Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Highlighted
nikhil_d Honored Contributor.
Honored Contributor.
353 views

Windows Clients upgrade after upgrade to DP 10

I recently upgraded an installation from 9.09 to 10.30.

Unix/Linux clients upgrades are without any problem, however with Windows Clients we are facing a strange problem.

 

If we use OB2UPGRADEOVERINET=1 then the push installation fails with following message:

[Critical] <clientname>  [70:32] Digital Signature verification of the install kit failed.

[Critical] <clientname>    Cannot start setup process from the Data Protector share on

      your Installation Server, system error:

      [87] Falscher Parameter.

      (System error should give description of the problem.)

     

In general:

      * Make sure that Data Protector share on your Installation Server is visible on the network

        (in MS-DOS prompt on client type: dir \\\OmniBack)

      * Make sure that Data Protector Inet process is not running under a user account, which does

        not have access to the Data Protector share on the Installation Server computer

        (usually this is local account)

 

[Critical] <clientname>  [110:1026] Lost connection to client clientname:

      Details unknown.

 

If we do not use the above mentioned omnirc parameter, then one client at a time can be upgraded, but it asks for user credentials for the upgrade:

[Normal]  Valid username and password must be specified...

If we select two or more clients, the credentials are asked only once and at the time when second client upgrade starts, the account "which has started the GUI" is locked on the windows domain controller level.

Same thing happens when we start a second installation while first installation is running.

[Critical] [110:1027] Error connecting to client:
[1909] The referenced account is currently locked out and may not be logged on to.

 

This has been bugging us since we have around 300 windows machines to be upgraded, and for many of the machines we are not supposed to log on to do local installation.

MF Support has been seriously disappointing, they are tossing the case here and there, suggesting useless alternatives, in short of no help...hence thought of asking here in the community.

 

Cheers

Labels (3)
0 Likes
7 Replies
Micro Focus Expert
Micro Focus Expert

Re: Windows Clients upgrade after upgrade to DP 10

Hello @nikhil_d,

First of all, this upgrade issue only occurs when upgrading from 9.x to 10.x. Later upgrades from 10.30 to 10.40 for example are smooth again.

I have seen the annoying user account lock-out issue several times. Most likely this is caused by running the Data Protector GUI with a user account not having any admin rights for the remote push. I would recommend starting the GUI with the user you use for remote upgrades, too.

Also check omniinetpasswd -list on the Windows Installation Server and make sure the same user is used here for Installation Server (look for *) use.

For some clients I had to use the OB2UPGRADEOVERINET option with value 1 and for others 0. Try it out.

Regards,
Sebastian Koehler

---
Please use the Like button below, if you find this post useful.
0 Likes
nikhil_d Honored Contributor.
Honored Contributor.

Re: Windows Clients upgrade after upgrade to DP 10

@Sebastian.Koehler  Thanks.

As an idea, starting GUI with the Windows User that has Admin rights in DP sounds good...I even went one step further, I logged on the IS using that account and started GUI and upgrade.

I chose two exchange clients, in cluster, and the result was devastating. It asked for the credentials at least 20 times before giving up... 😞

So, no, it does not work.

[Normal] Connecting to client exchange1...

[Warning] Invalid username or bad password has been specified (DOMAIN\ADMINUSER).

[Normal] Connecting to client exchange1...

[Warning] Invalid username or bad password has been specified (DOMAIN\ADMINUSER).

[Normal] Connecting to client exchange1...

[Warning] Invalid username or bad password has been specified (DOMAIN\ADMINUSER).

[Critical] Too many invalid usernames or bad passwords for the client exchange1.

[Normal] Data Protector is already installed on the remote computer, updating it...

[Normal] Connecting to client exchange2...

[Normal] Valid username and password must be specified...

[Normal] Connecting to client exchange2...

[Warning] Invalid username or bad password has been specified (DOMAIN\ADMINUSER).

[Normal] Connecting to client exchange2...

[Warning] Invalid username or bad password has been specified (DOMAIN\ADMINUSER).

[Normal] Connecting to client exchange2...

[Warning] Invalid username or bad password has been specified (DOMAIN\ADMINUSER).

[Critical] Too many invalid usernames or bad passwords for the client exchange2.

[Normal] Installation session finished on Wednesday, July 24, 2019, 4:22:46 PM.


============================================================================
Session completed with errors!
============================================================================

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Windows Clients upgrade after upgrade to DP 10

Hello @nikhil_d,

The purpose of the omnirc option is that there is no question asked for remote installation (similar to what we had before 10.x). There is no benefit of continuing when asked for the password a second time. Based on your GPO the account lock-out will happen if you go further.

OB2UPGRADEOVERINET=0 will ask for a password, OB2UPGRADEOVERINET=1 should not. You can change the option on the fly without restarting/closing anything. Just perform another remote push upgrade. Start small, with one client at a time until you figured out what is working for you.

I use the following options on Windows IS systems.

# Remote Upgrade of legacy clients via INET (10.20 and later)
OB2UPGRADEOVERINET=1

# push without ping reply
SUPPRESSECHO=1

# Allow push install to clients with firewall enabled
OB2FWPASSTHRU=1

Is your Windows IS and the clients part of the same domain? The digital signature issue you shared earlier might be caused by clients not having an updated Windows certificate information.

Is a local upgrade (run setup.exe from Omniback\x8664) working without issues? Make sure to run omnicc -update_host <ClientFQDN> from CM after the client was upgraded locally.

Regards,
Sebastian Koehler

---
Please use the Like button below, if you find this post useful.
nikhil_d Honored Contributor.
Honored Contributor.

Re: Windows Clients upgrade after upgrade to DP 10

Hi @Sebastian.Koehler

Local installation works without issues, after local installation, accept_host (for secure_comm) and update_host are also going well.

Our problem is there are too many clients (270 as of now) we are slowly upgrading the 300+ client environment fighting with lockout issues etc, and around 150 of these 270 remaining, we are not supposed to log in (belong to external service providers)...I mean backdoors exist always, but am reluctant to use it.

The signature problem might be caused by windows not updating the root certificate. I think the IS missed the 2019-03 Rollout from Windows where the Windows got new certificates, will have to check that with MS/Windows guys...if I remember we had the same problem with DP 9.07 upgrade where new certificates were introduced, we had to first distribute the HP Certificates and then the push install works...

thanks for the tip for omnirc, but this was already tried. The error which we get when using these is consistent:

Cannot start setup process from the Data Protector share on
your Installation Server, system error:
[87] The parameter is incorrect.
(System error should give description of the problem.)

I don't know why support is reluctant to investigate more on the certificate issue, or this error 87? I have given up on the MF support, my office colleagues who have no knowledge of DP are more competent than them 😞

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Windows Clients upgrade after upgrade to DP 10

Hello @nikhil_d,


@nikhil_d wrote:

Cannot start setup process from the Data Protector share on
your Installation Server, system error:
[87] The parameter is incorrect.


In that case you should check what happens on one of the problematic Windows clients when you execute \\IS\OmniBack\x8664\installservice.exe. Try this as the user that you use for remote upgrades. Do you see issues with executing the binary from the share? Sometimes this is blocked by GPO or by the fact that the IS or the client is in a WORKGROUP instead of a domain.

Regards,
Sebastian Koehler

---
Please use the Like button below, if you find this post useful.
nikhil_d Honored Contributor.
Honored Contributor.

Re: Windows Clients upgrade after upgrade to DP 10

Hi @Sebastian.Koehler 

I have been a bit busy, but today again tried to do some upgrades.

Basically when from client, I run the setup.exe then first a security warning appears...

security_warning.PNG

Then when I click yes, another warning, this time the standard administrator dialog appears. The installation works in the end, showing CM fingerprint and all....and update host on CM again shows the fingerprint of client...and all is well...

Trusted_Source.PNG

I guess same would happen if I run and exe (say InstallService.exe or csetup.exe) from the IS.

0 Likes
nikhil_d Honored Contributor.
Honored Contributor.

Re: Windows Clients upgrade after upgrade to DP 10

Now that the summer holidays are over, a quick update here.

Only one combination, where one client is selected, and one installation server is used (where the INET works under a domain account, and not System) works. Meanwhile, me and my colleagues have managed to select 10-15 clients a day as and when time permitted, and have upgraded a 250+ client environment in 2-3 weeks, so this is not a pressing issue for us anymore. I can only guess one of these are the issues:

1. Untrusted installer - IS on Win 2012 did not work with Win 2016 clients. Even the local installation gives many error/warning messages...

2. Named User - INET running as a domain user works, as opposed to INET running as System.

@Sebastian.KoehlerThanks for the help.

PS: The support has been more or less non-existent (yes we have a valid contract etc). We opened 3 calls last month, 2 of them critical, but due to very slow response we had to rely on personal contacts/expertise to resolve them. This is going to be a serious issue in case of a disaster/critical restore request.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.