SQL server agent job running as Agent Service Account whose service account does not have r/w access but is still able to write?
Hi. I am newer to SQL server security and am reviewing some of our SQL server's configuration to make sure the services are running under accounts with least privilege. I have a SQL server 2012 instance whose Agent service is configured to run
under an AD user account named 'SQLServices'. The jobs on this server are configured to run as 'SQL server agent service account', which means they should execute as user 'SQLServices'. The jobs are set up to execute SSIS packages which read and
write to a database on the same server where the agent job is scheduled and SSIS package installed (all on same server). The jobs are currently executing without error and are reading writing data correctly. Upon close examination, it turns out the
SQLServices account is not assigned to the 'sysadmin' role and had no users mapped to any databases on this server. How are these jobs working? I verified in profiler that the login name indeed is 'SqlServices'. I also verified
that SQLServices login has no database access by remote-ing onto the server and trying to log into the DB, and access was denied as expected. According to the literature, the Agent service needs to be a member of 'sysadmin role' but I am reading
some cases where that is not necessarily the case. So this is not so concerning. What is concerning is that the login 'SQLServices' had no access to the databases on that server yet it is reading and writing to the databases as if it does.
The only thing I can think of is maybe jobs run as 'SQL server agent service account' on the same server as the databases it r/w to somehow has some kind of default access. What am I missing here? Any input would be helpful.
After 2 days on this forum I found the answer to my own question. In retrospect, I should have posted this under 'SQL Server Security', but I didn't know it existed.
The 2 threads below explain that Sql agent actually runs using SID (service) NT SERVICE\SQLSERVERAGENT if you chose that when you installed. This will automatically create an associated login NT SERVICE\SQLSERVERAGENT in SQL server with sqladmin
role. This is the login that Agent uses to connect to the local instance of SQL server. If you changed to domain account to run the service during install or after using config manager, basically NT SERVICE\SQLSERVERAGENT is still
used to connect to your local instance behind the scenes (even though you will still see your domain user as account), and the domain account is used to reach outside the server.
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/9e6bb2de-8fd0-45de-ab02-d59bbe05f72e/servicedatabase-accounts-nt-servicemssqlserver-nt-servicesqlserveragent-what-are-they-for
https://social.technet.microsoft.com/Forums/sqlserver/en-US/b83a52fd-fe11-4c28-a27b-88be8ae79f2a/how-do-i-change-sql-server-agent-service-account-to-nt-servicesqlserveragent?forum=sqlsecurity
Similar Messages
-
I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
"The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
ID: 2607"
What I've seen online is that this is usually becuase the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
1) My SCVMM service account is a local admin on the SCVMM server
2) My SCVMM service account is a dbowner on the SCVMM database in SQL
3) My SQL service account is a dbowner on the SCVMM database in SQL
4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
5) Neither service account is locked out
Has anyone run in to this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
Andrew ToppThat answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG
as suggested by 331951, and that made absolutely no difference.
1) My SCVMM service account is a local admin on the SCVMM server
2) My SCVMM service account is a dbowner on the SCVMM database in SQL
3) My SQL service account is a dbowner on the SCVMM database in SQL
4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still
"doesn't have access to AD DS," which is obviously untrue)
The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution? -
SQL Server Management 6.5.1.0 and 6.5.4.0 does not discovery SQL 2008 databases on Windows 2003
SQL Server Management 6.5.1.0 and 6.5.4.0 does not discovery SQL 2008 databases on a custom instance name or when multiple SQL instances are installed on Windows 2003.
OS Version: Windows 2203 x64 with SP2
Database Version: 10.3.5869.0
The instance in this case: I01 is running on port 49168.
SQL Server Network Configuration | Protocols for I01 | IP Addresses | IPAll | TCP Port = 49168
The DB Engine class is discovered but not the "Tcp Port" property.
The database discovery script then fails as it is missing the 8th parameter; The Port.
Looking at the discovery script DiscoverSQL2008DBEngineDiscovery.vbs i see the following WMI query.
Set oWMI = GetObject("winmgmts:\\" & computerName & "\root\Microsoft\SqlServer\" & SQL_WMI_NAMESPACE)
Set oQuery = oWMI.ExecQuery("SELECT * FROM ServerNetworkProtocolProperty
Using WMI Explorer if I connect to namespace: root\Microsoft\SqlServer\ComputerManagement10
and query "SELECT * FROM ServerNetworkProtocolProperty". There are no instances.
What am I missing or doing wrong?
Closely related to this article. https://gallery.technet.microsoft.com/Hotfix-Management-Pack-SQL-17cf1118#content.
Thanks
GavinHi,
I would like to know is there any update about the issue. If the issue is solved, will you please share the resolution here to help others in this forum who encounter similar issue.
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. -
SQL Server 'Last Job Run' Metric / Alerting
Hi,
I am looking at implementing Grid Control monitoring on our SQL Server estate.
One of the items we need to monitor for is SQL Server jobs which have failed. There is a metric in Grid Control that covers this ('Last Job Run') and successfully notifies me if a job fails, however it returns the 'job ID' (random 32 char alphanumeric internal SQL Server identifier) rather than the 'job name'.
I know that Grid collects the job name as in All Metrics-->Database Job you can see the 'job name' metric/data, however I can not find a way of including this data in an alert or monitoring metric.
Does anyone have an idea of how this can be done. I'm sure I must be missing a trick here as it would seem strange that this information is being collected but can't be put into a metric or notification.
Any assistance or pointers greatly appreciated!Anything is possible.
So, just to reiterate, running the job manually works, running the scheduled job does not result in errors neither data arriving to the DW, right? And it used to, correct?
If so, the 1st step would be to examine the configuration(s). But not before you inspect the package. Do you have an ability to export it to a file system and open in BIDS?
Arthur My Blog -
How to get the SQL Signon that Agent Jobs "Run As" or "Executed as User"
How to get the SQL Signon that Agent Jobs "Run As" or "Executed as User"?
I have an install SQL scripts that creates a Linked Server. I want to put some security on the Linked Server and only grant the Agent Job Signon (the "Run As" or "Executed as User") access to the linked server. I need to retrieve the
Agent Job Signon (something like "NT SERVICE\SQLAgent$FIDEV360BI02").
I could query certain jobs and SUBSTRING the Message column - using some form of the query below, which would return "Executed as user: NT SERVICE\SQLAgent$SSDEVBI02. The step succeeded." But that is pretty imprecise.
use msdb
SELECT [JobName] = JOB.name,
[Step] = HIST.step_id,
[StepName] = HIST.step_name,
[Message] = HIST.message,
[Status] = CASE WHEN HIST.run_status = 0 THEN 'Failed'
WHEN HIST.run_status = 1 THEN 'Succeeded'
WHEN HIST.run_status = 2 THEN 'Retry'
WHEN HIST.run_status = 3 THEN 'Canceled'
END,
[RunDate] = HIST.run_date,
[RunTime] = HIST.run_time,
[Duration] = HIST.run_duration,
[Retries] = HIST.retries_attempted
FROM sysjobs JOB
INNER JOIN sysjobhistory HIST ON HIST.job_id = JOB.job_id
-- CHANGE THIS
-- WHERE JOB.name like '%GroupMaster%' or Job.name like '%etlv%'
ORDER BY HIST.run_date, HIST.run_timeby default all sql jobs are executed as sql server agent account, unless otherwise a proxy is setup.
you can get the proxy information as Olaf mentioned, if the proxy_id is null for the step, it implies that the job step was executed as sql server service account and in such case it will be null
so, if it is null, it ran as sql server agent account.
so, one work around is get the sql server agent service account and if the proxy is null, that means it ran as sql server agent account, so, use isnull function. the disadvantage would be if the sql server agent account was switched, you might not get the
accurate information as the new account will show up though the job really ran as old account, to get this information, you need to get this from the logmessage column as you mentioned above.
try this code...
/*from sql 2008r2 sp1, you get the service accounts using tsql,otherwise you have to query the registry keys*/
declare @sqlserveragentaccount varchar(2000)
select @sqlserveragentaccount= service_account
from sys.dm_server_services
where servicename like '%sql%server%agent%'
select message,isnull(name,@sqlserveragentaccount) as AccountName
from sysjobhistory a inner join sysjobsteps b
on a.step_id=b.step_id and a.job_id=b.job_id
left outer join sysproxies c on c.proxy_id=b.proxy_id
Hope it Helps!! -
What windows account to use as proxy account to schedule a package to run in sql server 2005 job
I have successfully set up a credential and proxy in SQL Server 2005 to run a SSIS 2005 job under my windows account. The problem I got is the password of my account will expire sometime so the job execution will fail until I change the password
in the credential. I am thinking either to ask our IT administrator to set my account to password never expire or use a different account for the credential. I have very limited knowledge regarding windows security. So if I go the second option what account
should I use for the credential/proxy? I need to know about this before asking our IT admin.It must be a domain wide service account (with a strong, non-expiring password), not a private account with just enough rights to run packages (this implies the account must be able to connect to remote data sources and shares). Oftentimes, such
an account also needs write access to the %temp% directory.
Arthur My Blog
Thanks. I will try to tell our admin see if it makes sense to him. -
Sql Agent Job Failed after changing job name to sa Error(The job owner does not have access )
I changed job owner to sa and it worked well, But now it fails saying job owner does not have sever access and shows job owner as previous owner Name even after it changed to sa?
Help......EXEC msdb.dbo.sp_update_job @job_id=N'7d4d4040-b79c-4022-9d19-e449497ab60e',
@owner_login_name=N'sa'
Best Regards,Uri Dimant SQL Server MVP,
http://sqlblog.com/blogs/uri_dimant/
MS SQL optimization: MS SQL Development and Optimization
MS SQL Consulting:
Large scale of database and data cleansing
Remote DBA Services:
Improves MS SQL Database Performance
SQL Server Integration Services:
Business Intelligence -
I ran SQL Server 2012 express setup as user with administrator privileges and still it's failing to install "Database Engine Service" and "SQL Server Replication".
Any and every ideas on how to resolve this issue is greatly appreciated.Three weeks passed and I am yet to find a fix for the the failed installation of the database engine on sql server 2012 express installation. I have tried various work-around including uninstalling, deleting all the directory paths, and reinstallation. Still
not able to successfully install sql server 2012 express.
I will greatly appreciate any and every contribution towards resolving this issue. Thanks in advance.
Here is the content of log file after the latest failed installation:
Overall summary:
Final result: Failed: see details below
Exit code (Decimal): -2061893607
Start time: 2013-12-23 14:42:45
End time: 2013-12-23 15:07:51
Requested action: Install
Setup completed with required actions for features.
Troubleshooting information for those features:
Next step for SQLEngine: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Next step for Replication: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Machine Properties:
Machine name: mymachine1
Machine processor count: 4
OS version: Windows 7
OS service pack: Service Pack 1
OS region: United States
OS language: English (United States)
OS architecture: x86
Process architecture: 32 Bit
OS clustered: No
Product features discovered:
Product Instance Instance ID
Feature Language
Edition Version Clustered
SQL Server 2012 SQLEXPRESS_GT MSSQL11.SQLEXPRESS_GT Database Engine Services
1033 Express Edition 11.0.2100.60 No
SQL Server 2012 SQLEXPRESS_GT MSSQL11.SQLEXPRESS_GT SQL Server Replication
1033 Express Edition 11.0.2100.60 No
SQL Server 2012
Management Tools - Basic 1033 Express Edition
11.0.2100.60 No
Package properties:
Description: Microsoft SQL Server 2012 Service Pack 1
ProductName: SQL Server 2012
Type: RTM
Version: 11
Installation location: C:\9b6607e524727c7fe1defd80\x86\setup\
Installation edition: Express
Slipstream: True
SP Level 1
Product Update Status:
Success: KB 2674319
Product Updates Selected for Installation:
Title: Service Pack 1
Knowledge Based Article: KB 2674319
Version: 11.1.3000.0
Architecture: x86
Language: 1033
Update Source: MU
User Input Settings:
ACTION: Install
ADDCURRENTUSERASSQLADMIN: true
AGTSVCACCOUNT: NT AUTHORITY\NETWORK SERVICE
AGTSVCPASSWORD: *****
AGTSVCSTARTUPTYPE: Disabled
ASBACKUPDIR: Backup
ASCOLLATION: Latin1_General_CI_AS
ASCONFIGDIR: Config
ASDATADIR: Data
ASLOGDIR: Log
ASPROVIDERMSOLAP: 1
ASSERVERMODE: MULTIDIMENSIONAL
ASSVCACCOUNT: <empty>
ASSVCPASSWORD: <empty>
ASSVCSTARTUPTYPE: Automatic
ASSYSADMINACCOUNTS: <empty>
ASTEMPDIR: Temp
BROWSERSVCSTARTUPTYPE: Disabled
CLTCTLRNAME: <empty>
CLTRESULTDIR: <empty>
CLTSTARTUPTYPE: 0
CLTSVCACCOUNT: <empty>
CLTSVCPASSWORD: <empty>
CLTWORKINGDIR: <empty>
COMMFABRICENCRYPTION: 0
COMMFABRICNETWORKLEVEL: 0
COMMFABRICPORT: 0
CONFIGURATIONFILE:
CTLRSTARTUPTYPE: 0
CTLRSVCACCOUNT: <empty>
CTLRSVCPASSWORD: <empty>
CTLRUSERS: <empty>
ENABLERANU: true
ENU: true
ERRORREPORTING: false
FEATURES: SQLENGINE, REPLICATION, CONN, BC, SDK, ADV_SSMS, SNAC_SDK
FILESTREAMLEVEL: 0
FILESTREAMSHARENAME: <empty>
FTSVCACCOUNT: <empty>
FTSVCPASSWORD: <empty>
HELP: false
IACCEPTSQLSERVERLICENSETERMS: true
INDICATEPROGRESS: false
INSTALLSHAREDDIR: c:\Program Files\Microsoft SQL Server\
INSTALLSHAREDWOWDIR: <empty>
INSTALLSQLDATADIR: <empty>
INSTANCEDIR: C:\Program Files\Microsoft SQL Server\
INSTANCEID: SQLEXPRESS
INSTANCENAME: SQLEXPRESS
ISSVCACCOUNT: NT AUTHORITY\Network Service
ISSVCPASSWORD: <empty>
ISSVCSTARTUPTYPE: Automatic
MATRIXCMBRICKCOMMPORT: 0
MATRIXCMSERVERNAME: <empty>
MATRIXNAME: <empty>
NPENABLED: 0
PID: *****
QUIET: false
QUIETSIMPLE: false
ROLE: <empty>
RSINSTALLMODE: DefaultNativeMode
RSSHPINSTALLMODE: DefaultSharePointMode
RSSVCACCOUNT: <empty>
RSSVCPASSWORD: <empty>
RSSVCSTARTUPTYPE: Automatic
SAPWD: <empty>
SECURITYMODE: <empty>
SQLBACKUPDIR: <empty>
SQLCOLLATION: SQL_Latin1_General_CP1_CI_AS
SQLSVCACCOUNT: NT Service\MSSQL$SQLEXPRESS
SQLSVCPASSWORD: <empty>
SQLSVCSTARTUPTYPE: Manual
SQLSYSADMINACCOUNTS: MH\gt038676t
SQLTEMPDBDIR: <empty>
SQLTEMPDBLOGDIR: <empty>
SQLUSERDBDIR: <empty>
SQLUSERDBLOGDIR: <empty>
SQMREPORTING: false
TCPENABLED: 0
UIMODE: AutoAdvance
UpdateEnabled: true
UpdateSource: MU
X86: false
Configuration file: C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log\20131223_144132\ConfigurationFile.ini
Detailed results:
Feature: Management Tools - Complete
Status: Passed
Feature: Client Tools Connectivity
Status: Passed
Feature: Client Tools SDK
Status: Passed
Feature: Client Tools Backwards Compatibility
Status: Passed
Feature: Management Tools - Basic
Status: Passed
Feature: Database Engine Services
Status: Failed: see logs for details
Reason for failure: An error occurred during the setup process of the feature.
Next Step: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Component name: SQL Server Database Engine Services Instance Features
Component error code: 0x851A0019
Error description: Could not find the Database Engine startup handle.
Error help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=11.0.3000.0&EvtType=0xE53883A0%400xBE03358B%401306%4025&EvtType=0xE53883A0%400xBE03358B%401306%4025
Feature: SQL Server Replication
Status: Failed: see logs for details
Reason for failure: An error occurred for a dependency of the feature causing the setup process for the feature to fail.
Next Step: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.
Component name: SQL Server Database Engine Services Instance Features
Component error code: 0x851A0019
Error description: Could not find the Database Engine startup handle.
Error help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=11.0.3000.0&EvtType=0xE53883A0%400xBE03358B%401306%4025&EvtType=0xE53883A0%400xBE03358B%401306%4025
Feature: SQL Browser
Status: Passed
Feature: SQL Writer
Status: Passed
Feature: SQL Client Connectivity
Status: Passed
Feature: SQL Client Connectivity SDK
Status: Passed
Rules with failures:
Global rules:
Scenario specific rules:
Rules report file: C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log\20131223_144132\SystemConfigurationCheck_Report.htm -
Today I tried to configure JAVA APM on a CentOS 6.4 server with tomcat6 installed through the normal RPM package. Adding this server to SCOM was no problem and it shows itself as a 'Deep Monitored Configuration'. The last part of enabling
JAVA APM fails. I have followed the following process:
1. Imported the JAVA APM MP's
2. Extracted the JAVA APM Files
3. Copied those files to my CentOS server
4. Added the JAVA_OPTS to my tomcat configuration file
5. Restarted Tomcat
When I look for the log file which needs to be created through the installation of the APM agent it cannot be find. When I look into my Catalina.out file I see the following errors:
Mar 05, 2014 7:05:16 PM com.microsoft.ManagementServices.APMAgent.Log.SystemLogger error
SEVERE: Java APM Agent initialization failed: SEAgent.config.xml does not have a valid event sender configured
com.microsoft.ManagementServices.APMAgent.Exception.ApmException: SEAgent.config.xml does not have a valid event sender configured
at com.microsoft.ManagementServices.APMAgent.AgentThreadManager.<init>(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.AgentThreadManager.<init>(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.Agent.Monitor.AgentContext.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at com.microsoft.ManagementServices.APMAgent.Agent.Startup.AgentContextLoader.loadContext(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.Agent.Startup.Agent.premain(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:382)
at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:397)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
... 15 more
Caused by: com.microsoft.ManagementServices.APMAgent.Exception.ApmException: Error registering MBean: com.microsoft.ManagementServices.APMAgent:type=COUNTER
at com.microsoft.ManagementServices.APMAgent.EventSender.MBeanEventLog.registerMetricMBeans(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.EventSender.MBeanEventLog.<init>(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.EventSender.MBeanEventLog.<init>(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.AgentThreadManager.<init>(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.AgentThreadManager.<init>(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.Agent.Monitor.AgentContext.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at com.microsoft.ManagementServices.APMAgent.Agent.Startup.AgentContextLoader.loadContext(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.Agent.Startup.Agent.premain(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:382)
at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:397)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
... 15 more
Caused by: com.microsoft.ManagementServices.APMAgent.Exception.ApmException: Error registering MBean: com.microsoft.ManagementServices.APMAgent:type=COUNTER
at com.microsoft.ManagementServices.APMAgent.EventSender.MBeanEventLog.registerMetricMBeans(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.EventSender.MBeanEventLog.<init>(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.EventSender.MBeanEventLog.<init>(Unknown Source)
... 19 more
Mar 05, 2014 7:05:16 PM com.microsoft.ManagementServices.APMAgent.Log.SystemLogger info
INFO: Java APM Agent loading failed (Build: 1.10.100.15, Label: NotFromLabel, BuildDate: 20131112)
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
at com.microsoft.ManagementServices.APMAgent.Agent.Startup.AgentContextLoader.loadContext(Unknown Source)
at com.microsoft.ManagementServices.APMAgent.Agent.Startup.Agent.premain(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:382)
at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:397)
Caused by: java.lang.InstantiationException: Monitor initialization failed: SEAgent.config.xml does not have a valid event sender configured
at com.microsoft.ManagementServices.APMAgent.Agent.Monitor.AgentContext.<init>(Unknown Source)
... 12 more
Does anyone have seen this error before? Can someone help me with this one?
Thnx,I'm running tomcat on a CentOS release 6.4 (Final) server. I installed Tomcat 6 through an RPM from the CentOS sources. I have installed Apache Tomcat/6.0.24 wit JVM version 1.7.0_09-icedtea-mockbuild_2013_01_16_18_52-b00, the JVM Vendor is Oracle Corporation.
My tomcat configuration needs to be done in '/etc/tomcat6/tomcat6.conf'
I installed the APM Agent in the path '/opt/apm/' with the rights 40755 (root/root). The files have the following rights:
-rw-rw-r-- 1 root tomcat 32046 Mar 3 15:38 apm_facade.jar
-rw-rw-r-- 1 root tomcat 244819 Mar 3 15:38 apm_monitor.jar
-rw-rw-r-- 1 root tomcat 38110 Mar 3 15:38 apm_producers.jar
-rw-rw-r-- 1 root tomcat 207006 Mar 3 15:38 asm-all-3.3.1.jar
-rw-rw-r-- 1 root tomcat 4157 Mar 3 15:38 ASM_Third_Party_Notices.txt
-rw-rw-r-- 1 root tomcat 241368 Mar 3 15:38 DispatcherStub.dll
-rw-rw-r-- 1 root tomcat 36880 Mar 3 15:38 pmonitor.config.xml
-rw-rw-r-- 1 root tomcat 2625 Mar 3 15:38 SEAgent.config.xml
-rw-rw-r-- 1 root tomcat 830 Mar 5 15:19 Starter.properties
The above rights are equal to the /etc/tomcat6 directory with the tomcat configuration files.
In the tomcat6.conf I have added the following entries:
#Microsoft SCOM APM
JAVA_OPTS="${JAVA_OPTS} -Djava.library.path=/opt/apm"
JAVA_OPTS="${JAVA_OPTS} -javaagent:/opt/apm/apm_facade.jar -Xbootclasspath/p:/opt/apm/apm_producers.jar -Xbootclasspath/p:/opt/apm/apm_facade.jar"
When I look into the running tomcat process I see the following:
tomcat 17401 1 0 Mar05 ? 00:00:39 /usr/lib/jvm/jre/bin/java -Djava.library.path=/opt/apm -javaagent:/opt/apm/apm_facade.jar -Xbootclasspath/p:/opt/apm/apm_producers.jar -Xbootclasspath/p:/opt/apm/apm_facade.jar
-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Djava.library.path=/opt/apm -javaagent:/opt/apm/apm_facade.jar -Xbootclasspath/p:/opt/apm/apm_producers.jar -Xbootclasspath/p:/opt/apm/apm_facade.jar -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory
-classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp
-Djava.util.logging.config.file=/usr/share/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
My Starter.Properties looks like this:
# Jars to load by inner classloader.
# Use semicolons to separate the JAR entries
ClassPath=apm_monitor.jar;asm-all-3.3.1.jar;apm_producers.jar
# Path to pmonitor.config
MonitorConfigFileName=pmonitor.config.xml
# Path to SEAgent.config
AgentConfigFileName=SEAgent.config.xml
# Log file name
# Example for full-path location:
# LogFileName=c:\\tracelog\\apm-java-agent.log
# Example for relative path (to agent jar files):
# LogFileName=apm-java-agent.log
LogFileName=apm-java-agent.log
# Log level (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST)
# A level of FINER or FINEST may expose Personally identifiable
# information (PII) in the log file. The levels below INFO are
# intended for debugging and diagnostic use only.
LogLevel=FINEST
The 'apm-java-agent.log' is not created on the system. The only logging is done in the catalina.out. When restarting tomcat I see the following entries in te log file:
INFO: Initializing Java APM Agent (Build: 1.10.100.15, Label: NotFromLabel, BuildDate: 20131112)
Mar 06, 2014 9:35:21 AM com.microsoft.ManagementServices.APMAgent.Log.SystemLogger info
INFO: Java APM Agent loading succeeded (Build: 1.10.100.15, Label: NotFromLabel, BuildDate: 20131112)
Mar 06, 2014 9:35:21 AM com.microsoft.ManagementServices.APMAgent.Log.SystemLogger info
INFO: Initializing Java APM Agent (Build: 1.10.100.15, Label: NotFromLabel, BuildDate: 20131112)
Mar 06, 2014 9:35:21 AM com.microsoft.ManagementServices.APMAgent.Log.SystemLogger warning
WARNING: Failed registering the COUNTER MBean
Mar 06, 2014 9:35:21 AM com.microsoft.ManagementServices.APMAgent.Log.SystemLogger error
SEVERE: Java APM Agent initialization failed: SEAgent.config.xml does not have a valid event sender configured
Mar 06, 2014 9:35:21 AM com.microsoft.ManagementServices.APMAgent.Log.SystemLogger info
INFO: Java APM Agent loading failed (Build: 1.10.100.15, Label: NotFromLabel, BuildDate: 20131112)
Hope this gives your some more background around my problem, I double checked the permissions.. -
VSS-00011: Connection to database instance <instance_name> failed.
Cause : The user account in which the Oracle VSS Writer Service is running does not have the DBA privileges to log in to the Oracle instance.
Action : Run the Oracle VSS Writer Service in a user account that can connect to the Oracle instance with DBA privileges.
I have assigned ora_dba group to the user that runs the Oracle VSS Writer Service which is the only Oracle solution but still getting
the above error. Was advised to raise the issue here that it is an OS issue. Pls helpThe user account cannot access Oracle Database instance. And also how do you temporarily disable security software on the server.
Have you checked what I already asked for? "Try using the user account and access the Database Instance.
That will let you see if the problem is with the user account permissions or not."
If this does not help then you can contact Oracle as suggested by Dave.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Hi All,
An exception was thrown while processing Submit Tasks Domain\"SDK Account" does not have sufficient permission to perform the operation.
am getting this error when try to enable audit in one of Domain controllers.Dear Mark,
i face similar problem before, i had resolve it be adding SDK service account to Operation Manager Administration group.
Regards, Ibrahim Hamdy -
Run As Account does not exist on the target system or does not have enough permissions
We are getting below alerts,
Run As Account does not exist on the target system or does not have enough permissions.
I know we can create a Run As account with low Privilege can fix this issue ,
http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
My question here is there is any other way to fix it. I tried giving below permission for scom_act account (we used for agent installation and has local admin rights) but still same issue and
also i tried with sysadmin access for scom_act as well but no luck still having same issue , any solution would be welcome
The min. Privilege for monitor SQL server
DB Server Level
a. VIEW ANY DEFINITION
b. VIEW SERVER STATE
c. VIEW ANY DATABASE
Each DB
a. SQLAgentReaderRole database role.
b. PolicyAdministratorRole database roleCheck below link
http://blog.coretech.dk/msk/run-as-account-does-not-exist-on-the-target-system-or-does-not-have-enough-permissions/
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
Mai Ali | My blog: Technical | Twitter:
Mai Ali -
When I try to log on to my DC it says "The security database on the server does not have a computer account for this workstation trust relationship". It won't let me log on. I installed another server server 2012r2 (its virtual )
and I can get to ADSI edit.
I think what happened was I had a pc that could not connect without unplugging the network cable. So I found this fix
FIX: “The security database on the server does not have a computer account for this workstation trust relationship”2032011
I’ve seen a lot of solutions, or suggestions rather, with regard to the error in the title of this post. In my experience, the problem can almost always be resolved without extra domain add/removes and reboots, which is the most prevalent solution I have
seen around. Usually, this issue is due to a mismatch between attributes of the computer account in Active Directory and those values on the system itself. Here are the steps I take to fix this issue when it crops up:
Open up Active Directory Users & Computers pointed to the domain the computer account resides in
From the “View” pull-down menu, make sure that “Advanced Features” is checked
Navigate to the part of your organizational unit (OU) structure where the computer account for this server resides
Open the Properties for the computer object
Choose the “Attribute Editor” tab on the Properties dialog box
Check the Attributes dNSHostName & servicePrincipalName – anywhere that a fully qualified hostname is specified (e.g. myserver.mydomainname.com), make sure that the entry matches the hostname
you have configured when you go here on your server: Start -> Computer -> Right-Click, Properties -> Change Settings (under “Computer name, domain… settings”) -> Full Computer Name
As an example, for a fictitious W2K8 R2 server whose Full Computer Name is “srv1.mydomainname.com”, these attribute/value pairs should be in Active Directory:
dNSHostName:
srv1.mydomainname.com
servicePrincipalName:
HOST/SRV1
HOST/srv1.mydomainname.com
RestrictedKrbHost/SRV1
RestrictedKrbHost/srv1.mydomainname.com
TERMSRV/SRV1
TERMSRV/srv1.mydomainname.com"
Not reading it carefully I add a computer with the same name as the pc having the issue and followed the above. The problem is that I did not notice that the spn did not want the name of my server (serv1) but the name of the trouble
pc.
dcdiag output
PS C:\Users\administrator.TOM> dcdiag.exe
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
***Error: DC3 is not a Directory Server. Must specify /s:<Directory Server> or /n:<Naming Context> or nothing to
use the local machine.
ERROR: Could not find home server.
PS C:\Users\administrator.TOM> dcdiag.exe /s:DC2
Directory Server Diagnosis
Performing initial setup:
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\DC2
Starting test: Connectivity
The host 9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM could not be resolved to an IP address. Check the DN
server, DHCP, server name, etc.
Neither the the server name (DC2.TOM) nor the Guid DNS name (9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM)
could be resolved by DNS. Check that the server is up and is registered correctly with the DNS server.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... DC2 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site\DC2
Skipping all tests, because server DC2 is not responding to directory service requests.
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : TOM
Starting test: CheckSDRefDom
......................... TOM passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... TOM passed test CrossRefValidation
Running enterprise tests on : TOM
Starting test: LocatorCheck
......................... TOM passed test LocatorCheck
Starting test: Intersite
......................... TOM passed test Intersite
PS C:\Users\administrator.TOM> regsvr32 schmmgmt.dll
PS C:\Users\administrator.TOM> netdig /fix
netdig : The term 'netdig' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ netdig /fix
+ ~~~~~~
+ CategoryInfo : ObjectNotFound: (netdig:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> Setup /PrepareSchema
Setup : The term 'Setup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Setup /PrepareSchema
+ ~~~~~
+ CategoryInfo : ObjectNotFound: (Setup:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> netdiag /test
netdiag : The term 'netdiag' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ netdiag /test
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (netdiag:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> nslooup
nslooup : The term 'nslooup' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ nslooup
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (nslooup:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM>Ok fixed.
At a elevated cmd prompt run ;
C:\Users\administrator.TOM>setspn -x
As you can see the DC serv1 had duplicate SPNs.
Checking domain DC=TOM
Processing entry 1
HOST/serv1.TOM is registered on these accounts:
CN=SERV1,OU=Domain Controllers,DC=TOM
CN=C00049,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/TOWN-HBWJ29ZOQC is registered on these ac
counts:
CN=Administrator,CN=Users,DC=TOM
CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/town-hbwj29zoqc.TOM is registered on thes
e accounts:
CN=Administrator,CN=Users,DC=TOM
CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
RestrictedKrbHost/serv1 is registered on these accounts:
CN=C00049,CN=Computers,DC=TOM
CN=SERV1,OU=Domain Controllers,DC=TOM
RestrictedKrbHost/serv1.TOM is registered on these accounts:
CN=C00049,CN=Computers,DC=TOM
CN=SERV1,OU=Domain Controllers,DC=TOM
found 5 groups of duplicate SPNs.
Went to the computers OU and changed computer c00049 to the correct SPN. Now I have a new issues, I'll start a new thread. -
We have a public SSL certificate that allows for Active Directory sync with LDAPS on port 636 with our email smart host. This was working fine and suddenly stopped working and we are now getting SChannel errors Event ID 36869. There were no changes made
to the Exchange server, the firewall or the DC which holds the certificate. I have run a new certreq from the DC and then re-keyed the public SSL certificate and re-installed 3 times but the error does not go away and AD Sync with the vendor
fails. When I run LDP.exe the connection on port 636 fails with "cannot open connection" and the system event log throws the S Channel event 36869 "The SSL server credential's certificate does
not have a private key information property attached to it" There is no software firewall set on the DC. When I run Certutil -VerifyStore MY it shows the current certificates as well as the revoked and expired certificates
correctly. Certificate 0 is the public cert and is listed with Server and Client authentication, the FQDN of the server is correct and "Certificate is Valid" is listed. The private cert is Certificate 1 and has server and client authentication, the
FQDN is correct, Private key is not exportable and it ends with Certificate is Valid. I do not see a point in re-keying the cert again until I figure out what the root of the problem is. I have read in some forums that the private cert should not be set to
expire after the public cert but that does not make a lot of sense when in a situation like this the private cert is of course newer than the public. In fact it is too early to renew the public cert. I have been troubleshooting this for a few days and at this
point I would have to drop my AD sync with the vendor to LDAP in order to add new users. I do not want to do that for obvious reasons and I do not want to have our spam filtering and email archive service running without Directory sync. Any help would be greatly
appreciated.Hi,
Have you tried this?
How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services
http://support.microsoft.com/kb/889651
Best Regards,
Amy -
We have installed RM client in the POC server .
Installed Deployment Agent in Dev server .
We created Configuration stages for POC->Dev.
We created a template with x copy deployer and selected source as build definition.
While releasing we faced following issue ,
The release was success in POC (Where RM client is installed), but in DEV environment (Which is different server)it got rejected because of the error
"Package location(Path) does not exist or deployer user does not have access"Hi Dhamayandhi
There is quite a bit to do to get RM working successfully. I have a soup-to-nuts guide on implementing continuous delivery with TFS and RM
here.
Cheers - Graham
Blog:
http://pleasereleaseme.net LinkedIn:
Maybe you are looking for
-
HT1578 Disk Utility says there's no room on disk when "info" says there is
I wanted to create a password-protected 498 GB disk image on a new 500 GB external hard drive. So I successfully created the disk image but I forgot to ask for encryption so the new disk image is unprotected. Realizing this, I erased the drive to sta
-
Getting error when using PCD 10.5.1 for "simple" migration.
Hey guys, I'm currently migrating from 9.1.2-X to 10.5.1 and when I look at the VM in the new migration (the 10.X), I see the following error on the console "The hardware you are using is not supported for this product. Installation will now
-
'Include CD Text' option is greyed out
When I try to burn a playlist onto a blank CD, the option to include CD text is "greyed out". I noticed this option was disabled after I installed a new internal hard drive earlier this month (Seagate Scorpio Blue Serial ATA). I have the current vers
-
How to add an App to launchpad from applications
my iPhoto is gone from launchpad due to the fact it had a huge grey question mark on it and it would not function as an App in launchpad only applications in finder.. how to put an app in launchpad... 2nd try at trying to get this answerered..
-
No modus-changer in Vista with x
When i instal the xf-i vista driver i don't have the modus-changer and the other software, i just have the audio-console. Is there a way to get the extra software?