| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Connecting to Config Manager error, |
« View previous topic :: View next topic » |
| Author |
Message
|
| LazyBoy |
 Posted: Tue May 26, 2009 1:30 pm Post subject: Connecting to Config Manager error, |
 |
|
Voyager
Joined: 04 May 2006
Posts: 78
|
Hi
I have WMB 6.1.0.3 Broker and Cofigmgr on Windows 2003 Server.
I have created broker and configmgr on MachineA using local user LUserA.
Now, I am using a domain user "mydomain\DUserB" to connect to MachineA broker from MachineB. I have created a local user DUserB on MachineA and also created acl entry for user DUserB with full access.
Now on MachineB toolkit when I try connecting to MachineA configmgr, I am getting following error:
BIP0991E:
BIP1162S: The Configuration Manager has received a registration request for resource '*/ConfigManagerProxy/' that cannot be processed. Exception 'com.ibm.broker.config.ConfigManagerFatalException: [3221232488] com.ibm.broker.security.ugregistry.UGRegistryException: Native security system error: &1 ' has been generated.
A request was received by the Configuration Manager to register for updates to the resource '*/ConfigManagerProxy/', but an exception was thrown while processing this request ('com.ibm.broker.config.ConfigManagerFatalException: [3221232488] com.ibm.broker.security.ugregistry.UGRegistryException: Native security system error: &1 ').
Restart the connection to the Configuration Manager and retry the operation. If the exception persists, start Configuration Manager tracing to record details of the request, and contact your IBM Support Center.
On MachineA Event Viewer I have following Error:
Error in call 'NetUserGetLocalGroups()' to the NT security domain with return code 1722.
A component of WebSphere Message Brokers is attempting to call the NT security domain. The security subsystem returned an error code.
Check NT security subsystem documentation for the reported error. Restart the relevant service component (UserNameServer, or Configuration Manager). Ensure that a Domain Controller, either Primary or Backup, is available
I am using VPN connection to connect from MachineA to MachineB.
Please advice me where I am going wrong.
Thanks, |
|
| Back to top |
|
 |
| gs |
| Posted: Fri May 29, 2009 1:17 am Post subject: |
|
|
Master
Joined: 31 May 2007
Posts: 254
Location: Sweden
|
How is your SVRCONN channel that you connect to configured?
Sounds like you've set MCAUSER to empty and thus MachineA can't find user "mydomain\DUserB" that you use on MachineB.
Also read up on NetUserGetLocalGroups() error 1722 if necessary. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri May 29, 2009 1:56 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| It sounds to me like the configmgr service user is not authorized to the NT domain. OR that the domain controllers were rebooted and the configmgr was not restarted. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Fri May 29, 2009 2:02 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| mqjeff wrote: |
| OR that the domain controllers were rebooted and the configmgr was not restarted. |
Can you elaborate?
Ya know, we see these "Error in call 'NetUserGetLocalGroups()' to the NT security domain with return code 1722." every few days / weeks on the few Windows 2000 servers we have left. No one complains, its sporadic, the server guys don't know, so we live with it.
Our Config Managers that were running on Windows 2003 VMWare servers would get this also. The VMWare guys "re-added the server to the domain" and the errors stopped.
And last week a user whose workstation is a XP VMWare session also keeps getting the error on their local Broker / CM.
Its seems environmental to me, since if it was configured wrong on the MQ/WMB side, it would never work. These errors come and go.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri May 29, 2009 3:49 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
I can't really elaborate a lot. I'm not an expert on AD stuff. But consider that it's a hub/spoke network with cached connections that may not refresh as quickly as one would like, particularly if WINS resolution isn't working very well for other reasons. So if the connection to the PDC goes bad, the configmgr's machine may not quite notice that until someone tries to *talk* to the PDC - which the configmgr is doing when ever it needs to.
And consider that the windows API may cache connection stuff under the covers when the configmgr first opens up the security registry. So it's not a bad idea to give the configmgr a reboot, or the whole server a reboot, when you know that significant events in the AD domain have occurred. It may not be necessary at all, but unless you have to fill out 20 pieces of change-control, it can't hurt too much. |
|
| Back to top |
|
|
| LazyBoy |
| Posted: Fri May 29, 2009 6:45 am Post subject: |
|
|
Voyager
Joined: 04 May 2006
Posts: 78
|
| Quote: |
How is your SVRCONN channel that you connect to configured?
Sounds like you've set MCAUSER to empty and thus MachineA can't find user "mydomain\DUserB" that you use on MachineB. |
Yes, I am running with empty MCA User id.
| Quote: |
| Also read up on NetUserGetLocalGroups() error 1722 if necessary. |
I read upon this error, Microsoft suggests to enable Netbios for tcp/ip network, Even that didn't help out.
http://www-01.ibm.com/support/docview.wss?uid=swg21172979
I did all that mentioned in that microsoft websites ( the workarounds),but no luck.
Now, I see an underlying MQ Error, it is reporting following error:
WebSphere MQ encountered the following network error: The RPC server is unavailable.
MQ failed to successfully complete a network operation due to the specified error. If the error is encountered on systems that are part of a Windows 2000 domain it can indicate incorrect DNS or WINS configuration.
Ensure that your network is functioning correctly. On the Windows platform check DNS and/or WINS settings to ensure that domain controllers, used for authentication or authorisation functions, are accessible.
I have IBM MQ Series windows services running under "Local system account".
The IBM MQ Series DCOM component running under MUSR_MQADMIN.
If I have to use my domain user to connect to QM do I need to run the DCOM Serice uder Domain user? |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
