ACS Upgrade 4.1

Similar Messages

• ACS Upgrade in live network ok?

  I am about to upgrade our CiscoSecure  ACS from 4.1 to 4.2.  If I do so on a live network, can that affect anything within my network?
  I would hate to bring down an entire network and upset about 3000 users.
  Thanks in advance!

  That will prevent that particular ACS to authenticate new users for the time of the upgrade ...
  Existing users won't be kicked out unless you configured a very frequent reauthentication timer.
  If you have more than one ACS then the other should be there to take the job

• ACS upgrade on windows

  Hi,
  I have ACS 4.1 installed on my windows servers, i want upgrade it to ACS 4.2.0.124
  Can i download the this version from cisco and upgrade?
  i would like to know the procedure to upgrade
  Please help
  Thanks
  Ravi

  Create a TAC case and request Special File Access. If you are entitled they will post the files and send you an email with the URL where you can download the new software. Then simply follow the documented upgrade instructions.

• ACS upgrade from 4.2.1.15 to ACS5.6

  HI 
  We have bought new ACS5.6 SNS3415 Boxes , earlier we have ACS4.2.1.15   , now we want to migrate the data from old ACS to new ACS.
  We have downloaded the ACS and trying to install 4.2.1.15 but getting the error
  " ACS4.2.115 can only be installed on top of base version"
  So we have installed the eval-ACS-4.2.0.124-SW  successfully. And now we are trying to install the 4.2.1.15 but we are getting eth below error
  " 4.2.1.5 can not be installed on EVAL version"
  How can we resolve this so that we can migrate the data to ACS5.6 via migration utility.

  Refer the link : https://supportforums.cisco.com/discussion/11513026/migrating-acs-420-421
  you can directly upgrade from 4.2.0.124 to 5.6 : http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#98379

• ACS upgrade from 4.0.x to 4.1.x "Appliance upgrade in progress"

  Hello friends,
  We are in the process of upgrading ACS 4.0 to 4.1 in a SE appliance 1113.
  We followed very carefuly the steps, and upgraded de Appliance management ACS 4.1. The second upgrade (Software for appliance 4.1) keeps showing "Appliance upgrade in progress..." (near 2 hours by now). I know that it can stick even finishing, but it seems it has not finished because we can not log in with the GUI Administrator account like we did when upgrading the management software (previous step).
  Is this normal? what can be missing?, I attach the console text output below (IP adds obscured).
  Note the management upgrade went fine.
  Thanks.
  Cisco Secure ACS: 4.1.1.23
  ACS 4.0.1.49-CSAdmin-CSCsd96293_CSCse26719 Fix: (Patch: 4.0.1.49 Tue 01/09/2007
  7:50:00.17)
  Appliance Management Software: 4.1.1.23
  Appliance Base Image: 4.0.1.2
  CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
  Appliance upgrade in progress...
  Session Timeout: 10
  Last Reboot Time: Fri Jun 06 11:46:40 2008
  Current Date & Time: 6/6/2008 13:17:40
  Time Zone: (GMT-05:00) Bogota, Lima, Quito
  NTP Server(s): 131.107.1.10
  CPU Load Free Disk Free Physical Memory
  0.00% 16.9 GB 765 MB
  Appliance IP Configuration
  DHCP Enabled. . . . . . . . . . .: No
  IP Address. . . . . . . . . . . .: 172.16.x.y
  Subnet Mask . . . . . . . . . . .: 255.255.255.0
  Default Gateway . . . . . . . . .: 172.6.x2.y2
  DNS Servers . . . . . . . . . . .: 172.16.x3.y3
  CSAdmin running
  CSAuth running
  CSDbSync running
  CSLog running
  CSMon running
  CSRadius running
  CSTacacs running
  CSAgent stopped
  Appliance upgrade in progress...

  Thanks Jagdeep, but the upgrade has not finished.
  The documentation mentions (please read it carefully):
  "IF YOU COMPLETE THE UPGRADE and the ACS console displays the message Appliance upgrade in progress, this indicates that the upgrade PROGRESS is hanging.
  If this condition occurs, start an ACS console session and enter the command download [hostAddress], where hostAddress can be any IP address. This action releases the ACS console from the upgrade process."
  What worries me is that it has not finished.
  As I said in my post, we can not log in :( (the GUI gets blocked during the upgrade).
  I appreciate the help. Many Thanks.

• ACS Upgrade query

  Hi
    I have upgraded ACS solution engine from 4.2.0 to 4.2.1 successfully.I have upgraded ACS software and appliance mangement software.Should i upgrade base image also?.I didnt find base image in the cisco download session of ACS
  Thanks in advance
  Anvar

  Hi Anvar,
  You dont need to upgrade the base image as the most current i guess is 4.2.0
  Thanks
  Waris Hussain.

• CSM and ACS upgrade

  1.       Cisco ACS /Solution Engine I think, the dedicated appliance, unknown version)
  2.       Cisco Security Manager 3.1
  Are upgrades possible, or purchase of lastest version of the product is the only way out?
  What do we need for upgrading?
  Are there specific codes or new need to buy new products?
  In case of buying new products, which are the configurations?
  Your response will be appreciated.

  The ACS appliance has been released with at least three different major releases - 3.x, 4.x, and 5.x. If you have ACS 4.2 on an 1120 appliance, you can upgrade to the latest (5.3) on the same hardware. Anything else will require a new appliance (or use a VM solution).
  Please refer to the ordering guide and the migration guide for this information.
  For CSM, to upgrade you would need to go to 3.3. first and then to the current (4.2) CSM release. The necessary licenses are described in this product bulletin.
  It would probably be easier and cleaner to just build a new installation in both cases. Both products' architecture and db schema have changed significantly. The upgrade SKUs will probably save you some in licensing costs although both products have undergone changes in how they are licensed.
  Note that CSM will be coming out with a new version 4.3 later this spring.

• Cisco ACS upgrade

  Hello,
  is it possible to upgrade from ACS v.3.3 directly to 5.2 ? Or do I need version 4.X in between?
  Thanks for your help.

  You can't upgrade ACS 3.3 directly to ACS 5.2.
  ACS 5.x is completely different to ACS 3.x and 4.x.
  There is specific hardware that you need to run ACS version 5.x, and here is the list:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp70853
  Here is the migration guide to ACS 5.x:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/migration/guide/Migration_Book.html
  Hope that helps.

• ACS Upgrade License needed?

  Hi,
  in our enviroment we have two ACS installed on W2K3 Server. We have to upgrade from release 4.2 (0) build 124 to release 4.2.1.15-4.
  Anyone can tell me if an upgrade license is needed?
  Thanks a lot!
  Leo

  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Release_Notes/acs421_rn.html#wp999055

• ACS upgrade to 5.5 Patch

  Hi All,
  According to Cisco there is a need to install  Patch: Pointed-PreUpgrade-CSCum04132-5-4-0-46-0a.tar.gpg before upgrading to 5.5. Our current system running 5.4 has the latest patch 5-5-0-46-1.tar.gpg already installed.
  I am aware that the patches are cummulative and if we install the latest it covers all the below patches. but the readme did not specify the Bud ID
  CSCum04132. Can please advice do I need to install patch  Pointed-PreUpgrade-CSCum04132-5-4-0-46-0a.tar.gpg before upgrade?

  To reduce the ACS database size by removing unused disk space from within ACS database file use the database-compress command in the ACS Configuration mode. This command has the option to truncate ACS transaction history.
  This command does not erase or modify any information during the database compression except for the transaction history if the truncate flag is used.
  When you run this command, ACS is stopped and the process of compressing ACS database is executed and ACS starts automatically after the process is over.
  The progress of the command execution is logged in the ADE.log file.
  database-compress [truncate_log]
  Reference:
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/command/reference/cli/cli_app_a.html#wp1938829

• ACS UPgrade Problem

  Hi,
  I was running ACS3.0 and I upgraded to 4.0 now The access points or clients cannot authenticate. Does anyone had similar problems?
  Thanks in advance.
  Biju

  This is the output for debug
  User Access Verification
  WIRELESS_TEST#debug radius brief
  Radius protocol debugging is on
  Radius protocol brief debugging is on
  Radius protocol verbose debugging is off
  Radius packet hex dump debugging is off
  Radius packet protocol debugging is off
  Radius elog debugging debugging is off
  Radius packet retransmission debugging is off
  Radius server fail-over debugging is off
  Radius elog debugging debugging is off
  WIRELESS_TEST#
  Jun 20 14:29:23.169: RADIUS/ENCODE(00000002):Orig. component type = DOT11
  Jun 20 14:29:23.170: RADIUS(00000002): Storing nasport 257 in rad_db
  Jun 20 14:29:23.170: RADIUS(00000002): Config NAS IP: 10.100.1.88
  Jun 20 14:29:23.170: RADIUS(00000002): Config NAS IP: 10.100.1.88
  Jun 20 14:29:23.170: RADIUS(00000002): Send Access-Request to 10.1.2.2:1812 id 1
  645/1, len 134
  Jun 20 14:29:28.776: RADIUS: no sg in radius-timers: ctx 0xBBBA70 sg 0x0000
  Jun 20 14:29:28.776: RADIUS: Retransmit to (10.1.2.2:1812,1813) for id 1645/1
  Jun 20 14:29:33.800: RADIUS: no sg in radius-timers: ctx 0xBBBA70 sg 0x0000
  Jun 20 14:29:33.800: RADIUS: Retransmit to (10.1.2.2:1812,1813) for id 1645/1
  Jun 20 14:29:39.240: RADIUS: no sg in radius-timers: ctx 0xBBBA70 sg 0x0000
  Jun 20 14:29:39.240: RADIUS: Retransmit to (10.1.2.2:1812,1813) for id 1645/1
  Jun 20 14:29:44.680: RADIUS: no sg in radius-timers: ctx 0xBBBA70 sg 0x0000
  Jun 20 14:29:44.680: RADIUS: No response from (10.1.2.2:1812,1813) for id 1645/1
  Jun 20 14:29:44.680: RADIUS/DECODE: parse response no app start; FAIL
  Jun 20 14:29:44.680: RADIUS/DECODE: parse response; FAIL
  Jun 20 10:29:44.681 R: %DOT11-7-AUTH_FAILED: Station 0013.021d.f404 Authenticati
  on failed
  Jun 20 14:29:45.229: RADIUS/ENCODE(00000003):Orig. component type = DOT11
  Jun 20 14:29:45.230: RADIUS(00000003): Storing nasport 258 in rad_db
  Jun 20 14:29:45.230: RADIUS(00000003): Config NAS IP: 10.100.1.88
  Jun 20 14:29:45.230: RADIUS(00000003): Config NAS IP: 10.100.1.88
  Jun 20 14:29:45.230: RADIUS(00000003): Send Access-Request to 10.1.2.2:1812 id 1
  645/2, len 134
  Jun 20 14:29:50.760: RADIUS: no sg in radius-timers: ctx 0xBBBA70 sg 0x0000
  Jun 20 14:29:50.760: RADIUS: Retransmit to (10.1.2.2:1812,1813) for id 1645/2
  Jun 20 14:29:56.296: RADIUS: no sg in radius-timers: ctx 0xBBBA70 sg 0x0000
  Jun 20 14:29:56.296: RADIUS: Retransmit to (10.1.2.2:1812,1813) for id 1645/2
  Jun 20 14:30:02.353: RADIUS: no sg in radius-timers: ctx 0xBBBA70 sg 0x0000
  Jun 20 14:30:02.353: RADIUS: Retransmit to (10.1.2.2:1812,1813) for id 1645/2
  Jun 20 14:30:07.841: RADIUS: no sg in radius-timers: ctx 0xBBBA70 sg 0x0000
  Jun 20 14:30:07.841: RADIUS: No response from (10.1.2.2:1812,1813) for id 1645/2
  Jun 20 14:30:07.841: RADIUS/DECODE: parse response no app start; FAIL
  Jun 20 14:30:07.841: RADIUS/DECODE: parse response; FAIL
  Jun 20 10:30:07.842 R: %DOT11-7-AUTH_FAILED: Station 0013.021d.f404 Authenticati
  on failed

• ACS loses connection with AD occasionally after upgrade from 5.2 to 5.3.0.40

  ACS had been integrated with Active Directory before ACS upgrade to 5.3. After the ACS 5.3 upgrade users aren’t able to login to AAA devices occasionally. Error message is:
  {AuthenticationResult=Error; Type=Authentication; Authen-Reply-Status=Error; }
  24429 Could not establish connection with Active Directory
  At the same time, when this issue occurs, ACS connection to AD works fine (checked with Users and Identity Stores> External Identity Stores > Active Directory “Test Connection”)

  I had the same problem, I opened a Cisco TAC case and my issue was resolved.
  Sent: Tuesday, 14 August 2012 9:58 AM
  Subject: RE: 622739355 HelpDesk#SVR328332-2 : Troubleshoot Cisco ACS 1121 v5.3 With Windows Active Directory
  Hi Ramraj,
  Thanks for the link to the article, but from what I’ve seen in the logs I’m not sure that we’ve got the same root cause to the issue.
  From the ACSADAgent.log files I can see log messages like:
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG network.state NST: SniffList: postfailsort=mykulad11p.cssc.dksh.net
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.kerberos.adhelpers Encryption (id 1) is not supported by KDC. Try next in the list
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.osutil Module=Kerberos : KDC refused skey: KDC has no support for encryption type (reference base/adhelpers.cpp:216 rc: -1765328370)
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.adagent Unable to refresh computer credentials: KDC refused skey: KDC has no support for encryption type
  This lines up with the error message that we see in the TACACS+ Authentication logs:
  24493 ACS has problems communicating with Active Directory using its machine credentials.
  I have come across a NETBIOS limitation (it’s not an ACS bug, but a bug has been filed for tracking and documentation purposes) that prevents two ACSs from being connected to Active Directory at the same time if the first 15 characters of their hostnames are the same. The bug ID is CSCtj62342 and its externally visible details are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj62342
  The hostname of the primary ACS is : MYMY-TPM-DC-ACS-1
  The hostname of the secondary ACS is: MYMY-TPM-DC-ACS-2
  From the hostnames, we can see that the first 16 characters of the hostnames are the same. What this means is that once the primary is connected to AD, after some time passes (this will depend on when the secondary goes an talks to AD) the secondary will lose its connection to AD and any authentications hitting the secondary will fail with the same error: 24493 ACS has problems communicating with Active Directory using its machine credentials.
  To resolve this issue, the hostnames of the ACSs will need to be changed so that the first 15 characters of their respective hostnames are not the same. Please keep in mind that this is a NETBIOS limitation and not a software bug.

• After upgrading ACS 3.3.1 to 4.2 on windows the local database is not working

  Hi,
  I have upgaded the ACS 3.3.1 for windows server to 4.2. Everything went fine but the local database is not working.
  The CD is an upgrade kit from 3.x to 4.2 on windows. I tried to install directly the 4.2 I was able to install but integration with AD/LDAp is not working. Anysay its an upgrade kit so I cant expect it shoud work when install drectly the 4.2 but by upgrading from 3.3 to 4.2 everything should work fine.
  I followed the upgradation path as recomended.
  Also we have a requirment that once it is upgraded to 4.2 we need to shift the whole thing from the physical server to a virtual machine on VMware ESX server 3.5.
  Can anybody pls guide me if anything else to do after the upgradation.
  Thanks & Regards
  Sachi

  Hi Javier,
  First of all I was facing a problem of restoring the old database of 3.3 to 4.2. Somehow I overcame that issue by following the below steps. Now local authentication is working fine but AD/other External database authentication is not working. As you told the setting for the unknown users are configured to fetch the credentials from the external database if it is not in the local database.
  Do we need to do anything in the AD itself?
  Regards
  Sachi
  Steps for ACS upgrade to 4.2 version
  Below are the requested steps mentioned for the up gradation from ACS 3.3.2 to ACS 4.2.
          1)     Take a configuration backup from existing ACS. ACS--->System
  configuration----> ACS Backup
  2)    now if you have  ACS 3.3.2 on server. take backup of the ACS
  3)   Insert the cd or if you have the set up on the system then  Run the setup of ACS 3.3.4. During the process it will prompt you to
  upgrade existing configuration. Make sure you check that option else we will
  loose the database. Now you need to hit next.next to finish the 3.3.4 upgrade.
  4)     Once you are at 3.3.4, take a backup and keep it handy.
  5)     Run the setup of 4.1.1. During this process it will prompt you to
  upgrade existing configuration. Make sure you check that option else we will
  loose the database. Now you need to hit next.next to finish the 4.1 upgrade.
  6)Once you are at 4.1.1.24 take a backup and keep it handy.
  7)     Run the setup of 4.2. During this process it will prompt you to
  upgrade existing configuration. Make sure you check that option else we will
  loose the database. Now you need to hit next.next to finish the 4.2 upgrade.
  8)     Once you are at 4.2 take a backup and keep it handy. Now run the
  patch 12 and take a backup again.
  9)     Now fresh install 4.2 on your new production server and install patch
  12. Restore the 4.2 patch 12 backup and you should be all set.

• How to survive an ACS audit with aaa-reports!

  For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
  Its no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack on awareness over best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
  Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
  Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
  Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
  Create a Change Control system for config changes on the ACS. Since its ACS that decides who gets access and what commands they run on your network its vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
  Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you dont need this amount, but during an audit you may be required to show what happened on a specific historic date. aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
  Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time - using a more recent ACS database might yield unexpected results because the configuration is likely to changed in the meantime. Usecsvsync to regularly grab the ACS database and keep them alongside the retained CSV logs for future reference.
  Review the quality of ACS log data. From time to time its worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data" - essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
  In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating that not only is there specific and adequate policy to control access to those parts of the network require it, but also to seek evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
  Below are some additional TDA specific tips:
  Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detailreport can be used to inspect the policy in detail.
  Check for user-level ovverides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report list users with group overriden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
  Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
  Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document the both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
  Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
  Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) its also possible to use a rich array of formatting and other VB6 functions to create additional fields.
  The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesnt have to be awful!
  For more infomation on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm

  .

• SCOM 2012 R2 Post upgrade issues

  Hey all,
  yesterday we upgraded our SCOM environment from 2012 SP1 to R2.  All of the installers ran fine without any issues.  After a couple reboots it was back up however we have run into some issues.
  Issue 1:  The ACS seems to be broken.  I can usually run a query on the ACS database manually and get back audit entries.  However, now I am getting nothing back at all.  Here are the errors that are repeated every few minutes on both
  management servers.  I did run the ACS upgrade on them both yesterday.
  Error occured on database connection:
   Status: 0x00040000
   ODBC Error: 14
   ODBC State: 01000
   Message: [Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionOpen (ParseConnectParams()).
   Database: Register
   Connection: ComplianceTest
   Statement: -
  Error occured on database connection:
   Status: 0x00200001
   ODBC Error: 14
   ODBC State: 08001
   Message: [Microsoft][ODBC SQL Server Driver][DBNETLIB]Invalid connection.
   Database: Register
   Connection: ComplianceTest
   Statement: -
  Issue 2:  Our UNIX agents are all greyed out now and when I try to upgrade them I get the following error.
  EDIT: and here is something else I just found on our other management server
  Any info would be great
  Thanks
  Warm Fuzzies!

  I am going to update this post.  The service is still crashing nightly.  The views dvAll, dvAll5 and dvHeader are not being created.  I tried the fix provided by the Microsoft rep and it did nothing.  I have uninstalled and reinstalled
  the ACS server multiple times and the views are never created.  When I start the ACS services I get the same errors.
  AdtServer encountered the following problem during startup:
   Task: Load Certificate
   Failure: Certificate for SSL based authentication could not be found. SSL authentication will be disabled
   Error: 0x00000002
   Error Message:
  The system cannot find the file specified.
  Error occured on database connection:
   Status: 0x00040000
   ODBC Error: 4624
   ODBC State: 01000
   Message: [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
   Database: SqlWriter
   Connection: Maintenance
   Statement:
  I see where the forwarders are connecting.  No other errors or messages.  The service is set to start up as the Network Services account.  The DOMAIN\SERVER$ has a logon and is mapped to the SQL user AdtServer on the OperationsManagerAC database.
   We have almost a terabyte of data that we cannot get to after the R2 upgrade.
  Very frustrating!!!!
  Warm Fuzzies!