Access denied when trying to connect to the Management server from a Runbook Designer which is in another trusted domain.

  • Question

  • Hi,

    We are trying to deploy a Runbook Designer in another remote trusted domain from Deployment Manager. When we try to deploy, we get an access denied error after it loads for a long time. We are using the same Management server service account of the primary domain for the deployment. There is no firewall between the Runbook Designer and the management server. We have also configured DCOM as per the fix recommended by the KB article.

    What are we missing here? Can anyone please help us fix this?


    Thursday, May 7, 2020 9:03 AM

All replies

  • Hi,

    When using the Deployment Manager to distribute the Runbook Designer, it will connect to both Management Server and the Orchestrator database to configure necessary settings.

    Do you have any firewall blocking the Orchestrator database?

    Note: You can also install the Runbook Designer manually (without deployment) from the Orchestrator installation media.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Thursday, May 7, 2020 10:15 AM
  • Thank you for your reply

    Yes, we have tried both ways. We installed the Runbook Designer standalone on the server and tried to connect to the management server from the Designer, and we also tried deploying it from Deployment Manager; both give the same "Access Denied" error. There is no firewall in between, and the OS firewall is turned off.

    Thursday, May 7, 2020 11:05 AM
  • Which account is being used to run the Runbook Designer? 
    Is the account a member of the OrchestratorUsersGroup group on the Orchestrator management server?

    Blog: https://thesystemcenterblog.com

    Thursday, May 7, 2020 11:33 AM
  • It is a Management server service account and it is a member of OrchestratorUserGroup.
    Thursday, May 7, 2020 2:26 PM
  • Hi,

    When you open Deployment Manager, your account is used to deploy the IPs or the Runbook Designer.

    The account which executes Deployment Manager needs admin access to the remote server. You can check this by trying to access \\remoteSystem\c$.

    You can also install Runbook Designer from Orchestrator Setup directly or an IP which you should find on Management Server in C:\Program Files (x86)\Microsoft System Center\Orchestrator\Management Server\Components\Objects

    Regards,

    Stefan


    More and news about System Center at stillcool.de and sc-orchestartor.eu .

    Thursday, May 7, 2020 3:16 PM
  • Assuming you have a two-way domain/forest trust, you should simply be able to run the Runbook Designer as another user -> write the DOMAIN\ScorchServiceAccount (where "DOMAIN" is the domain where the Orchestrator management server is located in).

    Then Connect to the Orchestrator management server Actions -> Connect > write the FQDN of the Orchestrator management server (example: SCORCH2019.contoso.com)


    Blog: https://thesystemcenterblog.com

    Thursday, May 7, 2020 4:01 PM
  • Yes, we are able to access the C drive but are still not able to connect to the management server from the Designer.
    Friday, May 8, 2020 9:20 AM
  • We have tried running as a different user and also gave the FQDN when connecting to the management server. But still no luck.
    Friday, May 8, 2020 9:22 AM
  • Do you want to deploy the Runbook Designer from the Management Server with Deployment Manager?

    Or, when the Runbook Designer is installed, connect to the Management Server with the Designer?

    If the Runbook Designer is already deployed, the user connecting to the Management Server must be a member of the OrchestratorUserGroup specified during setup. When nothing changes, it's a local group on the Orchestrator Management Server. But it is recommended to specify an AD group.

    To get the group, logon to Management Server and check the Group as described in https://support.microsoft.com/de-de/help/2779526/access-denied-in-runbook-designer-when-connecting-to-the-system-center:

    1. On the System Center Orchestrator Management Server, launch dcomcnfg to open up the Component Services applet.
    2. Expand Component Services, then Computers, then My Computer.
    3. Right-click My Computer, then click Properties.
    4. Click the COM Security tab.
    5. Under Access Permissions, click Edit Limits.
    6. Click Add then enter details of the desired local or Active Directory based security group and click OK.
    7. Click the new entry and then select the Allow checkbox for each permission then click OK.
    8. Under Launch and Activation Permissions, click Edit Limits.
    9. Click Add then enter details of the desired local or Active Directory based security group and click OK.
    10. Click the new entry and then select the Allow checkbox for each permission then click OK.
    11. Click OK to close the My Computer Properties dialog.
    12. Expand My Computer, then click DCOM Config.
    13. Locate omanagement, then right-click and choose Properties.
    14. Click the Security tab.
    15. Under Launch and Activation Permissions, click Edit.
    16. Click Add then enter details of the desired local or Active Directory based security group and click OK.
    17. Click the new entry and then select the Allow checkbox for each permission then click OK.
    18. Under Access Permissions, click Edit.
    19. Click Add then enter details of the desired local or Active Directory based security group and click OK.
    20. Click the new entry and then select the Allow checkbox for each permission then click OK.
    21. Click OK to save the changes.
    22. Close the Component Services applet.
    23. Open Command Prompt.
    24. Type sc stop omanagement and press Enter.
    25. Type sc start omanagement and press Enter.

    Also check in the Designer that this group has Full Control on the top-level folders (Runbooks, Computer Groups, Runbook Server and Variables, Counters, Schedules).

    Regards,

    Stefan


    More and news about System Center at stillcool.de and sc-orchestartor.eu .


    Friday, May 8, 2020 9:41 AM
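
A read-only way to confirm the result of the dcomcnfg steps quoted in the last reply, as an added PowerShell example that is not part of the original thread or of Orchestrator itself. The group name `CONTOSO\OrchestratorUsersGroup` is a placeholder and `Get-ComAceForSid` is a hypothetical helper name; the script assumes the DCOM application is registered under the name `omanagement`, as the steps indicate.

```powershell
# Added example: read-only check of the DCOM ACLs edited in steps 1-22.
# Run elevated on the Orchestrator management server.
param(
    # Assumption: placeholder for the group chosen during Orchestrator setup.
    [string]$GroupName = 'CONTOSO\OrchestratorUsersGroup'
)

$sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
    [System.Security.Principal.SecurityIdentifier])

# COM_RIGHTS_* access-mask bits; a Designer on another machine needs the remote ones.
$rights = [ordered]@{
    Execute = 1; Local = 2; Remote = 4; LocalActivation = 8; RemoteActivation = 16
}

function Get-ComAceForSid {   # hypothetical helper name
    param([string]$Scope, [string]$Path, [string]$ValueName)
    $bytes = (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) {
        $granted = 'value not set, system default ACL applies'
    } else {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
        $mask = 0
        # Only Allow ACEs naming the group itself are counted, not nested or inherited grants.
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $sid.Value) {
                $mask = $mask -bor $ace.AccessMask
            }
        }
        $names = @($rights.Keys | Where-Object { $mask -band $rights[$_] })
        $granted = if ($names) { $names -join ', ' } else { 'no Allow ACE for this group' }
    }
    [pscustomobject]@{ Scope = $Scope; Acl = $ValueName; Granted = $granted }
}

$results = @()
# Steps 1-11: machine-wide limits (COM Security tab, Edit Limits).
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$results += Get-ComAceForSid 'Machine limits' $ole 'MachineAccessRestriction'
$results += Get-ComAceForSid 'Machine limits' $ole 'MachineLaunchRestriction'

# Steps 12-21: per-application ACLs of the omanagement DCOM application.
$app = Get-CimInstance -ClassName Win32_DCOMApplication -Filter "Name='omanagement'"
if ($app) {
    $appKey = "HKLM:\SOFTWARE\Classes\AppID\$($app.AppID)"
    $results += Get-ComAceForSid 'omanagement' $appKey 'AccessPermission'
    $results += Get-ComAceForSid 'omanagement' $appKey 'LaunchPermission'
} else {
    Write-Warning 'No DCOM application named omanagement is registered on this machine.'
}
$results | Format-Table -AutoSize
```

A row that lacks `Remote` or `RemoteActivation` for the group points at the ACL that still blocks a Designer running on another machine.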