Troubleshooting XProtect Management Server Failover
System log file
To troubleshoot system errors, you can find the ManagementServerFailover.log file on the computer where you have installed XProtect Management Server Failover at C:\ProgramData\Milestone\XProtect Management Server\Logs.
The configuration of the failover cluster has failed

If you have multiple network adapters on Node 1 or Node 2, the wizard might not resolve their IP addresses or host names.
Solution: Check the address resolution on the nodes using DNS lookups. If the IP address or host name of a node does not resolve as expected, disable all network adapters except the one you use for the failover cluster. You can re-enable the network adapters after you configure the failover cluster.

The failover cluster configuration fails because the SQL Server instance name does not match the name in the configuration files.
Solution: Check the SQL Server instance names on Node 1 and Node 2. See View the SQL Server instance name. If the instance name of your SQL Server is not MSSQLServer, you need to update the contents of the configuration files.
Before you make any changes, make a backup of the configuration files.
You can find the configuration files at C:\Program Files\Milestone\XProtect Management Server Failover\scripts. You must replace MSSQLServer with the name of your SQL Server instance:
- ConfigureServices.ps1 - you can open the file with a text editor.
- videoos.safe - open the file with a file archiver such as 7zip and go to the bin folder. Edit the start_prim.cmd and stop_prim.cmd files.

The system uses port 9001 to connect to the safecaserv service and generate a server certificate. If the port is in use by another service, for example the Recording Server service, the configuration fails.
Solution: Stop all services that use port 9001 on Node 1 and Node 2. Then, configure the failover cluster. The safecaserv service is necessary only during configuration.

During the configuration of the failover cluster, the wizard runs PowerShell scripts in the background. Your PowerShell execution policy might block the scripts from running.
Solution: Set your PowerShell execution policy to Unrestricted and configure the failover cluster again. See Execution Policies.
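The following read-only PowerShell script is an added example, not part of the Milestone documentation. It checks three of the causes above on a node: address resolution, listeners on port 9001, and the execution policy at each scope. The host names in $Nodes are placeholders (assumption); replace them with Node 1 and Node 2.

```powershell
# Pre-flight checks for a failover node. Read-only: changes nothing on the system.
# The host names below are placeholders (assumption); replace with Node 1 and Node 2.
param(
    [string[]]$Nodes = @('node1.example.local', 'node2.example.local'),
    [int]$Port = 9001
)

# 1. Address resolution: each node name should resolve to the address of the
#    adapter you use for the failover cluster.
foreach ($node in $Nodes) {
    try {
        $addresses = Resolve-DnsName -Name $node -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
        if ($addresses) {
            "{0} resolves to {1}" -f $node, ($addresses -join ', ')
        } else {
            "{0} has no A record" -f $node
        }
    } catch {
        "{0} does not resolve: {1}" -f $node, $_.Exception.Message
    }
}

# Active adapters and their IPv4 addresses on this node, for comparison.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    $ip = Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
    "Adapter '{0}': {1}" -f $_.Name, ($ip.IPAddress -join ', ')
}

# 2. Port 9001: list listeners and map each owning process to its Windows service.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    "Port $Port is free"
} else {
    foreach ($procId in ($listeners.OwningProcess | Sort-Object -Unique)) {
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"
        $names = if ($services) { $services.Name -join ', ' }
                 else { (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName }
        "Port $Port is in use by PID {0} ({1})" -f $procId, $names
    }
}

# 3. Execution policy at every scope; a Group Policy scope overrides local settings.
Get-ExecutionPolicy -List | ForEach-Object { "{0}: {1}" -f $_.Scope, $_.ExecutionPolicy }
```

Run the script in an elevated PowerShell session on each node so that the owning process of every listener is visible.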
The failover cluster does not function properly

When you log in to XProtect clients and services as a basic user, your request goes to the Identity Provider. The Identity Provider keeps the certificate keys that were generated during the initial VMS configuration. To ensure the users have access to the resources you have allowed them to, you must remove the certificate keys before you configure the failover cluster.
Solution: Remove the failover cluster configuration, set up data protection, and remove the existing certificate private keys for the Identity Provider. Then configure the failover cluster again. See Update the data protection settings for Identity Provider.
Cannot remove configuration

The system uses port 9001 to connect to the safecaserv service to remove the stored server certificate. If the port is in use by another service, for example the Recording Server service, the configuration fails.
Solution: Remove the existing failover cluster configuration, then stop all services that use port 9001 on Node 1 and Node 2. After you have removed the configuration, you can start the services that use port 9001.
The VMS services do not start after removing the configuration

If you removed the configuration while logged in as a standard user in Windows, or as an administrator user who is not added to the administrator role in XProtect, the services may fail to register.
Solution: Log in to the computer with an AD user that has administrative permissions in XProtect and remove the configuration.

The services fail to register as the configuration still keeps the virtual IP of the failover cluster.
Solution: From the Server Configurator, register the management server and event server with the address of the management server computer.