Share This Post

Troubleshooting On-premises Deployments – Part 2

This article is a continuation of On-premises Deployments Troubleshooting. On-premises deployments of MS Dynamics 365 for Finance and Operations are not aided on any public cloud infrastructure, including Azure.


LCS is an application management portal that provides tools and services for managing the application life cycle of your Microsoft Dynamics 365 for Finance and Operations implementations in the cloud and on-premises.
LCS features, such as business process modeling, software deployment and patching and monitoring and diagnostics, are used to help support on-premises deployments.

On-premises Deployments Troubleshooting Steps (Continued)

11. An Error Occurs when Local Agent Services are Started

When local agent services are started, you might receive the following error:

Could not load file or assembly ‘Lcs.DeploymentAgent.Proxy.Contract, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies.

This error tells that strong name verification is turned on. You can switch off this verification by utilizing Configure-PreReqs.ps1. To validate that strong name verification is no longer turned on, run Test-D365FOConfiguration.ps1.

12. A “Validation in Progress” Message is Shown for Several Minutes in LCS

Follow these steps to troubleshoot general issues with local agent validation.

  • Execute Configure-PreReqs.ps1 on all orchestrator machines to configure the machines correctly.
  • Check that the Test-D365FOConfiguration.ps1 script passes on all the orchestrator machines.
  • Verify that the installation of LocalAgentCLI.exe is successfully completed.
  • In Service Fabric Explorer, verify that all the applications are healthy.
  • If the applications aren’t healthy, find the primary node for the service that is failing. In Event Viewer, look for events in the following locations:
    • Custom Views > Administrative Events
    • Applications and Services Log > Microsoft > Dynamics > AX-LocalAgent

13. Local Agent Errors


Error: You might receive the following errors in On-premises Deployments Troubleshooting:

Unable to process commands

Unable to get the channel information

RunAsync failed due to an unhandled exception causing the host process to crash: System.ArgumentNullException: Value cannot be null. Parameter name: certificate

Reason: These errors can arise because the certificate that is specified for the OnPremLocalAgent certificate either isn’t valid or isn’t correctly configured for the tenant.

Steps: Follow these steps to resolve the error.

  • Run Test-D365FOConfiguration.ps1 on all orchestrator nodes to make sure that all checks pass.
  • Verify that the certificate that is specified in the local agent configuration is correct.
    • Make sure that the thumbprint that you specify in LCS and in the ConfigTemplate.xml file has no special characters.
    • The certificate should be the same certificate that is specified in the following section in infrastructure\ConfigTemplate.xml.

<Certificate type=”Orchestrator” exportable=”true” generateSelfSignedCert=”true”>

  • Make sure that the same certificate that is specified in the local agent configuration in LCS was utilized to complete the steps in the Configure LCS connectivity for the tenant section of the relevant setup and deployment for your environment.
  • Uninstall the local agent.
  • Specify the correct certificate in the local agent configuration, and download the configuration file again.
  • Install the local agent again by using the new configuration file.

Error: During servicing, you receive an Unable to download asset error, and the details state, The credentials supplied to the package were not recognized.

Reason: The ACL was not correctly defined on the certificates.


Check whether ACL was removed from client certificate on orchestrator machines. Run the .\Test-D365FOConfiguration.ps1 script on orchestrator machines, and verify the ACL.

To resolve the error, run the .\Set-CertificateAcls.ps1 script to reset the ACLs.



Access to the path ‘\…\agent\assets\’ is denied.

Reason: The file share that is specified in the local agent configuration isn’t valid.

Steps: Follow these steps to resolve the error in On-premises Deployments Troubleshooting.

  • Verify that the specified share exists.
  • Verify that the local agent user has full permission on the share. The local agent user is the Domain Name System (DNS) name that is specified in the following section in ConfigTemplate.xml.

<ADServiceAccount type=”gMSA” name=”svc-LocalAgent$” refName=”gmsaLocalAgent”>

  • Make sure that the “Set up file storage” section of the appropriate setup and deployment for your environment is completed.
  • Uninstall the local agent.
  • Specify the correct file share in the local agent configuration, and download the configuration file again.
  • Install the local agent again by using the new configuration file.

Error: When you do a servicing operation, you receive the following error:

Unable to get extract setup folder for command

Reason: The file share has been removed or changed.

Steps: To see what the file share is set to, open Microsoft SQL Server Management Studio, and run the following query on the orchestrator database:

select * from OrchestratorCommandArtifact where CommandId = ‘xxx’



Login failed for user ‘D365\svc-LocalAgent$’. Reason: Could not find a login matching the name provided. [CLIENT:]

Reason: The local agent user cannot connect to the orchestrator database. This issue can arise because the users have been deleted and then recreated in Active Directory Domain Services (AD DS). Therefore, the security identifier (SID) of the user has changed, and any access that was given to the user for the SQL Server instance or the database no longer works.

Steps: Follow these steps to resolve the error in On-premises Deployments Troubleshooting.

  • Run the following script on the SQL Server instance.

.\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName Orchestrator

This script creates an empty orchestrator database, if an empty database doesn’t already exist. It then inserts the local agent user to the database and provides it with the db_owner permission.

After the correct permissions are provided, the application should automatically go to a healthy state.

  • If any settings, such as the fully qualified domain name (FQDN) of the SQL Server instance, the database name, or the local agent user, were provided incorrectly in LCS, change the settings and then reinstall the local agent.

If the previous steps do not resolve the error, manually remove the local agent user from the SQL Server instance and the database, and then rerun the Initialize-Database script.

If the user is recreated in AD DS, remember that the SID will change. In this case, remove the previous SID for the user, and add a new SID.



Unable to migrate database


  • Verify that you have access to the SQL Server listener.
  • If you’re doing testing, you can start over and use an empty orchestrator database.

When you performing the Configure the databases procedure, if the SQL Server instance is a named instance, use the -DatabaseServer [FQDN/Instancename] parameter.


The local agent user can’t connect to the SQL Server instance or the database.

Steps: Follow these steps to resolve the error in On-premises Deployments Troubleshooting.

  • Delete the svc-LocalAgent user from the SQL Server primary node databases and then delete the login from both servers.
  • Run the following scripts.

.\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName Orchestrator
.\Configure-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName Orchestrator

14. Restart Applications (such as AOS)

In Service Fabric, expand Nodes > AOSx > fabric:/AXSF > AXSF > Code Packages > Code. Select the ellipsis button (), and then select Restart. When you’re prompted, enter the code.

15. Upgrade Service Fabric

Service Fabric Explorer will show a message that resembles the following message:

Unhealthy event: SourceId=’System.UpgradeOrchestrationService’, Property=’ClusterVersionSupport’, HealthState=’Warning’, ConsiderWarningAsError=false. Please view available upgrades using Get-ServiceFabricRegisteredClusterCodeVersion and upgrade using Start-ServiceFabricClusterUpgrade.

Because the minimum requirement is one Microsoft SQL Server Reporting Services (SSRS) node and one Management Reporter node, you must pass in a parameter to skip PreUpgradeSafetyCheck.

Follow these steps to upgrade Service Fabric in Windows PowerShell.

  • Connect to the Service Fabric cluster. In the following command, replace 123 with the server/star thumbprint, and use the appropriate IP address.

Connect-ServiceFabricCluster -connectionEndpoint -X509Credential -FindType FindByThumbprint -FindValue 123 -ServerCertThumbprint 123

  • Get the latest version that was downloaded.


  • Start the upgrade. For -CodePackageVersion, enter the latest version.

Start-ServiceFabricClusterUpgrade -Code -CodePackageVersion 6.1.472.9494 -Monitored -FailureAction Rollback -UpgradeReplicaSetCheckTimeout 30

  • Get the upgrade status.


If you receive a warning in Service Fabric Explorer after you upgrade, make a note of the node, and then restart by expanding Nodes > AOSx > fabric:/AXSF > AXSF > Code Packages > Code. Select the ellipsis button (), and then select Restart.

16. Error: “Unable to Load DLL ‘FabricClient.dll'”

If you receive an error that states, “Unable to load DLL ‘FabricClient.dll’,” close and restart Windows PowerShell. If the error persists, restart the machine.

17. What Cluster ID Should be Used in Agent Configuration?

The cluster ID can be any globally unique identifier (GUID). This GUID is used for tracking purposes.

18. Encryption Errors

Some examples of encryption errors include “AXBootstrapperAppType,” “Bootstrapper,” “AXDiagnostics,” “RTGatewayAppType,” “Gateway potential failure related,” and “Microsoft.D365.Gateways.ClusterGateway.exe.”

You might receive one of these errors if the data encipherment certificate that was utilized to encrypt the AOS account password was not installed on the machine. This certificate might be in the certificates (local computer), or the provider type might be incorrect.

To resolve the error, validate the credentials.json file. Verify that the text is correctly decrypted by entering the following command (on AOS1).

Invoke-ServiceFabricDecryptText -CipherText ‘longstring’ -StoreLocation LocalMachine | Set-Clipboard

This error can also occur if the  parameter isn’t defined in the ApplicationManifest file. To determine whether this parameter is explained, in Event Viewer, go to Custom Views > Administrative Events and verify the following information:

  • The encrypt credentials for the credentials.json file have the correct layout/structure. For more information, see the “Encrypt credentials” section of the appropriate setup and deployment for your environment.
  • A closing quotation mark appears at the end of the line or on the next line.

In Event Viewer, under Custom Views > Administrative Events, note any errors in the Microsoft-Service Fabric source category.

For more information on Microsoft Dynamics 365 F&O On-premises Deployments Troubleshooting, please contact us. For getting the continuation of the previous steps please refer to the previous article: and for the continuation of the further steps please refer to this article:

Share This Post

Leave a Reply

Notify of
Skip to toolbar