I'm wondering if you might be running into a connection issue with MR we've started to see due to Windows updates, as mentioned in our blurb below:
If MR was working and then suddenly stopped, it is most likely related to the November Windows updates which have a known issue with Kerberos when installed on a domain controller server. The KB numbers vary based on the OS but these are the ones we have noted so far:
Server 2016:
KB5019964 support.microsoft.com/.../november-8-2022-kb5019964-os-build-14393-5501-5c195bd1-91d5-402e-a973-813373ba4357
Server 2019:
KB5019966 support.microsoft.com/.../november-8-2022-kb5019966-os-build-17763-3650-b09dad62-5cd7-47cd-992f-b7d01f2956c1
Server 2022:
KB5019081 support.microsoft.com/.../november-8-2022-kb5019081-os-build-20348-1249-14345324-e5d1-4710-a364-76d69d7aaa7c
From what we have seen, the issue can be intermittent. There were out of band (OOB) patches released to address this known issue. We are seeing it fix the issue for some but not all:
Server 2016:
OOB Fix 5021654: support.microsoft.com/.../5021654
Server 2019
OOB Fix 5021655: support.microsoft.com/.../5021655
Server 2022
OOB Fix 5021656: support.microsoft.com/.../5021656
The OOB patches, and their prerequisite KBs, need to be applied to all domain controller servers. You may need to reboot again after rebooting for the update for them to take effect.
Some users are able to work around the issue by creating SPN’s. Create two SPNs for the domain account running the MR services. You must log in as a full domain administrator to do this. To create an SPN for this domain account, run the Setspn tool at an elevated command prompt (Run as Administrator) with the following commands:
setspn -S HTTP/Mrservername domain\customAccountName
setspn -S HTTP/MRservername.fullyqualifieddomainname domain\customAccountName
"MRservername" should be replaced with the MR server name where the MR Application Service is installed.
"domain\customAccountName" should be replaced with the domain account running the MR Services (check the MR Configuration Console for this account)
"MRservername.FullyQualifiedDomainName" should be replaced with the fully qualified domain name of the MR server where the MR Application Service is installed.
Another potential work-around is to reinstall the MR services using one of the built-in Local Service or Network Service accounts. This is only an option if the MR services are installed directly on the SQL server. Here are the steps:
1. Get all users out of MR and make a backup of the ManagementReporter SQL database.
2. Log into the MR server as a user who is an Administrator in MR, an Administrator on the server, and a sysadmin in SQL.
3. Start the MR Configuration Console.
4. Select the integration and use the Remove link at the top-right to remove it.
5. Under Services, use the Remove links at the top right to remove the process service and then the application service.
6. Close the Configuration Console.
7. Delete the ManagementReporterDM database from SQL if it exists.
8. In SQL under Security -> Logins, right-click -> Properties -> User Mapping on the account that you want to run the MR services. Add the account if it isn’t there yet (right-click on Logins).
9. Mark the ManagementReporter database and ensure the GeneralUser and public roles are selected.
10. Start the MR Configuration Console. It may pop up asking what to deploy. If not, click File -> Configure.
11. Choose to deploy just the two MR services (application and process). Wait to deploy the integration until later.
12. Select the Local Service or Network Service account (whichever was added to SQL), mark the “Connect to an existing database checkbox”, and select the ManagementReporter database from the dropdown.
13. Click File -> Configure and deploy the integration. Use the ‘sa’ credentials to select the DYNAMICS database. If using the data mart, enable it and wait for it to fully load.
If none of the above works, the recommended action at this point is to roll back the November updates from the domain controllers.