This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

New setup - cant deploy to users - installation could not be started

Hi guys

OK i have installed

Enterprise Console 5 on a server 2008 machine.

I had problems with the database at first and it wouldnt load the interface.  Followed steps online and after lots of messing around I managed to load the console succesfully.

I have managed to protect the server it is already on OK

However, this is a new domain with new antivirus - I can see the 1st workstation i have setup when I do a scan via active directory.  But when I try to protect the computer after a while I get:

Installation could not be started 0x0000002e

Ive done the usual google searches and cant get it to work.

The workstation I am trying to protect is windows 7 64bit.

I have tried to follow the below:

http://www.sophos.com/en-us/support/knowledgebase/111180.aspx

I think I have done it correctly 

Firewall rules and services seem to be correct.

Are there any tests I can do to see what I have missed?

when i do protect computer the administrator password is accepted but then at the end i get the error

Can it be to do with a problem connecting to the database still? If i right click the problem computer in sophos to view computer details i get the error "cannot open database sophos51.  Login failed for user sophosm (which is what the account is in active directory)

Any help appreciated, I did try to follow the setup steps but what they dont seem to match with what I have on screen

thanks!

:27283


This thread was automatically locked due to age.
  • Hi,

    Edited: Thanks to Christian being on the ball!

    The first thing I would try is:

    1. On the Sophos management server run:

    runas /user:[domain]\sophosm cmd.exe

    replacing [domain] with your domain name.

    2. In the new command prompt running in the sophosm context, I would run:

    sqlcmd -E -S .\sophos -d SOPHOS51 -Q "Exec dbo.SDDMBootstrapDataGet"

    Does this return an error or some XML?

    If it errors, maybe: http://www.sophos.com/en-us/support/knowledgebase/116454.aspx would be of use?

    The main things to check with deployment are:

    1. The user you are entering in the deployment wizard can log on to the management server.

    2. The computer you are protecting can be accessed using the netbios machine name, i.e.

    \\[computer]\C$

    I would suggest, testing this whilst logged on to the SEC server as the same account you are using to deploy.

    3. I would check that the scheduled task is being created on the target endpoint.

    4. The client can resolve the CID location based on the path in the scheduled task.  If maybe that the Server creates the task asking the client to run setup.exe, but the client is then unable to locate setup.exe in the CID. 

    http://www.sophos.com/en-us/support/knowledgebase/12455.aspx gives an overview of what takes place.

    That should be a good start.  As you're using SEC 5.1, the deployment to the endpoint should be more reliable than even SEC 5.0.

    The article:

    http://www.sophos.com/en-us/support/knowledgebase/116754.aspx

    should be used for SEC 5.1 in a domain environment.

    Regards,

    Jak

    :27285
  • thanks will try all that tomorrow when back in the office

    the user i am entering in deployment wizard is the administrator account and thats what logs into the machine.

    at first i couldnt access the machine i am trying to protect via netbios, after tinkering, i think i had to create firewall rules on the machine for it to be seen my the management server.  thing is will i have to do this on each terminal i want to install on??

    in regards to the schedule task, i browsed to the machine i am trying to protect via netbios - sophos says to right click and go new task. i dont have this option. just  a .txt file in the folder??

    thanks again its doing my head in!

    :27289
  • HI,

    The article (http://www.sophos.com/en-us/support/knowledgebase/116754.aspx) details how you can roll out the firewall changes using Group Policy.

    Going to:

    \\netbioisofclient\C$\windows\tasks\

    behaves differently if you connect to XP/2003 or Vista+.  If you connect to XP/2003 you can choose to create a scheduled task right from Explorer.  I guess this is what was being asked.  Just being able to access the admin C$ share as the deployment user is evidence enough that you have admin rights on the remote machine.  I assume the "Task Scheduler" service is started as is the "Remote Registry" on the client..

    If you hit a brick wall, it is also possible just to run the setup.exe (http://www.sophos.com/en-us/support/knowledgebase/12570.aspx) on the clients with switches to deploy the endpoint software.  For example: http://www.sophos.com/en-us/support/knowledgebase/13090.aspx.

    Regards,

    Jak

    :27295
  • still struggliing with this :(

    i followed the first step and its saying the sophos db admin doesnt exist. But i can see it in active directory

    is there anyway to completely remove sophos + databases etc... and start again.  ive messed around with it so much I am completely confused now!

    thanks

    :27321
  • Hello dalboy,

    if you can't reset the server ('cause it's not virtual or you don't have an appropriate snapshot) you can remove all components using Programs and Features (start with the AutoUpdate endpoint component), postpone any reboot requests until the last component has been removed. Note that the SQL instance will be kept as well as the databases themselves (so you might want to drop these).

    After reboot run the installer. Might seem tedious but carefully note the steps you've taken (and any problems met) as this information might be adjuvant if you encounter an error(which will hopefully not be the case).

    Christian

    :27325
  • HI,

    The Windows security group "Sophos DB Admins" is used to grant the "database" account, in your case: "sophosm" access to the databases. i.e. SOPHOS51, SOPHOSENC51 and SOPHOSPATCH51.

    When you install SEC on a DC, "Sophos DB Admins" will be a domain local group.

    If you install on a member server or in a workgroup, then the group will be a local group.

    You should be able to:

    1. Re-create the databases using the batch files as per:

    http://www.sophos.com/en-us/support/knowledgebase/116768.aspx

    So essentially you are running against the Sophos instance of SQL:

    C:\sec_51\ServerInstaller\DB\Core\Installdb.bat .\sophos [domainname] SOPHOS51

    where [domainname] should be the short form of your domain as "Sophos DB admins" is a domain group.

    C:\sec_51\ServerInstaller\DB\Patch\CreatePatchDB.bat .\sophos [domainname] SOPHOSPATCH51

    C:\sec_51\ServerInstaller\DB\Encryption\InstallEncryptionDB.bat .\sophos [domainname] SOPHOSENC51

    This will create you the 3 new databases, and grant the Sophos DB admins group the correct access.  As long as "sophosm" is a member of the group you should be ok.

    Re-running the core and patch databases drop and re-create the database, the encryption database isn't dropped, so you may have to run:

    SQLCMD -E -S .\sophos -Q "DROP DATABASE SOPHOSENC51"

    If it says it is in use, stop the service "Sophos Encryption Business Logic Service"

    Regards,

    Jak

    :27329
  • Sorry guys for the late reply.

    Still struggling!

    OK this is what I have done.  Ive setup a brand new server and installed sophos. 

    All was OK,  but I still cannot deploy to the same PC user that I have searched for in active directory.

    I get the error code:

                   
    0000002e  The installation could not be started. The computer may need additional configuration before installation. See article 29287.

    So back to square one again - The databases should be fine as the installation went smoothly and had no errors.  It was also a fresh install on a fresh server.

    Anyone got any more ideas?  I tried a different username and password when protecting the end computer and the error changes saying that it is not correct so the one i was using seems OK but I get the above error.

    I can browse to c$ of the end user from the server.  I can ping the server from the end user as well.

    I tried using a script and command line.  I can run the setup.exe from the end user pc thinking I would just do it this way but updating fails.  I think the comnand line switches were maybe wrong.  The sophos examples are not that clea to understand?!  Id still rather get it working via the console to each user

    Ive turned off all firewalls on the end user as well and still get the error.

    And I followed the sophos steps found here (server 2008):

    http://www.sophos.com/en-us/support/knowledgebase/111180.aspx

    again any help really appreciated :)

    :27697
  • Hello dalboy,

    I can run the setup.exe from the end user pc [...] but updating fails

    does the product install completely (i.e. you can access the Anti-Virus settings using the local GUI) and does the client "appear" in the console? And could you be more specific about the update failure (e.g. error message or code)?

    Christian

    :27699
  • Hi QC

    I get the shield in the bottom right

    hovering over it says update failed.

    i then double click it and everything is greyed out?

    if i right click and go update it says could not contact server...?

    :27701
  • Hello dalboy,

    everything is greyed out

    is View updating log also grey (or not existing)? Please check the ALUpdate log(s) in %ProgramData%\Sophos\AutoUpdate\logs for details of the error. Without knowing them I'd conjecture there's something wrong with your updating credentials (i.e. the account specified in the updating policy). BTW - could you post the command line you used for running setup.exe? Looks like the initial setup succeeds but then AutoUpdate fails to pull "the rest" from the specified update location.

    Christian

    :27707