16 Replies. Latest reply on Aug 3, 2011 8:22 AM by Edwin Lindeman

    Managing Windows 2008 R2

    Vinnie Lima

      I'm running RSCD 7.6 HF 207 64 bit.


      Install worked, agent is running, had to tinker with the permissions of C:\WINDOWS\rsc folder and files.


      Seemed that even though users.local identifies the rw map to "Administrator" user, the app server still couldn't push an ACL (permission denied). I had to change the file/folder permissions of RSC dir to grant the user which performed the install full rights. Strange.


      Now, I am getting lots of permission denied when running jobs that worked fine on Windows 2003.


      Has anyone documented any standard configuration one must make to get RSCD working with 2008 R2 and all of its great privilege model, that would differ from W2003?




        • 1. Re: Managing Windows 2008 R2

          Did 7.6 even officially support R2?

          • 2. Re: Managing Windows 2008 R2
            Bill Robinson

            Permission denied from the OS? Could it be UAC?

            • 3. Re: Managing Windows 2008 R2

              I was able to successfully run patch analysis on windows 2008 R2 server. I'm not sure if it's officially supported yet though, at least not sure about 7.6. I know that 8.0 supports it.


              When you run into permission denied issues, does it log anything in the rscd.log file on the 2008 r2 server? If so, what do you see?

              • 4. Re: Managing Windows 2008 R2

                I have word from one customer that 2008R2 doesn't work in 7.6.0, even with the latest hotfixes (r207). The 7.6.0 Installation Guide doesn't list 2008R2. If any of you have this working, please let the Community know.


                -can't even get a license for testing it, Dante

                • 5. Re: Managing Windows 2008 R2
                  Bill Robinson

                  Can you provide logs, error messages, etc.? Saying "it doesn't work" doesn't help identify any issues. We have customers using R2 successfully.

                  • 6. Re: Managing Windows 2008 R2

                    This is part of the problem.

                    I have a PS in one ticket with a customer that cannot get Patch Analysis jobs to work on 2008R2 targets. The error is:

                    “The version of Shavlik SDK on target is not supported by appserver. Patch Analysis will not continue.”

                    Meanwhile the same PS found a posting here in the Communities that another PS was able to get things to work using r189. I cannot find this post.

                    I'm working another angle about this now: I'm going to up the errors to debug and see the agent log responses. This will get me closer to a result. This is of course what you just said. However I've been tied up on a desire to reproduce the error and I needed to get beyond that.

                    • 7. Re: Managing Windows 2008 R2
                      Vinnie Lima

                      Bill - I'll get the logs/details posted here tomorrow (snowed in today) but as you mentioned, this has been done before, so can we follow down that thread?


                      Before I go chase a rabbit (or rat) into a hole, can anyone provide best practice bullet points on getting this working? For example, someone else posted what needed to be done to the C:\windows\rsc directory and permissions and that was a show stopper for many people. I am sure there are many little things like these.


                      Instead of making everyone drag along on this issue - can someone from BMC post a formal how-to on this? Windows 2008R2 is here and we have a big push from our client to move to it. We are not migrating to 8.0 yet for many reasons outside of this topic, and I am not sure that will get us over the significant differences in W2008R2 (e.g. permissions/UAC); meaning, we'll still need a best practice for managing W2K8R2.





                      • 8. Re: Managing Windows 2008 R2

                        This is working at my customer, a large Federal entity.

                        • 9. Re: Managing Windows 2008 R2
                          Bill Robinson

                          There's really nothing special - the rsc files should have something like:



                          * rw



                          <whatever acls are appropriate, auto generated>



                          BLAdmins:BLAdmin rw,map=<Administrator>


                          I'd look at figuring out what's wrong via the logs and such because an out-of-box install should run w/o any special changes.


                          It also sounds like there are a few different issues here - some issues w/ patching and then some issues w/ basic agent functionality.  I don't think we can lump them all together.


                          Obviously, you should have support tickets open for these...

                          • 10. Re: Managing Windows 2008 R2

                            In the case of my customer, they had the Shavlik issues at first. We had them look closer at their rsc files and they fixed an issue they had, and then everything was working normally. I will enquire with them to see if they would be willing to share the particulars with me.

                            • 11. Re: Managing Windows 2008 R2

                              Adam, it's Dante from Support (I guess using a nickname here is impractical).


                              If you find out the details from your side, this would help me immensely. Then I could write up an article for the Knowledge Base and link to it once it becomes public.


                              To Bill: I'm already working on a best practices doc once I can get this to work. There is a support ticket open already.

                              • 12. Re: Managing Windows 2008 R2

                                Something to add to this best practice is to make sure the Win 2008 R2 Firewall is disabled or has an "allow" inbound rule for port 4750. We ran into this at my current client.


                                As far as having clients with success stories with R2 Patching, I'm checking with the client I had this working with to make sure it still works. We were able to compare the patching results from the MS Baseline vs BL Shavlik, and they looked the same. Then we even pushed out the patches and re-ran the analysis to find 0 patches missing.


                                There might be a GPO setting or in my case, the firewall issue, that might be causing the permission issue that you are seeing. Also, see if Shavlik was previously installed on that R2 server. We've had clients that have had it installed on the agent, which causes the product to not function properly. There have been instances where the agent port is being used by some other app, so watch out for that as well.

                                • 13. Re: Managing Windows 2008 R2
                                  Vinnie Lima

                                  OK Update:


                                  Looked at the RSCD agent log and found the following:

                                  592e529e377d4140b434 0000000001 02/09/10 08:15:20.636 INFO     rscd -  EMOA-NBP-UEA03 1768 SYSTEM (???): ???: The following local user will be used by the agent for user privilege mapping: BladeLogicRSCD
                                  52d02d7e205a26266a9f 0000000002 02/09/10 08:15:20.823 INFO     rscd -  EMOA-NBP-UEA03 1768 SYSTEM (???): ???: Adding account right "SeBatchLogonRight" to user BladeLogicRSCD@EMOA-NBP-UEA03 for user privilege mapping
                                  414aabda6f075e1c576a 0000000003 02/09/10 08:15:20.886 INFO     rscd -  EMOA-NBP-UEA03 1768 SYSTEM (???): ???: Adding account right "SeDenyInteractiveLogonRight" to user BladeLogicRSCD@EMOA-NBP-UEA03 for user privilege mapping


                                  My question:  Do I need to let my Active Directory folks know to allow the following permissions to be assigned to the local user? Otherwise, GPO will come around and wipe it out potentially:




                                  I also found the following error in the RSCD agent log:


                                  e26f7abb4d55fcb5d267 0000000004 02/09/10 09:37:46.890 ERROR    rscd -  EMOA-NBP-UEA03 2932 SYSTEM (???): ???: User Impersonation Failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: EMOA-NBP-UEA03\guardian
                                  4ef07d9e04f9fe24d1bb 0000000005 02/09/10 09:37:46.906 WARN     rscd - 2932 SYSTEM (BLAdmins:BLAdmin): CM: Impersonation failed

                                  This was my issue in the beginning - another job we run, which is an auto-remediating compliance job, expected all mappings to be to user "guardian". Well, it just happens these 2008R2 systems did not have such a local admin user created. Changing the users.local to map to "Administrator" fixed the problem:

                                  <IPADDRESS> 1944 BladeLogicRSCD@EMOA-NBP-UEA03->Administrator@EMOA-NBP-UEA03:PrivilegeMapped (BLAdmins:BLAdmin): CM: > [Client] Pushing of AgentACL to emoa-nbp-uea03 succeeded

                                  • 14. Re: Managing Windows 2008 R2
                                    Bill Robinson

                                    Yes, you need to mod your GPO for the user rights the local BladeLogicRSCD account needs, as on startup it's only setting them on the machine local security policy.


                                    For the 2nd error, it looks like you are trying to map to a domain account. That's not supported in 7.6. You need to map to a local account.
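
Added example, not part of the thread or of BMC's tooling: a small Python parser for the rscd.log lines quoted in post 13. It lists the account rights the agent sets at startup (the ones the GPO must also grant, per post 14) and any mapped account that failed to resolve. The line layout is inferred from the quoted lines, and the function name `review_rscd_log` is hypothetical.

```python
import re

# Agent log lines copied verbatim from post 13 of this thread.
SAMPLE_LOG = r"""
52d02d7e205a26266a9f 0000000002 02/09/10 08:15:20.823 INFO     rscd -  EMOA-NBP-UEA03 1768 SYSTEM (???): ???: Adding account right "SeBatchLogonRight" to user BladeLogicRSCD@EMOA-NBP-UEA03 for user privilege mapping
414aabda6f075e1c576a 0000000003 02/09/10 08:15:20.886 INFO     rscd -  EMOA-NBP-UEA03 1768 SYSTEM (???): ???: Adding account right "SeDenyInteractiveLogonRight" to user BladeLogicRSCD@EMOA-NBP-UEA03 for user privilege mapping
e26f7abb4d55fcb5d267 0000000004 02/09/10 09:37:46.890 ERROR    rscd -  EMOA-NBP-UEA03 2932 SYSTEM (???): ???: User Impersonation Failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: EMOA-NBP-UEA03\guardian
4ef07d9e04f9fe24d1bb 0000000005 02/09/10 09:37:46.906 WARN     rscd - 2932 SYSTEM (BLAdmins:BLAdmin): CM: Impersonation failed
"""

# Layout inferred from those lines (assumption); the host field is absent on some lines.
LINE = re.compile(r'^\S+ \d+ (?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+rscd -\s+'
                  r'(?:(?P<host>\S+) )?(?P<pid>\d+) (?P<msg>.*)$')
RIGHT = re.compile(r'Adding account right "(?P<right>\w+)" to user (?P<user>[^@\s]+)@')
FAIL = re.compile(r'User Impersonation Failed ; .*?Error Message: (?P<why>.*?) ; '
                  r'Auxiliary Error Message: Account: (?P<acct>\S+)')

def review_rscd_log(text):
    """Return (rights, failures) found in RSCD agent log text."""
    rights, failures = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an agent log line in the layout above
        msg, host = m['msg'], m['host']
        r = RIGHT.search(msg)
        if r:
            # Rights the agent set in local security policy at startup;
            # the GPO has to grant the same ones or it may remove them.
            rights.setdefault(r['user'], []).append(r['right'])
        f = FAIL.search(msg)
        if f:
            qualifier, _, name = f['acct'].rpartition('\\')
            failures.append({
                'time': m['ts'], 'account': name, 'qualifier': qualifier,
                # True when the name is qualified with the agent's own host name
                'qualified_by_agent_host': bool(host) and qualifier.upper() == host.upper(),
                'reason': f['why'],
            })
    return rights, failures

if __name__ == '__main__':
    rights, failures = review_rscd_log(SAMPLE_LOG)
    for user, names in rights.items():
        print(f'{user}: rights to keep in GPO: {", ".join(names)}')
    for f in failures:
        print(f'{f["time"]} unresolved mapped account {f["qualifier"]}\\{f["account"]}: {f["reason"]}')
```
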
