MQ

 View Only

 NetLocalGroupGetInfo() failed with NERR_NotPrimary

John Hawkins's profile image
John Hawkins IBM Champion posted Wed September 10, 2025 05:52 AM

Hi Folks,

Intermittently we have an MQ (windows) server which loses security. We can't login to it in explorer - it registers the usual "Not authorised" to connect to QM etc. It looks like the APPConnect running against it it is fine - and its just runmqsc et al and Explorer that fail *(perhaps - haven't/can't prove) 

The only way out of this is to reboot the QM - then all is well again.

I see a few repeating FDC but none that I can see in google. These appear in patches and have appeared ever since the QM has been in service (4 years by the looks of it). The QM is directly authenticating against LDAP and not the OS.

XY200003 xgmWriteNTEventLog          xecF_E_UNEXPECTED_SYSTEM_RC   OK                                             WinNT error 1722 from RegisterEventSource.

(multiple of that above usually)

XC721015 xcsCreateFile               xecF_E_INVALID_PARAMETER      OK                                    3

xecF_E_UNEXPECTED_RC          MQRC_Q_SERVICE_INTERVAL_HIGH       2226        NetLocalGroupGetInfo() failed with NERR_NotPrimary

(is the above the interesting one??)

XC188022 xstSpinOffServer            xecS_E_NOT_CONNECTED          OK                                       24856 Unexpected error waiting for UKIEACEQMD process(amqxssvn.exe): [errorCode=0]                The operation completed successfully.

(completed succesfully but an FDC?)

And variations on that ordering.

Not sure if this is related but... Does the MQ wizard always create a DOM resource in dcomcnfg? I can't see an MQ Explorer object in there - does this mean the wizard never ran and that we may have a badly configured domain relationship? but why would that lead to intermittent errors and not permanent ones?

The MQ service is running using a domain userId with the require permissions (I believe they are correct - I can't actually see them myself)

Any thoughts anyone??

many thanks, as always !

John.

Morag Hughson's profile image
Morag Hughson IBM Champion posted Wed September 10, 2025 07:51 AM

Have you raised a case with IBM John? 

John Hawkins's profile image
John Hawkins IBM Champion posted Wed September 10, 2025 10:23 AM

We have - we're going down the route of the domain user - I can't believe the issue is that. So, I figured I'd reach out to the group as well :-) i suspect this is an underlying domain/win config issue - but, I specifically would like to understand why I don't see the DOM resource in dcomcnfg if anyone could help there and does it matter?

cheers

Francois Brandelik's profile image
Francois Brandelik IBM Champion posted Thu September 11, 2025 03:35 AM

Was the domain user ever configured using the MQ Configuration Wizard, or just set on the service manually?

This might explain a misconfigured dcom layer...

Looking at NetLocalGroupGetInfo() failed with NERR_NotPrimaryI would make sure that the user doing the LDAP lookup has the right rights to access the Windows LDAP...

John Hawkins's profile image
John Hawkins IBM Champion posted Thu September 11, 2025 04:28 AM

Hi Francois - I don't know if the wizard was run or not . What I would like to know is what effect it might have in this case - anyone know what the DCOM layer configuration does?

Because the issue is intermittent and the FDC are sporadic then the user rights don't seem to be the issue IMO?

update: I've just run the wizard and there is still no DCOM object for MQ - is that normal?

Francois Brandelik's profile image
Francois Brandelik IBM Champion posted Fri September 12, 2025 10:27 AM

Used to be that to run MQ correctly in AD you had to do several things:

  • Have a Service user able to read GroupMembership and GroupMembershipSAML at the domain level
  • Set the 7 local user rights assignments
  • Add the service ID to local admins and local mqm groups
  • run the MQ Config Wizard
  • add the Security Stanza for GroupModels=GlobalGroups

As I understand it, the MQ Config Wizard used to config the DCOM layer. Don't know if that is still being done in 9.4

You are using LDAP instead of windows authentication... so make sure the connection to the LDAP servers are solid and the userid connecting to LDAP has all the necessary rights on the LDAP directory. Could it be that the rights are insufficient for a specific group, hence the  error message? And looking at the error it seems that the system is complaining that the installation is not the primary installation when trying to retrieve local group membership? Is the service id member of the local admins?  Is it running in the correct context (setmqenv ?)

Hope it helps...

John Hawkins's profile image
John Hawkins IBM Champion posted Tue September 16, 2025 06:33 AM

Thanks Francois,

just done a clean install with someone else and it looks like DCOM objects aren't created any more - or the install/wizard screwed up :-)

I'd like to clarify the use of mqenv though - if you can help?

setmqenv sets the environment in a specific shell.

So, if the user is say, musr_admin - then what context are they running and what env vars do they need setting? I'd have thought that MQ would solve that problem for me when it creates the user or runs the wizard. But, looking at the win registry, e.g. musr_mqadmin doesn't seem to have any mq specific vars in its environment.- but it's running the service.

so, does it need any env setting for the service - I assume not !?

cheers for your help !

Morag Hughson's profile image
Morag Hughson IBM Champion posted Tue September 16, 2025 07:50 AM

I can't reply to your latest post, only seem to be able to reply to the first post. Hopefully the context will still make sense.

From IBM WebSphere MQ 7.1.0, the amqmsrvn.exe DCOM process is replaced by a Windows service, amqsvc.exe. (see here).

amqsvc.exe launches the amqpsrvn.exe process, so in the next step you might want to take a look at both of them.

If you're unsure what environment is associated with a process take a look using the following PowerShell command:

(Get-Process -id 9984).StartInfo.EnvironmentVariables

I don't know enough about domain users to help with your main question, but hope this answer some of your minor questions.

Cheers,
Morag

Francois Brandelik's profile image
Francois Brandelik IBM Champion posted Tue September 16, 2025 08:30 AM

Hi John,

It looks like you might have multiple installations on the same machine, or none has been made primary.

Look at the setmqinst -i command. At least one of the installations should be made primary so that most environment variables are present when the service runs. The service will be able to use other installations, not necessarily the one corresponding to the default environment.

To check which version is primary you can run dspmqver -i . Please note that if running under SYSTEM you can have domain users authenticate that are in the local groups. With MUSR_MQADMIN only local users and local groups can authenticate.

To use against a specific qmgr run call setmqenv -m QMNAME in the command file, or interactively in the command shell, so that your environment is setup for the installation running this qmgr.

Also make sure the qmgr is running as service or startup automatic. Otherwise (running as interactive) it will be shutdown the moment you logoff.

Hope it helps

John Hawkins's profile image
John Hawkins IBM Champion posted Tue September 16, 2025 12:36 PM

Morag - you're the fount that keeps giving - thanks for the dcom info !

Nice powershell command - and there was i thinking  you only worked in zOS ;)

Cheers !

Re interface- yurp, think they changed the interface a while ago - lost the 'reply' button.

Related Content