on 03-18-2015 3:15 PM
Hallo guys,
I am new to SAP Systems and SCN, so I hope my post is right here.
I have got a SAP IDES System running an Windows Server 2008 (SP2) Enterprise Edition.
This Server is a mamber of an Domain.
When I start the Windows Server I can see an SAP specific Error in the Windows Event Log under Applications.
The error ist following:
----------
Failed to update service environment from user (SAPIDES\hp2adm) environment. [ntservmgr.cpp 222]
Source: SAPHP2_01
----------
After start of the System in the SAP MMC I get further errors in syslog in the SAP MMC:
----------
SAP-Basis System: Operating system call gethostbyname failed (error no. 11004)
USER: DDIC
Programm: SAPMSSY1
Process Type: D0
SAP-Basis System: Operating system call gethostbyname failed (error no. 11004)
USER: DDIC
Programm: SAPMSSY1
Process Type: B13
Communications data: Could not send SLD data
Programm: RSLDAGDS
Process Type: B13
SAPIDES is the name of the System and hp2adm is a local user on this server.
The IDES System can be started and I can also log in to the System.
At the moment I don't know where to start the error analysis.
Please tell me if you need additional information.
Greetings
Martin
hi,
I would prefer to get a more complete picture of your installation.
We differentiate between a local or a domain based installation.
A local installation is using a account created on the computer to run the system a domain installation is using a domain account.
Typically you should use a domain account running your system, because the system will normally interact with other computers on file system level (remote file access). When using a domain based configuration this is easy to administrate - if you are using computer accounts it will get a nightmare the get this beast configured and running). Unfortunately a lot of people installing SAP Systems did not read our recommendations or did not understand the difference of a domain and local account and end up with a local installation.
Can you please provide following information (output of commands running in an elevated cmd.exe under account hpdadm):
In below mentioned section computer or domain in front of a group name indicates that the right entry depends on the installation type (domain --> you have to use the domain name here, computer --> you need to use the computername here).
User Right Assignment Restore Files and Directories:
Access Control List of Registry Keys:
HKEY_LOCAL_MACHINE\Software\SAP\HP2
HKEY_CURRENT_USER\Environment (you need to be logged in with the right hp2adm (domain/local). This user must also be specified in HKEY_LOCAL_MACHINE\Software\HP2\AdmUser)
This should do the job.
regards
Peter
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You will have more info when viewing these errors using SAPGUI and seeing them in SM21.
by default, all SM21 errors are replicated in Windows event viewer.
to change that behavior, see SAP note 72616 .
then, investigate these errors one by one.
thanks.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Martin,
Welcome to SCN!
As you probably know, the SAP service at the OS level runs under the user context SAPService<SID>, i.e. since your SID is HP2, the service user will be SAPServiceHP2. Furthermore, you have a second user, hp2adm, which is the OS-level "administrative" user. hp2adm is intended for user logins on the server console, for the purpose of things like running SAPMMC, etc, whereas SAPServiceHP2 is a system user for running the SAPHP2_00, SAPHP2_01, etc, services, and not intended for direct user login.
So, there is a clever mechanism that the SAP start service uses to take the Windows user environment from hp2adm -- i.e., environment variables like DBMS_TYPE, MSSQL_SCHEMA, PATH, etc -- and 'copy' them to the SAPServiceHP2 environment each time the service is started.
For this to happen, a few things need to be correctly setup for both users. Normally, these two users are domain users, yet you mentioned that hp2adm, at least, is a local user. That can be made to work, but it's not the standard configuration. Normally, the installation is done with a domain administrator account, so that the installer can setup the Active Directory global groups as well as the two domain users. However, you can setup the users and groups in AD ahead of time, and then use a local administrator account to do the install. The installation guide has a sub-chapter on installing without being a domain administrator that details this strategy (and it's the strategy I use in my organization).
So, my guess is something about the setup of the service users and groups is not correctly configured, and it may be related to how you did the install, and to using local users instead of domain users. Using local users is not a supported option, by the way.
To remedy it, I would stop the system, delete (or rename) the local users, then at the domain level create the users again, plus the group SAP_HP2_GlobalAdmin, and add the users to the group. Then at the local level create the groups SAP_LocalAdmin and SAP_HP2_LocalAdmin (these may already exist from your installation), and add the domain group to both of these. If they already existed, you should be good to go, but if not, you'll need to ensure they have privileges to the saploc and sapmnt shares and the \usr\sap folders. Add hp2adm to local Administrators (you don't need to add SAPServiceHP2). Make sure that SAPServiceHP2 has Log on as a service set in local policies (gpedit.msc).
I think that should do it.
Regards,
Matt
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Matt
to be precise:
Every Start operation in MMC or sapcontrol will wipe and recopy the environment variables of the sidadm user.
Just starting the service will have no effect on it.
Furthermore I would use the SAPInst Rename Service to move a local installation to a domain installation (in place).
There are some more things to do (especially some very special security settings of files in the instance\sec directories) in order to get it running again.
regards
Peter
Hallo Matt,
fist of all thank you for the reply and explanation. For further information this is a testing system for me to learn SAP and will not go productive.
I checked the users and groups on the domain controller and the local users on the SAP System.
I have to admit it was quite weird because:
1. SAPServiceHP2 user was local and on the domain controller
2. hp2adm user was local and on the domaincontroller
3. SAP_HP2_GlobalAdmin group was local and on the domain controller
The services sapccmsr.oo, SAPHP2_00, SAPHP2_00 were configured with the local user SAPServiceHP2 and I changed it to the domain user SAPServiceHP2@pechtor.local since pechtor.local is the domain.
The service SAPOsCol was also configured with a local user and I changed it to the specific domain user.
There is also another service SAPSMD_98 with a local user names smdadm.
The user smdadm is at the moment only local on the SAP System.
In the domain it doesn exist.
Should I do anything with this user for the moment?
After that I restarted the OS and logged in as pechtor\hp2adm.
Before this post I logged in as domain administrator.
If I unterstod your explanation right, the pechtor\hp2adm is the right user to log on the SAP System?
In the event log there are three errors (see event_log_overview)
The the details of the three errors are in the other screenshots.
The last screenshot shows the services as they are at the moment configured.
Regards,
Martin
When you start the system with SAPMMC, you should provide the logon credentials for hp2adm when it asks. If you are logged onto the server console when doing this, it's best (but not critical) to logon as hp2adm.
Peter Simon is the expert on this stuff, however, so I would definitely defer to his knowledge. In other words, download the SWPM tool from the SAP Service Marketplace and use the System Rename option within the tool to switch from a local to domain installation without having to reinstall. This will be cleaner than trying to change it manually.
User | Count |
---|---|
84 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.