Recently, I had to perform an upgrade to FIM 2010 R2 SP1 from FIM 2010 (pre-R2) in a development environment. After a few issues performing the upgrade, I was installing the FIM 2010 R2 SP1 Service and Portal on SharePoint Foundation 2013 and I kept running into the error: Forefront Identity Manager Service and Portal Setup Wizard ended prematurely.
Background
Because I was upgrading directly from FIM 2010, I couldn’t use the R2 to R2 SP1 Update from KB2772429, which requires you to already be running FIM 2010 R2 build 4.1.2273.0 or later, so I had to perform an upgrade using the full installation media. My FIM Sync Service installation detected it was an upgrade and went through fine. Very pain free! However, when I installed the FIM Service and Portal, it didn’t seem to detect my existing installation. When I told it to proceed anyway, and told it to use my existing database, it didn’t install the SP1 Portal, it just uninstalled my existing Portal instead.
This was a bit weird, but since my Portal had already been uninstalled anyway, I decided I’d give it another try, but this time take it as an opportunity to upgrade to SharePoint Foundation 2013.
Installing FIM 2010 R2 SP1 on SharePoint Foundation 2013
I referred to the Microsoft documentation regarding Installing FIM 2010 R2 on SharePoint Foundation 2013 and found it to be pretty pitiful. In fact, there really doesn’t seem to be any benefit to using SPF2013 with FIM unless you’re running Windows Server 2012 (no SPF2010 support until SP2), and several reasons not to (I’ll get to that in a later post) but I was committed by this stage.
The main hurdle was that Classic Authentication has been deprecated in SPF 2013 and removed from the GUI options for creating a web application. Since FIM 2010 doesn’t support Claims-Based authentication, you have to create the web application using the SharePoint 2013 Management Shell. Of course, the “Standalone” installation method with SPF2013 pre-installs your application with Claims Based, so you first need to delete that web application, then create another one via the Management Shell… anyway, all things for a later post.
FIM R2 SP1: FIM Service and Portal Setup Wizard ended prematurely
In true FIM fashion, this error is about as undescriptive as they come. So, in order to delve a little deeper, I executed the installation exceutable with verbose logging switched on:
msiexec /i “Service and Portal.msi /L*v “c:\temp\file.log
This time, when the installer ran, I was able to glean a bit more information:
MSI (s) (54:1C) [14:26:22:593]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI2922.tmp, Entrypoint: AddServiceToPerformanceMonitors SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI2922.tmp-\ SFXCA: Binding to CLR version v2.0.50727 Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.AddServiceToPerformanceMonitors Adding FIMService account to 'Performance Monitor Users' group Property name = 'ServiceAccount', value = 'ourDomain\FIMService'. DomainName='ourDomain' AccountName='FIMService' Domain AD found Exception thrown by custom action: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable. at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName) at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.ChangeUserMembershipInGroup(Session session, Boolean addUser) --- End of inner exception stack trace --- at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture) at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr) CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox) Action ended 14:26:25: InstallExecute. Return value 3.
Note the three bolded bits: While trying to add the FIMService account to the Performance Monitors group, the ChangeUserMembershipInGroup method throws “The RCP Server is unavailable”. I put this information up on a post I started on Microsoft Technet and was also able to find another post by Robin Gaal over at Traxion who had been having a similar issue when upgrading to FIM 2010 R2, which I posted on to see if he could provide more detail.
Between the two posts, the three bits of advice that came back were:
- Ensure you’re using a domain user and a local admin
Well, the account I was using was a domain user, a domain admin, a local admin and domain admins were also in the local admins group. I was also running the installer as administrator. I ruled this one out pretty quickly, but was good to do a sanity check. - Check for AD Security customisations
This one came from Glenn Zuckerman at Microsoft in reply to my Technet post, who had debugged a similar issue and found that it was caused by some AD changes made in order to lock down security in the organisation. The result of these changes was that “the ‘Authenticated Users’ group had been removed from the Pre-Windows 2000 Compatible group” – so, another permissions issue. I had a look at our AD, but couldn’t see anything obvious that would cause any issues with performing the necessary tasks – I mean, I was able to add the user manually to that group, using the same user account performing the installation. - DNS Suffix Incorrectly Configured – SUCCESS!
Robin Gaal had previously reported in his post that this was the issue behind their installation issue and that he was able to resolve it, so I asked him for some more detail. It turns out, his situation was very similar to mine – he was installing the FIM Service and Portal into a Test/Acceptance environment, where the default server configuration was registering the server to the production domain. The solution was as easy as going into the advanced settings for the server’s network adapter, and changing the DNS settings:
Of course, when I tried this, the FIM Service and Portal installed perfectly first try, and I was even able to use and upgrade my existing database (which took almost no time at all to upgrade). Success!!
Overall, a very frustrating installation experience – I’d planned the upgrade to take two days, which I thought was pretty generous, and it ended up taking me about 7. The good news is, I learnt a lot about installing and configuring SharePoint Foundation 2013, as well as some new tricks for debugging FIM installations. Thanks to the folks on the Technet forums for their help, particularly Robin Gaal, Glenn Zuckerman and Varun Kohli.
Glad to hear your problem is solved. Easy solution for a very tricky problem when you don’t know where to look.
Yeah, certainly very frustrating! Longest FIM install I’ve ever had to do. I was a day away from lodging an MS support case. Thanks for the help!
Well, I lodged an MS support case for 4 weeks in the days I was having this issue and they couldn’t help me at all, so that was kinda waste of time.
Yeah, I was using it as a “last resort” for that reason. I figured it would be something obscure that PSS might have a tough time finding.
Hello All,
I´m presenting the same issue,
When trying to Upgrade my Test environment, FIM 2010 R2 to SP1 i can apply the upgrade to SP1 of the Synch Service without issue but the FIM Service shows the same error of this post, i´ve also validated the 3 points mention in the post.
Do i need to uninstall the FIM Portal and then apply the Upgrade?
i´m looking to made a transparent transition.
I´m using Windows SharePoint Services 3.0 SP2.
Will appreciate the comments.
Regards,
Elias
Hi Elias,
From what I’ve seen, you shouldn’t have to uninstall the FIM Portal to apply the update – the only reason I did was because the first upgrade from FIM 2010 -> FIM 2010 R2 SP1 uninstalled my portal anyway. I keep meaning to see if I can reproduce this in a dev environment. Regardless, upgrading from R2 -> R2 SP1 should be as simple as applying the patch.
I’m assuming you turned verbose logging on for the installer and got the same error message, at around the same point? If so, from what I could tell it really relates to a permission issue – in suggestion 1) the issue was not installing using an account with domain privileges; in issue 2) it was that configuration had been changed on AD so that the account no longer had required permissions and; issue 3) Bad DNS config seemed to be pointing me to the wrong domain controller, where the other domain account had no permissions.
Not sure if that helps you at all.. if you manage to figure it out, let us know.
Hello Ross,
Thanks for your response, Just to share with you that at this moment i´ve not been able to fix the error in my test environment(still working on it), but having your comment regarding that this patch doesnt require modifications from a Scenario of FIM 2010 R2 to SP1(also commented in this blog: http://fimfacts.wordpress.com/2013/01/22/upgrading-to-fim-2010-r2-service-pack-1/), also having validated that the times i try to upgrade in my test environment and present the error, the current installation was not affected.
So i proceed to apply the Patch direct to the Production environment:
Reviewing the following Check List:
– Backup FIM Databasess
– Backup FIM Web.config File
(C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config)
– Stop the FIM Services
– Start the installation, with an account that have: Privileges in FIM Database, domain user and local admin.
– Start with the Update of Synch Service and then FIM Service.
The Patch was executed without issues but after the services were started and try to access the portal, i present the error: Service Not available, a restart of the server doesnt fix the issue and i remember that in previous updates i´ve fixing this issue accessing the new Web.config file reviewing the http portal that can be replaced with localhost or another parameter:
After made the correction and saved the file i´ve restarted FIM Services and could access normally to FIM Portal.
Hope this helps,
Elías
Who was it who said “it’s always DNS”? 😉
In my case the issue was slightly different but still name resolution related. In the original installation (I have 2 portal servers load balanced – not a SharePoint Farm, standalones)I created the “http://localhost” Alternate Access Mapping (AAM) in SharePoint Admin for both servers pointing to the URL that was to be used. The localhost URL was used during the FIMService & Portal installation but deleted later from AAM in SharePoint as it was not needed. However, the SP1 installation references it and fails with the 1603 error as it is not able to find it. Re-adding it back in SharePoint resolved my issue.
Hi im installing FIM 2010 and when i run the msi installer with logging from the cmd here’s where it hangs :
Action start 14:57:27: InstallExecute.
CAQuietExec: “netsh” http delete urlacl url=http://+:5725/
CAQuietExec:
CAQuietExec: URL reservation delete failed, Error: 2
CAQuietExec: The system cannot find the file specified.
CAQuietExec:
CAQuietExec:
CAQuietExec: Error 0x80070001: Command line returned an error.
CAQuietExec: Error 0x80070001: CAQuietExec Failed
CustomAction DeleteResourceEndpointAcl returned actual error code 1603 but will be translated to success due to continue marking
CAQuietExec: “netsh” http add urlacl url=http://+:5725/ user=SECURE-ID\FIM Service sddl=D:(A;;GA;;;S-1-5-21-449262665-2380532975-3770530234-1112)
CAQuietExec: The parameter is incorrect.
CAQuietExec:
CAQuietExec:
CAQuietExec: Error 0x80070001: Command line returned an error.
CAQuietExec: Error 0x80070001: CAQuietExec Failed
CustomAction AclResourceEndpoint returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:57:38: InstallExecute. Return value 3.
CAQuietExec: “netsh” http delete urlacl url=http://+:5725/
CAQuietExec:
CAQuietExec: URL reservation delete failed, Error: 2
CAQuietExec: The system cannot find the file specified.
CAQuietExec:
CAQuietExec:
CAQuietExec: Error 0x80070001: Command line returned an error.
CAQuietExec: Error 0x80070001: CAQuietExec Failed
CustomAction RollbackAclResourceEndpoint returned actual error code 1603 but will be translated to success due to continue marking
Action ended 14:57:40: INSTALL. Return value 3.
Action ended 14:57:40: ExecuteAction. Return value 3.
Action start 14:57:40: FatalError.
Action ended 14:57:54: FatalError. Return value 2.
Action ended 14:57:54: INSTALL. Return value 3.
Faced the same issue, it was not a DNS issue, I had to add the http://localhost entry in the Sharepoint Alternate Access Mapping for the website created to host the FIM portal..
Once done setup went fine.
Thanks this article helped resolve my R2 upgrade install problems. Thanks again.
Same problem when installing the HOTfix FIM 4.1.3419.0
After doining some trouble shooting i changed the configured user voor de FIMservice service account from [email protected] to AD101\srvFIMservice and started and stopped the service.
The installation went correct after that.
I’m having a similar issue, I’m trying to go to 4.1.3496.0 on the FimService and the FIMSyncService from 4.1.2273.0. My domain account looks fine. On my dev system, both components upgraded with no problem but on my production server I can’t get FimService to go to 4.1.3496, the FimSyncService upgrades fine. Now the FimService service doesn’t want to start on my prod server. I’m not able to see why this is happening from the log file. There seems to be a secondsequence property it is having problems deleting? Any help would be much appreciated. Here is a snippet of my log file:
MSI (s) (84:DC) [14:26:14:448]: Restoring environment variables
MSI (s) (84:DC) [14:26:14:448]: Destroying RemoteAPI object.
MSI (s) (84:14) [14:26:14:448]: Custom Action Manager thread ending.
MSI (c) (A8:EC) [14:26:14:448]: Back from server. Return value: 1603
MSI (c) (A8:EC) [14:26:14:448]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (A8:EC) [14:26:14:448]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is ‘1’.
Action ended 14:26:14: ExecuteAction. Return value 3.
MSI (c) (A8:EC) [14:26:14:448]: Doing action: FatalError
Action 14:26:14: FatalError.
Action start 14:26:14: FatalError.
MSI (c) (A8:EC) [14:26:14:448]: Transforming table CustomAction.
MSI (c) (A8:EC) [14:26:14:463]: Transforming table CustomAction.
MSI (c) (A8:EC) [14:26:14:463]: Note: 1: 2262 2: CustomAction 3: -2147287038
MSI (c) (A8:58) [14:26:14:463]: Transforming table Binary.
I get this error in a fresh installation with Windows Server 2012 R2 und Sharepoint Foundation 2013 SP1. Problem solved with installing .NET Framework 3.5
Great stuff. helped me find some odd dns config.