Cannot read status of new DP in trusting domain

 
Cannot read status of new DP in trusting domain - 8/8/2006 9:58:51 AM   
slee

 

Posts: 55
Score: 3
Joined: 10/12/2001
Status: offline
Found some similar threads, but not quite the same situation...

I've been trying to recreate a distribution point in a trusting domain, without success.  We had a DP in this domain previously, but took it out some time ago.  Now, trying to recreate the role on another box, the site server cannot push package source to the intended DP, nor can it see the status of the DP.  In the admin console's Site System Status list, the Total, Free, and % Free disk space all appear as "Unknown", with a "Down Since" value equal to the time I tried to copy a package to it.

The givens:
-Our DMZ domain trusts the Corp domain.
-DMZ01 is in the DMZ domain, SMS01 site server is in Corp domain.
-SMS Advanced Clients in the DMZ domain install successfully and report inventory, status, etc. back to the site server in Corp domain.
-Site server computer account SMS01$ is a local admin on file server DMZ01; SMS site is Advanced Security, so no service account.  Site server account is currently also a member of Corp domain's Domain Admins, which is a member of the DMZ domain's Administrators group.
-I can connect to and map a drive to the DMZ01 DP share \\DMZ01\SMSPACKAGE$ from the site server using a Corp domain administrator account, and create/delete files and folders.
-Firewall is open between DMZ devices and SMS01 (ANY<->ANY) until we get things set up and running.
-DNS resolution of each server name from the other works fine.

Here's the relevant part of distmgr.log (NAL logging is enabled):

-----------------------
Start adding package to server ["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\... SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 6336 (0x18C0)
Attempting to add or update a package on a distribution point. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
STATMSG: ID=2342 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SMS01 SITE=NA1 PID=3340 TID=12756 GMTDATE=Tue Aug 08 13:29:43.728 2006 ISTR0="Microsoft Updates Tool" ISTR1="["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=2 AID0=400 AVAL0="NA1000B7" AID1=404 AVAL1="["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\" SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to get connection status.  This network connection does not exist. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to make the network connection.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to obtain access.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - The server is inaccessible.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
Cannot establish connection to ["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\ SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
Error occurred, performing error cleanup prior to returning. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
------------------------

Is there any way to draw more information out of those NAL errors beyond "Access is denied"?  I've tried turning up security logging on DMZ01, but only see Anonymous logons from SMS01 to DMZ01 that appear out of the ordinary.

_____________________________

Steve Lee
SMS Flunkie
Post #: 1
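
Added example, not part of the original thread and not an SMS tool: a small Python parser for the distmgr.log line layout shown in the post (message, component, date, time, decimal thread ID, hex thread ID). It groups the NAL failures by worker thread and attaches the share that thread was connecting to; the regular expressions and the `summarize` function are assumptions of this example, derived only from the lines quoted above.

```python
import re
from collections import defaultdict

# Lines copied from the distmgr.log excerpt in the post above.
SAMPLE = r'''Start adding package to server ["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\... SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 6336 (0x18C0)
Attempting to add or update a package on a distribution point. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to get connection status.  This network connection does not exist. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to make the network connection.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to obtain access.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - The server is inaccessible.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
Cannot establish connection to ["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\ SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)'''

# Trailing fields: component, date, time, thread ID in decimal and in hex.
LINE = re.compile(r'^(?P<msg>.*) (?P<comp>SMS_[A-Z_]+) (?P<date>\d+/\d+/\d+) '
                  r'(?P<time>[\d:]+) (?P<tid>\d+) \(0x(?P<hex>[0-9A-Fa-f]+)\)$')
# "NAL[n] - [ERROR: ]<what failed>.  <reason text>."
NAL = re.compile(r'^NAL\[\d+\] - (?:ERROR: )?(?P<what>.+?)\.\s+(?P<why>.+?)\.?$')
# \\server\share as it appears inside the NAL path string.
UNC = re.compile(r'\\\\([\w.-]+)\\([\w$.-]+)')

def summarize(text):
    """Group NAL failures by thread and record the share each thread targeted."""
    threads = defaultdict(lambda: {"target": None, "when": None, "failures": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or int(m["hex"], 16) != int(m["tid"]):
            continue  # not a log line, or the two thread IDs disagree (damaged line)
        entry = threads[int(m["tid"])]
        nal = NAL.match(m["msg"])
        if nal:
            entry["failures"].append((nal["what"], nal["why"]))
            entry["when"] = entry["when"] or f'{m["date"]} {m["time"]}'
        unc = UNC.findall(m["msg"])
        if unc:
            entry["target"] = "\\\\{}\\{}".format(*unc[-1])
    # Only threads that actually logged a NAL failure are of interest.
    return {tid: e for tid, e in threads.items() if e["failures"]}

if __name__ == "__main__":
    for tid, e in summarize(SAMPLE).items():
        print(f'thread {tid} -> {e["target"]} at {e["when"]}')
        for what, why in e["failures"]:
            print(f'  {what}: {why}')
```

The summary names the share the failing thread was connecting to, which makes it easy to confirm that a manual access test was run against that same share and at the same time as the matching Security log entries on the DP.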
RE: Cannot read status of new DP in trusting domain - 8/8/2006 10:51:26 AM   
mreavis


Posts: 780
Score: 77
Joined: 9/10/2002
From: Olathe, Kansas
Status: offline
I am guessing that you are up to SP2 on SMS. Have you tried adding the fully qualified name of the server for the DP? It sounds like the site server is having problems locating the box.

_____________________________

Michael Reavis
SMS Admin
MCSE, MCDBA, MCDST
Johnson County Government

(in reply to slee)
Post #: 2
RE: Cannot read status of new DP in trusting domain - 8/8/2006 11:35:26 AM   
slee

 

Posts: 55
Score: 3
Joined: 10/12/2001
Status: offline
Thanks; FQDN of the DP is in place.

Have even added an entry in the site server's HOSTS file for the DP to help things along.  It's something about the way the Distribution Manager thread is accessing the DP, but I can't see what credentials it's trying to use.  I think it would use the site server computer account, but how to be certain?

_____________________________

Steve Lee
SMS Flunkie

(in reply to mreavis)
Post #: 3
RE: Cannot read status of new DP in trusting domain - 8/8/2006 4:37:00 PM   
mreavis


Posts: 780
Score: 77
Joined: 9/10/2002
From: Olathe, Kansas
Status: offline
Everything I have read states it will use the system account of the site server. So long as the site server is listed in the local admin group on the server you are wanting to use as a DP, it should work. IIS does not enter into the picture until you enable it as BITS; just setting up the DP is a matter of permissions on the target server. Are there any errors in the system log on the target DP? You may want to check for errors on SMS_Site_Component_Manager.



_____________________________

Michael Reavis
SMS Admin
MCSE, MCDBA, MCDST
Johnson County Government

(in reply to slee)
Post #: 4
RE: Cannot read status of new DP in trusting domain - 8/9/2006 5:34:22 PM   
slee

 

Posts: 55
Score: 3
Joined: 10/12/2001
Status: offline
May have narrowed it down a bit; looked at WBEM logs on the intended DP, and found "Impersonation failed" events, a la:

FRAMEWORK.LOG
Unable to locate Shell Process, Impersonation failed. 08/09/2006 13:55:17.881 thread:736 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.175]
Shell Name Explorer.exe in Registry not found in process list. 08/09/2006 13:55:17.928 thread:1324 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 08/09/2006 13:55:17.959 thread:1324 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.175]
Failed to open device \\.\PHYSICALDRIVE0 (0) for read 08/09/2006 13:55:20.209 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE1 (0) for read 08/09/2006 13:55:20.224 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE2 (0) for read 08/09/2006 13:55:20.240 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE3 (0) for read 08/09/2006 13:55:20.256 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE4 (0) for read 08/09/2006 13:55:20.256 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE5 (0) for read 08/09/2006 13:55:20.271 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE6 (0) for read 08/09/2006 13:55:20.287 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]

and WMIPROV.LOG
(Wed Aug 09 16:14:00 2006.1270107828) : Impersonation failed - Access denied
(Wed Aug 09 16:14:03 2006.1270111015) : WDM call returned error: 4200
(Wed Aug 09 16:18:01 2006.1270349187) : WDM call returned error: 4200

I've checked WMI privs on the server, and though localserver\administrators (which includes Domain Admins and the site server computer account) has full control, I've added the SMS01$ account explicitly with full rights, and restarted the WMI service.

At least it feels closer to a fix.

_____________________________

Steve Lee
SMS Flunkie

(in reply to mreavis)
Post #: 5
RE: Cannot read status of new DP in trusting domain - 8/18/2008 1:02:08 AM   
mbartosh

 

Posts: 97
Score: 0
Joined: 7/7/2004
From: California
Status: offline
Did you ever get a resolution?  I am having exactly the same problem.

(in reply to slee)
Post #: 6