mnance |
Posted: Mon Feb 14, 2005 5:42 am Post subject: Windows 2003 Member server and MQ account |
|
|
 Apprentice
Joined: 15 Aug 2002 Posts: 44
|
Is it possible to configure a Windows 2003 member server with a domain account rather than the local account? Most of my MQ boxes run on Domain Controllers but I have a few member servers that need an instance of WebSphere MQ 5.3 as well. I am using a custom mqparms.ini to specify the account during an unattended installation. Currently I cannot make this work.
It tells me that my account does not have access to the MMC or application. It must be a member of the Administrators or MQM group. I have tried creating a local MQM group and placing the domain account inside this local group. No success. Any suggestions??? _________________ Salvation can only be achieved through Jesus Christ, our Lord and Saviour. |
|
|
 |
sebastianhirt |
Posted: Mon Feb 14, 2005 6:56 am Post subject: |
|
|
Yatiri
Joined: 07 Jun 2004 Posts: 620 Location: Germany
|
Hi,
Have you tried to run the Preparation Wizard after the installation? There you can specify as which user MQ should be executed. If that does work, you might want to check your MQParms.ini.
You don't need to create a mqm group, as it is created during the installation. But afterwards you need to include the (domain) user account in the mqm group (as far as I remember, MQ is not doing it automatically).
Hope this helps
cheers
Sebastian |
|
|
 |
mnance |
Posted: Mon Feb 14, 2005 7:03 am Post subject: |
|
|
 Apprentice
Joined: 15 Aug 2002 Posts: 44
|
I am using the "amqmjpse.exe" command to run the Installation Wizard silently. It sets the account up using the domain account and places it inside a LOCAL MQM group on the member server. However, I still receive the error stating that I do not have access....that I must be a member of the Administrator's or MQM group. Even though the account already belongs to the local and domain MQM group. _________________ Salvation can only be achieved through Jesus Christ, our Lord and Saviour. |
|
|
 |
sebastianhirt |
Posted: Mon Feb 14, 2005 7:09 am Post subject: |
|
|
Yatiri
Joined: 07 Jun 2004 Posts: 620 Location: Germany
|
Strange, it is working for me pretty well,
Only to make sure... What does your MQParm file look like?
Code: |
[Services]
USERTYPE = domain
DOMAINNAME = YourDomain
USERNAME = TheUserName
PASSWORD = ThePassword |
What is the exact error message?
Is it giving anything valuable in the Windows Event Log? |
|
|
 |
mnance |
Posted: Mon Feb 14, 2005 7:33 am Post subject: |
|
|
 Apprentice
Joined: 15 Aug 2002 Posts: 44
|
[MSI]
;MSI /q parameter: Completely silent installation.
/q
MQPLANGUAGE=1033
MQPLOG=c:\Logs\MQParms.log
MQPSMS=1
ADDLOCAL=Server,Client
REMOVE=Java,Toolkit
;**********************************************************
[Services]
USERTYPE=onlydomain
DOMAINNAME=MyDomainName
USERNAME=MUSR_MQADMIN_XXXXX
PASSWORD=*****************
[DefaultConfiguration]
MIGRATE=yes
ALLOWREMOTEADMIN=yes
Error:
Unable to complete this task b/c you do not have the authority to administer WebSphere MQ. You must be in the administrator's group, in the mqm group or logged in with the System ID to administer WebSphere MQ. (AMQ4212) _________________ Salvation can only be achieved through Jesus Christ, our Lord and Saviour. |
|
|
 |
jefflowrey |
Posted: Mon Feb 14, 2005 7:36 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Is the user you are running the install command as a member of the Administrator's group? _________________ I am *not* the model of the modern major general. |
|
|
 |
sebastianhirt |
Posted: Mon Feb 14, 2005 7:38 am Post subject: |
|
|
Yatiri
Joined: 07 Jun 2004 Posts: 620 Location: Germany
|
Here we go.
Quote: |
[Services]
USERTYPE=onlydomain |
For the parameter USERTYPE the valid settings are local or domain (Windows Quick Beginnings). 'onlydomain' is not valid. You might want to try to change it and retest. |
|
|
 |
mnance |
Posted: Mon Feb 14, 2005 8:05 am Post subject: |
|
|
 Apprentice
Joined: 15 Aug 2002 Posts: 44
|
Jeff,
The user account is not a member of the local Administrators group. It is a member of the local MQM group which is all that WebSphere MQ requires.
Sebastian,
Hmmm, that is interesting. I have used this same mqparms.ini file to configure about 850 DC's running WebSphere MQ 5.3 and they have been working perfectly for over a year now. I will make the change to see if it makes a difference. I wonder where I got the "ONLYDOMAIN" from? Maybe that was a remnant from version 5.2. _________________ Salvation can only be achieved through Jesus Christ, our Lord and Saviour. |
|
|
 |
sebastianhirt |
Posted: Mon Feb 14, 2005 8:16 am Post subject: |
|
|
Yatiri
Joined: 07 Jun 2004 Posts: 620 Location: Germany
|
Kind of strange... The other ones were all Domain Controllers? If I remember correctly (had a W2k training 2 years ago) on a Domain Controller automatically all accounts are domain accounts (I hope I am not making myself a complete monkey with this statement)?! Might this explain why it doesn't matter there if the setting is onlydomain? |
|
|
 |
mnance |
Posted: Mon Feb 14, 2005 8:27 am Post subject: |
|
|
 Apprentice
Joined: 15 Aug 2002 Posts: 44
|
It does automatically create the account but since I have 850 DC's I wanted them all to use the same account so that I did not have 850 MUSR_MQADMIN accounts......However, I made the change and it seems to be working on 2 member servers. Thank you very much for your help in this matter, it is appreciated!!! _________________ Salvation can only be achieved through Jesus Christ, our Lord and Saviour. |
|
|
 |
PeterPotkay |
Posted: Mon Feb 14, 2005 2:30 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
mnance, I just went through this.
The wizard tool does not always work right after the install, and thus you can't use it to change the ID MQ runs under. Even if you answered Yes to the Domain question at the head of the install process, it still gets set up as MUSR_MQADMIN.
Prior to this step, your domain administrator should have set up a domain group called "domain mqm" (no quotes), and created the domain ID yourdomainID in there. The exact rights needed for this ID and group are spelled out in the Windows Quick Beginnings Manual, Chapter 11. On Windows 2003, there is this extra consideration:
http://www-1.ibm.com/support/docview.wss?rs=0&q1=%2binstall+%2bwindows+%2b2003+%2bactive+%2bdirectory+%2bdomain+%2buid&uid=isg1II13640&loc=en_US&cs=utf-8&cc=us&lang=all
If not already there, add domain mqm and ABC/yourdomainID into the mq group. MQ has problems with nested groups, so make sure both are in there.
Once the install is done, use the dcomcnfg utility to find MQSeries, and on the identity tab, change it to run with ABC\yourdomainID.
To prove all is well, the ID you log on with should be able to open MQExplorer and MQServices, and to expand all the sub trees inside each of these tools. _________________ Peter Potkay
Keep Calm and MQ On |
|
|
 |
PeterPotkay |
Posted: Mon Feb 14, 2005 2:39 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Oh, and Jeff is correct, you need to be a Windows Administrator to install MQSeries. It is documented in the Quick Beginnings Manual. _________________ Peter Potkay
Keep Calm and MQ On |
|
|
 |
JasonE |
Posted: Tue Feb 15, 2005 1:17 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
|
Just to clarify a couple of comments...
onlydomain was added in GA2 and hence missed the documentation. The behaviour of the prep wizard without this is to create and test with musr_mqadmin, and only if it fails use the userid supplied. onlydomain means skip the create/test with a local musr_mqadmin, and go straight for the domain id.
Your id needs to be in the admin group to install, and probably for the prep wizard although I am not sure.
As per Peter's update, the easiest (but not only) way of configuring things is to set up a domain id in a domain group called "Domain mqm" as this group will automatically be added into the local mqm group during install. However, you can also put it in a domain group called Superbowl for example, and manually put that domain group into the local mqm - it makes no difference.
Even though you are using a domain id it needs certain local user rights on the server on which MQ runs - I believe these are listed in the quick beginnings guide, or search this forum for them.
Finally, MQ does NOT need to run with administrator privileges. If you are having problems, and putting the account MQ is running under into the admin group resolves the problem then you have an underlying security problem. Solve that problem and MQ will run ok. Administrator rights just normally get over any security restrictions.
Oh and don't forget to give the domain id delegate authority on the domain controller... again, see the windows quick beginnings. |
|
|
 |
|
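Added example, not code from any poster in this thread or from IBM: a pre-flight check for the [Services] stanza of an mqparms.ini that flags the USERTYPE values discussed above and masks the PASSWORD line before the file is posted or attached to a ticket. The function names check_mqparms and redact are hypothetical, and the sample file is constructed from the key names quoted in the thread.

```python
import configparser
import re

# USERTYPE values named in the thread: local and domain are in Quick Beginnings;
# onlydomain is described above as added in GA2 and missing from the manual.
DOCUMENTED = {"local", "domain"}
UNDOCUMENTED = {"onlydomain"}

def check_mqparms(text):
    """Return (level, message) findings for the [Services] stanza."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)  # allow_no_value accepts bare lines such as /q
    if not cp.has_section("Services"):
        return [("error", "no [Services] stanza")]
    svc = cp["Services"]  # option names are matched case-insensitively
    usertype = (svc.get("USERTYPE") or "").strip().lower()
    findings = []
    if usertype in UNDOCUMENTED:
        findings.append(("warn", f"USERTYPE={usertype} is not in the manual"))
    elif usertype not in DOCUMENTED:
        findings.append(("error", f"USERTYPE={usertype!r} is not recognised"))
    if usertype in {"domain", "onlydomain"}:
        for key in ("DOMAINNAME", "USERNAME"):
            if not (svc.get(key) or "").strip():
                findings.append(("error", f"{key} is required for a domain account"))
    if (svc.get("PASSWORD") or "").strip():
        findings.append(("warn", "PASSWORD is stored in clear text; restrict "
                                 "access to the file and remove it after install"))
    return findings

def redact(text):
    """Mask the PASSWORD value so the file can be shared."""
    return re.sub(r"(?im)^([ \t]*PASSWORD[ \t]*=[ \t]*).*$", r"\1<redacted>", text)

# Constructed sample, modelled on the files quoted in the thread.
SAMPLE = """[MSI]
;MSI /q parameter: Completely silent installation.
/q
[Services]
USERTYPE=onlydomain
DOMAINNAME=MyDomainName
USERNAME=MUSR_MQADMIN_XXXXX
PASSWORD=Constructed%Secret1
"""

if __name__ == "__main__":
    for level, message in check_mqparms(SAMPLE):
        print(level, message)
    print(redact(SAMPLE))
```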