Did 7.6 even officially support R2?
Permission denied from the OS ? could it be UAC?
I was able to successfully run patch analysis on windows 2008 R2 server. I'm not sure if it's officially supported yet though, at least not sure about 7.6. I know that 8.0 supports it.
When you run into permission denied issues, does it log anything in the rscd.log file on the 2008 r2 server? If so, what do you see?
I have word from one customer that 2008R2 doesn't work in 7.6.0, even with the latest hotfixes (r207). The 7.6.0 Installation Guide doesn't list 2008R2. If any of you have this working, please let the Community know.
-can't even get a license for testing it, Dante
Can you provide logs, error messages, etc? saying "it doesn't work" doesn't help identify any issues. we have customers using r2 successfully.
This is part of the problem.
I have a PS in one ticket with a customer that cannot get Patch Analysis jobs to work on 2008R2 targets. The error is:
“The version of Shavlik SDK on target is not supported by appserver. Patch Analysis will not continue.”
Meanwhile the same PS found a posting here in the Communities that another PS was able to get things to work using r189. I cannot find this post.
I'm working another angle about this now: I'm going to up the errors to debug and see the agent log responses. This will get me closer to a result. This is of course what you just said. However I've been tied up on a desire to reproduce the error and I needed to get beyond that.
Bill - I'll get the logs/details posted here tomorrow (snowed in today) but as you mentioned, this has been done before, so can we follow down that thread?
Before I go chase a rabbit (or rat) into a hole, can anyone provide a best practice bullet points on getting this working? For example, someone else posted what needed to be done to the C:\windows\rsc directory and permissions and that was a show stopper for many people. I am sure there are many little things like these.
Instead of making everyone drag along on this issue - can someone from BMC post a formal how-to on this? Windows 2008R2 is here and we have big push from our client to move to it. We are not migrating to 8.0 yet for many reasons outside of this topic, and I am not sure that will get us over the significant differences in W2008R2 (e.g. permissions/UAC); Meaning, we'll still need a best practice for managing W2K8R2.
This is working at my customer, a large Federal entity.
There's really nothing special - the rsc files should have something like:
<whatever acls are appropriate, auto generated>
I'd look at figuring out what's wrong via the logs and such because an out-of-box install should run w/o any special changes.
It also sounds like there are a few different issues here - some issues w/ patching and then some issues w/ basic agent functionality. I don't think we can lump them all together.
Obviously, you should have support tickets open for these...
In the case of my customer, they had the Shavlik issues at first. We had them look closer at their rsc files and they fixed an issue they had, and then everything was working normally. I will enquire with them to see if they would be willing to share the particulars with me.
Adam, it's Dante from Support (I guess using a nickname here is impractical).
If you find out the details from your side, this would help me immensely. Then I could write up an article for the Knowledge Base and link to it once it becomes public.
To Bill: I'm already working on a best practices doc once I can get this to work. There is a support ticket open already.
Something to add to this best practice is to make sure the Win 2008 R2 Firewall should be disabled or have an "allow" inbound rule for port 4750. We ran into this at my current client.
As far as having client with success stories with R2 Patching, I'm checking with the client I had this working with to make sure it still works. We were able to compare the patching results from the MS Baseline vs BL Shavlik, and they looked the same. Then we even pushed out the patches and re-ran the analysis to find 0 patches missing.
There might be a GPO setting or in my case, the firewall issue, that might be causing the permission issue that you are seeing. Also, see if Shavlik was previously installed on that R2 server. We've had clients that have had it installed on the agent, which causes the product to not function properly. There have been instances where the agent port is being used by some other app, so watch out for that as well.
Looked at the RSCD agent log and found the following:
592e529e377d4140b434 0000000001 02/09/10 08:15:20.636 INFO rscd - EMOA-NBP-UEA03 1768 SYSTEM (???): ???: The following local user will be used by the agent for user privilege mapping: BladeLogicRSCD
52d02d7e205a26266a9f 0000000002 02/09/10 08:15:20.823 INFO rscd - EMOA-NBP-UEA03 1768 SYSTEM (???): ???: Adding account right "SeBatchLogonRight" to user BladeLogicRSCD@EMOA-NBP-UEA03 for user privilege mapping
414aabda6f075e1c576a 0000000003 02/09/10 08:15:20.886 INFO rscd - EMOA-NBP-UEA03 1768 SYSTEM (???): ???: Adding account right "SeDenyInteractiveLogonRight" to user BladeLogicRSCD@EMOA-NBP-UEA03 for user privilege mapping
My question: Do I need to let my Active Directory folks know to allow the following permissions to be assigned to the local user? Otherwise, GPO will come around and wipe it out potentially:
I also found the following error in the RSCD agent log:
e26f7abb4d55fcb5d267 0000000004 02/09/10 09:37:46.890 ERROR rscd - EMOA-NBP-UEA03 2932 SYSTEM (???): ???: User Impersonation Failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: EMOA-NBP-UEA03\guardian
4ef07d9e04f9fe24d1bb 0000000005 02/09/10 09:37:46.906 WARN rscd - 22.214.171.124 2932 SYSTEM (BLAdmins:BLAdmin): CM: Impersonation failed
This was my issue in the beginning - another job we run which is an auto-remediating compliance job expected all mappings to be to user "guardian". Well just happens these 2008R2 systems did not have such local admin user created. Changing the users.local to map to "Administrator" fixed the problem:
<IPADDRESS> 1944 BladeLogicRSCD@EMOA-NBP-UEA03->Administrator@EMOA-NBP-UEA03:PrivilegeMapped (BLAdmins:BLAdmin): CM: > [Client] Pushing of AgentACL to emoa-nbp-uea03 succeeded
Yes, you need to mod your GPO for the user rights the local BladeLogicRSCD account needs, as on startup it's only setting them on the machine local security policy.
For the 2nd error, it looks like you are trying to map to a domain account. That's not supported in 7.6. you need to map to a local account.