| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Prepare MQ Wizard on Win2003 errors out |
« View previous topic :: View next topic » |
| Author |
Message
|
| PeterPotkay |
 Posted: Thu Jul 15, 2004 12:27 pm Post subject: Prepare MQ Wizard on Win2003 errors out |
 |
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Windows 2003 Server
MQSeries 5.3 CSD07
1st Install attempt in this domain, 1st install attempt on Win2003:
I am logged on as User1, which is in the administrators group, thru pcAnywhere.
1. Answer No when the Set Up GUI asks me if I am in a Windows 2000 Domain.
2. Install of base MQ 5.3 is OK.
3. I try and run the Prepare WebSphere MQ Wizard, to make MQ a Service. It throws the following error:
WebSphere MQ configuration problem
WebSphere MQ is not correctly configured for Windows 2000 domain users
An unexpected error while validating the security credentials of user QA1\User1
Ensure the network is operational, and that all required domain controllers are available.
4. I click Cancel, and install CSD07.
5. Try and run the Wizard again, and get the same error.
6. I add User1 to the mqm group, and try and run the Wizard again, with the same error.
I find out that this is the first time we are installing MQ in this domain, and it IS a Windows 2000 domain.
I have the Sys Admin follow the steps in Chapter 11 of the Quick Beginnings Manual. He creates the domain group "domain mqm" (no quotes), and adds a user call User1_qa1 into it. He gives me the password, and sets the password expiration to unlimited. He puts domain mqm / User1_qa1 into another global group as well, called OtherGlobal. OtherGlobal is in the Administrators group of this server.
7. I log back onto the server as User1_qa1, in the QA1 domain. I uninstall MQ, delete the MUSR_MQADMIN id, leave the mqm group, and reboot.
8. I run the set up again, this time answering YES to the domain question. The install again proceeds with no issues. I do not run the Prepare WebSphere MQ Wizard at this point.
9. I install CSD07 with no issues.
10. I go to run the Prepare WebSphere MQ Wizard, and again it bombs out with the same error, except this time it points to QA1\User1_qa1. It never asked me what special ID it should run under. And, it recreated the MUSR_MQADMIN ID again!
What should I try next?
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Thu Jul 15, 2004 1:38 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Peter,
Have you tried using NetMeeting instead of PC Anywhere?
Pleasantries aside, I don't think it likes your user id as it is not part of the domain "domain mqm" but a machine userid "qa1\user_qa1"
I never installed a windows version on a domain, I always answered no.
The user installing MQ will need to have all admin rights to the machine. It should be a domain user if the service is to run as a domain service...
Being part of the mqm group can you skip the wizard and go to dos
and then create a qmanager from the prompt ??
??
Hope it helps a little.
 |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Jul 15, 2004 7:17 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| Quote: |
I don't think it likes your user id as it is not part of the domain "domain mqm" but a machine userid "qa1\user_qa1"
|
qa1 is not the machine name, it is the domain name.
User1_qa1 is defined in the "domain mqm" group. I dont understand why this message is being thrown saying it sees it as being on qa1. When I logged onto the server, I did type at the logon screen User1_qa1, the password, and the domain as QA1, so maybe thats why?. User1_qa1 is not defined on the machine locally though. It was originally defined in "domain mqm". The in was placed in a global group (SomeOtherGlobalGroup) in the QA1 domain, and the QA1/SomeOtherGlobalGroup was placed in the local administrators group.
| Quote: |
Being part of the mqm group can you skip the wizard...
|
I need to run it to make MQ a service.
| Quote: |
and go to dos
and then create a qmanager from the prompt ??
|
I'll try that when I get in to work.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| JasonE |
| Posted: Fri Jul 16, 2004 1:33 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
The question 'are you windows 2000' is the worst worded question possible. Please translate it mentally to read "Are you running an active directory domain which has not been migrated from an NT4 domain.
Therefore, your answer should be Yes, and it should ask you for that userid and password. That userid must be a domain id, and its easiest if you add it to a domain group "Domain mqm", as you have done (because Domain mqm gets added automatically to the local mqm group when it gets created). You also need to give delegate authority, to the domain userid on the DC (and note the instructions in the manual are wrong if the DC is windows 2003, but thats not the case for you - I can post details if anyone becomes interested...).
I suspect the delegate authority is the bit that has been missed. If the prepare wizard bombs out, look at the amqmjpse.?log/txt? file, as it says why. As usual, also check for mq error logs + fdcs. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Fri Jul 16, 2004 7:28 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| Quote: |
and it should ask you for that userid and password.
|
Which it never did.
| Quote: |
You also need to give delegate authority, to the domain userid on the DC
|
I assume we did, since we followed the instructions in the Quick Beginnings to the letter.
| Quote: |
and note the instructions in the manual are wrong if the DC is windows 2003, but thats not the case for you
|
Let me ask my admin if that is the case. I think the DC is 2000, but never really checked.
And I'll look at that file also.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| JasonE |
| Posted: Mon Jul 19, 2004 1:36 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
| The only reason I can see you wouldnt get the panel on the first run of the wizard is that you answered No to the w2k question from the initial launchpad (prior to the install) and this is passed through to the prepare wizard, and we skip the question then. On subsequent launches, you should get asked the userid / domain type question... I think... |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Mon Jul 19, 2004 11:42 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Interestingly enough, I was able to create a QM called TEST, start it and its listener, client connect an app to it, use runmqsc as well.
But I cannot open the MQExplorer tool locally. It complains with the following error when I tried to expand the WebSphere MQ level of the tree in the left panel:
"Could not initialize WebSphere MQ Services Objects. x80080005 Server Execution failed (AMQ4100)."
If I try and open the MQServices GUI and expand the tree at WebSphere MQ Services (local), I get this error:
"Unable to complete this task because you do not have authority to administer WebSphere MQ. You must be in the Administrators group, the mqm group, or logged on in with the SYSTEM ID to administer WebSphere MQ (AMQ4212)."
I closed all the Windows, but Task Manager still shows 1 amqsvc.exe running.
The thing is, I am logged on as User1_qa1, which should qualify. And I get the same error if I log on as User1. Here is the current state of all my groups and IDs.
Somewhere in the QA1 domain, the Sys Admin defined a group called "domain mqm". In that group is defined the ID User1_qa1. We gave this group all the authorities it needed as detailed in the Quick Beginings Manual.
Somewhere in the QA1 domain, there is a global group called MQADMINS. The User1_qa1 ID is placed in there as well.
On this server, the mqm group has the following IDs: MUSR_MQADMIN, User1 and QA1\Domain mqm.
On this server, the Administrators group has the following IDs (among others): User1, QA1\MQADMINS
I dont want to go messing with the setup right now, because I have a ticket open with IBM on this and I do not want alter the environment while they are trying to resolve the issue. But, 2 things came to mind as I was looking at all these IDs.
A. User1_qa1 is correctly in the "domain mqm" group. But that ID is also in the QA1/MQADMINS group, which is in the local Administrators group. Could the OS be confusing MQ at this point, and MQ thinks the User1_qa1 ID is ONLY in the Administrators group (by way of the global group QA1/MQADMINS), and thus does not "see" that it is in "domain mqm"?
B. Looking in the local mqm group, I see QA1\Domain mqm. Is that capitol letter "D" casuing a problem? Probably not, since when is Windows case sensitive, but maybe...
Also, I did verify that the DC is NOT Windows 2003.
Here is the amqmjpse.txt file:
| Code: |
14:35:48 *********************************************************************
14:35:48 Monday July 19, 2004
14:35:48 Starting the Prepare MQSeries Wizard log
14:35:48 MQSeries binary directory is 'C:\Programs\MQSeries\bin\'
14:35:48 MQSeries data directory is 'C:\Programs\MQSeries'
14:35:48 Getting parameters passed to program:
14:35:48 Finished getting parameters passed to program
14:35:48 This computer name is 'MyServerName'
14:35:48 Logged on user is 'User1_qa1' on domain 'QA1'
14:35:48 National language identifier is 'A'
14:35:48 No other instance of the Prepare MQSeries Wizard, creating new instance
14:35:48 Displaying the Prepare MQSeries Wizard
14:35:48 Active page is 'IDD_PROPPAGE_WELCOME' (Class = 'CPageWelcome')
14:35:49 Windows 2000, trying to force window to foreground
14:35:49 This thread id 2764, foreground thread id 2764
14:35:49 Already foreground window
14:35:50 Checking logged on user is authorized
14:35:50 IsAdminAuthority: checking logged on user has administrator authority on local machine
14:35:50 Retrieved token information
14:35:50 IsAdminAuthority: rc=True
14:35:50 Logged on user is authorized
14:35:50 Active page is 'IDD_PROPPAGE_SERV_CHECK' (Class = 'CPageServCheck')
14:35:50 CheckSecurity: Checking that the MQSeries Services can read the group membership of the logged on user
14:35:50 Retrieved token information
14:37:27 CoCreateInstance failed, rc=-2146959355 (0x80080005)
14:37:27 CheckSecurity: rc=2 (0x2)
14:37:27 Checking Services status: SECURITY_STATE_UNKNOWN
14:37:30 No shortcut to the Prepare MQSeries Wizard already exists
14:37:30 Active page is 'IDD_PROPPAGE_SEC_BAD' (Class = 'CPageSecBad')
14:40:11 Cancel pressed
14:40:11 Cancel pressed
14:40:11 Checking logged on user is authorized
14:40:11 IsAdminAuthority: checking logged on user has administrator authority on local machine
14:40:11 Retrieved token information
14:40:11 IsAdminAuthority: rc=True
14:40:11 Logged on user is authorized
14:40:11 Checking whether first time setup of Services has been done
14:40:11 First time setup of Services has already been done
14:40:41 Started the taskbar application 'C:\Programs\MQSeries\bin\amqmtbrn.exe'
14:40:41 Ending the Prepare MQSeries Wizard log
|
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Jul 19, 2004 12:13 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| Quote: |
| On this server, the Administrators group has the following IDs (among others): User1, QA1\MQADMINS |
Try adding QA1\Domain mqm to QA1\MQADMINS thus giving it admin priviledges.
Remember in windows the mqm group must have admin priviledges to the registry !!
Just my 2cts
 |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Mon Jul 19, 2004 12:19 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| Quote: |
Try adding QA1\Domain mqm to QA1\MQADMINS thus giving it admin priviledges.
|
Even though User1_qa1 is in QA1\MQADMINS already? If a user is in a group (Group1) and that group is in another group (Group2), isn't the user effectivly in Group2?
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| JasonE |
| Posted: Tue Jul 20, 2004 2:52 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
| Quote: |
| Remember in windows the mqm group must have admin priviledges to the registry !! |
This is wrong. The mqm group does NOT need administrative rights to anything unless you chose to give them it for your own reasons. All the registry keys etc which MQ uses it adds an ACL on for the mqm group.
| Quote: |
| If a user is in a group (Group1) and that group is in another group (Group2), isn't the user effectivly in Group2? |
Mq doesnt support nested (domain) groups. However, if Group1 is a domain group and group2 is a local group, then this should work
In your scenario, User1_qa1 is in the domain mqm group, and QA1\Domain mqm is in the local mqm group - This should suffice to enable MQ to run under the user1_qa1 group AS LONG AS you have given user1_qa OR the Domain mqm the required delegate authority on the server.
To answer your questions.
A. It doesnt matter - if you resolve to the administrator group OR resolve to the mqm group you are an mqm administrator...
B. No, I doubt it for the reason you said, ie windows is case insensitive.
Dont forget being signed on as user1_qa1 is pretty irrelevant for this security check, what we are trying to confirm is that when launched via dcom as a different identity, MQ can authenticate users.
| Quote: |
| 14:37:27 CoCreateInstance failed, rc=-2146959355 (0x80080005) |
This worries me more - That is CO_E_SERVER_EXEC_FAILURE, indicating a failure to launch the dcom object.
I guess you will asked to follow my checklist... Posted here for reference, and you need the non-musr_mqadmin route!
| Quote: |
1. Open command prompt, cd to mqm\bin dir, amqmsrvn -regserver
2. Same prompt, regsvr32 amqmspsn.dll
3. Change the password to musr_mqadmin, set in dcomcnfg under the mqseries
dcom object, identity page, ensure the userid is musr_mqadmin and type
the new password. Note: If the MQ userid is not musr_mqadmin, do the
same for whatever (domain?) userid is being used.
4. If installed into x:\program files\.... see if there is a file
or directory called x:\program (no extension) and rename it if there is.
5. Ensure SYSTEM.ADMIN.COMMAND.QUEUE is set to DEFPSIST(NO)
6. Ensure MUSR_MQADMIN is not disabled and password is not set to expire
7. Check that MUSR_MQADMIN has directory permissions to the MQ drive and directories
including WINNT and SYSTEM32
8. Ensure MUSR_MQADMIN has logon as a service and logon as a batch job rights
9. Ensure the computer does not have the browser service disabled as MQ Install
seems to require it for some reason.
10. Do the dcomcnfg check below, specifically ensuring Default Authentication
Level is Connect
DComCnfg check
--------------
a. Default Properties tag, Default Authentication Level is Connect
Default Impersonation Level is Impersonate
b. Applications Tag, IBM MqSeries Services, Properties
Location - Run application on this computer
c. Security Tag
Use custom access permissions, edit, mqm - Allow access
Use custom launch permissions, edit, mqm - Allow Launch
d. Identity tag
This user, MUSR_MQADMIN (+password...)
11. Check that MUSR_MQADMIN has access to the registry keys under
HKEY_LOCAL_MACHINE\Software\IBM\MQSeries. This can be done through
REGEDT32.exe
|
|
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Mon Jul 26, 2004 3:50 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
I got the Windows 2003 server in the Windows 2000 domain to work, after many hours on the phone with Miguel from IBM.
Before you start the MQ Install, create that "domain mqm" (no quotes) group in the domain. Add a user to that domain group that you will use to have MQ run with (instead of MUSR_MQADMIN). Lets call this domain\UserID1. So far this is what the manual tells you to do.
Then add that domain group (domain\domain mqm) or the individual ID that is in that domain group (domain\UserID1) into the Administrators group on the Windows 2003 server where you are installing MQ.
At this point begin your install, and answer yes to the domain question. When the Wizard comes up (now it will), configure it to run with domain\UserID1. The wizard will also stick it into the mqm group.
But unless it it also placed in the Administrators group prior to, the Wizard will not run, nor will MQ work 100%.
Miguel and I don't know if this is a Win2003 in a Win2000 domain thing everywhere, or just at our shop. IBM is still trying to figure out exactly why the above works.
Tomorrow we try and find out why the Windows 2000 server in the Windows 2000 domain is having the same type of problem.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| JasonE |
| Posted: Tue Jul 27, 2004 1:00 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
Hmmm... Your id should not *need* to be in the administrators group. We do frequently ask people to try it, as it quickly confirms the problem is security problem, but long term you shouldnt need to do it this way. The 'problem' with running this way is purely that MQ may be given more authorization (admin!) than people are happy with.
I dont think I can comment much more as you have PMR's open, and they are being progressed, but let me know via PM if things dont get sorted. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
