
SAP Solution Manager Installation - Error - Preparation steps

Former Member
0 Kudos

Hi ,

I am getting the below error before the installation, in the preparation steps.

Environment :

SAP Solution Manager 7.1 Installation

Database : MSSQL server 2008 R2

OS : Windows Server 2008 R2

Error message : System error message number: '5'. Message: 'Access is denied. '.

Please find attached log file and the error screenshot for more details.

Please suggest

Thanks, Ganesh

Accepted Solutions (1)

giri_ayyagari
Active Participant
0 Kudos

Hi Ganesh

Looks like you need more authorization on AD / local admin. I suggest you check permissions first.

-giri

Former Member
0 Kudos

All,

Yes, the user does not have permission to create users in Active Directory.

I have skipped this step and completed Solution manager installation.

The Windows team is asking for the justification to create this user in Active Directory.

Please suggest on the below:

  • Business requirement for the LDAP user and group (not the technical steps/configuration): why do we need this (LDAP user/group)?
  • What data will be in the LDAP directory?
  • What data will it exchange between SAP systems?
  • Is it mandatory for the SAP Solution Manager environment?

Please suggest.

- Thanks

hasanajsh
Active Contributor
0 Kudos

From the documentation:

**********************************************************************************************************************

You have to perform a domain installation if one of the following applies:

  • You install a system distributed over several hosts.
  • You install a high-availability system with Microsoft Failover Clustering. (Only valid for: HA (MSCS))
  • You want to use Single Sign-On.
  • You use a common transport host for several SAP systems running on different computers.

**********************************************************************************************************************

Matt_Fraser
Active Contributor
0 Kudos

Ganesh,

The LDAP connection is not required for Solution Manager. It's completely optional. The purpose for it is to allow Active Directory to be your user account repository for Solution Manager (and/or other SAP systems) instead of using the ABAP user store, which is the default. You would only do this if you currently use, or plan to use, Active Directory as the user store for your whole SAP landscape. You wouldn't normally do this just for Solution Manager and not for your ERP system, for instance.

Using LDAP and AD for your user strategy is a key decision point when planning your landscape strategy. It's not something you do lightly. You will need to work with your landscape architects and/or project team and overall IT strategists to determine if this is a fit for your organization.

So, the bottom line is it is not mandatory at all. We don't do it here.

We do have some LDAP synchronization between AD and ERP, but we did not extend the AD schema in any way, and we don't use AD to store the SAP user accounts. We just synchronize things like email addresses and organizational data back and forth between AD and the user masters and employee records in ERP. For that, we only needed an AD service account, no schema extension.

Regards,

Matt

Matt_Fraser
Active Contributor
0 Kudos

To follow up on that, however, you most likely will need some AD service accounts to run your SAP systems, including Solution Manager. However, you don't use this LDAP connection task to set that up.

It is possible to not use any AD accounts, only local server host accounts, but this is not recommended. It will cause lots of difficulties.

So, to set up the service accounts, there are two methods. The installation program (SWPM) will do this automatically when installing Solution Manager, but this only works if the person running SWPM is a Domain Admin or has the right to create AD users and groups.

If the installer (i.e., you) doesn't have this privilege, then you can ask that someone who does set up the users and group ahead of time. To do that, there is an installation option in SWPM for creating the users and group in advance, or they can simply be made manually.

It's easy enough to make them manually. Have your Domain Admin create them as follows. In this case, since the SID you are using is SX2, you will need a Global Group created called SAP_SX2_GlobalAdmin (the case is important). Then you will need two users, SAPServiceSX2 and sx2adm (again, case is important). Both users need to be a member of SAP_SX2_GlobalAdmin, as well as Domain Users. Both users need to have the property Password never expires set, and ideally should be set to not run logon scripts upon logon -- in other words, ask your Domain Admin to create them like he/she would create service accounts, not user accounts (though you will be logging onto your server as sx2adm).

That's it. The Domain Admin can put the group and users into whatever OU in your domain fits with the strategy there -- it doesn't matter to SAP, as long as the users are accessible. Then, when you run the installation, you supply the password and SWPM will detect that the users already exist and use them.

By the way, don't run the installer as sx2adm. Run it using a different account with local Administrator privileges to the server (i.e., yourself, perhaps).

Regards,

Matt
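
A read-only pre-flight check for the accounts described in the answer above, as an added example that is not part of the original thread or of SAP's tooling: it queries Active Directory with the ActiveDirectory PowerShell module and reports any deviation from that layout before SWPM is started. The script and its `$Sid` parameter are illustrative; the group and user names follow the SX2 example in the answer.

```powershell
# Added example: read-only pre-flight check of the pre-created SAP accounts.
# Needs the ActiveDirectory module (RSAT); no Domain Admin rights required.
param([string]$Sid = 'SX2')    # SID used in the thread; adjust per system

Import-Module ActiveDirectory -ErrorAction Stop

$groupName = "SAP_${Sid}_GlobalAdmin"
$userNames = @("SAPService$Sid", "$($Sid.ToLower())adm")
$problems  = @()

# AD lookups ignore case, so compare the stored name with -cne explicitly.
$group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'"
if (-not $group) {
    $problems += "Group $groupName does not exist"
} else {
    if ($group.SamAccountName -cne $groupName) {
        $problems += "Group is stored as '$($group.SamAccountName)', case differs"
    }
    if ($group.GroupScope -ne 'Global') {
        $problems += "Group scope is $($group.GroupScope), expected Global"
    }
}

foreach ($name in $userNames) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" `
        -Properties PasswordNeverExpires, ScriptPath, MemberOf
    if (-not $user) { $problems += "User $name does not exist"; continue }
    if ($user.SamAccountName -cne $name) {
        $problems += "User is stored as '$($user.SamAccountName)', case differs"
    }
    if (-not $user.PasswordNeverExpires) {
        $problems += "${name}: 'Password never expires' is not set"
    }
    if ($user.ScriptPath) {
        $problems += "${name}: logon script '$($user.ScriptPath)' is assigned"
    }
    # Domain Users is normally the primary group and never appears in MemberOf,
    # so only the SAP group is checked here.
    if ($group -and ($user.MemberOf -notcontains $group.DistinguishedName)) {
        $problems += "${name} is not a member of $groupName"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Group and both users match the layout; SWPM can be started."
```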

Answers (2)

Matt_Fraser
Active Contributor
0 Kudos

Hi Ganesh,

Most likely this is caused by not having privileges in Active Directory for creating objects (i.e., groups and users). Furthermore, you need the privilege for extending the Active Directory schema to add the SAP LDAP object types. If you aren't a Domain Admin, you may need to have your network administrator or domain administrator run this task for you.

Regards,

Matt

Former Member
0 Kudos

Hello.

Found in log:

d:\depot\bas\720_rel\bc_720-2_rel\gen\optu\ntamd64\ins\sapinst\impl\src\syslib\synxcuser.cpp: 104: CSyUserImpl::CSyUserImpl(PSyUserDataInt, bool)

Account user="GLOBAL\sapldap" does not exist.

Failed action:  with parameters

Error number 207 error type SPECIFIC_CODE

TRACE      2014-10-27 11:50:25.865 [iaxxgenimp.cpp:301]

           CGuiEngineImp::showDialogCalledByJs()

<dialog sid="d_nw_ads_ldap_user_windows_confirm">

<password confirm="true" enabled="true" highlight="false" sid="ldapPassword">

<caption>Password of SAP LDAP User</caption>

<helpitem id="common.PasswordCreateExistsOS"/>

<encrvalue maxlength="14" minlength="5">*****</encrvalue>

</password>

<dialog/>

Please verify if account exists and installation user has rights to create user groups at LDAP.

BR,

K.