ConfigMgr (SCCM) Packages are not getting updated on new site system Distribution point (Domain Controller)
I’m trying document the issue which we had faced during one of my assignments. We’d already installed Remote DP on a domain controller, however, the packages were not getting replicated. Through the following troubleshooting steps we were able to identify the issue and resolved it. Hope, it would be helpful to others in the community.
One of my client had a special requirement to put Remote DP server on a domain controller.
After some days, we have noticed that the DP is not getting updated and new packages are not getting replicated.
Noticed errors in DistMgr.log
Cannot establish connection to ["Display=\\SiteServerName\"]MSWNET:["SMS_SITE=999"]\\DPServerName\ SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0×0804) Error occurred. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0×0804) ()
Domain controllers do not have a local Security Accounts Management (SAM) database other than the domain database. So we can’t add site server’s machine account to local administrators group of domain controller.
To get more details about the access denied error, we have enaled NAL logging.
How to enable NAL logging – It’s enabled in registry on the site server. For more information about NAL logging check http://support.microsoft.com/kb/243385/
- Browse to HKLM\Software\Microsoft\NAL
- Create a new Key called Logging
- Create two new DWORD values log To with a value of 3 (decimal) and Verbosity with a value of 7 (decimal). The value 7 will give you warnings, errors and information messages.
Now, check the DistMgr.log for more details…..
NAL – WARNING: failed to obtain an admin level authentication to the server. Access is denied. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0×0804)
NAL – Leaving CServer::_Authenticate() Access is denied. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0×0804)
NAL – The server is inaccessible. Access is denied. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0×0804)
NAL – Leaving CServer::IsAccessible() Access is denied. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0×0804)
Now, it’s pretty clear that the error is due to permission issue on DP server. The site server don’t have admin access to DP (Domain Controller).
Some how, site system’s system account is not able to get admin access on DP server (DC). To resolve this issue, we have used domain service account as Site System Installation Account instead of system account.
More details about Site System Installation Account. http://technet.microsoft.com/en-us/library/bb680552.aspx
Add service account as as Site System Installation Account.
Refreshed the package and while reading DistMgr.log, I can see that the packages are started getting copied to DP server (DC).
copying D:\_S Mei4v.TMP\x86\uninstallwizard.xml to \\DPSiteSystem\\SMSPKGX$\packageID\x86\uninstallwizard.xml~ $$<SMS_DISTRIBUTION_MANAGER><5/18/2011 11:09:29 PM ><thread=7872 (0x1EC0)>
copying D:\_S Mei4v.TMP\x86\upgradewizard.xml to \\DPSiteSystem\SMSPKGX$\packageID\x86\upgradewizard.xml~ $$<SMS_DISTRIBUTION_MANAGER><5/18/2011 11:09:29 PM ><thread=7872 (0x1EC0)>
UnRegisterSignatureUsage() called for Package packageID, Version 1 with TargetPath as \\DPSiteSystem\\SMSPKGX$\packageID\~ $$<SMS_DISTRIBUTION_MANAGER><5/18/2011 11:09:30 PM ><thread=7872 (0x1EC0)>
Unpacked folder for package version packageID.1 is not being used by any user. It will be deleted now.~ $$<SMS_DISTRIBUTION_MANAGER><5/18/2011 11:09:30 PM ><thread=7872 (0x1EC0)>
Also, I have seen similar errors “MicrosoftIISv2 . error = Access is denied” in DistMgr.log for DP site system. However, below solution didn’t work for me. Just for documentation pupose I thought of adding in this article.
CWmi::Connect() failed to connect to \\ServerName\root\MicrosoftIISv2 . error = Access is denied. SMS_DISTRIBUTION_MANAGER 4/1/2010 8:44:01 PM 22504 (0x57E8)
ERROR DPConnection::ConnectWMI() – Failed to connect to ServerName. error = 0×80070005 SMS_DISTRIBUTION_MANAGER 4/1/2010 8:44:01 PM 22504 (0x57E8)
WBEMTEST to remotely connect to the ServerName server’s namespace root\MicrosoftIISv2.
a. On the site server, run WBEMTEST.
b. Click Connect.
c. Input <\\Servername\root\MicrosoftIISv2> and click Connect.
d. Does it generate the 0×80070005 or Access Denied error?
e. On the DP server itself, if you use WBEMTEST and try to connect to “root\MicrosoftIISv2”, what happens?
Basically, for the DP server, if MicrosoftIISv2 is the only namespace that the site server cannot access, then we can check the security setting of this name space.We can try the steps below:
The steps are as follows.
1. On the DP server, run WMIMGMT.MSC.
2. Right click WMI Control, and click Properties.
3. Click on the Security tab.
4. Expand Root. Then find the MicrosoftIISv2 namespace. Select it and click the Security button.
5. For each account listed there, what are the permissions granted?
6. As a test, you can grant the “Everyone” user “Allow” permission for all actions, and then test to see if this resolves the error. If this works, then it is missingcertain security permission regarding this Namespace.
Note – (Another option) You may add domain controller system account to the local group ”SMS_SiteSystemToSiteServerConnection_sitecode” on secondary server.