ArcGIS Server D Drive Site Creation about arcgis-powershell-dsc HOT 20 CLOSED

Hi @cameronkroeker,

I just did another default install on a new physical host and have the same issues reported:

[]PowerShell DSC resource ArcGIS_Server failed to execute Set-TargetResource functionality with error message: CreateSite Failed. Error:- Failed to create the site. Configuration store error. Cannot get persistence. File system 'D:\arcgisserver\config-store' connection failed. The specified location is not accessible. Ensure that the ArcGIS Server account has read and write access to the location.

pdsc had no problem setting up the portal content directory on the D:\Portal\content\arcgisportal location.

I'm going to manually create these folders, grant full to the 'run as' account and try it again this afternoon.

from arcgis-powershell-dsc.

@pfoppe Closing this issue. Please reopen if you have any further questions.

from arcgis-powershell-dsc.

@esri-mdonnelly .. This was on an AWS instance with Esri provided AMI's correct?

from arcgis-powershell-dsc.

No, this was on an Windows AMI (no Esri stack).

I ended up not using the scripts and managed to get distributed deployment working manually.

from arcgis-powershell-dsc.

This issue is related to Windows AMI on AWS which is not currently supported. We are working toward supporting this in an upcoming release.

from arcgis-powershell-dsc.

Hello,

I just faced the exact same issue: no mention of a D drive in my config file but I get the following error: "PowerShell DSC resource ArcGIS_Server failed to execute Set-TargetResource functionality with error message: CreateSite Failed. Error:- Failed to create the site. Configuration store error. File system 'D:\arcgisserver\local\config-store' connection failed. The specified location is not accessible. Ensure that the ArcGIS Server account has read and write access to the location."

I am running the setup on Windows Server 2016 so nothing to do with Windows AMI on AWS !
So it might be a bug rather than an enhancement.

NB1: I also tried manually with ArcGIS Server Manager to configure it. The arcgisserver directories were defaulted to D drive and even when I changed them to be C drive the site creation failed with the same error as above.

NB2: VM is provided by Openstack

NB3: I mounted a D drive to solve the issue. It worked. Site creation was successful. But if I look at the folders, "D:\arcgisserver\local\config-store" is empty while "C:\arcgisserver\config-store" is full. I don't know where this "local" folder comes from. Here is my server directories config:
...
"ServerDirectoriesRootLocation": "C:\arcgisserver\directories",
"ConfigStoreLocation": "C:\arcgisserver\config-store"
...

Finally, once the site is successfully created, if I go to:
https://arcgiserver.company.com:6443/arcgis/manager/site.html both config-store and directories are set on C just like in the config...

A workaround could be to mount a useless to D drive for the setup ?

Cheers

from arcgis-powershell-dsc.

@Biboba we found a property (default config store in hostname.properties file in server install dir/framework/etc folder) we set that can be the cause of this issue. We will validate this soon and if so we will implement a workaround.

from arcgis-powershell-dsc.

@shailesh91
FYI, I just tried a 10.7 installation and did not have this issue any more.
Indeed, hostname.properties file does not contain the 'defaultDirectoriesRoot' property anymore

from arcgis-powershell-dsc.

I'm having similar challenges on a physical Windows 2016 host. I've been successful on many of our VM Windows 2016 hosts that are spun from a standard image. But having issues writing to both C: and D:. I was able to track it back to file system permissions on the C: and D: .

--- setup ---

I am a member of an AD global group. The AD Global group is nested in to the local Administrators Group. I am running Powershell DSC from a remote server.

I have received errors with my config file pointing to both C: and D: as such:

[]PowerShell DSC resource ArcGIS_Server failed to execute Set-TargetResource functionality with error message: CreateSite Failed. Error:- Failed to create the site. Configuration store error. Cannot get persistence. File system 'D:\ArcGISServer\config-store' connection failed. The specified location is not accessible. Ensure that the ArcGIS Server account has read and write access to the location.

I had same issues trying to use the C:\ArcGISServer location.

I tried to create the D:\ folders before powershell DSC and received a similar issue, but instead on the C:\Local config store location:

[]PowerShell DSC resource ArcGIS_Server failed to execute Set-TargetResource functionality with error message: CreateSite Failed. Error:- Failed to create the site. Configuration store error. File system 'C:\arcgisserver\local\config-store' connection failed. The specified location is not accessible. Ensure that the ArcGIS Server account has read and write access to the location.

I compared GPOs on both system and they are identical. I compared C:\ and D:\ file system permissions and there was a difference. I had to add the local USERS group the ability to:

• Local USERS - Create folders/append data to this folder and subfolders
• Local USERS - Create files/write data to subfolders only
• CREATOR OWNER - FULL CONTROL to Subfolders and files only

and final permissions on the system looks like (yellow highlight is what I had to add):

I'm running a final test on another physical host to ensure this is the correct permissions to apply.

I am a little perplexed as I am running this from my account that is an admin (via the AD Group addition to local Administrators). I mirrored the same C:\ and D:\ permissions that are set by our standard VM template.

attached is the redacted config (.json) file I'm using
sample.txt

Thanks for any help/advise you may have.

from arcgis-powershell-dsc.

@pfoppe

I think the issue is because AGS by default creates C:\arcgisserver\local\config-store to use for when the AGS Site Mode is changed to 'Read-Only'.

Even if a non-defualt path is used for the config-store and directories, like D:\arcgisserver or even C:\ags it will still attempt to create/access C:\arcgisserver\local\config directory. I believe this path can only be changed after the site has been created via the AGS Admin API. Therefore, the AGS run-as account will need the correct read/write permissions to C:\arcgisserver\local\config-store in order for the AGS site to be created successfully.

The default location for the local repository is <ArcGIS Server installation drive>\arcgisserver\local.

from arcgis-powershell-dsc.

Hey @cameronkroeker

Thanks for the response! I've been watching the server side operations (on the host receiving the install) and I can see that the icalcs.exe is being executed which I assume is granting the correct permissions for the 'run as' account. I can also see some messaging about this in the resultant log:

[<SERVER_NAME>]: [[ArcGIS_Service_Account]Server_RunAs_Account] RunAsAccount Username:- DOMAIN\SVC_ACCOUNT_NAME
[<SERVER_NAME>]: [[ArcGIS_Service_Account]Server_RunAs_Account] Install Dir for ArcGIS Server is C:\Program Files\ArcGIS\Server
[<SERVER_NAME>]: [[ArcGIS_Service_Account]Server_RunAs_Account] Testing Permission for User DOMAIN\SVC_ACCOUNT_NAME on Directory C:\Program Files\ArcGIS\Server
[<SERVER_NAME>]: [[ArcGIS_Service_Account]Server_RunAs_Account] Providing RunAs Account 'DOMAIN\SVC_ACCOUNT_NAME' has the required permissions to C:\Program Files\ArcGIS\Server
[<SERVER_NAME>]: [[ArcGIS_Service_Account]Server_RunAs_Account] icacls.exe C:\Program Files\ArcGIS\Server /grant DOMAIN\SVC_ACCOUNT_NAME:(OI)(CI)F
[<SERVER_NAME>]: [[ArcGIS_Service_Account]Server_RunAs_Account] Restarting Service ArcGIS Server

So I'm assuming that powershell DSC (pdsc) is correctly setting the file system permissions (but not sure why the C:\ and D:\ needed the extra permissions I gave it (noted above) since I was in local admin.

--- Also...

I have completed another install from scratch and got past those permissions issues noted, however I ran into a few other issues.

The pdsc execution indicated that it could not get the data store registered with the server -

[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] Checking if Relational Datastore is registered
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] The machine <SERVER_NAME> with FQDN '<SERVER_NAME>.DOMAIN' does NOT participates in a registered 'Relational' data store
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] Registering datastores Relational
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] Adding Relational as a data store type
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] Register DataStore at https://localhost:2443/arcgis/datastoreadmin with DataStore Content directory at D:\arcgisdatastore for server https://<SERVER_NAME>.DOMAIN:6443/arcgis
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] Register DataStore Attempt 1
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] Register DataStore on Machine <SERVER_NAME>.DOMAIN
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] POST https://localhost:2443/arcgis/datastoreadmin/configure with 238-byte payload
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] received -1-byte response of content type application/json;charset=UTF-8
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] Response:- {"error":{"code":500,"message":"Read from configuration store failed.. Extended error message: An I/O error occurred while sending to the backend.","details":null}}
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] Error Response - @{code=500; message=Read from configuration store failed.. Extended error message: An I/O error occurred while sending to the backend.; details=}
[<SERVER_NAME>]: [[ArcGIS_DataStore]DataStore<SERVER_NAME>] [WARNING]:- ERROR: failed. Read from configuration store failed.. Extended error message: An I/O error occurred while sending to the backend.

These messages are in the output (verbose) logs. Only messages in the error logs are:

PowerShell DSC resource ArcGIS_DataStore failed to execute Set-TargetResource functionality with error message: Register Data Store Failed after multiple attempts.
The SendConfigurationApply function did not succeed.

So the error indicates another I/O file system error (possibly permissions related again).

At this point, can you provide some clarity on what permissions need to be applied on the C:\ and D:\ locations? Again.. Im assuming that my access (as administrator) would be sufficient and that the pdsc would set the correct permissions on the 'run as' account for the back-end file system (config-store/directories).

Hoping we can get this resolved as I'm looking at a fairly large number of deployments over the next couple years. Thanks again for any help you can provide.

from arcgis-powershell-dsc.

Hi @pfoppe,

I suspect that the issue here is that PowerShell DSC is only setting the correct permissions for the specified domain AGS/DS 'run-as' account to the following locations (from your sample.txt):

"InstallDir": "C:\\Program Files\\ArcGIS\\Server",
        "InstallDirPython": "C:\\Python27",
"ServerDirectoriesRootLocation": "D:\\ArcGISServer\\directories",
      "ConfigStoreLocation": "D:\\ArcGISServer\\config-store",

I bet it's not setting correct permissions to C:\arcgisserver\local\config-store location.

I recommend manually setting the permissions outlined here to all of the following locations:

• C:\Program Files\ArcGIS\Server
• C:\Python27
• D:\ArcGISServer\directories
• D:\ArcGISSerever\config-store
• C:\arcgisserver\local\config-store

If you manually create these locations and explicitly set the permissions, described in the doc above, to the domain AGS/DS run-as account, then run the PowerShell DSC script does it resolve the issue?

from arcgis-powershell-dsc.

I granted the run as account to have full control on all the specified directories. It made it further but died again:

[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] Register DataStore at https://localhost:2443/arcgis/datastoreadmin with DataStore Content directory at D:\arcgisdatastore for server https://HOSTNAME.DOMAIN:6443/arcgis
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] Register DataStore Attempt 1
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] Register DataStore on Machine HOSTNAME.DOMAIN
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] POST https://localhost:2443/arcgis/datastoreadmin/configure with 238-byte payload
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] received -1-byte response of content type application/json;charset=UTF-8
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] Response:- {"error":{"code":500,"message":"Attempt to configure data store failed.. Extended error message: Attempt to configure data store failed.. Extended error message: Attempt to configure data store failed.. Extended error message: Unable to create directory 'D:\arcgisdatastore'.","details":null}}
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] Error Response - @{code=500; message=Attempt to configure data store failed.. Extended error message: Attempt to configure data store failed.. Extended error message: Attempt to configure data store failed.. Extended error message: Unable to create directory 'D:\arcgisdatastore'.; details=}
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] [WARNING]:- ERROR: failed. Attempt to configure data store failed.. Extended error message: Attempt to configure data store failed.. Extended error message: Attempt to configure data store failed.. Extended error message: Unable to create directory 'D:\arcgisdatastore'.
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] Attempt [1] Failed. Retrying after 30 seconds
[HOSTNAME]: [[ArcGIS_DataStore]DataStoreHOSTNAME] Register DataStore Attempt 2

I'll manually create the D:\arcgisdatastore reference, grant full control to the run as account and try again.

from arcgis-powershell-dsc.

That corrected the arcgis server datastore issue. So it seems that pdsc is not granting the appropriate permissions for the 'run as' accounts to create the content directories (primarily server and datastore). Portal seems fine.

from arcgis-powershell-dsc.

@pfoppe Does the same issue occur if a local account is specified in the role json file rather than the domain service account?

from arcgis-powershell-dsc.

Confirmed, same issue with a local account (unable to write to D:\arcgisserver\config-store).

I ran an uninstall, purged all server side directories, manually created a local account and re-executed the InstallLicenseConfigure option with the local account in the JSON file. I can see it did set the correct local account for the windows NT services to 'run as'. Just failed on the file system permissions again.

from arcgis-powershell-dsc.

I am still running into file system permissions with both the pdsc InstallLicenseConfigure operations AND after pdsc execution is reported are successful. Many of the posts above show the issues with the actual pdsc execution, however as I'm looking through some of our other environments we are testing, we are also running into further issues. And it doesnt seem to be consistent...

For example - One of the Federated ArcGIS Server sites pdsc InstallLicenseConfigure that indicated it succeeded but didnt actually complete the file system permissions successfully. During server startup, logs throw a SEVERE error -

Failed to start the server machine 'SERVER.DOMAIN'. Configuration store error. File system 'C:\ArcGISServer\config-store\machines\SERVER.DOMAIN.json' put failed. C:\ArcGISServer\config-store\machines\SERVER.DOMAIN.json (Access is denied)

And sure enough, the service account is not granted the rights to that file:

And the service account is granted full control to just the folder above it (all the way up to the config-store)... which are considered 'special permissions':

The CREATER OWNER is the service account and also has Full Control to this subfolder and files only:

Even after running the Configure ArcGIS Server Account utility on the local machine, the permissions are still not set on the machine.json file so the site cannot startup. The vendor doc for changing the arcgis server account indicate that it will

Use this utility instead of trying to manually change the ArcGIS Server account with your operating system tools. The utility is designed to apply permissions to all necessary directories (as explained above) across all the machines in your deployment. If you try to change the account manually and you make a mistake, you could experience server failure and downtime.

At this point... I'm at somewhat of a loss on this situation... It seems the only valid solution is to manually setup the folders ahead of time with the service account having 'full control' at the root before the powershell DSC execution. and if we are manually setting up, i'm having a hard time justifying spending more time on trying to optimize/automate the system build. I guess we could build our own scripts to setup the file permissions to get pdsc to run successfuly but at some point when do we throw in the towel?

Was it intended that pdsc would grant the appropriate permissions (and there is an issue here)? Or is this expected behavior?

Also... would you prefer me starting my own issues thread on this topic as it seems related but different to the original thread? I was going to start my own but jumped on this one as I thought it was related to a D:\ installation. Turns out its also problematic on a C:\

Thanks.

from arcgis-powershell-dsc.

@pfoppe

I recommend migrating this issue to a new thread to keep it separate, since its not entirely the same issue as the original one posted here and, also, it may be worth contacting Esri Technical Support to have them help troubleshoot and/or attempt to reproduce the issue.

Is the Configure-ArcGIS module being ran with a given credential or as local system account?

For example:
Configure-ArcGIS -ConfigurationParametersFile [[Path to Configuration JSON File]] -Mode [Install | InstallLicense | InstallLicenseConfigure | Uninstall | Upgrade] -Credential [Config RunAs - Optional]

from arcgis-powershell-dsc.

Thanks... I'll get a new issue going and try to summarize the experiences.

I am currently running with just:
Configure-ArcGIS myfile.json InstallLicenseConfigure
I am logged into the script host server as an administrator and am executing to a remote system where I am also an administrator. I am NOT providing any explicit credentials. In fact, we do not have administrative username/password credentials on our environments; only OS administrative access is through a client certificate on a Personal Identity Verification (PIV) card.

from arcgis-powershell-dsc.

@pfoppe if you don't use credentials you are essentially running your DSC Scripts triggered from Configure-ArcGIS commandlet are running as the system account.

from arcgis-powershell-dsc.