SCE 2007 - Problems with Feature configuration wizard
When running the Feature configuration wizard, the wizard stops with the following error:
The service threw an unknown exception
The Policy Configuration Results pane shows that configuration of group policy, Remote Assistance policy, firewall exceptions feature and error monitoring failed with the following error code:
Error: -2146233088
Proxy settings, Scheduled Discovery and Daily Health report settings configured successfully, but the Close button is grayed out.
As you might expect, the wizard created no group policy's or SCE computer groups in Active Directory.
The user account running the installation is a member of Administrators, Domain Administrators, Enterprise Admins, Schema Admins, Group Policy Creator Owners. The domain is a single-label domain (its name is 'domain', not 'domain.local', 'domain.com' etc). Although, we managed to install SCE and run the wizard without errors in our lab.The server where we installed SCE is new, no other functions has been running on it before.We installed SCE from a media with integrated Service Pack 1. Windows Server 2003 R2 SP2
How can we solve this problem?
Best regards
Per
SCECert0.log.txt:-----------------------------------------------------------------------------------Starting Logging at 11:51:34 den 6 juni 2008 : CreateWSUSCodeSigningCertificate----------------------------------------------------------------------------------------------------------------------------------------------------------------Starting Logging at 11:51:34 den 6 juni 2008 : CreateWSUSCodeSigningCertificate--------------------------------------------------------------------------------11:51: Params : D:\SCE\\Certificates\WSUSCodeSigningCert.cer11:51: Got the code signing certificate from WSUS11:51: Params : IsLocalPolicy : False, SCEServer : installation.domain, AEMFileShare : , RemoteControl : True, AEM : False11:51: Error : The service threw an unknown exception. See inner exception for details.11:51: StackTrace: at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.HandleIndigoExceptions(Exception ex) at Microsoft.EnterpriseManagement.DataAbstractionLayer.TypeSpaceOperations.UpdateManagementPack(ManagementPack managementPack, ManagementGroup managementGroup) at Microsoft.EnterpriseManagement.Configuration.ManagementPackDatabaseWriter.UpdateManagementPack(ManagementPack mp) at Microsoft.EnterpriseManagement.Configuration.ManagementPack.AcceptChanges() at Microsoft.EnterpriseManagement.SceCertPolicyConfig.SceCertPolicyConfig.ConfigureSceRules(String logFile, Boolean configureLocalPolicy, String sceServer, String aemFileShare, String domainName, Int32 aemPort, Boolean configureRemoteControl, Boolean configureAem, Boolean configureFirewall)11:51: Params : SGName : SCE Managed Computers (INSTALLATION_MG), SGACL: domain\INSTALLATION$, gpoName: SCE Managed Computers Group Policy (INSTALLATION_MG)11:51: SearchDirectory: not found (&(objectClass=group)(cn=SCE Managed Computers (INSTALLATION_MG))(groupType=-2147483640))11:51: securityGroup with UNIVERSAL_SG not found: now searching with GLOBAL_SG11:51: SearchDirectory: not found (&(objectClass=group)(cn=SCE Managed Computers (INSTALLATION_MG))(groupType=-2147483646))11:51: Uninstall: securityGroup for SCE Managed not found11:51: CreateSecurityGroupAndSetGroupPolicyAcls Success---
SCECert0.log:---SCECert Log -- Starting Log -- [06-06-2008 09:51:34]CreateSelfSignedCertificate: Exporting Certs.CreateAndDeployCert: Installing Cert.ConfigureSCEMPRules failed with error code of: 0x80131500
ConfigureSCEMPRules: CreateAndDeployCert failed with error code of: 0x80131500
CreateCertAndConfigureGroupPolicyDoWork failed with hr = 80131500CleanUpCertificates: FindObject failed: 0x80070490CleanUpCertificates failed. hr = 80070490
RegQueryValueEx(1): no eixsting values, ignore error: 0x80070002
RegQueryValueEx(1): no eixsting values, ignore error: 0x80070002
RegQueryValueEx(1): no eixsting values, ignore error: 0x80070002
SaveGP: spGPO->Save succeeded: 0x0SetADGPOPolicyElements: spManagedCompGPO->Save succeeded : 0x0SaveGP: spGPO->Save succeeded: 0x0SetADGPOPolicyElements: spAllCompGPO->Save succeeded: 0x0 CreateCertAndConfigureGroupPolicy: Returned from threadCreateCertAndConfigureGroupPolicy: Worker thread failed with error code of: 0x80131500
CreateCertAndConfigureGroupPolicy: WaitForSingleObject returned: 0x80131500
---
June 6th, 2008 1:28pm
Hi,Please open GPMCchoose the domain which you need to install SCE, and select "delegation" tab, add the account which you used to install SCE, and then try the run the wizard again.--------------------Regards,Eric Zhang
Free Windows Admin Tool Kit Click here and download it now
June 10th, 2008 12:33pm
Hi,
thank you for your answer.
I tried adding the account in the delegation tab, but the problem was exactly the same when running the wizard.
After rebooting the server, the option Configure a domain-level Group Policy is grayed out.
We tried to run SCECertPolicyConfigUtil.exe /ManagementGroup [Management Group name] /uninstall, but it stopped with the following error:
Failed to Configure Policy and Deploy Certs. hr = 80070002
SCECert0.log looks like this:
---
SCECert Log -- Starting Log -- [06-10-2008 16:17:06]Failed to query the registry value IsSCEServer. hr = 80070002
LoadSettingsForCleanUp failed. hr = 80070002
CreateCertAndConfigureGroupPolicyDoWork: CleanUpCertificatesAndPolicy failed with error code of: 0x80070002
CreateCertAndConfigureGroupPolicy: Returned from threadCreateCertAndConfigureGroupPolicy: Worker thread failed with error code of: 0x80070002
CreateCertAndConfigureGroupPolicy: WaitForSingleObject returned: 0x80070002
---
June 10th, 2008 7:28pm
In Active Directory Users and Computers, can you check if the security group SCE managed computers (machinename_MG) exists? Also, using group policy management (either gpmc.msc if installed, or dsa.msc) to check if System Center All Computers Policy and/or SCE Managed Computers (computername_MG) exist? Also look for an unlinked policy object named "SCE Test GPO".
If any of these are present, try deleting them prior to restarting the SCEUI and running the policy wizard. If not, can you confirm it is possible on the SCE Server to create a policy from that machine as the current user? While the user may have the right permissions, this ensures that the physical machine is not having issues accessing those.
Free Windows Admin Tool Kit Click here and download it now
June 11th, 2008 10:44pm
Hi Stephanie
There is no group named "SCE Managed Computers..." in Active Directory Users and Computers.
The only of the mentioned GPO's that exists is "SCE Test GPO", and it looks like it is created when you start the Feature Configuration Wizard. Deleting it, and running the wizard again, gives the same result (the domain-level group policy option is grayed out).From the SCE server, I'm able to create a GPO as the current user.
June 13th, 2008 3:29pm
Hi,Please open a cmd prompt and navigate to the C:\Program Files\System Center Essentials 2007 directory, then run the following command: SCECertPolicyConfigUtil.exe /PolicyType<domain or local> /ManagementGroup <management group name> /SCEServer <Essentials Server FQDN> After running the command, reboot the SCE server then try to run the wizard again.--------------------Regards,Eric Zhang
Free Windows Admin Tool Kit Click here and download it now
June 18th, 2008 9:51am
Hi Eric,
we ran the following command. We get the same errors before and after reboot.
But when I look in Group Policy Management, there is a GPO named "System Center Essentials All Computers Policy" created at the same that I ran the command below after reboot. (I tried to run the wizard from the SCE console again, the domain level option is still greyed out.) Can this be normal behaviour?
C:\>SCECertPolicyConfigUtil.exe /PolicyType domain /ManagementGroup sceserver_MG /SCEServer sceserver.domain Failed to Configure Policy and Deploy Certs. hr = 80004005
SCECert0.log
SCECert Log -- Starting Log -- [06-23-2008 09:27:49]CreateSelfSignedCertificate: Exporting Certs.CreateAndDeployCert: Installing Cert.GetADRoot: Initialized PDC with...LDAP://dc1.domain/DC=domainCreateGPO: GPO Already exists. We will return E_FAILHaveGPORightsOnDC: Unable to create test GPOConfigureDomainPolicyObjects: HaveGPORightsOnDC failed with error code of: 0x80004005
CreateCertAndConfigureGroupPolicyDoWork: ConfigureDomainPolicyObjects failed with error code of: 0x80004005
CreateCertAndConfigureGroupPolicyDoWork failed with hr = 80004005CleanUpCertificates: FindObject failed: 0x80070490CleanUpCertificates failed. hr = 80070490
GetRegistryKey: OpenDSGPO failed: 0x80070003
SetADGPOPolicyElements: GetPolicyObject failed: 0x80070003
CleanUpCertificatesAndPolicy: SetADGPOPolicyElements failed with error code of: 0x80070003
CreateCertAndConfigureGroupPolicy: Returned from threadCreateCertAndConfigureGroupPolicy: Worker thread failed with error code of: 0x80004005
CreateCertAndConfigureGroupPolicy: WaitForSingleObject returned: 0x80004005
SCECert0.log.txt
--------------------------------------------------------------------------------Starting Logging at 11:27:49 den 23 juni 2008 : CreateWSUSCodeSigningCertificate----------------------------------------------------------------------------------------------------------------------------------------------------------------Starting Logging at 11:27:49 den 23 juni 2008 : CreateWSUSCodeSigningCertificate--------------------------------------------------------------------------------11:27: Params : D:\SCE\\Certificates\WSUSCodeSigningCert.cer11:27: Got the code signing certificate from WSUS11:27: Params : IsLocalPolicy : False, SCEServer : sceserver.domain, AEMFileShare : , RemoteControl : False, AEM : False11:28: ConfigureSceRules Success11:28: Params : SGName : SCE Managed Computers (sceserver_MG), SGACL: domain\INSTALLATION$, gpoName: SCE Managed Computers Group Policy (sceserver_MG)11:28: SearchDirectory: not found (&(objectClass=group)(cn=SCE Managed Computers (sceserver_MG))(groupType=-2147483640))11:28: securityGroup with UNIVERSAL_SG not found: now searching with GLOBAL_SG11:28: SearchDirectory: not found (&(objectClass=group)(cn=SCE Managed Computers (sceserver_MG))(groupType=-2147483646))11:28: Uninstall: securityGroup for SCE Managed not found11:28: CreateSecurityGroupAndSetGroupPolicyAcls Success
June 23rd, 2008 12:51pm
Hi,First, please open a cmd prompt and navigate to the C:\Program Files\System Center Essentials 2007 directory, then run the following command: SCECertPolicyConfigUtil.exe /uninstall /ManagementGroup<management group name>"Second, open a windows explorer, navigate to C:\Program Files\System Center Essentials 2007\certificates, delete the two certificates under this folder.Reboot the server, check whether you can run the wizard, if it still fails, please open event viewer to check whether there is any error and post it in the thread.--------------------Regards,Eric Zhang
Free Windows Admin Tool Kit Click here and download it now
June 24th, 2008 10:42am
Can you go through following procedure?
Close SCE console.
Delete the "SCE Test GPO" from Active Directory (if it exists).
Open a command prompt and navigate to the System Center Essentials installation directory (e,g.C:\Program Files\System Center Essentials 2007)
Run the following command: (replace <management group name> with your management group)SCECertPolicyConfigUtil.exe /ManagementGroup<management group name> /uninstall
Open the registry editor (type regedit in Start->Run)
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center Essentials\1.0\Console\FeatureWizardSettings
Change the value of "FeatureConfigurationCompleted" to 0. (Warning: Make sure to backup your registry before making any changes.)
Start the SCE console again. You should be able to see the option for Domain Policy.
Let us know how this goes.
June 26th, 2008 12:21am
Hi,
Thanks for your answer. I am working with Per.
I have deleted the two cert files.
When I run SCECertPolicyConfigUtil.exe I get this result
Failed to Configure Policy and Deploy Certs. hr = 80070002
The FeatureWizardSettings key in the registry is already 0
Still no success , any other ideas? Is there a debug tool you could send us that logs a lot, that we can use to see what is really going on here?
Thanks
Free Windows Admin Tool Kit Click here and download it now
June 26th, 2008 10:34am
When looking in Group Policy Management I can see the following SCE GPO
System Center Essentials All Computers Policy (User configuration settings disabled) should I delete that too before I try to run the wizard again?
June 26th, 2008 10:45am
Please delete the following GPOs if any of them is present:
1. SCE Test GPO
2. System Center Essentials All Computers Policy
3. SCE Managed Computers Group Policy (<management group name>)
Run the SceCertPolicyConfigUtil.exe /ManagementGroup <management group name> /Uninstall
Make sure the "FeatureConfigurationCompleted" key is set to 0.
Restart the SCE console.
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2008 8:57pm
I deleted SCE Test GPO and "System Center Essentials All Computers Policy".
"SCE Managed Computers Group Policy" does not exist.
SceCertPolicyConfigUtil.exe gives the following output:
"Failed to Configure Policy and Deploy Certs. hr = 80070002"
The "FeatureConfigurationCompleted" key is set to 0 before and after running the SceCertPolicyConfigUtil.exe.
Domain-level group policy is still greyed out in the SCE Console
June 27th, 2008 9:22pm
Can you check if the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center Essentials\1.0\PolicySettings folder exist in registry?
Delete "PolicySettings" folder if it exists (Warning: Make sure to backup your registry before making any changes.).
Restart SCE. Run the Feature Configuration Wizard.
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2008 11:11pm
The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center Essentials\1.0\PolicySettings folder was found in registry. I deleted it and rebooted the server.
Running the Feature Configuration Wizard gives the same result: the domain-level group policy option is greyed out. Nothing new in the registry. There is a new"SCE Test GPO".
June 28th, 2008 12:12am
Delete the SCE Test GPO and other SCE related GPOs (refer to previous post).
Do you see the PolicySettings folder in registry now? Check for the key "IsLocalPolicy" there. Change its value from 0 to 1. Re-start SCE.
I am not sure why it is creating SCE Test GPO if only local policy is selected. Which radio-button is selected in the greyed out "Policy Type" page in the Feature Configuration Wizard?
Free Windows Admin Tool Kit Click here and download it now
June 28th, 2008 12:59am
No, there is no PolicySettings folder in the registry.
It looks like the SCE Test GPO is created as soon as you start the wizard.
In step 3 of the wizard, you get the option to select policy type. In our case, the option called "Yes, configure a domain-level Group Policy for me (recommended)" is greyed out and because of that the option called "No, use local policy to configure computers" is selected. As I want to use a domain-level policy I now select "Cancel" to close the wizard.
June 28th, 2008 1:25am
Hi,Please log on to your DC, navigate to \\SYSVOL\<domain FQND>\policies\ folder, make sure the "SCE Managed computers group policy" and "System Center Essentials All computer policy" has been deleted.For checking the Unique ID of these two policies, please open GPMC, click the poicy, choose detail tab, you will find the Unique ID of the policy.--------------------Regards,Eric Zhang
Free Windows Admin Tool Kit Click here and download it now
July 3rd, 2008 11:38am
Hi,As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios.If the issue still persists and you want to return to this question, please reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.In addition, wed love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.Thanks!--------------------Regards,Eric Zhang
July 10th, 2008 12:02pm
No, we have not solved this. The problem right now is that there is no new ideas how to troubbleshot this. We are working with PSS too to get a solution.
Free Windows Admin Tool Kit Click here and download it now
July 10th, 2008 12:07pm
Hello!I've got the exact same issue! Did you get it resolved? I'm currently working a case with Microsoft support.Best regardsAdamadam [d0t] nerell [at] gmail [d0t] com
December 29th, 2008 9:11pm
Hi, no we did not. If you solve please share. What I have heard from others with this problem a solution could be to move all FSMO roles to one machines and also make sure the SCE machine always talk to this DC. The problem can that SCE creates a object in AD to check permissions, then when SCE wants to remove it, it is connected to another DC that done have the object, replication have not occurred yet.Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
Free Windows Admin Tool Kit Click here and download it now
February 2nd, 2009 10:31am
I just ran into the same issue installing SCE 2007 SP1 in our Hyper-V lab. Checked domain conectivity with netdiag.exe, tried the proposed solutions above to no avail.The option to use Group Policies is still greyed out. I built a new Virtual Server (2003 R2 32-bit) for this, so the machine is clean.I have removed an old SUS Group Policy, but that was all. I have no Policies or Groups and also do not see the SCE Test policy.I'm using the domain admin account for the lab domain from this. There are only 2 domain controllers (physical) in the domain.Has anyone got any further with this?George.George
May 21st, 2009 11:38pm
We solved it by edit the SCE server host file. We added one line for the domain, so each time the SCE server resolved the domain it communicated with the same domain controller. It seems like SCE created a GPO with in one way and deletes it in another way, and it ended up on different domain controllers when doing that. So the GPO was not on the 2nd DC when it tries to delete it. Out SCE server is now fully installed.Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
Free Windows Admin Tool Kit Click here and download it now
May 22nd, 2009 11:58am
After some AD & DNScleanup and checking with nslookup, it was clear that this wan't the issue with me.It took me some time to realize that McAfee AV Enterprise was blocking GPO changes on the DC. Pfff.Anyway, after that it was all gravy.Removed the systems I had added from management, removed the local policy I had added, reset the wizard (in registry) and added a domain policy (via commandline) and then ran through the Feature wizard as well.Regards,George.George
May 22nd, 2009 4:46pm
ive tryed everything you talked about now way .... its not working, any news in the mean time ???
Free Windows Admin Tool Kit Click here and download it now
July 1st, 2009 2:51pm
Basically DNS needs to be working as should creation of new GPO's. I didn't find that McAfee snafu until I catually tried to save a new GPO; had tried new and edit, but never actually tried to SAVE something. Only then did I find out that AV was blocking this.But that was just me.George.
George
July 1st, 2009 2:58pm
i installed GPMC on the SCE Server , i can make a new GPO and edit and save it ...
can it be that the SCE Server didnt like it to be installed in sub domain ( ip adress etc.), but he is member of the top domain. the dns and wins points only to my MFSO DC,
i ve also put the DC in the lmhost. when i open the wizard he makes the SCE Test GPO, and then failur"Failed to Configure Policy and Deploy Certs. hr = 80070002"
hmmmmmmmmm...
Free Windows Admin Tool Kit Click here and download it now
July 1st, 2009 3:45pm