ivanachukapawn |
Posted: Tue Nov 30, 2010 9:29 am Post subject: unexpected results - MQ Service identity and DCOM change |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
I installed MQ5.3 on a Win2K system. This was a non-domain installation. Everything looks OK after this install (all MQ services running and stable), MQ Service running under System and DCOM (amqmsrvn) running under MUSR_MQADMIN. Also, channel initiator, listener, and trigger monitor all running under MUSR_MQADMIN. This configuration runs very well. (I also ran amqmjpse -r -s (the wizard which sets it to MUSR_MQADMIN).)
Then I reconfigured the MQ Service identity to admin1 (in Administrator group) and also dcomcnfg to launching user. Then I rebooted.
I now see two amqmsrvn processes (one under admin1 and another under my login id). I also have duos of listeners and trigger monitors etc., one running under admin1 and one under my local ID.
I expected to see MQ service running under admin1 and MQ services all running under admin1. I need to find out why this happens. Any ideas?
To forestall some anticipated questions and objections:
#1. Yes I know MQ5.3 is out of service etc. etc. I have no choice.
#2. I would love to leave it configured with everything running under MUSR_MQADMIN but I need to change to a local administrator. This is because local security policy will remove the folder permissions for mqm to the root directory for MQ. I know this is whacky but again I have no choice.
#3. I am currently doing an MQ6.0.2.10 installation in an attempt to duplicate the problem but this time with a supported version of MQ. |
mqjeff |
Posted: Tue Nov 30, 2010 10:14 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
That's fairly wacky.
What happens if you stop the MQSeries service? Do you see one set of processes go away? Or both?
I'm a little confused about what you said about reconfiguring the service and dcomcnfg.
Do you mean that you configured the "Log on As" properties in the Service control panel for the IBM MQSeries service to one userid, and then adjusted the dcomcnfg properties to a second id?
If so, that would be the source of the issue. Leave the Log On As properties to "local system account", and only only only change the dcomcnfg properties. The MQSeries service uses the dcomcnfg properties to essentially do a "Run As" on the processes. |
ivanachukapawn |
Posted: Tue Nov 30, 2010 11:50 am Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
MQjeff,
I set the logon as (in the MQ Service properties panel) to admin1.
I configured the DCOM Identity with dcomcnfg to launching user.
I have already blown that environment away and am using it in a replication attempt with MQ6.0.2.10 - however, my recollection is that when I stop the service the processes (amqmsrvn, runmqlsr, runmqchi, etc) which remain are the ones running on my ID. |
mqjeff |
Posted: Tue Nov 30, 2010 12:10 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
It's best to leave the ID on the Service properties to Local System. It also makes little sense (at least to me...) that this would be a different ID than what's set in DCOMCNFG.
The ID in the Service properties is really only used to run the amqsvc.exe process, which then uses DCOM to launch everything else. (thus the DCOMCNFG id...)
If you had two sets of processes running, under different IDs, the basic explanation is that two queue managers are running, one that was started from the command line using strmqm instead of amqmdain. strmqm on Windows causes the qmgr to start up as the user issuing the command, and it will of course end when that user logs out. It shouldn't under any circumstances be possible to start the same queue manager as two separate users simultaneously.
I really don't know what you mean by "launching user". |
ivanachukapawn |
Posted: Tue Nov 30, 2010 12:26 pm Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
In my opinion, it is best to leave the ID on the service property to Local System and the DCOM Identity to MUSR_MQADMIN (which it defaults to on a non-domain install), but as you may have gathered, I do not have the latitude on this job to do what is best. I have been urged to:
set the Service logon as to admin1 (an Administrator)
set the DCOM identity to launching user - (There are 3 options on the dcomcnfg identity panel - #1. The interactive user #2. The launching user #3. This user (where you get to specify the ID and password)) - the local wisdom (?) is that if the MQ service runs under admin1, then the DCOM process would be launched by admin1 and the launching user would be admin1. These people have a lot of these MQ5.3 Win2k systems configured like that and they seem to run reasonably well, but as you know when I try to set it up that way I get the problem as previously described. |
|
Back to top |
|
 |
mqjeff |
Posted: Tue Nov 30, 2010 2:02 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
So the intent is to set the service to have a specific ID and then set the DCOMCNFG to follow that?
Kind of backwards, I guess.
Again, the only way you should see two sets of processes is if there are two queue managers.
Or if there are a *lot* of FDCs thrown. |
ivanachukapawn |
Posted: Wed Dec 01, 2010 5:58 am Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
MQjeff,
I have only one queue manager and I definitely had multiple MQ service processes running under different IDs. But that is history.
Thank you very much for your insight on this problem. I was able to get a concession (from the security department) allowing for configuration of the MQ Service logon as to Local System, and the DCOM identity set to the admin1 (local account in the Administrator group). Problem disappeared! Thanks a lot,
regards,
ivanachukapawn |
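
Added example, not part of the original thread or of IBM's tooling: a PowerShell audit of the three things the thread compares, namely the service "Log On As" account, the DCOM identity, and the account each MQ process actually runs under, with a warning when one process name appears under more than one account. It assumes a Windows host with PowerShell 3.0 or later (not the Win2K systems discussed above) and an elevated session; the `*MQ*` filters on the service display name and DCOM application caption are assumptions to adjust for the installation.

```powershell
# Added example: audit MQ service, DCOM and process identities.
# Process names are the ones mentioned in the thread.
$mqProcessNames = 'amqsvc.exe', 'amqmsrvn.exe', 'runmqlsr.exe', 'runmqchi.exe'

# 1. "Log On As" account of the MQ service (display-name filter is an assumption).
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*MQ*' } |
    Select-Object Name, DisplayName, StartName, State

# 2. DCOM identity. An empty RunAsUser means "the launching user";
#    the literal value "Interactive User" means "the interactive user".
#    The caption filter is an assumption.
$dcom = Get-CimInstance Win32_DCOMApplicationSetting |
    Where-Object { $_.Caption -like '*MQ*' } |
    Select-Object AppID, Caption, @{ n = 'Identity'; e = {
        if ($_.RunAsUser) { $_.RunAsUser } else { 'launching user (no RunAs value)' }
    } }

# 3. Account that owns each running MQ process.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $mqProcessNames -contains $_.Name } |
    ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<owner unavailable>' }
        [pscustomobject]@{ Name = $_.Name; ProcessId = $_.ProcessId; Owner = $owner }
    }

# 4. The symptom from the thread: the same process name under different accounts.
$split = $procs | Group-Object Name | Where-Object {
    @($_.Group | Select-Object -ExpandProperty Owner -Unique).Count -gt 1
}

$services | Format-Table -AutoSize
$dcom     | Format-Table -AutoSize
$procs    | Sort-Object Name, Owner | Format-Table -AutoSize

foreach ($g in $split) {
    $owners = @($g.Group | Select-Object -ExpandProperty Owner -Unique) -join ', '
    Write-Warning "$($g.Name) is running under more than one account: $owners"
}
# A service account other than LocalSystem is the setting the thread ended up reverting.
foreach ($s in $services) {
    if ($s.StartName -ne 'LocalSystem') {
        Write-Warning "Service '$($s.DisplayName)' logs on as $($s.StartName), not LocalSystem"
    }
}
```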