ITAA 2023 on domain controller

Hello to everyone,

After succeeding with the small problem described in this topic, "SP2023 in AD domain - WinPlatform deployed but can't go on-scan. Are there special requirements for network account, global/local security policies?", I have another question.

When I tried to install InTouch Access Anywhere on a domain controller from the SP2023 installation, as the product InTouch Access Anywhere Server and Runtime, the installer asked for a Network Account but did not accept the domain user I use on the other nodes, with an error that the domain was not found. So I decided to provide a local user, install, and change the Network Account later. The installation started but failed at the step of registering the aaLogger service because of insufficient rights. I started the installation again and again, but the Network Account was never asked for after the first unsuccessful attempt.

How can I revert and force the installation to ask for the Network Account? Isn't it supported to provide a domain name and domain user in the Network Account dialog box when running directly on a domain controller?

Many thanks in advance.

Parents
  • Hi! I have been experiencing a similar issue as well: if you move on past the assignment of the Network Account credentials and abort the installation, I found no way of getting the prompt back. Aborting and repeating the installation will not ask for the Network Account credentials ever again.

    The only way to change credentials in this case is to finalize the installation and change the Network Account after the installation is completed, using Change Network Account.

    But in the description of your issue you state that this is your intention, since the installation fails.

    The thing is that the user you enter as the Network Account is not related to the installation itself (or should not be).

    So make sure that the user that is logged in when starting the installation has sufficient rights; also please review the Windows Event Log to see if it gives an idea of what is failing.

    Lastly, I recall that most AVEVA products do not support being installed on the same node as a Domain Controller, but I'm not sure about InTouch Access Anywhere; this has to be checked.

  • My bad. Perhaps it's only the GR Node that does not support being installed on a Domain Controller.

  • Hello Richard,

    Thank you very much for reply. 
    The problem is that I can't finish the installation because aaLogger can't be started. The user under which I started the installation is the domain administrator, under which I installed SP on other nodes connected to this domain. I found a few keys (Wonderware, AVEVA, ArchestrA) in the Registry and deleted them, but it doesn't help bring the Network Account dialog back. So there must be something else where the installation has remembered the NA user. Good idea about anonymous logon in Secpol; I will check it. Maybe some other security settings might be helpful? Or uncheck aaLogger in the installation options, if that is possible, to finish the installation. Or maybe there are some option switches to run setup.exe with?
    By the way, do you know if it is right that Change Network Account doesn't accept the name of the domain if one starts the installation on a Domain Controller?

    Yes, I know the note about GR on a domain controller but never tried it. I will definitely do it just to check if it is really not possible :)

    Thanks. 

  • This issue is interesting, and I must try and see what happens if I set up a Domain Controller and install SP.

    I also went down the rabbit hole of trying to delete reg keys and files to get the prompt back, but with no success. I even tried to monitor what files and reg keys are created at the point of that prompt, but I guess, in all the ways of making the software secure, only AVEVA knows what goes on at that step.

    It cannot be just a simple reg key or file, since that would be a good attack vector for any malicious user to monitor in order to capture this information.

    I will let you know the results of my test of installing ITAA on a domain controller in my lab environment.

  • A thing came to my mind.

    Is your domain administrator named 'Administrator'?

    I recall some issues with using a domain user with the same name as an existing local account.

    What I mean is that I know there are issues when you have a local account created, let's say named Richard.

    This would then be LocalComputerName\Richard as the user name, and the same user name exists in the domain, mydomain\Richard.

    This could cause some issues if used as the Network Account.

    Please try to create a unique domain user and use this as the username for the AVEVA Network Account.

    But I guess, since you are stuck in a scenario where you cannot get the prompt again and are unable to finalize the installation, you are in a challenging situation.

    I would create a new domain user that is a local admin and use this to try and complete the installation.
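    The checks suggested in the replies above (installing from a sufficiently privileged session, looking for a local/domain account name collision, and reading the Windows Event Log for the failed service registration) can be run in one go before retrying the install. The following is an added example, not AVEVA's code or anything from the original thread; it assumes the service's short name is `aaLogger` (the thread only names it that way) and that the candidate Network Account is `SPAdmin`.

```powershell
#Requires -RunAsAdministrator
# Added pre-checks for retrying a System Platform / ITAA install on a domain
# controller. Example code, not AVEVA's. Assumptions: the service short name is
# 'aaLogger' and the candidate Network Account is 'SPAdmin'.

$NetworkAccount = 'SPAdmin'    # assumed candidate AVEVA Network Account
$ServiceName    = 'aaLogger'   # assumed service short name
$Since          = (Get-Date).AddHours(-2)

function Test-InstallerSession {
    # The install must run from an elevated session of an account that is an
    # Administrator on this node; the Network Account is a separate identity.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        InstallingAs = $id.Name
        Elevated     = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Find-SameNameAccounts {
    param([string]$Name)
    # A local account and a domain account with the same user name is the
    # collision the reply above warns about. On a member server both lookups
    # can succeed; on a domain controller there is no local SAM, so
    # Get-LocalUser is expected to fail and only the AD result is returned.
    $found = @()
    try {
        $found += Get-LocalUser -Name $Name -ErrorAction Stop |
            ForEach-Object { "$env:COMPUTERNAME\$($_.Name)" }
    } catch { }
    try {
        $found += Get-ADUser -Filter "SamAccountName -eq '$Name'" -ErrorAction Stop |
            ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }
    } catch { }
    $found
}

function Get-InstallFailureEvents {
    # Service Control Manager: 7045 = service installed, 7000 = failed to start,
    # 7009 = start timeout, 7023 = terminated with error. MsiInstaller: every
    # Critical/Error/Warning record (Level below 4) in the install window.
    $scm = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7000, 7009, 7023, 7045; StartTime = $Since
    } -ErrorAction SilentlyContinue
    $msi = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Level -lt 4 }
    @($scm) + @($msi) | Where-Object { $_ } | Sort-Object TimeCreated |
        Select-Object TimeCreated, ProviderName, Id, Message
}

Test-InstallerSession | Format-List
$dupes = Find-SameNameAccounts -Name $NetworkAccount
"Accounts named '$NetworkAccount': $($dupes -join ', ')"
if ($dupes.Count -gt 1) {
    Write-Warning "Same user name exists locally and in the domain; use a unique domain user instead."
}
Get-InstallFailureEvents | Format-Table -Wrap
# If registration got far enough to create the service, show how it was configured.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartName, PathName
```

    Run it in the same elevated session you intend to launch setup.exe from; `Get-ADUser` needs the ActiveDirectory module, which is present on a domain controller. A 7045 followed by a 7000 or 7023 for the service tells you registration succeeded and start-up failed, which is a different problem from registration being refused outright.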


Children
  • I can at least confirm that I am unable to use the domain account "Administrator" on the domain controller.

    And I could reproduce the issue of services failing to start upon installation, but in my case it was the AVEVA Agent Watchdog Service.

    This was with the usage of the Administrator domain admin account.

    I need to do some more testing to find a workaround, but at least you know it is reproducible and nothing personal ;)

  • Hello  

    Thank you very much for your reply.

    The user under which I log on to the domain controller is the domain administrator and really has the name Administrator. But for the Network Account I use another domain user, SPAdmin, also with administrative rights.

    Finally I finished the installation with PDF documents only, via Customize installation and de-selecting everything but the PDFs. After that I removed System Platform and thought that I now had a clean PC and could start the installation anew and provide another Network Account. But in the new installation the Network Account dialog didn't appear. This means one has only one attempt to install System Platform components.

    Taking into account the previous experience, I tried to install the ITAA server on the domain controller of another test domain. As the domain name was not accepted in the Network Account dialog in the previous installation, this time in the Network Account dialog I provided the name of the machine (not the domain name), a new user SPAdminloc with password, and checked "Create local account". The local account SPAdminloc was created as a domain user (if I understand right, a domain controller has no local users), and the installation continued and finished successfully. So, if the installation begins on a domain controller, one has to provide the machine name (not the domain) and Create local account. Later, after installation, I changed the Network Account from machine name and SPAdminloc to domain name and SPAdmin, as it is used on the other nodes, and the Change Network Account dialog accepts this normally. Not sure if it is by design.

    After that I ran Configure with a connection to the existing SMS. The certificate from the existing SMS was downloaded and installed, but configuration failed because the needed ports (80 and 443) are occupied by someone else.

    Netsh tells me that these ports are reserved by ArchestraWebHosting.

    If I redefine the ports via Advanced, configuration also fails, but with the error

    Just to be sure that the problem is not in the Network Account, I changed it on the SMS and the domain controller to the user SPAdminloc; it doesn't help, same result.

    So, the challenge still goes on, but I'm out of ideas.

    Thanks.
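    The "ports 80 and 443 are occupied" failure above has two distinct causes that netsh does not separate for you: a process actually listening on the port, or an HTTP.sys URL reservation (a permission grant on a URL prefix) that blocks a new binding even when nothing is listening. The following is an added example, not AVEVA's code or anything from the thread; it assumes nothing beyond the built-in NetTCPIP module and `netsh http`.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic for the "ports 80 and 443 are occupied" failure described
# above. Example code, not AVEVA's. It separates a live listener on the port
# from an HTTP.sys URL reservation (what 'netsh http show urlacl' reports),
# which can block a new binding even when nothing listens.

$Ports = 80, 443

function Get-PortListeners {
    param([int[]]$Port)
    # Live TCP listeners and the process owning each one.
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                PID     = $_.OwningProcess
                Process = $p.ProcessName
                Path    = $p.Path
            }
        }
}

function Get-UrlReservations {
    param([int[]]$Port)
    # Parse 'netsh http show urlacl' into objects: one per reserved URL prefix,
    # with the accounts granted rights on it. Only prefixes on the given ports
    # are returned.
    $entries = @()
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match 'Reserved URL\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
            $entries += $current
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    $pattern = ':(' + ($Port -join '|') + ')/'
    $entries | Where-Object { $_.Url -match $pattern }
}

function Get-SslBindings {
    # SSL certificate bindings held by HTTP.sys; on a successful configuration
    # this is where a certificate ends up bound to 443.
    netsh http show sslcert |
        Select-String -Pattern 'IP:port|Hostname:port|Certificate Hash|Application ID'
}

'--- Live listeners ---'
Get-PortListeners -Port $Ports | Format-Table -AutoSize
'--- HTTP.sys URL reservations on these ports ---'
Get-UrlReservations -Port $Ports |
    Format-Table Url, @{ n = 'Users'; e = { $_.Users -join ', ' } } -AutoSize
'--- SSL bindings ---'
Get-SslBindings
```

    Compare the first two sections: a port that appears only under reservations is held by an ACL, not a running service, and the account shown under Users is the identity the reservation was granted to. That distinction decides whether the fix is stopping or reconfiguring a service, or removing a reservation with `netsh http delete urlacl`.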
