Client service terminates with Access is denied
I have Windows 7 x64 bit system that I have tried to push the client to. The install appears to work. I have both a System Center Essentails Configuration Helper and a System Center Operatoins Manager 2007 R2 agent installed on the system. The System Center Management service will not run. It places the following message in the event log and terminates immediately. The System Center Management service terminated with service-specific error Access is denied.. I have rebooted the system between install attempts. It is in the correct group and it is contacting the SCE WSUS server correctly. I have not been able to find a log from the client service. My other systems are comming online correctly, but this is my only x64 bit Windows 7 system. My 2008 R2 servers are working correctly and my Windows 7 x86 systems are working. This is about a 36 hour old install of SCE Essentials 2010 (7.0.2432.1) on a newly installed Windows Server 2008 R2 both completely patched. Domain GPO deployment. Thanks Roy
December 21st, 2010 4:48pm
Hi, Thank you for posting here. Based on my research, I would like to suggest the following: 1. If you have anti-virus program on this client, please check its settings and exclude the folder “C:\Program Files\System Center Essentials” in its scan list. 2. Check the permissions of the file “HealthService.exe” and the folder “Health Service State” which are located in “C:\Program Files\System Center Essentials” 3. Clear the HealthService queue and config on the problematic agent: 1) Stop System Center Management service. 2) Go to C:\Program Files\System Center Essentials\, and rename the “Health Service State” folder. 3) Restart System Center Management service. Hope this helps. Thanks. Nicholas Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact email@example.com.Nicholas Li - MSFT Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 22nd, 2010 9:12am
Completely disabled the anti-virus program (which is running on all the other systems) and it did not help. Renamed the directory as requested. (My path is c:\Program Files\System Center Operations Manager 2007 NOT as you said) Started the service. It failed as before. It created the following sub-directories in the new Health Service State folder Completed File Uploads - empty Connecter Configuration Cache - has on empty folder in the form of managmentsystem_MG Downloaded Files - empty Downloading Files - empty Health Service Store - contains edb.chk, edb.log edbres00001.jrs, edbres00002.jrs and HealthServiceStore.edb Management Packs - empty Upload Files - Empty Thanks Roy
December 22nd, 2010 2:56pm
i've seen this a few times where the management service won't start and it's been due to the fact that service information is missing from the registry. on the machine having the problem go into the registry and look at HKLM\System\CurrentControlSet\Services\HeathService and compare this key and ALL subkeys to a pc that's working properly. Typically what I've found is the enum key is missing on xp clients, or there is something missing under the Parameters key. Export from a working machine to the one not working. Service should start now.Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
December 22nd, 2010 6:32pm
Tim, thanks but that did not fix the problem either. I did find a missing key (SSIDs - empty on the working system) and the default value for another key was wrong type and value, but importing from a working system did not resolve the problem. I also looked at HKLM/Software/Microsoft/System Center Essentials and discovered many setting missing under PolicySettings. I figgured that they were not there because the service had never run, but imported them anyway and again, no luck. The service still receives the Access is Denied status. Thanks Roy
December 23rd, 2010 9:59pm
what account is being used to start the service on your clients?Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
December 23rd, 2010 10:28pm
Local SystemThanks Roy
December 23rd, 2010 10:30pm
do you see anything in the system log regarding failed services?Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
December 23rd, 2010 10:34pm
Nothing other than the standard serverice terminated with nonstandard error... Access is deniedThanks Roy
December 23rd, 2010 10:35pm
in the details it doesn't give like a -214xxxxxxxx error?Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
December 23rd, 2010 10:55pm
No, 5 (access is denied) Parameter 1 - System Cente rManagement Parameter 2 - %%5Thanks Roy
December 23rd, 2010 10:58pm
Hi, Thank you for your updates. Please also try the methods in the following posts: Operations Manager 2007 Health Service Terminated [error 2147500037 (0x80004005)] http://blogs.technet.com/b/vikasma/archive/2008/08/26/operations-manager-2007-health-service-terminated-error-2147500037-0x80004005.aspx OpsMgr 2007: HealthService Service Fails to Start with 25362 Warning http://blogs.technet.com/b/smsandmom/archive/2008/04/30/opsmgr-2007-healthservice-service-fails-to-start-with-25362-warning.aspx If the issue persists, please also try removing the agent and pushing the agent to this client again. Hope this helps. Thanks. Nicholas Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact firstname.lastname@example.org. Nicholas Li - MSFT Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 27th, 2010 6:48am
Neither of these two articles helped, but they did lead me to a KB article that explained a little. Bottom line. On Vista and 7, the logs are visible via Event Viewer and with 2010, they are always enabled but not at the verbose level. Anyway, I have already removed and repushed the agent twice. I have imported registry settings. Looking at the Operations Manager event log Event Viewer between a system that works and one that does not. Both state that "Active Directory Integration has been deisable ...." (event 20063) Working system logs an event 21022. No certificate was specified..... Broken systeem logs an even 21021. No certificate could be loaded or created. This Health Service will not be able to communicate with other health services. Look for previous events in the event log for more detail. First, I don't know why Active Directory Integration is disabled. I am fairly sure that I enabled it on the server. Second, as I undertand the certficate is only needed if server/client are not in a trusted domain relationship. Both systems are members of the same domain. The TracingGuidsNative.log is the only file with info in it after the verbose logging and conversion. It has MANY errors about missing registry info, but what it is looking for is not present on other systems either (assuming I am looking in the right key - it only lists the value being looked up). It also shows the certificate issue. Excerpt of the log below.    [12/27/2010-08:01:07.488] [Common]  [Verbose]  [Common::EventLogUtil::LogEvent] [EventLogUtil_cpp321]Logging informational event 20063 with args "THEMIS_MG", "NULL","NULL", "NULL", "NULL", "NULL", "NULL", "NULL", "NULL"    [12/27/2010-08:01:07.488] [Common]  [Information]  [Common::EventLogUtil::LogEvent] [EventLogUtil_cpp397]Logging event 20063 from source "OpsMgr Connector" with severity Information and description "Active Directory Integration has been disabled for management group THEMIS_MG.".    [12/27/2010-08:01:07.489] [MOMConnector]  [Information]  [CHSAvailabilityManager::Initialize] [HSAvailabilityNotifier_cpp510]Initialize availability notification manager    [12/27/2010-08:01:07.489] [MOMChannel]  [Verbose]  [MOMChannel::TestAsyncChannelEngine::TestAsyncChannelEngine] [AsyncChannelEngine_cpp64](00000000004AD510)->AsyncChannelEngine::AsyncChannelEngine( 00000000004C1740 )    [12/27/2010-08:01:07.490] [MOMConnector]  [Verbose]  [CConnectorSolutionSharedState::CConnectorSolutionSharedState] [ConnectorSolutionSharedState_cpp635]CConnectorSolutionSharedState::CConnectorSolutionSharedState 00000000004C3990    [12/27/2010-08:01:07.509] [MOMChannel]  [Error]  [MOMChannel::createTemporaryCertificate] [SChannelUtil_cpp631]Unable to create self-signed certificate, error = 5(ERROR_ACCESS_DENIED)    [12/27/2010-08:01:07.509] [MOMChannel]  [Warning]  [MOMChannel::SChannelUtil::GetCertificateType] [SChannelUtil_cpp2184]Unable to retrieve certificate for this machine, certificate may not be loaded    [12/27/2010-08:01:07.510] [Common]  [Verbose]  [Common::EventLogUtil::LogEvent] [EventLogUtil_cpp311]Logging error event 21021 with args "NULL", "NULL","NULL", "NULL", "NULL", "NULL", "NULL", "NULL", "NULL"    [12/27/2010-08:01:07.510] [HealthServiceRuntime]  [Verbose]  [CThreadPool::_WorkerThread] [ThreadPool_cpp1387]Got completion for overlapped 0000000000000000    [12/27/2010-08:01:07.510] [Common]  [Information]  [Common::EventLogUtil::LogEvent] [EventLogUtil_cpp397]Logging event 21021 from source "OpsMgr Connector" with severity Error and description "No certificate could be loaded or created. This Health Service will not be able to communicate with other health services. Look for previous events in the event log for more detail.".    [12/27/2010-08:01:07.511] [HealthServiceRuntime]  [Verbose]  [CThreadPool::_WorkerThread] [ThreadPool_cpp1387]Got completion for overlapped 0000000000000000    [12/27/2010-08:01:07.511] [Common]  [Verbose]  [CBaseFileStream::InitializeAsReader] [BaseFileStream_cpp139]CreateFile for file 'C:\Program Files\System Center Operations Manager 2007\Health Service State\Connector Configuration Cache\THEMIS_MG\OpsMgrConnector.Config.xml' failed with code 2(ERROR_FILE_NOT_FOUND).    [12/27/2010-08:01:07.511] [Common]  [Verbose]  [CFileStreamReader::_Create] [FileStreamReader_cpp247]InitializeAsReader failed with code 2(ERROR_FILE_NOT_FOUND). Thanks Roy
December 27th, 2010 4:32pm
1) - Removed/Added to domain - no visible effect 2) - Protected Storage is running 3) - I have pushed to several Windows 7 (x86) systems. This is the only x64 in this domain. (I have other domains - physically seperate sites - with Windows 7 x64 systems that worked.) 4) - Do not really know what I was to try from the blog. 5) - If you think ti belongs in SCOM,go for it. (Just tell me how to find it once it moves.) I am not sure that I understand the distinctions in the pieces or the naming of the pieces. (Way too confusing.) From a customer prespective, if it comes with System Center Essentials, it is System Center Essentials - especially given that the name of the service that is failing to run is "System Center Management" not System Center Operations Management. 6) - Also please note that most of the blogs etc you have refered me to are for version 2007 and the directories and registry keys have changed etc. Even the KB articles that "have been updated" do not have the correct info for running on a Vista of Windows 7 system. (Log file paths in particular are wrong in the KB article.)Thanks Roy
December 28th, 2010 9:10am
Hi, Thank you for your update. Please try the following: 1. Leaving the client from the domain and join it to the domain again to see if it works. 2. Check Protected Storage Service, ensure it is running. Meanwhile, please also try the methods in the following posts: Fixing troubled agents http://blogs.technet.com/b/kevinholman/archive/2009/10/01/fixing-troubled-agents.aspx In addition, please check if other clients work fine. If possible, please also add another Windows 7 computer to this domain, push the agent to it and see if this issue occurs. Thanks. PS: I just noticed this should be a SCOM related issue. To avoid possible confusion and make the discussion clear, I think it is better to move it to SCOM forum. Please let me know if we can do this. Nicholas Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact email@example.com. Nicholas Li - MSFT Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 28th, 2010 12:04pm
Hi, As we know, System Center Operations Manager and System Center Essentials are different products. I just noticed “I have both a System Center Essentials Configuration Helper and a System Center Operations Manager 2007 R2 agent installed on the system.” in your post. It is System Center Operations Manager 2007 R2 agent and you said its installation path is “c:\Program Files\System Center Operations Manager 2007”. At this time, may I know if you have both SCE and SCOM in your environment and this client is managed by SCOM? Regarding the System Center Management service, please ensure its dependencies are running. Then, please also try the following to add localservice and networkservice to the administrator group: Open a privileged command prompt, type the following commands: net localgroup administrators localservice /add net localgroup administrators networkservice /add Hope this helps. Thanks. Nicholas Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact firstname.lastname@example.org.Nicholas Li - MSFT Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 29th, 2010 4:47am
Well, you may know that the two are different products, but you could not prove that to me at this point. I have NEVER even THOUGHT about installing and using SCOM. The only reason I even have SCE is because of the Hypver-V management. I found that the old 2007 VMManager would not correctly migrate a system to a 2008 R2 Hypver-V system. I have installed SCE 2010 in two different domains that are not releated in any way and the installation paths and product names etc are the same between them. Best I can tell, SCE 2010 is some sort of wrapper around SCOM just like Forefront Client Security was a wrapper around MOM 2005. I understand why things are that way, but it turns out to be very messy for the customer. So to answer your question is, "this client managed by SCOM?". My answer is two fold. 1) Currently it is not managed by anything. 2) I did NOT install SCOM. As I said in my prevous posts, this is a confusing mess of product names vs. product installation paths and registry keys. Not everything gets renamed when the product gets renamed. When you say "dependencies are running". If you mean the services, then yes both are running. As far as add localservice and networkservice to the adminstrators group is concerned. That are NOT members on other working systems (Vista or 7) and doing that add sounds like a really bad idea.Thanks Roy
December 29th, 2010 7:54am
use process explorer and figure out where it gets an access denied?Rob Korving http://jama00.wordpress.com/
December 29th, 2010 10:04am
I must admit I am at loss as to how to use Process Explorer to catch the 05 status. Please enlighten me.Thanks Roy
December 29th, 2010 11:48am
Hi Roy, First off, I'd like to agree with you that having both products with similar installation/registry paths can be quite annoying, I've had similar issues with other products. However thankfully in this situation, as far as I'm aware, SCE & SCOM are fairly similar in how certain functions operate at the agent level. The service name for a SCOM R2 Agent is 'System Center Management', which appears to match the service name for a SCE 2010 Agent going by the information you provided. Even though this might confuse things, it almost appears they are one in the same, or at a minimum they are fairly similar. This is a benefit in a way, as it means anyone with no SCE experience but with SCOM experience (like me) can assist you with this issue. Now to the problem. I agree that adding the LocalService and NetworkService accounts to the Local Administrators group on the client is not a good idea longer term, but as a quick test it would be invaluable. If these accounts could be added briefly, the client rebooted and test to see if the service will start successfully, then this is all that's needed and the accounts can be removed. This would help pinpoint if the issue lies with security permissions for the account(s) that are being used by the SCE agent service, or some other type of issue. Also since you have mentioned this is the only x64 system in this domain, can you advise if there are any different security configuration/GPO settings for x64 servers in this domain in comparison to the other domain? Cheers, Brian
December 29th, 2010 3:57pm
Adding the accounts and restarting had no observable effect. Just to clairfy, this is the only x64 bit Windows 7. I have several Windows Server 2008 R2 (which of course are x64) and a couple of Windows Server 2008 also running x64. These systems had no issues. I do have other Win 7 systems but they are all x86. No, I do not have any different security setup between x86 and x64 systems. I agree that there can be some benifit of things working almost the same, but the downside is that people that are susposed to be experts become confused over which product you have. I believe that the 05 status has to do with trying to create a local certificate, but I am at loss as to why it is trying to do so. The other systems do not appear to do so, they just continue without one (I think). Also I am confused as to why the logs indicate that it is NOT a domain GPO installation. That is just not true (as far as I know). All the working systems that I looked at indicate the same situation, only they either sucessfull creating the certificate or they decided they did not need one.Thanks Roy
December 29th, 2010 4:13pm