none
Adding NAP Role - Error

    Question

  •  I am currently running a 2003 R2 native domain consisting of (1) 2003 R2 DC,
    (1) 2003 DC and (2) 2008 Server DC's.

    My 2003 DC is an IAS server.

    I am trying to add the NAP role to my 2008 DC's but on both I recieve the
    following error:

    Network Policy and Access Services:  Installation Failed

    Attempt to install Server failed with error code 0x80070643.  Fatal error
    during installation.

    Can any one help me out with way I can not add this role?  IAS is the only
    service that is keeping me from from removing the 2003 servers and going all
    2008 Native.

    (I can not upgrade my 2003 Servers to 2008).

    Thanks - TD
    Monday, October 06, 2008 9:11 PM

Answers

  • TD,

    Can you please try the following procedures on your server to help troubleshoot the problem?

    1. Remove NPS and domain services.
    2. Enable tracing on the command line with netsh ras set tracing * enable
    3. Reboot the machine and try installing the services again (AD DS then NPS).
    4. Review and provide the output from logs in %windir%\tracing.
    5. When ready, disable tracing with netsh ras set tracing * dis

    Also check the Application logs on the server for error events. Specifically, there might be an error event logged by VSS during NPS installation.

    Thanks,
    -Greg
    Wednesday, October 08, 2008 7:54 PM

All replies

  • Hi,

    There is an identical thread to this one on the forum. Unfortunately, the problem wasn't identified.

    In the other thread, Chao Wang asked that the event log be checked. Can you please check this and reply with details?

    Thanks,
    -Greg

    Monday, October 06, 2008 9:53 PM
  • Greg -

    The only event viewer error message is this:

    Network Policy and Access Services:  Installation Failed

    Attempt to install Server failed with error code 0x80070643.  Fatal error
    during installation.

    Thanks -TD


    I removed Domain Services on this machine and was able in insatall NAP.  I then ran DCPromo on the machine again, at which time the NAP services stopped.  I then removed Domain Services at which time NAP services were able to start again..... 
    • Edited by TuckerDavis Tuesday, October 07, 2008 3:44 PM
    Monday, October 06, 2008 10:39 PM
  • Hi,

    I'm checking with the product team to see if there are ideas as to why you are seeing this error. I've installed NPS on a DC myself before with no issues, so I'm not sure why you are seeing this problem.

    -Greg
    Tuesday, October 07, 2008 10:55 PM
  • TD --

        Could you include a bit more information regarding your configuration ?

        You get an error trying to add the NAP role to your Windows Server 2008 domain controllers -- are these servers both Enterprise ?  Standard Servers?

        When you install Network Policy and Access Services, there are various checkboxes to choose role services.  Do you choose just "Network Policy Server" or other options also ?

        Are you familiar with what type of Certificate Authority is installed ?

        I'm trying to get a better grasp of your setup to try to understand the problem.

    Thanks

    Bob

    • Proposed as answer by Mnovak Wednesday, July 29, 2009 11:47 AM
    Wednesday, October 08, 2008 12:38 AM
  • Bob/Greg -

    Both DC's are x86 Standard 2008 Servers.  One is installed on a physical box, the other is a VHD file. 

    There is currently no CA in our local environment.

    I am purly trying to get the equvilant of IAS so I am only selecting the first check box for the NAP Server.  I also tried selcting that with the RRAS options but that also failed.

    The ONLY event viewer entry is the error I listed above.

    Thanks for your follow-up's. 

    TD
    Wednesday, October 08, 2008 2:10 PM
  • TD,

    Can you please try the following procedures on your server to help troubleshoot the problem?

    1. Remove NPS and domain services.
    2. Enable tracing on the command line with netsh ras set tracing * enable
    3. Reboot the machine and try installing the services again (AD DS then NPS).
    4. Review and provide the output from logs in %windir%\tracing.
    5. When ready, disable tracing with netsh ras set tracing * dis

    Also check the Application logs on the server for error events. Specifically, there might be an error event logged by VSS during NPS installation.

    Thanks,
    -Greg
    Wednesday, October 08, 2008 7:54 PM
  • Greg -

    I will need a little time to complete this and will post up the results.
     
    Thanks -

    TD
    Wednesday, October 08, 2008 8:14 PM
  •  Hi TD,

    Have you resolved the issue or are you able to provide these logs?

    Thanks,
    -Greg
    Thursday, October 23, 2008 9:16 PM
  • Greg -

    I am sorry for the delay and appreaciate your follow-up.  I had to move on to another project but I will be revisting this in a few days.  I will post the logs than.

    TD
    Tuesday, October 28, 2008 4:19 PM
  •  
    Greg,

    Was there any further developement/research on this issue?

    I am experiencing the same problem - after uninstalling NPS, it won't reinstall - nothing logged to event viewer, the servermanager log outputs the following:


    5064: 2008-12-01 11:40:57.477 [CbsUIHandler]              Initiate:
    5064: 2008-12-01 11:40:57.477 [InstallationProgressPage]  Installing...
    5064: 2008-12-01 11:46:19.756 [CbsUIHandler]              Error: -2147021879 :
    5064: 2008-12-01 11:46:19.756 [CbsUIHandler]              Terminate:
    5064: 2008-12-01 11:46:19.756 [CBS] Error (Id=0) Function: 'NativeMethods.GetPackageStatus(out status)' failed: 80070bc9 (-2147021879)
    5064: 2008-12-01 11:46:19.756 [CBS]                       ...done installing 'IAS NT Service '. Status: -2147021879 (80070bc9)
    5064: 2008-12-01 11:46:19.756 [InstallationProgressPage]  Verifying installation...
    5064: 2008-12-01 11:46:19.756 [Provider]                  Skipped configuration of 'NetworkPolicyServer' because install operation failed.

    ...But nothing else is logged in eventlog, etc.

    (The box is a DC, 2008 enterprise x64..)


    ???


    Monday, December 01, 2008 3:27 AM
  • Greg,
    I am having the same problem reinstalling NPS after uninstalling it.
    Additionally, I have some of this same info in.
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.win2000.active_directory&m-3dcb-4870-8cb6-c79812a8cf27

    The event viewer only contains very generic failure information on the
    subject of adding the role.
    In the setup log it lists Event 1616 ServerManager
    Installation Failed
    Network Policy and Access Services
    Error: Attempt to install Network Policy Server failed with error code
    0x80070643. Fatal error....

    This is a very generic fatal error code. So I looked in ServerManager.log
    and it also shows very little detail. Only on the last lines does it notice
    the failure but gives no other information.

    So I dig deeper into the CBS.log file and discover that right before the
    installation process reverses and begins uninstalling itself, there is a
    failure to start the NPS service.

    The relevant CBS log line is:
    "Attempting to start service {IAS} synchronously" then
    "Service did not run. Current state (3) Exit code (-2147467259) Service
    specific exit code (0) Check point (1) Wait hint (300000) "

    further down in the cbs.log is the data regarding how it was trying to start.
    <serviceData xmlns="urn:schemas-microsoft-com:asm.v3" name="IAS"
    displayName="@%SystemRoot%\system32\ias.dll,-1000" errorControl="normal"
    imagePath="%SystemRoot%\System32\svchost.exe -k netsvcs" start="delayedAuto"
    type="win32ShareProcess" description="@%SystemRoot%\system32\ias.dll,-1001"
    dependOnService="RPCSS" objectName="LocalSystem"
    startAfterInstall="synchronous"
    requiredPrivileges="SeTcbPrivilege,SeChangeNotifyPrivilege,SeCreateGlobalPrivilege,SeImpersonatePrivilege,seAuditPrivilege">

      <securityDescriptor name="WRP_REGKEY_IAS_NETWORK_SERVICE_START" />


    Then it begins a complete rollback after the failure to start the service.
    Not very much debugging info to go on. Obviously, it depends on RPCSS but
    this service is already started and running.

    Is there a way to generate or find more data about why NPS can not start. That is the reason I uninstalled it in the first place, because it could not start and there was not data that I could find regarding why not.

    server is SBS 2008, 64bit, AD DC (lone server) in production.

    -Brian H

    • Edited by hublerb Thursday, December 04, 2008 5:15 PM more logs added
    Thursday, December 04, 2008 5:12 PM


  • this didn't solve my issue, but at least microsoft is looking at it ...:

    http://blogs.technet.com/sbs/archive/2009/02/20/the-network-policy-server-service-ias-fails-to-start-or-be-installed.aspx
    Wednesday, February 25, 2009 3:22 AM
  • I am experiencing just about the same exact error. However, the error code returned from the failed launch is slightly different:

    2009-02-26 17:34:56, Info                  CSI    000000cf Begin executing advanced installer phase 38 (0x00000026) index 29 (0x000000000000001d) (sequence 156)
        Old component: (null)
        New component: Microsoft-Windows-Networking-Internet_Authentication_Service_NTService, Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
        Install mode: install
        Installer ID: {51d504ad-4868-464c-a504-e6cc8a210a97}
        Installer name: [7]"Service"
    2009-02-26 17:35:07, Error                 CSI    00000001 (F) Logged @2009/2/27:01:34:56.302 : [ml:96{48},l:94{47}]"Attempting to start service {IAS} synchronously"
    [gle=0x80004005]
    2009-02-26 17:35:07, Error                 CSI    00000002 (F) Logged @2009/2/27:01:35:07.331 : [ml:250{125},l:248{124}]"Service did not run. Current state (1) Exit code (-2147014848) Service specific exit code (0) Check point (0) Wait hint (0) "
    [gle=0x80004005]
    2009-02-26 17:35:07, Error                 CSI    00000003@2009/2/27:01:35:07.362 (F) CMIADAPTER: Inner Error Message from AI HRESULT = HRESULT_FROM_WIN32(10048)
     [
    [94]"Only one usage of each socket address (protocol/network address/port) is normally permitted."
    ]
    [gle=0x80004005]
    2009-02-26 17:35:07, Error                 CSI    00000004@2009/2/27:01:35:07.362 (F) CMIADAPTER: AI failed. HRESULT = HRESULT_FROM_WIN32(10048)
     Element:
     [814]"<serviceData xmlns="urn:schemas-microsoft-com:asm.v3" name="IAS" displayName="@%SystemRoot%\system32\ias.dll,-1000" errorControl="normal" imagePath="%SystemRoot%\System32\svchost.exe -k netsvcs" start="delayedAuto" type="win32ShareProcess" description="@%SystemRoot%\system32\ias.dll,-1001" dependOnService="RPCSS" objectName="LocalSystem" startAfterInstall="synchronous" requiredPrivileges="SeTcbPrivilege,SeChangeNotifyPrivilege,SeCreateGlobalPrivilege,SeImpersonatePrivilege,seAuditPrivilege">  <securityDescriptor name="WRP_REGKEY_IAS_NETWORK_SERVICE_START" />  <failureActions resetPeriod="18000">    <actions>      <action type="restartService" delay="120000" />      <action type="restartService" delay="300000" />      <action type="none" />    </actions>  </failureActions></serviceData>"
    [gle=0x80004005]
    2009-02-26 17:35:07, Error                 CSI    000000d0@2009/2/27:01:35:07.362 (F) d:\rtm\base\wcp\cmiadapter\installers.cpp(356): Error HRESULT_FROM_WIN32(10048) originated in function Windows::WCP::CmiAdapter::CMIWrapperBasicInstaller::ResolveAndInvokeInstaller expression: hr
    [gle=0x80004005]
    2009-02-26 17:35:14, Error                 CSI    00000005@2009/2/27:01:35:14.928 (F) CMIADAPTER: Exiting with HRESULT code = HRESULT_FROM_WIN32(10048).
    [gle=0x80004005]
    2009-02-26 17:35:14, Error                 CSI    000000d1@2009/2/27:01:35:14.928 (F) d:\rtm\base\wcp\cmiadapter\installers.cpp(123): Error HRESULT_FROM_WIN32(10048) originated in function Windows::WCP::CmiAdapter::CMIWrapperBasicInstaller::Install expression: hr
    [gle=0x80004005]
    2009-02-26 17:35:18, Info                  CSI    000000d2@2009/2/27:01:35:18.267 CSI Advanced installer perf trace:
    CSIPERF:AIDONE;{51d504ad-4868-464c-a504-e6cc8a210a97};Microsoft-Windows-Networking-Internet_Authentication_Service_NTService, Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral;22470949

    My situation is a Windows 2008 x64 DC.  It is also running the DHCP, DNS, file services, Printer services, Web server and WSUS roles.

    Friday, February 27, 2009 2:27 AM
  • FINALLY!!! I got NPS installed!!

    With help from the following link: http://amalgamman.livejournal.com/3841.html I realized I was seeing VSS errors "Volume Shadow Copy Service error: Unexpected error NetGroupGetUsers().  hr = 0x80070005" in addition to my inability to install NPS with error codes 0x80070643;

    To resolve, I uninstalled Windows Server Backup, added "read" permission for "Authenticated Users" to Active Directory "Builtin" object, then reinstalled Windows Server Backup, reboot, and install Network Policy and Access Service.

    Note: Active Directory User and Computers>View>select "Advanced Features">right-click the "Builtin" object, select Properties, select Security, add "Read" permission to "Authenticated Users" (NOTE: Specifcally added to non-inherited entry and applies to "This Object Only" property).

    Simply adding the "read" permission didn't appear to work; possibly not reinstalling Windows Server Backup may have worked, but at this point I'm just glad I finally got this installed. It was unusual to see the Builtin object to have NO permissions set whatsoever, and I'm not sure why or how that occured. It would be interesting to see what a fresh install creating a new domain would look like, but at this point I'm just happy to get a Radius Server back onto my domain controller.
    • Proposed as answer by dkpruett Saturday, March 28, 2009 4:59 PM
    Saturday, March 28, 2009 4:55 PM
  • Did any solution ever come from this discussion? I am having much the same problem, though rather than it being on SBS 2008, it is on Server 2008. I tried the solution that dkpruett suggested, but it did not seem to apply to my situation.

    I would really appreciate any suggestions/advice.
    Friday, April 24, 2009 2:23 PM
  • I had exactly the same problem and same error in ServerManager.log on Windows 2008 Ent sever x32

     

    'IAS NT Service' to 'InstallRequested'

    4152: 2009-07-02 11:18:03.795 [CBS]                       ...'IAS NT Service' : applicability: Applicable

    4152: 2009-07-02 11:18:58.910 [CbsUIHandler]              Initiate: 

    4152: 2009-07-02 11:18:58.956 [InstallationProgressPage]  Installing...

    4152: 2009-07-02 11:24:27.274 [CbsUIHandler]              Error: -2147021879 : 

    4152: 2009-07-02 11:24:27.274 [CbsUIHandler]              Terminate: 

    4152: 2009-07-02 11:24:27.290 [CBS] Error (Id=0) Function: 'NativeMethods.GetPackageStatus(out status)' failed: 80070bc9 (-2147021879)

    4152: 2009-07-02 11:24:27.290 [CBS]                       ...done installing 'IAS NT Service '. Status: -2147021879 (80070bc9)


    Also I used VSS on one drive (not system)

    For me, the solution was to disable VSS on all drives while installing NAP. After that my NAP service was installed successfully. 

     

     

    Wednesday, July 29, 2009 11:59 AM
  • Greg: Just to clarify my answer, I'm not running SBS either. From what I remember, when I'd go through the logs to see why SBS wouldnt install, I "think" it was tring to do a VSS image just before trying to install NPS. Thus to get NPS installed I had to fix the VSS problems first, and those problems were due somehow to the Windows Server Backup I had installed and subsequent rights problems. I spent months on this before I finally go running.... I'd look into the "permissions" issue I was seeing closer to at least ensure you don't have similar problems
    Wednesday, July 29, 2009 12:09 PM
  • I noticed that  few more people in this thread are facing issues on install NPS Role. This could be that some other service is using the same TCP/UDP port , look in the this thread for more information http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/79053f1b-d3c4-494b-9fb8-ed87d3984a2e

    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Friday, November 06, 2009 10:35 PM
  • Hi All,

    I lost many hours in a project because of this problem. I tried everything and googled everything etc.. I reckon I came accross every blog, expertsexchange post and technet forum.

    Nothing would fix it.

    Out of the blue, I just thought I would change the service to "Automatic" instead of it being "Automatic - Delayed Start" and it works. No matter how many times I rebooted the server, it works still.

    I service packed the server to 2008 R2 SP1 and it still works.

    Other notes of interest:

    • There seems to be no errors in the event log because of the change which is good.
    • The server in question happens to have Trend (not SEP) and Shadow Protect 4.1 installed, It has DC (FSMO)  DNS, DHCP etc., I could not find any vss errors or shared ports. I even tried it on other servers in the domain (server 2008 R2 and plain ol' 32 bit server 2008 and I had the same issues on them - the service wouldn't start..)
    • The existing server 2003 IAS boxed worked fine though.

    I hope my post helps many others with this problem.

    David
    MCSE, MCITP(SA,EA,EMA,W7EDA), VMware VCP4


    • Edited by marcu5 Thursday, March 24, 2011 9:09 AM edited
    Thursday, March 24, 2011 9:08 AM