Solved: It turned out to be DNS

bjorn_b · ‎12-09-2011

I am setting up a new Enterprise Vault environment that looks like this

Enterprise Vault in one domain

SQL Server in another domain

Everything works fine untill we put on some GPOs that locks down the server.

Fine enough; I got to live with that.

The only service that doesn't start after we put on the GPOs is Enterprise Vault Indexing Service, and the event viewer shows an error with this text:

The Indexing Service could not complete all the required startup routines. The account that this Service is running under is not a member of the local IIS_IUSRS group on this computer. Service will be stopped..

The event ID is 41312

The VSA is a member of the IIS_IUSRS-group.

What services NEED to be running, and what else could block this? I have rerun the Deployment Scanner just to make sure any prerequisite services, roles or features were closed down, but that went through quite well.

The environment is Windows 2008 R2, Enterprise Vault 10.0 and SQL 2008 R2

Any ideas?

bjorn_b · ‎12-13-2011

It turned out to be DNS issues

View solution in original post

TonySterling · ‎12-09-2011

Sounds like the GPO's you applied may have changed the IIS_IUSRS group. Can you read through the GPO's and verify the actions they took?

MarkBarefoot · ‎12-09-2011

I presume the Indexing Service is set to run under the VSA? You can DTRACE the EVIndexAdminService as this is what performs the checks, like below:-

709 13:18:41.035 [2044] (EVIndexAdminService) <5620> EV-L {ServiceBaseEx.OnStart} Starting Indexing Service ...
710 13:18:41.035 [2044] (EVIndexAdminService) <5620> EV-H {ServiceBaseEx.StartServiceThread} Starting service background thread for Indexing Service.
711 13:18:41.050 [2044] (EVIndexAdminService) <5620> EV-H {ServiceBaseEx.StartServiceThread} Started service background thread Id:6 for Indexing Service.
712 13:18:41.050 [2044] (EVIndexAdminService) <5620> EV-L {ServiceBaseEx.OnStart} Start up grace time [120000 ms]
713 13:18:41.050 [2044] (EVIndexAdminService) <5620> EV-H {ServiceBaseEx.OnStart} Waiting for some more time for Indexing Service to start. Start time[13:18:41], Log Time[13:18:41], Elapsed Time[00:00:00.0156251 ms]
714 13:18:41.066 [2044] (EVIndexAdminService) <3536> EV-L {ServiceBaseEx.Run} Starting Indexing Service startup/initialization routines in a background thread
715 13:18:41.066 [2044] (EVIndexAdminService) <3536> EV-L {ExecutionContext.Run} Executing OnPerformStartup()
716 13:18:41.144 [2044] (EVIndexAdminService) <3536> EV-L {ServiceBaseEx.Run} Starting Index Admin Service startup routines in a background thread
717 13:18:41.144 [2044] (EVIndexAdminService) <3536> EV-L {ServiceBaseEx.Run} Indexing service startup pre-reqs started
718 13:18:41.160 [2044] (EVIndexAdminService) <3536> EV-L {IndexAdminService.OnPerformStartup} Checking if current user has administrator rights.
719 13:18:41.160 [2044] (EVIndexAdminService) <3536> EV-L {IndexAdminService.OnPerformStartup} Current user has administrator rights.
720 13:18:41.238 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} Local Dir Entry String = WinNT://EV,computer
721 13:18:41.238 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} Domain Dir Entry String = WinNT://DOMAIN 722 13:18:41.331 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} User Dir Entry String = WinNT://DOMAIN/VSA

723 13:18:41.378 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} Full name of user WinNT://DOMAIN/VSA= ServiceAccount Symantec Enterprise Vault
724 13:18:41.394 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} SID of user WinNT://DOMAIN/VSA= S-1-5-21-601843414-1660434687-227697207-24642
725 13:18:41.394 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} Checking if user VSA is member of IIS_IUSRS
726 13:18:41.394 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.GetUsersInLocalGroup} Local Dir Entry String = WinNT://EV,computer
727 13:18:41.410 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.GetUsersInLocalGroup} Trying to find first member in group IIS_IUSRS by calling FindOne()
728 13:18:41.956 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.GetUsersInLocalGroup} Number of members in group IIS_IUSRS = 1
729 13:18:41.956 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.GetUsersInLocalGroup} Found member DN CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=NL,DC=FSG,DC=Local in group IIS_IUSRS
730 13:18:41.956 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.GetUsersInLocalGroup} Found user S-1-5-17 in group IIS_IUSRS
731 13:18:41.956 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} Checking user VSA against member S-1-5-17 of group IIS_IUSRS
732 13:18:41.956 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} Checking user ServiceAccount Symantec Enterprise Vault against member S-1-5-17 of group IIS_IUSRS
733 13:18:41.956 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} Checking user S-1-5-21-601843414-1660434687-227697207-24642 against member S-1-5-17 of group IIS_IUSRS
734 13:18:41.956 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} Could not find user WinNT://DOMAIN/VSA by enumerating members, calling IsMember to check for membership
735 13:18:41.956 [2044] (EVIndexAdminService) <3536> EV-M {StateManager.AddVSAToIIS_IUSRSGroup} User VSA already exists in group IIS_IUSRS

bjorn_b · ‎12-13-2011

It turned out to be DNS issues

VOX

Index Service won't start after putting om GPO restrictions. What other services need to be started?