
UCCE 8.5(2) install on W2008 R2 SP1 - 2008 DC Problems

geoff

I recently installed from 8.0.1A a UCCE and CVP system in my lab - DC (W2003), RGR, AW-HDS, PG with CUCM, CUPS, CVP. As noted, the Domain Controller was a W2003 box. Basically no worries.

So now I try to do it again with a W2008 R2 Domain Controller and this thing is wild. I've ensured that the Firewalls are off at all three levels, but the Domain Manager is complaining and I have trouble logging into the Web setup tool.

Anyone have any tips to make this play nice. It was simple with a 2003 DC, but the 2008 R2 DC is a spider's web of security layers.

Regards,

Geoff


What are you seeing in the websetup.log?  We had some issues using W2008 for domain and ICM.

david

Ah - logging. I was looking everywhere for the logs. Where are they located?

Regards,

Geoff

C:\icm\log\Websetup.log

david

Hi Geoff,

You could check if the service account used to run Domain Manager is a member of the Setup security group, or use a full domain administrator account while using the Domain Manager tool.

For the Web Setup tool, try a different format for logging in, e.g. domain.suffix\username or NETBIOSDOMAIN\username, and check if it helps.

Also, from the staging guide, check the functional level of AD; if possible, try lowering the functional level to Windows Server 2003 and see if that helps. This would disable a lot of the advanced features of 2008.

Windows Server 2003 functional level (on Windows 2003 Server)

Windows Server 2008 functional level (on Windows 2008 Server)

Windows Server 2008 R2 functional level (on Windows 2008 R2 Server)

Along with the web setup logs, if there are authentication issues then we should look at the logs below:

Domain Manager 

Sadlib logs  (for authentication)

Enable sadlib tracing as follows:

Go to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems, Inc.\ICM\SystemSettings\'

Set "Debug_Sadlib = Yes"

and check the logs in c:\temp folder.

Hope this gives you more insight into the issue.

Shirish

Thank you for your reply Shirish. As to lowering the functional model - although I can try that in my lab, that's not going to fly at the customer's site. They are sure to be running the 2008 R2 functional level.

I'm logging in as the Domain Admin - that removes any issues of being a member of Cisco_ICM/Setup. I have tried NETBIOSNAME\Administrator but not fqdn\Administrator. One second .. . .. ... no, that is illegal syntax.

Thanks for the tip on tracing the Domain Manager.

Regards,

Geoff

Actually, I don't believe I can lower the functional level. I'm at Windows 2008 - I can raise it to 2008 R2.

Regards,

Geoff

Ah - found it in icm\log\Websetup.log

Here is the error that prevents me from logging in.

08/23/11 12:57:19 ERROR -LocalAdminChecker- Caught Exception while finding the Local Admin membership

08/23/11 12:57:19 ERROR -LocalAdminChecker- Exception msg: Object reference not set to an instance of an object. type: System.NullReferenceException

08/23/11 12:57:19 ERROR -LocalAdminChecker- Exception stack trace:    at LocalAdminChecker.LocalAdminAdapter.isUserLocalAdminMember(UserPrincipal user)

   at LocalAdminChecker.Program.Main(String[] args)

0: SB738571.W2008.ICM: Aug 23 2011 12:57:19.675 -0700: %ICM-ERROR-AUTH_FAILURE: User W2008\Administrator is not a member of Local Administrators group

Regards,

Geoff

Hey Geoff,

Not sure if that's a question or a statement? Anyways: the user you run Web Setup with should be a member of the local Administrators group on the UCCE server. That's always been the case with UCCE. However, quite often people end up using an account that's a member of the Domain Administrators group. At least on Windows 2003, the Domain Administrators group automatically becomes a member of the Local Administrators group when you join a domain. I assume that didn't happen in your case, otherwise your domain Administrator account would have been a local Administrator too.

This Technet discussion seems to suggest that this should still happen on a Windows 2008 domain, but it may fail if you cloned your VMs and they have an identical SID. Any chance that's what happened in your lab?

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/dcff7b65-f813-4b91-8f88-6f8d19b9f924/

Cheers,

Kris

This Technet discussion seems to suggest that this should still happen on a Windows 2008 domain, but it may fail if you cloned your VMs and they have an identical SID. Any chance that's what happened in your lab?

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/dcff7b65-f813-4b91-8f88-6f8d19b9f924/

Sure - they are clones. We always used to run "newsid" with 2003 servers after cloning and before joining the domain, but I had heard that MS asked that newsid be not used any more.

I'll follow that link - makes sense.

Regards,

Geoff

OK, I went back to my VM snapshots, which is DC and ICM machine in the domain, ICM 8.5.2 installed but prior to running Domain Manager. Now on the member I left the domain, removed the computer from Users and Computers on the DC (dunno why that did not clean up), ran windows\system32\sysprep\sysprep GENERALIZE and rebooted.

Had to reset the network, renamed the box and joined the domain again. Now before I installed anything I checked

Server Manager -> Configuration -> Local Users and Groups -> Groups -> Administrators and made SURE the domain admins are here - that wasn't so before, now that I see what it should look like.

But now when I run DomainManager I get an error when I try to create the Cisco Root.

This is all pretty sad. It actually creates the Cisco root, facility and instance - but does not fill me with confidence as it throws an error each time.

Regards,

Geoff

Geoff,

I feel that your install just went from bad to worse... by any chance are there any special restrictions on your AD?

david

It certainly did mate. Nothing special here - this is my part of our lab - I control all the machines. All vanilla R2 installs.

I'm starting again with the member machine. Recreated from a R2 clone, ran sysprep, set the networking - just installing SP1. Then join the domain, install 8.5(2) and try again.

I had no issues with 2003 as a DC - and I don't mind when things go wrong in my lab. But I must say there is very little tracing in the DomainManager - even when I made the registry change. Have to do the install Monday so I'm trying to get some practice - but I'm getting more than I expected.

Regards,

Geoff

One thing a coworker ran into while working with Win2k8 AD is to make the domain admin OU visible to all OUs.  Not sure if that will help.

david


But I must say there is very little tracing in the DomainManager - even when I made the registry change.

My mistake. It does not write at a higher trace level to DomainManager.txt but instead creates a new file called sadlib.log in the TEMP directory.

I'm still unable to create the OU correctly so that Web Setup allows the instance to be added.

But if I run DomainManager again, it crashes when I click on the + to expand the top level item.

When I try to add the instance the trace from Websetup.log is:

17: SB738571.W2008.ICM: Aug 24 2011 11:11:55.249 -0700: %ICM-ERROR-ADSetupAuthorizer.checkAndFixSecurityGroups:  A problem was encountered while checking or creating security groups for instance OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM; Exception Details: Should have SG member "CN=lab_ucce1_Setup,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM" in:

CN=lab_ucce1_Config,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM

0x8A (138)

Should have SG member "CN=lab_ucce1_Setup,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM" in:

CN=lab_ucce1_WebView,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM

0x8A (138)

Although I can't use the DomainManager I can go directly to the DC and add the groups I "think" it wants, referring to the above trace. No good.

sadlib.log - the error I get when I try to add the Cisco_ICM OU is detailed a little more in this log.

08/24/11 10:37:11   SadMan::addSGMember getAdObject SadIcmInstance::GetIcmInstance() returned NULL

08/24/11 10:37:11   SadMan::addSGMember adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Config,OU=Cisco_ICM,DC=W2008,DC=ICM

08/24/11 10:37:11   SadMan::addSGMember Succeeded (0x0) adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Config,OU=Cisco_ICM,DC=W2008,DC=ICM

08/24/11 10:37:11   SadMan::addSGMember getAdObject SadIcmInstance::GetIcmInstance() returned NULL

08/24/11 10:37:11   SadMan::addSGMember adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_WebView,OU=Cisco_ICM,DC=W2008,DC=ICM

08/24/11 10:37:11   SadMan::addSGMember Succeeded (0x0) adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_WebView,OU=Cisco_ICM,DC=W2008,DC=ICM

08/24/11 10:37:11   SadMan::addSGMember getAdObject SadIcmInstance::GetIcmInstance() returned NULL

08/24/11 10:37:11   SadMan::addSGMember adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Setup,OU=Cisco_ICM,DC=W2008,DC=ICM

08/24/11 10:37:11   SadMan::addSGMember Succeeded (0x0) adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Setup,OU=Cisco_ICM,DC=W2008,DC=ICM

08/24/11 10:37:11   SadStatus::appendText Cannot get Security, no bind to object OU=Cisco_ICM,DC=W2008,DC=ICM

08/24/11 10:37:11   SadStatus::addError Cannot add ACE Null Dacl

08/24/11 10:37:11   SadMan::getGuid

Not quite enough to help me. I am sure there is some security setting I need to "relax" on the DC before this runs in order for it to work.

Any clues guys?

Regards,

Geoff
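
An added example, not part of the thread and not Cisco tooling: a small Python parser for the two log formats quoted in the post above. It turns the Websetup.log "Should have SG member" records and the sadlib.log SadMan/SadStatus lines into a short checklist of group nestings and ACL errors to verify in AD. The regular expressions assume the line layout seen in this post; other sadlib message shapes are not covered.

```python
import re
# Log lines copied from the post above, with the blank lines between records removed.
WEBSETUP_LOG = """\
17: SB738571.W2008.ICM: Aug 24 2011 11:11:55.249 -0700: %ICM-ERROR-ADSetupAuthorizer.checkAndFixSecurityGroups:  A problem was encountered while checking or creating security groups for instance OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM; Exception Details: Should have SG member "CN=lab_ucce1_Setup,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM" in:
CN=lab_ucce1_Config,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM
0x8A (138)
Should have SG member "CN=lab_ucce1_Setup,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM" in:
CN=lab_ucce1_WebView,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM
0x8A (138)
"""
SADLIB_LOG = """\
08/24/11 10:37:11   SadMan::addSGMember Succeeded (0x0) adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Setup,OU=Cisco_ICM,DC=W2008,DC=ICM
08/24/11 10:37:11   SadStatus::appendText Cannot get Security, no bind to object OU=Cisco_ICM,DC=W2008,DC=ICM
08/24/11 10:37:11   SadStatus::addError Cannot add ACE Null Dacl
"""

MISSING = re.compile(r'Should have SG member "([^"]+)" in:\s*(CN=[^\r\n]+?)\s+(0x[0-9A-Fa-f]+)')
ADDED = re.compile(r'SadMan::addSGMember (\w+) \((0x[0-9A-Fa-f]+)\) adding member '
                   r'LDAP://[^/]+/(.+?) to group (.+)')
STATUS = re.compile(r'SadStatus::(appendText|addError) (.+)')

def cn(dn):
    """Leading RDN value of a DN, e.g. 'lab_ucce1_Setup' (splits on unescaped commas)."""
    return re.split(r'(?<!\\),', dn)[0].split('=', 1)[1]

def missing_nestings(websetup_text):
    """(member DN, group DN, code) for each nesting Web Setup reports as absent."""
    return [(m.group(1), m.group(2), m.group(3)) for m in MISSING.finditer(websetup_text)]

def sadlib_events(sadlib_text):
    """Split sadlib.log into completed membership adds and SadStatus messages."""
    adds, status = [], []
    for line in sadlib_text.splitlines():
        if (m := ADDED.search(line)):
            adds.append((m.group(1), m.group(2), cn(m.group(3)), cn(m.group(4).strip())))
        elif (m := STATUS.search(line)):
            status.append((m.group(1), m.group(2).strip()))
    return adds, status

def report(websetup_text, sadlib_text):
    """One line per finding: nestings to verify, adds that completed, ACL errors."""
    adds, status = sadlib_events(sadlib_text)
    out = [f"nest {cn(mem)} in {cn(grp)} (code {code})"
           for mem, grp, code in missing_nestings(websetup_text)]
    out += [f"{result} ({hr}): {mem} -> {grp}" for result, hr, mem, grp in adds]
    out += [f"{kind}: {msg}" for kind, msg in status]
    return out

if __name__ == "__main__": print("\n".join(report(WEBSETUP_LOG, SADLIB_LOG)))
```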