I have been following Standard Environments for Automated Deployment and Testing and I have run into some errors.

I have two servers, one Windows Server 2008 R2 and another Windows Server 2012. On both I've installed Web Deploy 3 and the service Web Deployment Agent Service is running on both machines. I have the service account in my domain and I added the account on both machines to Administrators group. I also used this account for the Build and Test controller and agent.

The 2008 server is the build server and I want to deploy a website with the build server to the 2012 server. I have one build definition that makes the package with the zip and deploy.cmd etc. with the standard TFS 2012 Update 2 process template (added /p:DeployOnBuild=True as MS build argument).

I have another build definition based on the LabDefaultTemplate TFS 2012 update 2 template. In the lab process templates I added the following command on the deploy tab:

"$(BuildLocation)\_PublishedWebsites\UI.Web.Mvc4_Package\UI.Web.Mvc4.deploy.cmd" /y /m:SERVERNAME_OF_THE_2012_SERVER

When I run the second build definition, I get the "Access Denied" error. I don't know where it is coming from. I don't see any special things here happening. I also set the log to diagnostic but that doesn't work.

When I make a connection with Remote Desktop to the 2008 build server and manually run the same deploy.cmd, everything is working. The site is deployed on the 2012 server and everything is running.

Can someone help me?

Thanks

Added log from the build:

Deploy Build on Environment

00:22
Deploying Build

00:22
Run Deployment scripts
Initial Property Values
Values = Web Server | $(BuildLocation)\_PublishedWebsites\UI.Web.Mvc4_Package\start.bat

00:22
Run Deployment Task
Initial Property Values
BuildLocation = \\AP-GDA06-TFSB\DropFolder\Dev MVC4\Dev MVC4_20130510.11
DeploymentScriptDetails = Web Server | $(BuildLocation)\_PublishedWebsites\UI.Web.Mvc4_Package\start.bat
LabEnvironmentUri = vstfs:///LabManagement/LabEnvironment/3
MaxWaitTime = 00:30:00
ThrowOnError = True
UseRoleForDeployment = True
Deployment Task Logs for Machine: 2012_SERVER
 Access is denied
 Exception Message: Team Foundation Server could not complete the deployment task for machine '2012_SERVER', script '\\2008_SERVER\DropFolder\Dev MVC4\Dev MVC4_20130510.11\_PublishedWebsites\UI.Web.Mvc4_Package\start.bat' and arguments ''. (type LabDeploymentProcessException)
Exception Stack Trace: 
Server stack trace: 
   at Microsoft.TeamFoundation.Lab.Workflow.Activities.RunDeploymentTask.ExecuteDeploymentTask.RunCommand(AsyncState state)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
   at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
   at System.Action`1.EndInvoke(IAsyncResult result)
   at Microsoft.TeamFoundation.Lab.Workflow.Activities.RunDeploymentTask.ExecuteDeploymentTask.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
   at System.Activities.AsyncCodeActivity.CompleteAsyncCodeActivityData.CompleteAsyncCodeActivityWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
Final Property Values
BuildLocation = \\2008_SERVER\DropFolder\Dev MVC4\Dev MVC4_20130510.11
DeploymentScriptDetails = Web Server | $(BuildLocation)\_PublishedWebsites\UI.Web.Mvc4_Package\start.bat
LabEnvironmentUri = vstfs:///LabManagement/LabEnvironment/3
MaxWaitTime = 00:30:00
ThrowOnError = True
UseRoleForDeployment = True
Final Property Values
Values = Web Server | $(BuildLocation)\_PublishedWebsites\UI.Web.Mvc4_Package\start.bat

The BAT file that is started contains the following command:

START UI.Web.Mvc4.deploy.cmd /y /m:2012_SERVER

If you start build definition which is using DefaultLabTemplate you should see following in your build log:

...

If deployment needed
 Do deployment
  Reserve Environment For Deployment
  Deploy Build on Environment
    Deploying Build
      Run Deployment scripts
        Run Deployment Task
          Deployment Task Logs for Machine: <your machine> 
            Accessing the following location using the lab service account: <your service account>, <your drop location>.

...

Do you see that the Lab Service account is using?

Check this answer: https://stackoverflow.com/a/16566204/648297

This was the solution in my case.

This could be useful for you, too: What is Lab Service Account?

Using Visual Studio 2012 Update 4, and Team Foundation Server, on a one-way trust or isolated/workgroup network configuration, we have found an additional step is required. When running automated unit tests via the Build-Deploy-Test workflow (but not Web Deploy), we have found that setting the lab service account is only part of the solution. In order to avoid Access is denied errors in the build, we also had to set the user for the Visual Studio Lab Agent Service.

This is what the services in the Services applet look like after setting the lab service account (in this example, ".\LabAdmin"):

Visual Studio Lab Agent Service         | Configures, monitors... | Running | Automatic | Local System  
Visual Studio Lab Network Agent Service | Sets network propert... | Running | Automatic | Local System  
Visual Studio Test Agent                | Provides distributed... | Running | Automatic | .\LabAdmin  

In order to fix the Access is denied error, we also had to run the Visual Studio Lab Agent Service under the lab service account:

Visual Studio Lab Agent Service         | Configures, monitors... | Running | Automatic | .\LabAdmin  
Visual Studio Lab Network Agent Service | Sets network propert... | Running | Automatic | Local System  
Visual Studio Test Agent                | Provides distributed... | Running | Automatic | .\LabAdmin  

After making this change, and restarting the services, the Access is denied error went away. This was repeated on two different target computers, at least with our configuration it appears to be a necessary step.