5 Replies Latest reply on Mar 14, 2012 3:46 PM by jjcopela

    RCS-Backup.ps1 issue


      Hi, I’m having the following problem:


      When I try and do a backup using the RCS-Backup.ps1 PowerShell script included in the SCS 7.1 download the backup fails.


      After turning on debugging in the script I identified the following error:

      C:\Documents and Settings\All Users\Application Data\Intel_Corporation\RCSConfServer\scsadmin.dat Does not exist (or permissions problem).


      This refers to the following file: scsadmin.dat — Contains a record for each system configured using Intel SCS 5.x/6.x and the password of its default Digest admin user. This file only exists if the admin passwords were migrated from Intel SCS 5.x/6.x.


      I do not have this file in the RCSConfServer directory as I did not do an upgrade/migrate from an earlier versions, I did a clean install of V7.1.


      The syntax I’m using is as follows:

      .\RCS-Backup.ps1 -Operation Backup -Password "********" -Profiles "D:\SOURCE\vPro\vpro powershell\Backup\profiles.bak" -PSK "D:\SOURCE\vPro\vpro powershell\Backup\PSK.bak" -Cred "D:\SOURCE\vPro\vpro powershell\Backup\cred.bak" -DMP "D:\SOURCE\vPro\vpro powershell\Backup\dmp.bak" -SkipUserVerification $True


      However, if I remove the –cred parameter I still get the same error.


      Any assistance will be greatly appreciated.


      Many thanks


        • 1. Re: RCS-Backup.ps1 issue

          Hi, further to this, I've created an empty scsadmin.dat file in the directory, now I'm getting a different error:


          PS D:\SOURCE\vPro\vpro powershell> .\RCS-Backup.ps1 -SkipUserVerification $True

          DEBUG: RCS-Backup: backup with "D:\SOURCE\vPro\vpropowershell\Backup\prof.bak", "D:\SOURCE\vPro\vpropowershell\Backup\psk.bak" [ ]

          DEBUG: RCSServer's status is Running

          DEBUG: RCSServer's status is Running

          DEBUG: Stopping RCSServer .

          DEBUG: Waiting for RCSServer to be Stopped

          DEBUG: RCSServer's status is Stopped

          DEBUG: RCSServer's start mode is Auto

          DEBUG: RCSServer Disabled

          DEBUG: DpDecrypt-File: C:\Documents and Settings\All Users\Application Data\Intel_Corporation\RCSConfServer\Profile.xml start

          ConvertTo-SecureString : Key not valid for use in specified state.


          At D:\SOURCE\vPro\vpro powershell\RCS-Backup.ps1:361 char:32

          +     $sstr = ConvertTo-SecureString <<<<  ([BitConverter]::ToString($ba) -replace ('-',''))

             + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException

             + FullyQualifiedErrorId :ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand


          DEBUG: DpDecrypt-Bytes: could not be decrypted.Exception:Value cannot be null.

          Parameter name: s

          DEBUG: Exception caught:21

          DEBUG: RCSServer's start mode is Disabled

          DEBUG: RCSServer Auto

          DEBUG: Restarting RCSServer


          I also get the above error when #blocked out any references to scsadmin.dat file.



          • 2. Re: RCS-Backup.ps1 issue

            Hi Pierre,

            Thanks for the post. I will look into this and see what is happening.



            • 3. Re: RCS-Backup.ps1 issue

              Hi Josh, I found some part of the solution to the problem.


              If you register the RCS Service under a local or domain user account during installation and run the backup script under this account the backup is successfull. However if you register the RCS Service under the Network Service system account (most secure) you cannot do a backup.


              I've trawled through the Intel Setup and configuration Service - User Guide a few times and I found the following:


              On page 27 the guide tells you that you can run the RCS using a built-in Security account, extract below:


              • You can also run the RCS using a built-in security account. To do this, enter “Network Service” in the Username field or click Browse to select it. If you want to use this account, see “Using the Network Service Account” on page 30.
              • The user you select to run the RCS must have a password (unless it is the Network Service user account).


              On page 30 it informs you that using this account is the most secure option, extract below:


              The Windows operating system includes a built-in security account named “Network Security”. During installation of the RCS you can select this account to run the RCS. When the RCS runs under this account, the RCS communicates on the network using the credentials of the computer running the RCS. This can increase security because it is not easy to impersonate a computer.


              To do a succesfull backup using the Network Service account it states on page 31 you need to create a task in Task Scheduler that runs under the Network Service account, extract below:


              Backup User Verification
              Make sure that you run the backup using the Network Service account. To do this, you can create a task in Task Scheduler that runs under the Network Service account. If you use the RCS-Backup.ps1 Powershell cmdlet, make sure that you use the -SkipUserVerification parameter.


              However, to be able to schedule a task with task scheduler to run under the "NT AUTHORITY\NETWORKSERVICE" account you require Task Scheduler 2.0. see URL: http://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx - extract


              /RU username

              A value that specifies the user context under which the task runs. For the system account, valid values are "", "NT AUTHORITY\SYSTEM", or "SYSTEM". For Task Scheduler 2.0 tasks, "NT AUTHORITY\LOCALSERVICE", and "NT AUTHORITY\NETWORKSERVICE" are also valid values.


              Task Scheduler 2.0 is only available on Windows 2008 and Windows Vista, see URL: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383614(v=vs.85).aspx - extract


              The Task Scheduler requires the following operating systems.

              • Task Scheduler 1.0: Client requires Windows Vista, Windows XP, Windows 2000 Professional, Windows Me, or Windows 98. Server requires Windows Server 2008, Windows Server 2003 or Windows 2000 Server.
              • Task Scheduler 2.0: Client requires Windows Vista. Server requires Windows Server 2008.


              In my environment I've installed RCS on a Windows 2003 server, therefore I'm not able to run the backup under the NT Authority\NetworkService account due to the version of Task Scheduler.




              • 4. Re: RCS-Backup.ps1 issue

                Hi Pierre,

                Thank you for the follow-up, I will be sure to feed this back to the development team and let them know you found the cause.



                • 5. Re: RCS-Backup.ps1 issue

                  Hi Pierre,

                  After your post, I received some additional information from the development team:


                  • If you don’t have an admin password file DON’T add dummy.(it will fail…) delete the dummy file and try to run
                  • “.\RCS-Backup.ps1 -Operation Backup -Password "********" -Profiles "D:\SOURCE\vPro\vpro powershell\Backup\profiles.bak" -PSK "D:\SOURCE\vPro\vpro powershell\Backup\PSK.bak" -DMP "D:\SOURCE\vPro\vpro powershell\Backup\dmp.bak"
                  • Please make sure that the user that run this script is the same as the RCS service user and on the same machine as the RCS.(we use Kerberos DPAPI decryption)
                  • “Key not valid for use in specified state.” Is a Microsoft error returned from the decryption function. Please verify that your client is sync with you AD(no trust issues)
                  • This post : ” http://www.sitefinity.com/devnet/forums/sitefinity-4-x/general-discussions/key-not-valid-for-use-in-specified-state.aspx ” have some suggestions that helped them.(don’t forget to backup before deleting anything)


                  Thanks again for your follow-up