Hello,
I deploy Splunk via SCCM using a PowerShell script which runs the MSI and then copies a specific deploymentclient.conf file depending on the server type.
For some reason, application deployment is failing on all of our domain controllers with the error which correlates to "invalid detection method used". I can see when the MSI runs, the old version gets uninstalled, but then ultimately it just gets reinstalled again. This newer version is superseding an older version, so could that be part of the issue? Why would this only affect domain controllers when all of our other server installations are successful? Would the MSI detection string be different for domain controllers?
This is the PowerShell install command I am using:
Here are more hints from verbose logging:
Property(S): InstallRegmonDrv = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): InstallNetmonDrv = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): InstallNohandleDrv = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): CreateFtr = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): FirstTimeRun = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): SetSplunkLaunchConf = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;FailCA=
Property(S): InstallSplunkService = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;ServiceStartType=auto;PrevProdCode={1CA252F3-7317-4021-B678-141BB5D3E3FF};FailCA=
Property(S): SetAcls = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;FailCA=
Property(S): EnableSplunkForwarder = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): EnableEventLogs = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;App=; Sec=; Sys=;Fwd=; Set=;FailCA=
Property(S): StartSplunkService = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;LaunchSplunk=1;FailCA=
Property(S): StopSplunkServiceDef = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;FailCA=
Property(S): RollbackRegmonDrv = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): RollbackNetmonDrv = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): RollbackNohandleDrv = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): RestartSplunkService = SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;LaunchSplunk=1;FailCA=
Certificate issue?
Hi @mk_ultra,
Please see the following reply for instructions on how to troubleshoot: https://community.splunk.com/t5/Installation/Install-issue-on-Server-2016/m-p/540173/highlight/true#...
Cheers,
- Jo.
This is resolved. I just put an extra line in my PowerShell deployment script to uninstall the previous version of Splunk Forwarder before attempting the new install. This wasn't necessary for previous SCCM deployments where I did an upgrade in-place with supersedence rules. And curiously it only affected domain controllers.
Hmmm...interesting. That should be implied, but thanks for letting us know!