cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Failed to update service environment from user... in Windows Event Log.

Former Member

on ‎03-18-2015 3:15 PM

0 Kudos

Hallo guys,

I am new to SAP Systems and SCN, so I hope my post is right here.

I have got a SAP IDES System running an Windows Server 2008 (SP2) Enterprise Edition.

This Server is a mamber of an Domain.

When I start the Windows Server I can see an SAP specific Error in the Windows Event Log under Applications.

The error ist following:

----------

Failed to update service environment from user (SAPIDES\hp2adm) environment. [ntservmgr.cpp 222]

Source: SAPHP2_01

----------

After start of the System in the SAP MMC I get further errors in syslog in the SAP MMC:

----------

SAP-Basis System: Operating system call  gethostbyname failed (error no. 11004)

USER: DDIC

Programm: SAPMSSY1

Process Type: D0

SAP-Basis System: Operating system call  gethostbyname failed (error no. 11004)

USER: DDIC

Programm: SAPMSSY1

Process Type: B13

Communications data: Could not send SLD data

Programm: RSLDAGDS

Process Type: B13

SAPIDES is the name of the System and hp2adm is a local user on this server.

The IDES System can be started and I can also log in to the System.

At the moment I don't know where to start the error analysis.

Please tell me if you need additional information.

Greetings

Martin

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎03-18-2015 7:10 PM

hi,

I would prefer to get a more complete picture of your installation.

We differentiate between a local or a domain based installation.

A local installation is using a account created on the computer to run the system a domain installation is using a domain account.

Typically you should use a domain account running your system, because the system will normally interact with other computers on file system level (remote file access). When using a domain based configuration this is easy to administrate - if you are using computer accounts it will get a nightmare the get this beast configured and running). Unfortunately a lot of people installing SAP Systems did not read our recommendations or did not understand the difference of a domain and local account and end up with a local installation.

Can you please provide following information (output of commands running in an elevated cmd.exe under account hpdadm):

  1. hostname
  2. sc.exe qc SAPHP2_01 
    --> SERVICE_START_NAME : NT5\SAPServiceXXL
    contains the information about the used account - a computername or "." in front of the account name does indicate a local installation, a domainname at this position indicate a domain installation.
  3. dir c:\users
    (the directory names will tell us whether there is some confusion about computer/domain accounts)

In below mentioned section computer or domain in front of a group name indicates that the right entry depends on the installation type (domain --> you have to use the domain name here, computer --> you need to use the computername here).

User Right Assignment Restore Files and Directories:

  • in above cmd.exe start secpol.msc
  • open Local Policies - User Rights Assignment
  • double click on the policy "restore Files and directories" and report us the users, which have this right assigned (computer or domain\SAP_HP2_GlobalAdmin or computer\SAP_SID_LocalAdmin or computer or domain\SAPServiceHP2 must have this right)

Access Control List of Registry Keys:

HKEY_LOCAL_MACHINE\Software\SAP\HP2

  • run regedit.exe in above cmd.exe
  • open HKEY_LOCAL_MACHINE\Software\SAP\HP2
  • rightclick on the Environment key and Select Permissions
    • report the permissions defined for this registry key (Domain or computer\SAP_HP2_GlobalAdmin or computer\SAP_HP2_Localadmin must have full control on this key)

HKEY_CURRENT_USER\Environment (you need to be logged in with the right hp2adm (domain/local). This user must also be specified in HKEY_LOCAL_MACHINE\Software\HP2\AdmUser)

  • run regedit.exe in above cmd.exe
  • open HKEY_CURRENT_USER
  • rightclick on the Environment key and select Permissions
    • SAP_HP2_LocalAdmin group needs to have Read Access on this Registry Key.

This should do the job.

regards

Peter

Show replies
Show replies
former_member232750
Explorer
‎11-19-2015 11:21 AM
0 Kudos

Hi All.

I had the same problem. The recommendations of Peter Simon are very helpful for me.


Regards,

Andrey


former_member204746
Active Contributor
‎04-01-2015 9:35 PM
0 Kudos

You will have more info when viewing these errors using SAPGUI and seeing them in SM21.

by default, all SM21 errors are replicated in Windows event viewer.

to change that behavior, see SAP note 72616 .

then, investigate these errors one by one.

thanks.

Show replies
Show replies
Matt_Fraser
Active Contributor
‎03-18-2015 3:54 PM
0 Kudos

Hi Martin,

Welcome to SCN!

As you probably know, the SAP service at the OS level runs under the user context SAPService<SID>, i.e. since your SID is HP2, the service user will be SAPServiceHP2. Furthermore, you have a second user, hp2adm, which is the OS-level "administrative" user. hp2adm is intended for user logins on the server console, for the purpose of things like running SAPMMC, etc, whereas SAPServiceHP2 is a system user for running the SAPHP2_00, SAPHP2_01, etc, services, and not intended for direct user login.

So, there is a clever mechanism that the SAP start service uses to take the Windows user environment from hp2adm -- i.e., environment variables like DBMS_TYPE, MSSQL_SCHEMA, PATH, etc -- and 'copy' them to the SAPServiceHP2 environment each time the service is started.

For this to happen, a few things need to be correctly setup for both users. Normally, these two users are domain users, yet you mentioned that hp2adm, at least, is a local user. That can be made to work, but it's not the standard configuration. Normally, the installation is done with a domain administrator account, so that the installer can setup the Active Directory global groups as well as the two domain users. However, you can setup the users and groups in AD ahead of time, and then use a local administrator account to do the install. The installation guide has a sub-chapter on installing without being a domain administrator that details this strategy (and it's the strategy I use in my organization).

So, my guess is something about the setup of the service users and groups is not correctly configured, and it may be related to how you did the install, and to using local users instead of domain users. Using local users is not a supported option, by the way.

To remedy it, I would stop the system, delete (or rename) the local users, then at the domain level create the users again, plus the group SAP_HP2_GlobalAdmin, and add the users to the group. Then at the local level create the groups SAP_LocalAdmin and SAP_HP2_LocalAdmin (these may already exist from your installation), and add the domain group to both of these. If they already existed, you should be good to go, but if not, you'll need to ensure they have privileges to the saploc and sapmnt shares and the \usr\sap folders. Add hp2adm to local Administrators (you don't need to add SAPServiceHP2). Make sure that SAPServiceHP2 has Log on as a service set in local policies (gpedit.msc).

I think that should do it.

Regards,

Matt

Show replies
Show replies
Former Member
‎03-18-2015 7:12 PM
0 Kudos

Hi Matt

to be precise:

Every Start operation in MMC or sapcontrol will wipe and recopy the environment variables of the sidadm user.

Just starting the service will have no effect on it.

Furthermore I would use the SAPInst Rename Service to move a local installation to a domain installation (in place).

There are some more things to do (especially some very special security settings of files in the instance\sec directories) in order to get it running again.

regards

Peter

Matt_Fraser
Active Contributor
‎03-18-2015 8:21 PM
0 Kudos

Thanks for the clarification. I've not previously had to move an installation from local to domain, and I didn't realize the Rename tool would do that, so I figured it would have to be manual.

Former Member
‎03-18-2015 10:34 PM
0 Kudos

Hallo Matt,

fist of all thank you for the reply and explanation. For further information this is a testing system for me to learn SAP and will not go productive.

I checked the users and groups on the domain controller and the local users on the SAP System.

I have to admit it was quite weird because:

1. SAPServiceHP2 user was local and on the domain controller

2. hp2adm user was local and on the domaincontroller

3. SAP_HP2_GlobalAdmin group was local and on the domain controller

The services sapccmsr.oo, SAPHP2_00, SAPHP2_00 were configured with the local user SAPServiceHP2 and I changed it to the domain user SAPServiceHP2@pechtor.local since pechtor.local is the domain.

The service SAPOsCol was also configured with a local user and I changed it to the specific domain user.

There is also another service SAPSMD_98 with a local user names smdadm.

The user smdadm is at the moment only local on the SAP System.

In the domain it doesn exist.

Should I do anything with this user for the moment?

After that I restarted the OS and logged in as pechtor\hp2adm.

Before this post I logged in as domain administrator.

If I unterstod your explanation right, the pechtor\hp2adm is the right user to log on the SAP System?

In the event log there are three errors (see event_log_overview)

The the details of the three errors are in the other screenshots.

The last screenshot shows the services as they are at the moment configured.

Regards,

Martin

Matt_Fraser
Active Contributor
‎03-18-2015 10:55 PM
0 Kudos
  • hp2adm and SAPServiceHP2 should be domain users (no need for local copies).
  • SAP_HP2_GlobalAdmin should be a domain group (not local).
  • Local (not domain) groups should be:
    • SAP_HP2_LocalAdmin
    • SAP_LocalAdmin
    • Possibly other groups related to Diagnostics and Host Agents (SMD, DAA, etc)
  • The two local groups should contain the global/domain group
  • The global group should contain the two domain users
  • Local users (not domain) could include daaadm (for diagnostics agent), sapadm (for host agent), and SAPServiceDAA (for diagnostics agent). Or, these might be with SMD instead of DAA. These are not critical to running the SAP system, they are for monitoring by Solution Manager, so may not be needed for your personal test system.
  • Services:
    • SAPDAA_98 (or SAPSMD_98) should run as the local user SAPServiceDAA (or SAPServiceSMD)
    • SAPHP2_00 and _01 should run as the domain user SAPServiceHP2
    • SAPHostControl (if exists) should run as local user sapadm (and be manual start)
    • SAPHostExec (if exists) should run as Local System
    • SAPOsCol is a deprecated service, replaced by SAPHostControl, etc, mentioned above. However, if you still have it, I think it can run as Local System. No harm in using the domain account, just not necessary.

When you start the system with SAPMMC, you should provide the logon credentials for hp2adm when it asks. If you are logged onto the server console when doing this, it's best (but not critical) to logon as hp2adm.

Peter Simon is the expert on this stuff, however, so I would definitely defer to his knowledge. In other words, download the SWPM tool from the SAP Service Marketplace and use the System Rename option within the tool to switch from a local to domain installation without having to reinstall. This will be cleaner than trying to change it manually.

Ask a Question