Thursday, April 3, 2014

Quick Tip: Installing System Center 2012x? Use UPN’s Instead Of User Logon Names

Issue
When installing any System Center 2012x component it’s better to use the User Principal Name (UPN) for the required service accounts instead of the User Logon Name. The UPN will be resolved successfully without any issues at all.

However, under certain circumstances, when using the User Logon Name you might bump into this error message while trying to install a SC 2012x component, like SCOM 2012 R2:
image

And every time you’re 100% sure you entered the correct credentials! And you know what? You’re right. But there’s something else happening here.

Cause
When your SC 2012x service accounts do have User Logon Names with more than 20 characters and during the setup phase of the SC 2012x component you enter the User Logon Name (20+ characters) this error will pop up.

This isn’t a fault in the installer of the related SC 2012x component nor an AD fault. It’s just the way how AD works. You can logon to AD by using the UPN or the pre-Windows 2000 logon name. As long as your accounts are 20 characters or less, you won’t bump into this issue. But when your accounts are 20+ characters, you’ll hit this brick wall.

Example
Let’s take a closer look at an AD account with 21 characters, for example svc_scom2012r2_action.

In AD the Account properties of this account look like this:
image

Because the account name has 21 characters, the pre-Windows 2000 name lacks the last character, the ‘n’ of ‘action’. And that’s a whole different account for AD!

Since AD accepts only TWO types of user name logon names (UPN or pre-Windows 2000) the full blown service name (svc_scom2012r2_action) won’t fly, since it’s neither a UPN nor the pre-Windows 2000 account. Therefore the account can’t be authenticated and will be refused by the DC.

Solution
Instead of checking the total amount of characters of each account to be used for your SC 2012x installation, it’s far more better to use the UPN instead. This will save you a lot of time and frustration Smile.

Example
So in the case of the svc_scom2012r2_action account, the UPN is svc_scom2012r2_action@sc.local. This can be found in the Account properties of the related account as well:
image

So when installing any SC 2012x component this UPN will accepted since the DC can resolve these credentials.

Recap
When installing any SC 2012x component use UPNs and you’ll save yourself some time troubleshooting installation issues.

No comments: