
How do I troubleshoot AWS Replication Agent installation failures on my Windows server?


The AWS Replication Agent installation for AWS Application Migration Service or AWS Elastic Disaster Recovery failed. I use an Amazon Elastic Compute Cloud (Amazon EC2) instance that runs Microsoft Windows, or an on-premises machine that runs Windows Server.

Short description

You must install the AWS Replication Agent on each source server for both Application Migration Service and Elastic Disaster Recovery. You might encounter the following installation failure errors:

  • "CERTIFICATE_VERIFY_FAILED"
  • "Downloading of path/AwsReplicationInstaller.exe failed."
  • "ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host"
  • "invoke-webrequest : The underlying connection was closed: An unexpected error occurred on a send."
  • "No permission to install"
  • "This agent installer is not suitable for the current operating system"
  • "Agent installation failed with "Unexpected Error""
  • "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.', None, None) Failed to execute script install_agent_windows"
  • "Agent installation fails or freezes when using the "--force-volumes" flag to specify disks"
  • "[WinError 740] The requested operation requires elevation"
  • "MissingDotNetVersionException"
  • "UninitializedAccountException"
  • "AccessDeniedException"

Resolution

Take the following troubleshooting actions based on the error that you receive.

"CERTIFICATE_VERIFY_FAILED"

This error occurs when the AWS Replication Agent installation fails because there are no Amazon root certificate authority (CA) certificates. You must have Amazon root CA certificates to authenticate to the AWS Management Console.

To resolve this error, complete the following steps:

  1. Download the Amazon root CA certificates.
  2. Import the Amazon root CA certificates to the Trusted Root Certification Authorities folder. For instructions, see Installing the trusted root certificate on the Microsoft website.


"Downloading of path/AwsReplicationInstaller.exe failed"

This error means that there were networking errors from the source instance when it connected to the following required service endpoints:

To troubleshoot connection errors, open PowerShell, and then run the following commands to test the port 443 connection to each endpoint.

Amazon S3:

Test-NetConnection s3.us-east-1.amazonaws.com -Port 443


Application Migration Service:

Test-NetConnection mgn.us-east-1.amazonaws.com -Port 443

Elastic Disaster Recovery:

Test-NetConnection drs.us-east-1.amazonaws.com -Port 443

Note: Replace us-east-1 with the AWS Region that you use for Application Migration Service or Elastic Disaster Recovery.

You must also configure all proxies between the on-premises environment and the required endpoints for Application Migration Service or Elastic Disaster Recovery.

If your on-premises network isn't open to the required service endpoints, then use AWS PrivateLink to install the agent for Application Migration Service or Elastic Disaster Recovery.

"ConnectionResetError: [WinError 10054]" or "invoke-webrequest : The underlying connection was closed"

These errors occur when the client can't handshake with the Application Migration Service or Elastic Disaster Recovery service endpoint. This issue occurs when the client tries to connect with TLS 1.0 or TLS 1.1. Most AWS endpoints work with only the TLS 1.2 protocol.

To resolve this issue, take the following actions:

  • Activate TLS 1.2 for the server and client subkey.
  • Deactivate TLS 1.0, TLS 1.1, and other SSL versions through the registry.

For instructions, see Configuring registry settings for TLS 1.2 on the Oracle website.

After you change your TLS settings, restart the server, and then retry the installation.
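
To see what the registry says before and after the change, the following read-only PowerShell lists the Enabled and DisabledByDefault values under the SCHANNEL Protocols key. It is an added example, not part of the original article; the function name Get-SchannelProtocolState is an assumption, and a value that isn't set means the operating system default applies.

```powershell
# Added example (read-only): reports SCHANNEL protocol settings, changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {   # hypothetical helper name
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $v = Get-ItemProperty -Path "$base\$proto\$role" -ErrorAction SilentlyContinue

            # Enabled: 0 = off, any non-zero DWORD = on, absent = OS default.
            $state = 'not set'
            $dbd   = $null
            if ($null -ne $v) {
                $dbd = $v.DisabledByDefault
                if ($null -ne $v.Enabled) {
                    if ($v.Enabled -eq 0) { $state = 'disabled' } else { $state = 'enabled' }
                }
            }

            # Goal from the steps above: TLS 1.2 on, everything older off.
            $wanted = 'disabled'
            if ($proto -eq 'TLS 1.2') { $wanted = 'enabled' }

            $action = 'change'
            if ($state -eq $wanted)       { $action = 'ok' }
            elseif ($state -eq 'not set') { $action = 'check OS default' }

            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $state
                DisabledByDefault = $dbd
                Wanted            = $wanted
                Action            = $action
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```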

When you use Invoke-WebRequest to download the agent installer, you encounter errors if you use outdated security protocols. This issue occurs when the target endpoint requires TLS 1.2, but the client's script or session doesn't enforce this protocol.

To enforce TLS 1.2, run the following command:

[System.Net.ServicePointManager]::SecurityProtocol = 'TLS12'

Then, retry the installation.
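
The port test and the TLS 1.2 requirement described above can be checked in one pass. The following PowerShell is an added example, not part of the original article; the function name Test-Tls12Endpoint and the $Region parameter are assumptions. It connects to port 443 on each endpoint and forces a TLS 1.2 handshake with default certificate validation, so a blocked port, a protocol failure, and an untrusted certificate chain each produce a different error.

```powershell
# Added example: per-endpoint TCP 443 + TLS 1.2 handshake check.
param([string]$Region = 'us-east-1')   # replace with the Region that you use

function Test-Tls12Endpoint {          # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
    $r = [ordered]@{ Host = $HostName; TcpOpen = $false; Tls12 = $false; Issuer = $null; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $r.TcpOpen = $true

        # Default validation stays on: a missing Amazon root CA fails here
        # with a certificate error rather than a connection reset.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)

        $r.Tls12  = ($ssl.SslProtocol -eq $tls12)
        $r.Issuer = $ssl.RemoteCertificate.Issuer
    }
    catch {
        # Unwrap to the innermost exception so the real cause is shown.
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        $r.Error = '{0}: {1}' -f $e.GetType().Name, $e.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$r
}

# Endpoint prefixes taken from the Test-NetConnection commands above.
's3', 'mgn', 'drs' |
    ForEach-Object { Test-Tls12Endpoint -HostName ('{0}.{1}.amazonaws.com' -f $_, $Region) } |
    Format-List
```

TcpOpen false points to a firewall or proxy issue, TcpOpen true with an error points to the TLS or certificate settings on the source server.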

"No permission to install"

This error occurs when the user that installs the AWS Replication Agent doesn't have administrator domain permissions. This error also occurs if antivirus software blocks the installation.

To resolve this error, take the following actions:

  • Open the command prompt or PowerShell as an administrator.
  • Add C:\Program Files (x86)\AWS Replication Agent\ to the allowlist directory in your antivirus software.
    Note: To check whether the antivirus software blocks the installation, temporarily deactivate it when you install AWS Replication Agent.

"This agent installer is not suitable for the current operating system"

This error occurs when you install the wrong AWS Replication Agent version for the current source machine's operating system (OS). Windows Server versions 2003, 2003 R2, 2008, 2008 R2, 2012, and 2012 R2 use a unique agent version that's valid only for legacy Windows OS.

For 2003, 2003 R2, 2008, and 2008 R2, use the AwsReplicationWindowsLegacyInstaller.exe installer.

For 2012 and 2012 R2, use the AwsReplicationWindows2012LegacyInstaller.exe installer.

For more information, see Installing the AWS Replication Agent on Windows servers.

"Agent installation failed with "Unexpected Error""

This error occurs when you use credentials that are not valid, or when the user's credentials lack required permissions.

To resolve this error, make sure that the AWS Identity and Access Management (IAM) role that you use exists in your AWS account. Also, make sure that the role has the required policies for Application Migration Service or Elastic Disaster Recovery.

If the permissions are correct and you still receive the error, then review the installation logs to further troubleshoot the issue. You can find the installation logs in the install_path\aws_replication_agent_installer.log file path.

"The service cannot be started... Failed to execute script install_agent_windows"

To use the AWS Replication Agent, you must activate the Windows Management Instrumentation (WMI) service. If the WMI doesn't work as expected, then you receive an error message similar to the following example in your logs:

File "install_agent_windows.py", line 28, in <module>
  File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
  File "installer_utils\init.py", line 5, in <module>
  File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
  File "installer_utils\cloud_utils.py", line 34, in <module>
  File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
  File "installer_utils\instance_id_utils.py", line 41, in <module>
  File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
  File "site-packages\wmi.py ", line 157, in <module>
  File "site-packages\win32com\client\init.py", line 72, in GetObject
  File "site-packages\win32com\client\init.py", line 87, in Moniker
pywintypes.com_error: (-2147023838, 'The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.', None, None)
Failed to execute script install_agent_windows

To resolve this issue, activate the WMI service on the source machine. For instructions, see Setting up a remote WMI connection on the Microsoft website. For more information about the WMI, see Windows Management Instrumentation on the Microsoft website.

"Agent installation fails or freezes when using the "--force-volumes" flag to specify disks"

This error occurs when you don't describe disks in the correct order. When you use the --force-volumes flag, you must list the root disk first. In the following example command, \\.\PHYSICALDRIVE1 is the root disk, so it's listed first:

AwsReplicationWindowsInstaller.exe --region destination-region --aws-access-key-id your-access-key --aws-secret-access-key your-secret-access-key --force-volumes --drives=\\.\PHYSICALDRIVE1,\\.\PHYSICALDRIVE0 --no-prompt

Note: Replace destination-region with the destination Region. Also, replace your-access-key with the access key that you used to install the agent, and your-secret-access-key with the secret access key that you used to install the agent. For information about how to create the access key and secret access key, see Generating the required AWS credentials (Application Migration Service) or Generating the required AWS credentials (Elastic Disaster Recovery).

To check your disk names, run the following command:

wmic diskdrive list brief 

"[WinError 740] The requested operation requires elevation"

This error occurs when a user without administrative permissions tries to install the software. You must have administrative permissions to install and use AWS Replication Agent.

To run the agent installer file with administrator permission, open the context menu (right-click) for AWSReplicationWindowsInstaller.exe, and then select Run as Administrator.

"MissingDotNetVersionException"

If you see the "MissingDotNetVersionException" in the agent installer logs, then the server lacks the required .NET Framework.

To resolve this issue, take the following actions:

  • If you use Windows Server 2008 R2 or later, then make sure that you installed .NET Framework version 4.5 or later on the server. For instructions, see How to: Determine which .NET Framework versions are installed on the Microsoft website.

  • To check the .NET Framework version, run the following commands to check the required registry keys:

    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP\v4\full"  
    
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v "Release"
  • Confirm that your Group Policy doesn't block .NET installation or queries to the required registry keys.
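
The local prerequisites behind the "[WinError 740]", WMI service, and "MissingDotNetVersionException" errors can be checked together before you run the installer. The following PowerShell is an added example, not part of the original article or the agent installer; the function name Test-AgentPrerequisite is an assumption, and 378389 is the Release value that Microsoft documents for .NET Framework 4.5.

```powershell
# Added example (read-only): local checks tied to three installer errors above.
function Test-AgentPrerequisite {      # hypothetical helper name
    # Elevation: "[WinError 740]" and "No permission to install".
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # WMI service (Winmgmt): "The service cannot be started ... it is disabled".
    # Start type is read from the registry so this works without WMI itself.
    $svc   = Get-Service -Name Winmgmt -ErrorAction SilentlyContinue
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt' -ErrorAction SilentlyContinue).Start
    $startName = 'unknown'
    switch ($start) { 2 { $startName = 'Automatic' } 3 { $startName = 'Manual' } 4 { $startName = 'Disabled' } }
    $wmiOk = ($null -ne $svc) -and ($svc.Status -eq 'Running') -and ($start -ne 4)

    # .NET Framework 4.5 or later: "MissingDotNetVersionException".
    $ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
    $dotnetOk = ($null -ne $release) -and ($release -ge 378389)

    [pscustomobject]@{
        Check = 'Elevated session'
        Value = $elevated
        Pass  = $elevated
    }
    [pscustomobject]@{
        Check = 'WMI service (Winmgmt)'
        Value = ('Status={0}; StartType={1}' -f $svc.Status, $startName)
        Pass  = $wmiOk
    }
    [pscustomobject]@{
        Check = '.NET Framework Release'
        Value = $release
        Pass  = $dotnetOk
    }
}

Test-AgentPrerequisite | Format-Table -AutoSize
```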

"UninitializedAccountException"

This error occurs if you didn't initialize the account with Application Migration Service or Elastic Disaster Recovery. The error also occurs if the account doesn't use the default replication template.

The replication settings determine how the services replicate the data from source servers to AWS. You must configure these settings for Application Migration Service or Elastic Disaster Recovery before you install the agent.

"AccessDeniedException"

This issue occurs because of missing permissions. Confirm that you attached an IAM policy with the required permissions to the IAM role or user that you use to install the agent.

For Application Migration Service, attach AWSApplicationMigrationAgentInstallationPolicy. If your source server is an Amazon Elastic Compute Cloud (Amazon EC2) instance, then attach AWSApplicationMigrationServiceEc2InstancePolicy.

For more information about permissions for Application Migration Service, see Generating the required AWS credentials.

For Elastic Disaster Recovery, attach AWSElasticDisasterRecoveryAgentInstallationPolicy. If your source is an Amazon EC2 instance, then attach AWSElasticDisasterRecoveryEc2InstancePolicy.

For more information about permissions for Elastic Disaster Recovery, see Generating the required AWS credentials.

Also, make sure that a service control policy (SCP) doesn't block or deny required API actions for Application Migration Service or Elastic Disaster Recovery.

Related information

Troubleshooting agent issues