Troubleshoot client agent installation issues of Operations Manager

What does this guide do?

Troubleshoots issues where the client agent of System Center 2012 Operations Manager (OpsMgr 2012 and OpsMgr 2012 R2) can’t be installed.

Who is it for?

Admins of System Center 2012 Operations Manager who help resolve client agent installation issues.

How does it work?

We’ll begin by asking if the necessary prerequisites for a successful installation are met. If there is no problem with meeting all the prerequisites, we’ll take you through a series of steps that are specific to your situation to resolve your issue.

Estimated time of completion:

15-30 minutes.

First Step: Verify the target computer meets the supported configuration

It is not uncommon for client installation issues to be caused by clients that do not have the necessary prerequisites. Therefore, the first step in troubleshooting any installation issue with the Operations Manager agent is to verify that the potential client computer meets the supported hardware and software configuration. The following articles list the requirements for a System Center Operations Manager 2007 (OpsMgr 2007) client and a System Center 2012 Operations Manager (OpsMgr 2012 and OpsMgr 2012 R2) client:

Operations Manager 2007 R2 Supported Configurations

Operations Manager 2012 Supported Configurations

If the target system is a Unix/Linux computer, verify that both the distribution and version are supported. Please note that support for some versions of Operations Manager 2007 requires post-R2 cumulative updates. The following articles have the supported versions of Unix/Linux:

System Center Operations Manager 2007 R2 Cross Platform Monitoring Management Packs

System Center Operations Manager 2012 Supported Unix and Linux Operating System Versions


The wizard does not display a list of potential agents to install

If the wizard does not display a list of potential agents to install, the most likely problem is that the account is having trouble accessing Active Directory. The credentials specified in the wizard during the initial discovery should have permission to search Active Directory for potential Operations Manager agents, and if this account is not able to connect to Active Directory then the Discovery Wizard will fail.

Typical errors include the following:

  • Error Code: 800706BA
    Error Description: The RPC server is unavailable.
  • Error Code: 80070079
    The MOM Server failed to perform specified operation on computer "name". The semaphore timeout period has expired.
  • Error Code: 800706433
    The Agent Management Operation Agent Install failed for remote computer "name"

Possible Resolutions:

During discovery, specify an account that has both domain administrator permissions and is a member of the Operations Manager Admins group.

Also, if the LDAP query times out or is not able to resolve the potential agents in Active Directory, discovery can be performed via the Operations Manager Command Shell. Select the "Troubleshooting Agent Deployment via the Operations Manager Command Shell" radio button for additional information.



Troubleshooting Agent Deployment via the Discovery Wizard in the Operations Manager Console

If the agent will be deployed via discovery from the Operations Manager console, be aware the agent will be installed from the management server or gateway server specified in the discovery wizard to manage the agent, not the server the operations console was connected to when it opened. Therefore, any testing should be conducted from the management server or gateway specified when the wizard is run or a different management server/gateway should be specified during the wizard to see if the same error occurs.


Please select the scenario you are encountering:

The intended target computer is not in the list of potential agents after the initial discovery runs

If the intended target computer is not in the list of potential agents after initial discovery runs, the computer may already be identified in the database as part of the management group, or the computer is listed under 'Pending Actions' in the Operations Console.

If the target computer is listed in the 'Pending Actions' node of the 'Administration' space in the Operations Console, the existing action must either be approved or rejected before a new action can be performed. If the existing install settings are sufficient, approve the pending installation from the console. If the existing settings are incorrect, reject the pending action, then run the discovery wizard again.



The discovery wizard encounters an error while trying to install the agent

The most common errors that the discovery wizard encounters when trying to install the agent are listed below:

  • Operation: Agent Install
    Error Code: 800706D9
  • Error Description: Unknown error 0xC000296E
  • Error Description: Unknown error 0xC0002976
  • Error Code: 80070643
    Error Description: Fatal error during installation.

There can be a few different causes to these kinds of errors:

  • The account previously specified to perform the agent installation in the discovery wizard does not have permissions to connect remotely to the target computer and install a Windows service. This requires local administrator permissions due to the requirement to write to the registry.
  • Group policy restrictions on the management server computer account, or the account used for agent push, are preventing successful installation. Group Policy Objects in Active Directory that prevent the Management Server computer account, or the user account used by the Discovery Wizard, from remotely accessing the Windows folder, the registry, WMI or administrative shares on the target computer can prevent successful deployment of the Operations Manager agent.
  • The Windows Firewall is blocking ports between the Management Server and the target computer.
  • Required services on the target computer are not running.

Possible Resolutions:

  • If the credentials specified in the wizard do not have local administrator permissions, add the account to the local Administrators security group on the target computer, or use an account that is already a member of that group.
  • Block group policy inheritance on the target computer, or the user account performing the installation.
  • If an agent install is failing when using a domain account to push the agent from a management server, the use of Windows administrative tools can help identify potential issues. Log onto the Management Server under the credentials in question and attempt the following tasks. If the account does not have permission to log onto the management server, the tools can be run under the credentials to be tested from a command prompt.

    "RUNAS /user:<domain\username> compmgmt.msc". From the 'Action' menu item, select 'connect to another computer'. Browse or type in the remote computer name. Try to open Event Viewer and browse any of the event logs.

    "RUNAS /user:<domain\username> services.msc". From the 'Action' menu item, select 'connect to another computer'. Browse or type in the remote computer name. Attempt to start or stop the print spooler or any other service on the target computer.

    "RUNAS /user:<domain\username> regedt32.exe". From the 'File' menu item, select 'connect network registry'. Browse or type in the remote computer name. Try to open "HKey_Local_Machine" on the remote machine.

    "RUNAS /user:<domain\username> Explorer.exe". Type the following in the address bar: \\<computername>\admin$ .

If any of these tasks fail, try using a different account known to have Domain Administrator or Local Administrator (on the target computer) permissions. Also try the same tasks from a member server or workstation to see if the tasks fail from multiple machines.

NOTE Failure to connect to the admin$ share may prevent the Management Server from copying setup files to the target. Failure to connect to the Windows Registry on the target can cause the Health Service to not be installed properly. Failure to connect to Service Control Manager will prevent setup from starting the service.

  • The following ports must be open between the Management Server and the target computer:

    RPC endpoint mapper Port number: 135 Protocol: TCP/UDP

    *RPC/DCOM High ports (2000/2003 OS) Ports 1024-5000 Protocol: TCP/UDP

    *RPC/DCOM High ports (2008 OS) Ports 49152-65535 Protocol: TCP/UDP

    NetBIOS name service Port number: 137 Protocol: TCP/UDP

    NetBIOS session service Port number: 139 Protocol: TCP/UDP

    SMB over IP Port number: 445 Protocol: TCP

    MOM Channel Port number: 5723 Protocol: TCP/UDP
  • The following services must be enabled and running on the target computer:

    Netlogon

    Remote Registry

    Windows Installer

    Automatic Updates
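
The fixed ports and required services listed above can be checked from the management server before retrying the push. This is an added example, not part of the original guide; the target name is a placeholder, the service short names are the ones behind the display names listed above, and it assumes Windows PowerShell 3.0 or later running under the account used for the push.

```powershell
# Added example, not from the original guide. Run it in Windows PowerShell on
# the management server or gateway that performs the push, under the install account.
$Target = 'agent1.contoso.com'   # placeholder: the intended agent computer

# Fixed TCP ports from the list above. The RPC/DCOM high ports are assigned per
# connection by the endpoint mapper, and 5723 is opened by the agent toward the
# management server, so neither is probed from this side.
$ports = [ordered]@{
    'RPC endpoint mapper'     = 135
    'NetBIOS session service' = 139
    'SMB over IP'             = 445
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($name in $ports.Keys) {
    [pscustomobject]@{
        Check  = "TCP $($ports[$name]) ($name)"
        Passed = Test-TcpPort -ComputerName $Target -Port $ports[$name]
    }
}

# Service short names behind the display names listed above:
# Netlogon, Remote Registry, Windows Installer, Automatic Updates.
$services = 'Netlogon', 'RemoteRegistry', 'msiserver', 'wuauserv'
$filter = ($services | ForEach-Object { "Name='$_'" }) -join ' OR '

# The WMI query itself travels over DCOM and the RPC high ports, so an error
# here while TCP 135 passed points at the high port range or at permissions.
# A StartMode of Disabled blocks the install for any of these services;
# msiserver is demand-started, so State = Stopped alone is not a failure for it.
try {
    Get-WmiObject -Class Win32_Service -ComputerName $Target -Filter $filter -ErrorAction Stop |
        Select-Object Name, DisplayName, StartMode, State
} catch {
    Write-Warning "WMI query to $Target failed: $($_.Exception.Message)"
}
```
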

The following articles provide some good background about deploying the Operations Manager agent using discovery from the Management Server:



Troubleshooting Agent Deployment via the Operations Manager Command Shell

In some situations, automatic discovery of potential agents may time out due to very large or complex Active Directory environments. Other situations may require that automatic discovery be run with an LDAP query that is more limited than what is available in the UI. In these cases, automatic discovery of computers and remote installation of the Operations Manager agent is possible via the Operations Manager command shell.

For example, the command below defines a LDAP query and passes it to New-WindowsDiscoveryConfiguration, thereby creating an LDAP based WindowsDiscoveryConfiguration:

$query = New-LdapQueryDiscoveryCriteria -LdapQuery: "(sAMAccountType=805306369)(name=srv1.contoso.com*)" -Domain:"contoso.com"
$discoConfig = New-WindowsDiscoveryConfiguration -LdapQueryDiscoveryCriteria:$query

As another example, the command below defines a name-based WindowsDiscoveryConfiguration that will discover a specific computer or computers. In our example here, it finds srv1.contoso.com and srv2.contoso.com.

$discoConfig = New-WindowsDiscoveryConfiguration -ComputerName: "srv1.contoso.com", "srv2.contoso.com"

There is also much more that you can specify when defining a WindowsDiscoveryConfiguration. The following commands direct the discovery module to use specific credentials, perform verification of each discovered Windows computer, and constrain the type of discovered object to a Windows server. The ComputerType parameter can be a workstation, a server or both. The PerformVerification switch directs discovery to verify each computer so that only available computers are returned.

# Prompt for credentials used to perform the discovery.
$creds = Get-Credential

# Define a WindowsDiscoveryConfiguration.
$discoConfig = New-WindowsDiscoveryConfiguration -ComputerName: "srv3.contoso.com", "srv4.contoso.com" -PerformVerification: $true -ActionAccount:$creds -ComputerType: "Server"

# Select the Management Server used to run the discovery.
$managementServer = Get-ManagementServer -Root: $true

# Start the discovery process.
$discoResult = Start-Discovery -ManagementServer: $managementServer -WindowsDiscoveryConfiguration: $discoConfig

# Check that the discovery process discovered the Windows computers you specified.
$discoResult.CustomMonitoringObjects

Last but not least, install agents on the discovered computers.

Install-Agent -ManagementServer: $managementServer -AgentManagedComputer: $discoResult.CustomMonitoringObjects



Troubleshooting Agent Deployment via Verbose Windows Installer Logging

If the installation of the agent on a remote computer fails during installation, a verbose Windows Installer log may be created on the management server in the following default location:

C:\Program Files\System Center Operations Manager <version>\AgentManagement\AgentLogs

where <version> is 2007 or 2012.

The log can be used to determine if there was a specific error encountered and may be useful to further troubleshoot installation of the Operations Manager agent on the target computer.

Look for the first entry with the string Return Value 3 in the log. The preceding few lines will usually indicate the error that Windows Installer encountered. The format will typically be in the form of function / description of error / error return code and can indicate permission issues, missing files, or other settings that need to be changed.

Examples:

  • Error message: ConvertStringSecurityDescriptorToSecurityDescriptor failed : 87
    Possible cause: The installation account does not have permission to the security log on the target computer.
  • Error message: ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057
    Possible cause: The installation account does not have permission to the security log on the target computer.
  • Error message: Cannot open database file. System error -2147024629
    Possible cause: The installation account does not have permission to the system TEMP folder.

There are many possible errors that can be logged here, and other individual errors that you find can be further researched on TechNet or the Microsoft Knowledge Base.
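
The log search described above (first "Return Value 3" entry plus the lines before it) can be scripted. This is an added example, not part of the original guide; the function names and the sample log lines are constructed for illustration, and only the error text is taken from the examples above.

```powershell
# Added example, not from the original guide.
function Get-FirstMsiFailure {
    param([string[]]$Line, [int]$Context = 5)
    for ($i = 0; $i -lt $Line.Count; $i++) {
        # -match is case-insensitive, so "Return Value 3" and "Return value 3" both hit.
        if ($Line[$i] -match 'Return value 3\b') {
            $preceding = @()
            if ($i -gt 0) {
                $start = [Math]::Max(0, $i - $Context)
                $preceding = $Line[$start..($i - 1)]
            }
            return [pscustomobject]@{
                LineNumber = $i + 1        # 1-based, as shown by text editors
                Failure    = $Line[$i]
                Preceding  = $preceding    # where the real error usually sits
            }
        }
    }
}

# Some errors are logged as a signed decimal HRESULT, as in
# "System error -2147024629". The hex form and the Win32 code in the low
# 16 bits (valid when the hex value starts with 0x8007) are easier to search for.
function ConvertFrom-SignedHResult {
    param([int]$Value)
    [pscustomobject]@{
        Hex       = '0x{0:X8}' -f $Value
        Win32Code = $Value -band 0xFFFF
    }
}

# Constructed sample lines (action names are made up for this example).
$sample = @(
    'MSI (s) (1C:2C) [10:14:51:203]: Doing action: ExampleActionA',
    'Action ended 10:14:51: ExampleActionA. Return value 1.',
    '',
    'MSI (s) (1C:2C) [10:14:51:219]: Doing action: ExampleActionB',
    'ModifyEventLogAccessForNetworkService(): Could not grant read access to SecurityLog: 0x00000057',
    'Action ended 10:14:52: ExampleActionB. Return value 3.',
    'Action ended 10:14:52: INSTALL. Return value 3.'
)

$hit = Get-FirstMsiFailure -Line $sample -Context 3
$hit.LineNumber
$hit.Preceding
ConvertFrom-SignedHResult -Value -2147024629

# Against a real log, with $logFile as a placeholder for a file in AgentLogs:
#   Get-FirstMsiFailure -Line (Get-Content -Path $logFile)
```
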



Troubleshooting Manual installation of the Operations Manager Agent

In cases where the Operations Manager client agent cannot be deployed to a remote computer via the Discovery Wizard, the agent will need to be installed manually. This can be performed via command line using the MomAgent.msi file. The following references describe the various switches and configuration options available to perform a manual installation:

If the agent is deployed via manual install, please be aware that future Service Pack updates or cumulative updates will need to be manually deployed as well. Computers that have been manually installed will not be designated by the System Center Configuration Management service as being remotely manageable, and the option to upgrade them will not be presented in the Operations Console.

Other key considerations to account for during the manual installation of agents include:

  • If the installation is being performed by a domain or local user, the account needs to be a member of the local Administrators security group in Vista or later operating systems. In pre-Vista operating systems, users that were members of the "Power Users" security group had the permissions required to install services.
  • If the agent is being deployed via Configuration Manager, the Configuration Manager Agent service account will either need to run as Localsystem (which is the default) or under the context of a local administrator.


Congratulations!

Your Operations Manager client installation issue is resolved.

Sorry

It appears that we are unable to resolve your issue by using this guide. For more help resolving this issue please see our TechNet support forum or contact Microsoft Support.

Error Code 800706BA - The RPC server is unavailable

In Operations Manager, the agent computer must be able to successfully reach and connect to TCP port 5723 on the Management Server. If this is failing, you will likely receive Event ID 21016 and Event ID 21006 on the client agent.

In addition to TCP port 5723, the following ports must also be enabled:

  • TCP and UDP port 389 for LDAP
  • TCP and UDP port 88 for Kerberos authentication
  • TCP and UDP port 53 for DNS

In addition to the above, we must also ensure that RPC communications complete successfully over the network. If there are problems with RPC communication it will usually manifest itself when pushing an agent from the OpsMgr management server. RPC communication problems will usually cause the client push to fail with an error similar to the following:

The Operation Manager Server failed to perform specified operation on computer agent1.contoso.com.
Operation: Agent Install
Install account: contoso\Agent_action
Error Code: 800706BA
Error Description: The RPC server is unavailable

This typically occurs when either nonstandard ephemeral ports are being used, or when the ephemeral ports are blocked at a firewall. For example, if nonstandard high range RPC ports have been configured, a network trace while pushing the agent will show a successful connection to RPC port 135 followed by a connection attempt using a nonstandard RPC port such as 15595 as shown below.

18748 MS Agent TCP TCP: Flags=CE....S., SrcPort=52457, DstPort=15595, PayloadLen=0, Seq=1704157139, Ack=0, Win=8192
18750 MS Agent TCP TCP:[SynReTransmit #18748] Flags=CE....S., SrcPort=52457, DstPort=15595, PayloadLen=0, Seq=1704157139, Ack=0,
18751 MS Agent TCP TCP:[SynReTransmit #18748] Flags=......S., SrcPort=52457, DstPort=15595, PayloadLen=0, Seq=1704157139, Ack=0, Win=8192

In this example, since the port exemption for this non-standard range was not configured on the firewall, the packets are dropped and the connection fails.

In Windows Vista and above the RPC high range ports are 49152-65535 so that’s what we want to look for. To verify whether this is your issue, run the following command to see what RPC high port range is configured:

Netsh int ipv4 show dynamicportrange tcp

As per IANA standards, it should look something like this:

Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384

If you see a different start port then the problem may be that the firewall is not configured correctly to allow traffic on those ports. You can change the configuration on the firewall or you can run the command below to set the high range ports back to their default values:

Netsh int ipv4 set dynamicport tcp start=49152 num=16384
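
The comparison between the configured RPC high port range and what the firewall permits can be scripted as follows. This is an added example, not part of the original guide; it assumes English netsh output, the function names are hypothetical, and the nonstandard sample output and the firewall range are constructed.

```powershell
# Added example, not from the original guide.
function Get-DynamicPortRange {
    param([string[]]$NetshOutput)
    $text = $NetshOutput -join "`n"
    if ($text -match 'Start Port\s*:\s*(\d+)') { $start = [int]$Matches[1] }
    else { throw 'Start Port not found in netsh output.' }
    if ($text -match 'Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] }
    else { throw 'Number of Ports not found in netsh output.' }
    [pscustomobject]@{
        Start     = $start
        End       = $start + $count - 1    # the range includes the start port
        Count     = $count
        IsDefault = ($start -eq 49152 -and $count -eq 16384)
    }
}

# True only when every port of the dynamic range is inside the range that the
# firewall between the management server and the agent lets through.
function Test-RangeCovered {
    param($Range, [int]$AllowedStart, [int]$AllowedEnd)
    ($Range.Start -ge $AllowedStart) -and ($Range.End -le $AllowedEnd)
}

# Constructed output for a host with a nonstandard range that would contain
# a destination port such as 15595 from the trace above.
$nonstandard = @(
    'Protocol tcp Dynamic Port Range',
    '---------------------------------',
    'Start Port      : 15000',
    'Number of Ports : 1000'
)

$range = Get-DynamicPortRange -NetshOutput $nonstandard
$range
# Constructed firewall exemption: only the default high range is open.
Test-RangeCovered -Range $range -AllowedStart 49152 -AllowedEnd 65535

# On a live system:
#   Get-DynamicPortRange -NetshOutput (netsh int ipv4 show dynamicportrange tcp)
```
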

Note that you can also configure the RPC dynamic port range via the registry. See the following article for more information:

154596 - How to configure RPC dynamic port allocation to work with firewalls

If everything appears to be configured correctly but you still experience the error above, it may be that one of the following conditions is true:

  1. DCOM has been restricted to a certain port. To verify, open dcomcnfg.exe and traverse to dcomcnfg -> My Computer -> Properties -> Default Protocols and ensure that there is no custom setting there.
  2. WMI is configured to use a custom endpoint. To check if you have a static endpoint configured for WMI, open dcomcnfg.exe and traverse to dcomcnfg -> My Computer -> DCOM Config -> Windows Management and Instrumentation -> Properties -> Endpoint and ensure that there is no custom setting here.
  3. The agent computer is running the Exchange 2010 CAS role. The Exchange 2010 Client Access Service changes this port range to 6005 through 65535. The range was expanded to provide sufficient scaling for large deployments. Do not change these port values without fully understanding the consequences of doing so.

More Information

For more information regarding port and firewall requirements please see the Firewalls section in the following document:

Preparing your environment for System Center 2012 R2 Operations Manager

You can also find the minimum required network connectivity speeds in the same document.

Final Notes

Troubleshooting network problems is an extremely large issue unto itself, so it’s best to consult a networking engineer if you suspect that an underlying network problem is causing your agent connectivity issues in Operations Manager. We also have some basic, generalized network troubleshooting information available from our Windows Directory Services support team available here:

Troubleshooting networks without NetMon





Article ID: 10147 - Last reviewed: February 24, 2016 - Revision: 17
