- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Forwarder 9.1.1 update failed on Domain Controller
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The update installation of the forwarder is not running and a roll-back is being performed. During further tests I have activated the verbose logging of the MSI installer. The following error occurs here:
Cannot set GROUPPERFORMANCEMONITORUSERS=1 since the local users/groups are not available on Domain Controller.
He is probably right. But why does the installer try to set this parameter at all during an update installation? Unfortunately, I cannot set any further options here during an update. There is clearly a bug in the installer script.
Any Ideas?
Log:
Action 14:44:08: SetAccountTypeData.
Action start 14:44:08: SetAccountTypeData.
MSI (s) (A0:60) [14:44:08:562]: PROPERTY CHANGE: Adding SetAccountType property. Its value is 'UseVirtualAccount=;UseLocalSystem=0;UserName=D3622070\SIEM-EVNT-READER;FailCA='.
Action ended 14:44:08: SetAccountTypeData. Return value 1.
MSI (s) (A0:60) [14:44:08:562]: Doing action: SetAccountType
MSI (s) (A0:60) [14:44:08:562]: Note: 1: 2205 2: 3: ActionText
Action 14:44:08: SetAccountType.
Action start 14:44:08: SetAccountType.
MSI (s) (A0:F0) [14:44:08:562]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAC9D.tmp, Entrypoint: SetAccountTypeCA
SetAccountType: Error 0x80004005: Cannot set GROUPPERFORMANCEMONITORUSERS=1 since the local users/groups are not available on Domain Controller.
CustomAction SetAccountType returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:44:08: SetAccountType. Return value 3.
MSI (s) (A0:60) [14:44:08:594]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (A0:60) [14:44:08:594]: User policy value 'DisableRollback' is 0
MSI (s) (A0:60) [14:44:08:594]: Machine policy value 'DisableRollback' is 0
MSI (s) (A0:60) [14:44:08:594]: Note: 1: 2318 2:
MSI (s) (A0:60) [14:44:08:609]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1467512195,LangId=1033,Platform=589824,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (A0:60) [14:44:08:609]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (A0:60) [14:44:08:609]: Executing op: DialogInfo(Type=1,Argument=UniversalForwarder)
MSI (s) (A0:60) [14:44:08:609]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (s) (A0:60) [14:44:08:609]: Executing op: RegisterBackupFile(File=C:\Config.Msi\b08a3953.rbf)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From Splunk Support:
"It will be resolved in version 9.1.3 and 9.2.1 releases. "
As a workaround, you can uninstall the UF and install the new version instead of upgrading.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having the same problem on our DC's. Did you find a solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From Splunk Support:
"It will be resolved in version 9.1.3 and 9.2.1 releases. "
As a workaround, you can uninstall the UF and install the new version instead of upgrading.
Meet Duke Cyberwalker | A hero’s journey with Splunk
The Future of Splunk Search is Here - See What’s New!
Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today
