How do I troubleshoot AWS Replication Agent installation failure on my EC2 Windows instance?

Short description

The AWS Replication Agent must be installed on each source server for both Application Migration Service and Elastic Disaster Recovery. The following are common installation failure errors:

• CERTIFICATE_VERIFY_FAILED
• Downloading of path/AwsReplicationInstaller.exe failed.
• ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host
• No permission to install
• This agent installer is not suitable for the current operating system
• The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.', None, None) Failed to execute script install_agent_windows
• Agent installation fails of freezes when using the "--force-volumes" flag to specify disks

Resolution

CERTIFICATE_VERIFY_FAILED

This error occurs when the AWS Replication Agent installation fails because Amazon root CA certificates are missing. Amazon root CA certificates are required for authentication to the AWS Management Console.

To resolve this error, do the following:

1. Download the necessary Amazon root CA certificates.
2. Import the Amazon root CA certificates to the Trusted Root Certification Authorities folder (LOCAL COMPUTER).

For more information, see Installing the trusted root certificate on the Microsoft Documentation website.

Downloading of path/AwsReplicationInstaller.exe failed

This error indicates networking errors from the source instance when connecting to the following endpoints:

• Application Migration Service endpoints
• Elastic Disaster Recovery endpoints
• Amazon Simple Storage Service endpoints

To troubleshoot connection errors, open PowerShell and perform a Test-NetConnection to the required endpoint in Port 443, as shown in the following example:

Test-NetConnection mgn.us-east-1.amazonaws.com -Port 443

Note: If your on-premises network isn't open to the preceding list of endpoints, then you can install the AWS Replication Agent using PrivateLink. Also, any proxies between the on-premises environment and the required endpoints must be configured under environment variables.

ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host

This error indicates that the client can't handshake with the Elastic Disaster Recovery endpoint. Handshake with the Elastic Disaster Recovery endpoint fails if the client attempts to perform a TLS 1.0 connection. Most AWS endpoints only work with the TLS 1.2 protocol.

To resolve this error, do the following:

1. Make sure that TLS 1.2 is turned on for the server and client subkey.
2. Make sure that TLS1.0, TLS1.1, and other SSL versions are turned off through the registry.
3. Restart the server and try the installation again.

For more information, see Configuring registry settings for TLS 1.2 on the Oracle documentation website.

No permission to install

This error might occur when the user attempting to install the AWS Replication Agent is missing administrator domain permissions. This error might also occur if an anti-virus software is blocking the installation process.

To resolve this error, do the following:

1. Open a command prompt or PowerShell with administrator rights.
2. Add C:\Program Files (x86)\AWS Replication Agent\ to the allow list directory in the anti-virus software.
   Note: You can temporarily turn off the anti-virus software and test the installation to determine if the installation is being blocked.

This agent installer is not suitable for the current operating system

This error might occur due to the wrong agent being installed for the current source machine operating system. Microsoft Windows Server versions 2003, 2003 R2, and 2008 (except 2008 R2) use a unique version of the AWS Replication Agent that's only valid for legacy Windows operating systems (AwsReplicationWindowsLegacyInstaller.exe). The download location is https://aws-application-migration-service-region.s3.amazonaws.com/latest/windows_legacy/AwsReplicationWindowsLegacyInstaller.exe.

Note: Replace region with the AWS Region that you're replicating to.

Agent installation failed with "Unexpected Error"

This error might occur due to invalid credentials or user credentials that are missing necessary permissions.

To resolve this error, make sure that the AWS Identify and Access Management (IAM) role exists and has the correct policies attached. For more information, see the following:

• AWS managed policies for Application Migration Service
• Elastic Disaster Recovery initialization and permissions

If the permissions are correct and you still receive the error, review the installation logs to further troubleshoot the issue. The installation logs are located in install_path\aws_replication_agent_installer.log.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.', None, None) Failed to execute script install_agent_windows

The AWS Replication Agent depends on the Windows Management Instrumentation (WMI) service. WMI is the infrastructure for management data and operations on Windows-based operating systems.

The following is an example of the failure log showing the Failed to execute script error:

Traceback (most recent call last):
  File "install_agent_windows.py", line 28, in <module>
  File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
  File "installer_utils\__init__.py", line 5, in <module>
  File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
  File "installer_utils\cloud_utils.py", line 34, in <module>
  File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
  File "installer_utils\instance_id_utils.py", line 41, in <module>
  File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
  File "site-packages\wmi.py ", line 157, in <module>
  File "site-packages\win32com\client\__init__.py", line 72, in GetObject
  File "site-packages\win32com\client\__init__.py", line 87, in Moniker
pywintypes.com_error: (-2147023838, 'The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.', None, None)
Failed to execute script install_agent_windows"

To resolve this error, turn on the WMI service in the source machine. For more information, see the following:

• Windows Management Instrumentation on the Microsoft Documentation website
• Setting up a remote WMI connection on the Microsoft Documentation website

Agent installation fails or freezes when using the "--force-volumes" flag to specify disks

This error might occur when attempting to install when disks aren't described in the correct order. When the --force-volumes flag is invoked, include the root disk as the first disk on the list, as shown in the following example:

installer_windows.exe --no-prompt --force-volumes -t <TOKEN> --drives="\\?\PhysicalDisk1,\\?\PhysicalDisk2,\\?\PhysicalDisk3,\\?\PhysicalDisk4"

Note: Use the wmic diskdrive list brief command in PowerShell to locate disk names.

Related information

Troubleshooting agent issues