Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

Error 11501: Unable to create the database for Symantec Endpoint Protection Manager.

Created: 06 May 2010 • Updated: 12 Nov 2010 | 12 comments

I am receiving the following error during the install of Symantec Endpoint Protection Manager RU6a on Windows Server 2008 R2 with a remote SQL 2005 Server database:

Error 11501: Unable to create the database for Symantec Endpoint Protection Manager. Please click here < http://service1.symantec.com/support/ent-security.... > for more information.

I am receiving this error when I click Next on the Management Server Configuration Wizard page where it asks for the Database server, SQL server port, Database name, etc. I follow the instructions (http://seer.entsupport.symantec.com/docs/330748.htm) and followed the steps exactly because in our environment our SQL administrator must create database:

An existing database must define file groups PRIMARY, FG_CONTENT, FG_LOGINFO, FG_RPTINFO, and FG_INDEX. The user account for database access must have privileges db_ddladmin, db_datareader, and db_datawriter.

I even check the above instructions. It isn’t a port issue (tested with telnet command) or a username and password. I read over the referenced Knowledge Base article, http://service1.symantec.com/support/ent-security...., but there isn’t an issue with the network connectivity between this SEPM and the SQL server and the TCP/IP protocol is not disabled. Any ideas why this is failing?

Comments 12 CommentsJump to latest comment

sandra.g's picture

Is this a 64-bit server?  Is the SQL Client installed on the SEPM server-to-be? Are you local to the server when installing, or using a remote session?  (You probably know how we in Support feel about non-console RDP ;) )

Please upload the installation log (as a file, not as a copy-paste)--there may be a clue in there.  (%temp%\SEPM_INST.log)

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Mudit Kumar's picture

As you mentioned that SQL Server is remote, Check if UAC is disabled on the SQL Server if it is on Windows Server 2008. Alos Make sure that SQL 2005 has atleast SP2 installed.

When you enter the SQL Server name in the Management Server Configuration wizard, make sure you also mention Instance Name
Eg. ServerName\InstanceName.

Thanks & Regards,
Mudit Kumar
 

AravindKM's picture

Using SQL client which is present in the SEPM server are you able to login to remote SQL serer?
Both SEPM server and SQL server are present in the same LAN?

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Scott K.'s picture

Thanks for your suggestions and below are the answers to your questions:
 
- The server that I am trying to install SEPM on is Windows Server Standard 2008 R2, which is 64-bit.
- The SQL client is installed on the server that I am trying to install SEPM on.  Specifically I installed Microsoft SQL Server Native Client and Microsoft SQL Server 2008 Command Line Utilities from http://www.microsoft.com/downloads/details.aspx?FamilyId=228DE03F-3B5A-428A-923F-58A033D316E1&displaylang=en.  Are there any additional software that must be installed?
- Tried the install via RDP and also the local console via VMware.
- The remote SQL Server 2005 does have SP2 and is running on Windows Server 2003 R2 x64.
- Yes, for the SQL Server name I am using <server_name>\<instance_name>.
- Both the SEPM and SQL servers are on the same LAN and subnet.
- I am not aware of how to use the SQL client to login to a remote SQL server.  Can you provide me instructions or link me to some so I can test this?
 
Attached is the installation log as Sandra requested.
 
Please let me if there any more suggestions.

AttachmentSize
SEPM_INST.LOG_.txt 12.24 MB
sandra.g's picture

Did not see any value 3s, which would indicate an install error.

Is traffic on UDP port 1434 allowed bi-directionally between SEPM server and SQL server?

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Scott K.'s picture

I am not sure how to test bidirectional UDP traffic on a port between the server I am trying to install SEPM on and the SQL server. There is nothing that should be blocking this except if the default configuration of the SEP client would block this, but it isn’t in the logs. However I was able to get a little further I think.

I decided to test the user account on the SQL Server with the SQL Server Management Studio and found it would only connect if I used for the Server Name field and \ doesn’t work. So for the SEPM install I used instead of \ and now I receiving the following error:

Initialization of the database failed. A log file has been generated in the following location: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\install_log.err

Attached is this log file.

AttachmentSize
install_log.err_.txt 17.6 KB
Mudit Kumar's picture

Please make sure that Port 1433 is listening both ways from SEPM Server to Remote SQL and from Remote SQL to SEPM Server.

Was SEPM installed with the same SQL before some time as there may be Database entries present there for Sem5 and SEPM is not able to over write. Check in SQL Server it there is any entry  related to Sem5 or try creating a Database with another name.

Thanks & Regards,
Mudit Kumar
 

sandra.g's picture

You could use Portquery from Microsoft to test UDP 1434.

However... your log file says the following:

First it says this:

SqlPropPanel >> CheckDBConnection > Fail to connect to database. Vendor's
error code is [0], SEPM's error code is [11501]. Error message is [Unable
to get information from SQL Server: helios.].

Then it says this (I redacted the first line):

SQL Command: CREATE TABLE BASIC_METADATA( CHECKSUM char(32) NOT NULL, ...[PRIMARY]
SQLState: 42000 Message:
CREATE TABLE permission denied in database 'sem5'.
Vendor: 262
java.sql.SQLException: CREATE TABLE permission denied in database 'sem5'....

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Scott K.'s picture

Using PortQryV2 (http://support.microsoft.com/kb/832919) from Microsoft I have found the SQL Server 2005 is listening with TCP and not UDP on port 1433:
C:\PortQryV2>PortQry.exe -n helios -e 1433 -p both

Querying target system called:

helios

Attempting to resolve name to IP address...

Name resolved to 10.0.176.190

querying...

TCP port 1433 (ms-sql-s service): LISTENING

UDP port 1433 (ms-sql-s service): NOT LISTENING

Also the SQL Server is not listening on port 1434. The “Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control” for RU 6a only states that protocol TCP/IP (and not UDP) and port 1433 (not 1434) are required in chapter 4. Why are you asking about UDP protocol on the SQL Server? Why are you asking about port 1434 on the SQL Server?

There is nothing that is blocking port 1433 on the server that I am installing SEPM. This is the first time we have tried to use a SQL Server with SEPM so there are not database entries from a previous install.

The user account I am using, sem5, has the permission as stated in the installation guide:

The user account for database access must have privileges db_ddladmin, db_datareader, and db_datawriter.

I even used the SQL Server Management Studio and accessed the this database with this user account and password, so I don’t understand why the log files says “permission denied.”

sandra.g's picture

I found one internal note that suggested this might be a cause of this issue if the response while querying UDP 1434 from the SEPM server to the SQL is 'filtered'.  There is no explanation on this note as to why that particular port--I was just throwing it out there as a possibility.

I don't know what else would return the "java.sql.SQLException: CREATE TABLE permission denied" message aside from sem5 not having the db_ddladmin privileges you say it already has.  Sorry. :(

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Scott K.'s picture

Sandra,

So it appears that you are saying is that commutation via UDP 1434 from SEPM to the SQL is required, correct? If that is the case then I will need to work our SQL administrator when he gets back from vacation to see if it is possible to enable port 1434. Is there a better document explaining what is required to use SQL Server than the installation guide?

sandra.g's picture

I'd still recommend the documentation included with SEP for setting up SQL for use as a database.  The information I gave above is about all I have; as I said there no additional explanation as to why UDP 1434 showing as 'filtered' would make a difference one way or another.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!