Two common SCOM agent start failure issues

In this post, I will discuss two common SCOM agent start failure issues.

Issue 1

We can find the following information in the SCOM trace.

[1]28648.8548::09/23/2011-10:16:48.168 [SecureStorageManager] [] [Error] :CSecureStorageManager::NotifyManagementGroupsList{SecureStorageManager_cpp1025} Unable to create per-MG state object

[1]28648.8548::09/23/2011-10:16:48.168 [SecureStorageManager] [] [Error] :CSecureStorageManager::NotifyManagementGroupsList{SecureStorageManager_cpp1640}Unable to initialize per-management group state

[1]28648.8548::09/23/2011-10:16:48.168 [ConnectorManager] [] [Error] :CConnectorManager::informManagementGroupState{ConnectorManager_cpp5447}Secure Storage Manager failed during MG notification : -2147467259(E_FAIL)

[1]28648.8548::09/23/2011-10:16:48.168 [ConnectorManager] [] [Error] :CConnectorManager::Start{ConnectorManager_cpp1745}Unable to inform components about management groups : -2147467259(E_FAIL)

[1]28648.8548::09/23/2011-10:16:48.187 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::ManagerStartup{HealthServiceExecutive_cpp1681}Start of 1 manager failed with code -2147467259(E_FAIL).

[1]28648.8548::09/23/2011-10:16:48.187 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::ServiceInitialization{HealthServiceExecutive_cpp1933}ManagerStartup failed with code -2147467259(E_FAIL).

[1]28648.8548::09/23/2011-10:16:48.187 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::OnStartService{HealthServiceExecutive_cpp2064}ServiceInitialization failed with code -2147467259(E_FAIL).

[1]28648.8548::09/23/2011-10:16:48.187 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::ErrorShutdownServiceNoLock{HealthServiceExecutive_cpp1545}Shutting down service due to error. The supplied error code is -2147467259(E_FAIL) and the current service state is ServiceStateStarting.

[1]28648.8548::09/23/2011-10:16:48.216 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::_ServiceMain{HealthServiceExecutive_cpp1446} Start failed with code -2147467259(E_FAIL).

When the problem happens, the SCOM agent is trying to access the registry key WindowsAccountLockDownSD. The error can occur when the key at HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Group\<Management Group Name Here> is invalid or not present.

The easiest way to resolve the issue is to export the registry key WindowsAccountLockDownSD from a similar working system and then import it into the registry of the server experiencing the problem. Once this completes, the SCOM agent should start successfully.

Issue 2

We can find the following information in the SCOM trace.

[1]1676.3140::09/22/2011-05:21:23.603 [MOMChannel] [] [Error] :MOMChannel::createTemporaryCertificate{SChannelUtil_cpp631} Unable to create self-signed certificate, error = 5(ERROR_ACCESS_DENIED)

[1]1676.3140::09/22/2011-05:21:23.603 [MOMChannel] [] [Warning] :MOMChannel::SChannelUtil::GetCertificateType{SChannelUtil_cpp2184}Unable to retrieve certificate for this machine, certificate may not be loaded

[1]1676.3140::09/22/2011-05:21:23.604 [MOMConnector] [] [Warning] :CMOMConnectorConfiguration::GetParent{MOMConnectorConfiguration_cpp1801}Parent health service #0 does not exist

[1]1676.3140::09/22/2011-05:21:23.672 [SecureStorageManager] [] [Error] :CSecureStorageManager::createCertificate{SecureStorageManager_cpp4256}Unable to create self-signed certificate, error = 5(ERROR_ACCESS_DENIED)

[1]1676.3140::09/22/2011-05:21:23.672 [SecureStorageManager] [] [Error] :CSecureStorageManager::Start{SecureStorageManager_cpp3800}Unable to create certificate : 5(ERROR_ACCESS_DENIED)

[1]1676.3140::09/22/2011-05:21:23.672 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::ManagerStartup{HealthServiceExecutive_cpp1681}Start of 3 manager failed with code 5(ERROR_ACCESS_DENIED).

[1]1676.3140::09/22/2011-05:21:23.672 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::ServiceInitialization{HealthServiceExecutive_cpp1933}ManagerStartup failed with code 5(ERROR_ACCESS_DENIED).

[1]1676.3140::09/22/2011-05:21:23.672 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::OnStartService{HealthServiceExecutive_cpp2064}ServiceInitialization failed with code 5(ERROR_ACCESS_DENIED).

[1]1676.3140::09/22/2011-05:21:23.673 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::ErrorShutdownServiceNoLock{HealthServiceExecutive_cpp1545}Shutting down service due to error. The supplied error code is 5(ERROR_ACCESS_DENIED) and the current service state is ServiceStateStarting.

[1]1676.3140::09/22/2011-05:21:23.757 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::_ServiceMain{HealthServiceExecutive_cpp1446} Start failed with code 5(ERROR_ACCESS_DENIED).

From the above error messages, it is clear that the SCOM agent is unable to create a self-signed certificate because of an access denied error. As a result, the SCOM agent fails to start. When the service account is Local System, these certificates are always stored at C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-8. In other words, the account does not have sufficient permission to create a certificate in that folder.

To solve the problem, we can simply grant the Local System account Full Control permission on C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-8. Here is a screenshot for reference.

- Henry Zhu
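To tell the two failures apart without reading the whole trace, the following added example (not part of the original post or of SCOM) parses the trace layout shown above, reports the first failing function and the final error code, and maps them to the check the post recommends. The names `parse`, `triage` and `SIGNATURES` are hypothetical; the sample lines are copied from the two traces in the post.

```python
import re

# One trace line, in the layout shown in the post:
# [cpu]pid.tid::date-time [Component] [] [Level] :Function{Source_cppLine}Message
LINE = re.compile(
    r"\[\d+\](?P<pid>\w+)\.(?P<tid>\w+)::(?P<ts>\S+)\s+\[(?P<component>\w+)\]\s+"
    r"\[[^\]]*\]\s+\[(?P<level>\w+)\]\s+:(?P<func>[\w:]+)\{(?P<src>\w+)\}\s*(?P<msg>.*)")
CODE = re.compile(r"(-?\d+)\((\w+)\)")  # e.g. 5(ERROR_ACCESS_DENIED)

# (issue, message fragment, final error code, what to check), all taken from the post.
SIGNATURES = [
    ("Issue 1", "per-MG state", "E_FAIL",
     r"WindowsAccountLockDownSD under HKLM\SYSTEM\CurrentControlSet\Services"
     r"\HealthService\Parameters\Management Group\<Management Group Name Here>"),
    ("Issue 2", "self-signed certificate", "ERROR_ACCESS_DENIED",
     r"Local System permissions on C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-8"),
]

def parse(trace):
    """Return one dict per line that matches the trace layout; other lines are skipped."""
    matches = (LINE.match(line.strip()) for line in trace.splitlines())
    return [m.groupdict() for m in matches if m]

def triage(trace):
    """Name the first failing function, the final error code and the matching issue."""
    errors = [r for r in parse(trace) if r["level"] == "Error"]
    if not errors:
        return None
    # The first Error line is the origin; later lines only propagate its code upward.
    found = CODE.search(errors[-1]["msg"])
    code = found.group(2) if found else None
    result = {"issue": "unknown", "root": errors[0]["func"], "code": code, "check": None}
    for issue, fragment, expected, check in SIGNATURES:
        if code == expected and any(fragment in e["msg"] for e in errors):
            result.update(issue=issue, check=check)
    return result

# Sample input: lines copied from the two traces in the post (first error through last error).
ISSUE1 = """
[1]28648.8548::09/23/2011-10:16:48.168 [SecureStorageManager] [] [Error] :CSecureStorageManager::NotifyManagementGroupsList{SecureStorageManager_cpp1025} Unable to create per-MG state object
[1]28648.8548::09/23/2011-10:16:48.216 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::_ServiceMain{HealthServiceExecutive_cpp1446} Start failed with code -2147467259(E_FAIL).
"""
ISSUE2 = """
[1]1676.3140::09/22/2011-05:21:23.603 [MOMChannel] [] [Error] :MOMChannel::createTemporaryCertificate{SChannelUtil_cpp631} Unable to create self-signed certificate, error = 5(ERROR_ACCESS_DENIED)
[1]1676.3140::09/22/2011-05:21:23.604 [MOMConnector] [] [Warning] :CMOMConnectorConfiguration::GetParent{MOMConnectorConfiguration_cpp1801}Parent health service #0 does not exist
[1]1676.3140::09/22/2011-05:21:23.757 [HealthServiceExecutive] [] [Error] :CHealthServiceExecutive::_ServiceMain{HealthServiceExecutive_cpp1446} Start failed with code 5(ERROR_ACCESS_DENIED).
"""

print(triage(ISSUE1), triage(ISSUE2), sep="\n")
```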