Planning Analytics 2.0.5
Microsoft Windows 2016 server

How do i copy files from one server to another server and keep the NTFS security?

Check you have a file share on source server.
Create a file share on destination server.
Give everyone full access to the share.
Ensure that the user running the script is local administrator on both servers
Open notepad
Enter below line (modify it for your server names)
robocopy \\serverSource\ShareA \\serverDestination\ShareA /MIR /COPYALL /DCOPY:T /R:1 /W:1 /NP /TEE /LOG:d:\temp\ShareA-RobocopyResults.log
Save file as d:\temp\robocopyfiles.cmd

Open a command prompt as administrator
move to the folder where the script is

Check the log files for errors when it is done.

(solution is from this site
TITLE “Copying ShareA from TestSource to TestDestination”
robocopy \\TestSource\ShareA \\TestDestination\ShareA /MIR /COPYALL /DCOPY:T /R:1 /W:1 /NP /TEE /LOG:C:\Logs\ShareA-RobocopyResults.log

The switch functions are as follows:

/MIR – Creates a mirror copy.

/COPYALL – Copies ALL file attributes

/DCOPY – Copies (ie retains original) Directory Creation/Modified Timestamps. If you don’t include this, all directories will be recreated with NEW timestamps

/R:1 – Retry copy once on failure

/W:1 – Wait 1 second between retries

/NP – No Percentage Completion written to output

/TEE – Output progress to Command Window (I guess TEE = Terminal Emulation)

/LOG – Write out and save to a specified Log File

More information:

Planning Analytics 2.0.8
Microsoft Windows 2016 server

When you click on a TM1 application Web link in Cognos Connection (from Cognos Analytics 11) you get a error. You also noted that the SSO did not work to your Cognos Analytics 11 webpage.
You can also get into pmpsvc page, but with wrong colors.

error, see logs

To make a link from CA work to Planning Analytics Web (PMPSVC) you must login correct to Cognos Analytics (CA11) first.
Ensure you surf to http://servername/ibmcognos and not to http://servername:9300/bi/v1/disp

Please also try to, in Internet Explorer change the Compatibility view settings to be blank.

“Display intranet sites in Compatibility View” should be checked off.

More information:

Planning Analytics Workspace version 36
Microsoft Windows 2016 server

After some time use, the user can not access the paw. They can not login.
This happen after the server have rebooted during a Microsoft Windows Patching.
To find out if your PAW installation is damage, check this steps:
When you run a docker ps command, you see services listed as restarting.
When you run a ./paw.ps1 stop command, you see services that does not stop, even after 20 minutes.

Error message:
503 The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Follow this guide lines to troubleshoot:

If nothing helps do this:
– increase to 8 cpu cores on your Microsoft Windows 2016 box
– turn off your anti virus software (McAfee and Symantec)
– turn off Windows Defender Real-Time Protection
– uninstall latest windows patch applied before last reboot of Windows server
– run paw.ps1 command as is, to repair containers (if they exist with strange names)
– remove paw and install it again
– restore your paw database backup with the ./restore.ps1 script

If you do not have a backup of paw database content, you need to do this steps;
– set docker service to manual
– stop cognos and planning service
– reboot the windows server
– after windows have started fine, manually start the docker service
– in powershell, enter docker ps, to monitor that the containers have started
– enter the command ./paw.ps1 stop
– when all containers is stopped, run the ./backup.ps1 command to get the backup zip files created.

Remove paw
– copy the configuration files from folder d:\ibm\paw\config to a different temp folder
– copy the backup files from folder d:\ibm\paw\backup to a different temp folder
– run ./paw.ps1 stop to stop all containers
– run ./paw.ps1 down –rmi all -v
– run docker ps -a to list all containers
– run docker rm $(docker ps -a -q) to remove all containers
– run docker images to list all images still there
– run docker rmi <image-id> to remove any Hello-World containers
– run docker network ls to show the docker networks
– rename the d:\ibm\paw\log folder to log-old
– create a new empty d:\ibm\paw\log folder
– copy the config/paw.ps1 file to a temp folder
– remove the d:\ibm\paw\config\paw.ps1 file

In case you need to remove docker, follow the steps last on this page

To install docker on Windows 2016, follow this steps

Run below command to test that docker works, before installing PAW.

docker container run hello-world:nanoserver-sac2016

Reinstall paw

– start the IBM Cognos Planning Analytics Services
– run ./Start.ps1 answer Yes to both questions.
– Inside the Administration web page, enter all the values (check in your old paw.ps1 file for values)
– click on validate
– click on update
– you may get a error, open the newly created d:\ibm\paw\config\paw.ps1 file in notepad++
– add manually the configuration values for $env:PAGatewayHTTPPort=”9580″ and $env:ProxyTimeoutSeconds=”600″ to the config/paw.ps1 file. Check from you backup config/paw.ps1 file what values you used last, when it was working.
– Inside the Administration web page, click on restart
– wait for paw containers to start
– surf to your paw page, does it work, but the folders are missing?
– run the ./restore.ps1 d:\temp\backup\yyyy-mm-dd  command to restore from your backup
– surf to your paw page, hopefully all is there.

If you still have issues, please contact IBM Cognos support for better instructions.

There can be new versions of other software that have issues with Docker containers;
If the system goes down after a few minutes, try to stop the VMware Tools service to see if that helps.

More information:

To prevent this from happening, you must:
Always run the ./paw.ps1 stop script before you restart docker service or reboot the server.
Every week run the ./backup.ps1 script, to make a zip backup of the content inside PAW.
Exclude the docker folders from your anti virus software.
Turn off Real Time Protection.
Set the Docker service to Automatically (Delayed Start)
Ensure there is at least 100 GB free space on the hard disk for docker files.
Add ./shutdown.ps1 script to windows shutdown policy.

More info about Anti-virus software:

“We find out with premier support that normally when container starts NET_LUID index for an NDIS loopback interface is allocated from registry key HKLM\SYSTEM\ControlSet001\Services\NDIS\IfTypes\24\IfUsedNetLuidIndices and when container stops it will be released.

But if you restart computer where is running containers then those values will not be released and if you have multiple automatically starting containers and scheduled restarts then eventually that registry key value will run out of free indexes and you are not anymore able to start containers”

Planning Analytics 2.0.9
Microsoft Windows 2016 server

After upgrade to Planning Analytics 2.0.9, user of TM1 Application web (contributor) get a blank page or below error in web browser when they try to open a link.


Clear the web browser cache before you surf to PMPSVC webpage.

You can also try a script to clean the browser cache, please test the script in your lab first.
Below script will clean Chrome browser cache:

REM echo %username% > C:\ProgramData\user.$$$

ECHO       Clearing Chrome cache
taskkill /F /IM “chrome.exe”

REM Set /p uname=< C:\ProgramData\user.$$$
REM set ChromeDataDir=C:\Users\%uname%\AppData\Local\Google\Chrome\User Data\Default

set ChromeDataDir=C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default
set ChromeCache=%ChromeDataDir%\Cache
del /q /s /f “%ChromeCache%\*.*”
del /q /f “%ChromeDataDir%\*Cookies*.*”

set ChromeDataDir=C:\Users\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default
set ChromeCache=%ChromeDataDir%\Cache
del /q /s /f “%ChromeCache%\*.*
del /q /f “%ChromeDataDir%\*Cookies*.*”
ECHO      Clearing Chrome cache DONE

More Information:

Cognos Analytics 11.0.12
Microsoft Windows 2016 server

The users can not login with SSO, they have to enter name and password at the IBMCOGNOS website.
Only a few Cognos CA11 gateway servers are affected.

Suggested solution:
Go into the Cognos Configuration on gateway servers and click save.
Does it help?

Recommend is to on all Cognos Configuration installation change the “common symmetric key lifetime in days” from 365 to a higher value like 1825 (5 years).

Inside Cognos Configuration on the CA11 servers
Go to Local Configuration -> Security -> Cryptography
Modify the value for: Common symmetric key lifetime in days
Also go to Local Configuration -> Security -> Cryptography -> Cognos
Modify the value for: Certificate lifetime in days
Save the configuration and start the services.
You must start the Content Manager first, then the gateway servers last.

The issue can also be caused by changes to IIS setup for the SSO part.

More Information:
By default, the cryptographic keys are valid for 365 days.

This value is configured inside Cognos Configuration
Specifically, browse to “Local Configuration -> Security -> Cryptography” and modify the value for: Common symmetric key lifetime in days

Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn’t save the configuration for 365 days, they would expire and you’d need to manually regenerate them.

You must restart the services every so often to ensure the new keys are actually being used.

If you think you won’t be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.

If you miss above, you will get in a years time this error;
“The Cognos gateway is unable to connect to the Cognos BI server. The server may be unavailable, or the gateway may not be correctly configured”

Cognos Analytics 11.0.13
Microsoft Windows 2016 server

When test the data source connection in cognos connection administrative page, you get a error for the JDBC Dynamic connection. The Compatible Query Mode is working. Happens on server with not default temp and data folder.

Oracle (JDBC) /Dynamic Failed DPR-ERR-2002 Unable to execute the request because there were no connections to the process available within the configured time limit.

Suggested Solution:
Go into Cognos Configuration.
Stop the Cognos service.
Change temp and data locations back to default values.
Save and start the Cognos Service.
Surf into IBMCOGNOS again and test the data sources.

Can be that corrupted files in the temp and data folder does not make the Query/Report service to start correct.

More information:

Cognos Analytics 11.0.13
Microsoft Windows 2016 server

Sometimes when user create a report they get a error similar to below, if you clear the users browser cache, you often get the error.

Message from webpage
Error: Startup Request Failed: The web request failed.:500
URL Rewrite Module Error
at Anonymous function…

Check the cognos folders, like C:\Program Files\ibm\cognos\analytics\webcontent\bi\samples\images\ for web.config files that is wrong.
Turn off IIS.
Remove the damage web.config file.
Start IIS.
Check that your BI folder rewrite rules for SSO is correct.
Check that WEBDAV is correct setup on your image folder.

More information:

Planning Analytics 2.0.8
Microsoft Windows 2016 server

What is the requirements for the windows service account to run TM1 servers?

Solution (from IBM web):

User accounts for running TM1 services on Windows

The account must have the following privileges on the local computer:

Act as part of the operating system

Bypass traverse checking

Increase quotas (Adjust memory quotas for a process)

Replace a process level token

Log on as a service

Have read and write privileges on the Windows Registry item

If you use “local system” you will not be able to use Kerberos, or have access to read csv files from external file shares.

In integrated login mode (security mode 3), TM1 authentication compares the user’s domain-qualified Microsoft Windows login name to the contents of the UniqueID element of the }ClientProperties cube.

If there is a match, the user is authenticated to TM1. If Active Directory groups have been imported into the TM1 Server, Active Directory group memberships are honored.

If no match is found, TM1 displays an error message stating that the client name does not exist. TM1 Server does not prompt for login information.

Users who want to access TM1 data in a server that is configured for integrated login must authenticate to Microsoft Windows first and then use TM1 clients to access the TM1 Server.


  1. Run ETLDAP and import the user and group information from your LDAP server, as described in Running ETLDAP. Or update the }ClientProperties cube with other TI scripts.
  2. Shut down the TM1 Server.
  3. Edit the following parameters in the tm1s.cfg file located in your TM1 Server data directory:
    • Set the IntegratedSecurityMode parameter to 3.
    • Set the SecurityPackageName parameter to the security protocol you use for integrated login.

    In the following example, the server is configured to use Kerberos.

  4. Save and close the tm1s.cfg file.
  5. Restart the TM1 Server.
  6. Optional: Configure the TM1 clients to use integrated login by setting the Use Integrated Login option in the associated user interface.

Follow the directions from IBM knowledge articles for most accurate information.

More Information:

Enabling Cognos single signon to use Kerberos authentication with constrained delegation

You must configure the constrained delegation in the Active Directory Users and Computers administration tool. On the Delegation tab for all users (IISUser, CognosCMUser, and CognosATCUser), you must select Trust this user for delegation to specified services only and Use Kerberos only to use Kerberos with constrained delegation. Select Trust this user for delegation to specified services only and Use any authentication protocol if you are using the S4U Kerberos extension.