operations Manager command shell. The following blog posting gives the syntax required to do this:

Discovering Windows Computers via PowerShell

Troubleshooting Agent Deployment via Verbose Windows Installer Logging
If the installation of the agent on a remote computer fails during installation, a verbose Windows Installer log may be created on the management server in the following default location:

C:\Program Files\System Center Operations Manager 2007\AgentManagement\AgentLogs

The log can be used to determine if there was a specific error encountered and may be useful to further troubleshoot installation of the Operations Manager agent on the target computer.

Look for the first entry with the string "Return Value 3" in the log. The preceding few lines will usually indicate the error that Windows Installer encountered. The format will typically be in the form of "function / description of error / error return code", and can indicate permission issues, missing files or other settings that need to be changed. Examples:

  • Error message:
    ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87
    Possible cause:
    The installation account does not have permission to the security log on the target computer
  • Error message:
    ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057
    Possible cause:
    The installation account does not have permission to the security log on the target computer
  • Error message:
    Cannot open database file. System error -2147024629
    Possible cause:
    The installation account does not have permission to the system TEMP folder

There are many possible errors that can be logged here. Other individual errors can be further researched on TechNet or the Online Knowledge Base.

Troubleshooting Manual installation of the Operations Manager Agent
In cases where the Operations Manager agent cannot be deployed to a remote computer via the Discovery Wizard, the agent will need to be installed manually. This can be performed via command line using the MomAgent.msi file. The following references describe the various switches and configuration options available to perform a manual installation:

How to Deploy the Operations Manager 2007 Agent Using MOMAgent.msi from the Command Line
Windows Agent Install MSI Use Cases and Commands
Process Manual Agent Installations in Operations Manager 2007

If the agent is deployed via manual install, future Service Pack updates or cumulative updates will need to be manually deployed as well. Computers that have been manually installed will not be designated by the System Center Configuration Management service as being remotely manageable, and the option to upgrade them will not be presented in the Operations Console.

Other key considerations to account for during the manual installation of agents:

  • If the installation is being performed by a domain or local user, the account needs to be a member of the local Administrators security group in Vista or later operating systems. In pre-Vista operating systems, users that were members of the "Power Users" security group had the permissions required to install services.
  • If the agent is being deployed via Configuration Manager, the Configuration Manager Agent service account will either need to run as LocalSystem (which is the default) or under the context of a local administrator.

Errors that prevent agents from being installed manually can be identified in the Windows Installer setup logs. The following command can be used to enable verbose Windows Installer logging of the Operations Manager agent installation:
msiexec.exe /i "MOMAgent.msi" /l*v "C:\Agent\MOMAgent_install.log"

As an alternative, the following article describes how to enable verbose Windows Installer logging globally on a Windows computer:
How to enable Windows Installer logging

The log can be used to determine if there was a specific error encountered and may be useful to further troubleshoot installation of the Operations Manager agent on the target computer.

Look for the first entry with the string "Return Value 3" in the log. The preceding few lines will usually indicate the error that Windows Installer encountered. The format will typically be in the form of "function / description of error / error return code", and can indicate permission issues, missing files or other settings that need to be changed.

Examples:

  • Error message:
    ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87
    Possible cause:
    The installation account does not have permission to the security log on the target computer
  • Error message:
    ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057
    Possible cause:
    The installation account does not have permission to the security log on the target computer
  • Error message:
    Cannot open database file. System error -2147024629
    Possible cause:
    The installation account does not have permission to the system TEMP folder

There are many possible errors that can be logged here. Other individual errors can be further researched on TechNet or the Online Knowledge Base.
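
The "Return Value 3" search described in both logging sections (push logs under AgentLogs and the manual MOMAgent_install.log), as an added PowerShell example that is not part of the KB article. `Get-MsiFirstFailure` is a hypothetical helper name, the cause table holds only the three examples quoted above, and the sample log is constructed.

```powershell
# Added example, not from the KB article.
$secLog = 'The installation account does not have permission to the security log on the target computer'
$KnownCauses = [ordered]@{
    'ConvertStringSecurityDescriptorToSecurityDescriptor failed' = $secLog
    'Could not grant read access to SecurityLog'                 = $secLog
    'Cannot open database file' =
        'The installation account does not have permission to the system TEMP folder'
}

function Get-MsiFirstFailure {
    param([Parameter(Mandatory = $true)][string]$LogPath, [int]$LinesBefore = 10)
    # Select-String is case-insensitive by default, so "Return value 3" and
    # "Return Value 3" both match; -Context keeps the lines before the hit.
    $hit = Select-String -Path $LogPath -Pattern 'Return value 3' -SimpleMatch -Context $LinesBefore, 0 |
        Select-Object -First 1
    if (-not $hit) { return $null }   # no failing action recorded in this log

    $cause = $null
    foreach ($sig in $KnownCauses.Keys) {
        if ($hit.Context.PreContext -match ([regex]::Escape($sig))) {
            $cause = $KnownCauses[$sig]
            break
        }
    }
    [pscustomobject]@{
        Log           = $hit.Path
        Line          = $hit.LineNumber
        FailedAction  = $hit.Line.Trim()
        Preceding     = $hit.Context.PreContext
        PossibleCause = $cause        # $null when the error is not one of the three above
    }
}

# Constructed sample log (not real installer output) to try the function offline.
$sample = Join-Path $env:TEMP 'MOMAgent_sample.log'
@(
    'MSI (s): Doing action: ExampleCustomAction'
    'ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057'
    'Action ended 10:00:02: ExampleCustomAction. Return value 3.'
    'Action ended 10:00:03: INSTALL. Return value 3.'
) | Set-Content -Path $sample

Get-MsiFirstFailure -LogPath $sample | Format-List
```

To triage push failures, pipe the files in the AgentLogs folder through `Get-ChildItem` and call the function on each `FullName`.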

=====

For the most current version of this article please see the following:

2566152: Troubleshooting the Installation of the System Center Operations Manager 2007 Agent

J.C. Hornbeck | System Center Knowledge Engineer
