Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Forwarder 9.1.1 update failed on Domain Controller
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The update installation of the forwarder is not running and a roll-back is being performed. During further tests I have activated the verbose logging of the MSI installer. The following error occurs here:
Cannot set GROUPPERFORMANCEMONITORUSERS=1 since the local users/groups are not available on Domain Controller.
He is probably right. But why does the installer try to set this parameter at all during an update installation? Unfortunately, I cannot set any further options here during an update. There is clearly a bug in the installer script.
Any Ideas?
Log:
Action 14:44:08: SetAccountTypeData.
Action start 14:44:08: SetAccountTypeData.
MSI (s) (A0:60) [14:44:08:562]: PROPERTY CHANGE: Adding SetAccountType property. Its value is 'UseVirtualAccount=;UseLocalSystem=0;UserName=D3622070\SIEM-EVNT-READER;FailCA='.
Action ended 14:44:08: SetAccountTypeData. Return value 1.
MSI (s) (A0:60) [14:44:08:562]: Doing action: SetAccountType
MSI (s) (A0:60) [14:44:08:562]: Note: 1: 2205 2: 3: ActionText
Action 14:44:08: SetAccountType.
Action start 14:44:08: SetAccountType.
MSI (s) (A0:F0) [14:44:08:562]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAC9D.tmp, Entrypoint: SetAccountTypeCA
SetAccountType: Error 0x80004005: Cannot set GROUPPERFORMANCEMONITORUSERS=1 since the local users/groups are not available on Domain Controller.
CustomAction SetAccountType returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:44:08: SetAccountType. Return value 3.
MSI (s) (A0:60) [14:44:08:594]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (A0:60) [14:44:08:594]: User policy value 'DisableRollback' is 0
MSI (s) (A0:60) [14:44:08:594]: Machine policy value 'DisableRollback' is 0
MSI (s) (A0:60) [14:44:08:594]: Note: 1: 2318 2:
MSI (s) (A0:60) [14:44:08:609]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1467512195,LangId=1033,Platform=589824,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (A0:60) [14:44:08:609]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (A0:60) [14:44:08:609]: Executing op: DialogInfo(Type=1,Argument=UniversalForwarder)
MSI (s) (A0:60) [14:44:08:609]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (s) (A0:60) [14:44:08:609]: Executing op: RegisterBackupFile(File=C:\Config.Msi\b08a3953.rbf)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From Splunk Support:
"It will be resolved in version 9.1.3 and 9.2.1 releases. "
As a workaround, you can uninstall the UF and install the new version instead of upgrading.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having the same problem on our DC's. Did you find a solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From Splunk Support:
"It will be resolved in version 9.1.3 and 9.2.1 releases. "
As a workaround, you can uninstall the UF and install the new version instead of upgrading.
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
