Cannot read status of new DP in trusting domain



slee -> Cannot read status of new DP in trusting domain (8/8/2006 9:58:51 AM)

Found some similar threads, but not quite the same situation...

I've been trying to recreate a distribution point in a trusting domain, without success.  We had a DP in this domain previously, but took it out some time ago.  Now, trying to recreate the role on another box, the site server cannot push package source to the intended DP, nor can it see the status of the DP.  In the admin console's Site System Status list, the Total, Free, and % Free disk space all appear as "Unknown", with a "Down Since" value equal to the time I tried to copy a package to it.

The givens:
-Our DMZ domain trusts the Corp domain.
-DMZ01 is in the DMZ domain, SMS01 site server is in Corp domain.
-SMS Advanced Clients in the DMZ domain install successfully and report inventory, status, etc. back to the site server in Corp domain.
-Site server computer account SMS01$ is a local admin on file server DMZ01; SMS site is Advanced Security, so no service account.  Site server account is currently also a member of Corp domain's Domain Admins, which is a member of the DMZ domain's Administrators group.
-I can connect to and map a drive to the DMZ01 DP share \\DMZ01\SMSPACKAGE$ from the site server using a Corp domain administrator account, and create/delete files and folders.
-Firewall is open between DMZ devices and SMS01 (ANY<->ANY) until we get things set up and running.
-DNS resolution of each server name from the other works fine.

Here's the relevant part of distmgr.log (NAL logging is enabled):

-----------------------
Start adding package to server ["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\... SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 6336 (0x18C0)
Attempting to add or update a package on a distribution point. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
STATMSG: ID=2342 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SMS01 SITE=NA1 PID=3340 TID=12756 GMTDATE=Tue Aug 08 13:29:43.728 2006 ISTR0="Microsoft Updates Tool" ISTR1="["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=2 AID0=400 AVAL0="NA1000B7" AID1=404 AVAL1="["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\" SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to get connection status.  This network connection does not exist. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to make the network connection.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - ERROR: failed to obtain access.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
NAL[1] - The server is inaccessible.  Access is denied. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
Cannot establish connection to ["Display=\\DMZ01\SMSPKG$\"]MSWNET:["SMS_SITE=NA1"]\\DMZ01\SMSPKG$\ SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
Error occurred, performing error cleanup prior to returning. SMS_DISTRIBUTION_MANAGER 8/8/2006 08:29:43 12756 (0x31D4)
------------------------

Is there any way to draw more information out of those NAL errors beyond "Access is denied"?  I've tried turning up security logging on DMZ01, but only see Anonymous logons from SMS01 to DMZ01 that appear out of the ordinary.




mreavis -> RE: Cannot read status of new DP in trusting domain (8/8/2006 10:51:26 AM)

I am guessing that you are up to SP2 on SMS. Have you tried adding the fully qualified name of the server for the DP? It sounds like the site server is having problems locating the box.




slee -> RE: Cannot read status of new DP in trusting domain (8/8/2006 11:35:26 AM)

Thanks; FQDN of the DP is in place.

Have even added an entry in the site server's HOSTS file for the DP to help things along.  It's something about the way the Distribution Manager thread is accessing the DP, but I can't see what credentials it's trying to use.  I think it would use the site server computer account, but how to be certain?




mreavis -> RE: Cannot read status of new DP in trusting domain (8/8/2006 4:37:00 PM)

Everything I have read states it will use the system account of the site server. So long as the site server is listed in the local admin group on the server you are wanting to use as a DP, it should work. IIS does not enter into the picture until you enable it as BITS; just setting up the DP is a matter of permissions on the target server. Are there any errors in the system log on the target DP? You may want to check for errors on SMS_Site_Component_Manager.





slee -> RE: Cannot read status of new DP in trusting domain (8/9/2006 5:34:22 PM)

May have narrowed it down a bit; looked at WBEM logs on the intended DP, and found "Impersonation failed" events, a la:

FRAMEWORK.LOG
Unable to locate Shell Process, Impersonation failed. 08/09/2006 13:55:17.881 thread:736 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.175]
Shell Name Explorer.exe in Registry not found in process list. 08/09/2006 13:55:17.928 thread:1324 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 08/09/2006 13:55:17.959 thread:1324 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.175]
Failed to open device \\.\PHYSICALDRIVE0 (0) for read 08/09/2006 13:55:20.209 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE1 (0) for read 08/09/2006 13:55:20.224 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE2 (0) for read 08/09/2006 13:55:20.240 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE3 (0) for read 08/09/2006 13:55:20.256 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE4 (0) for read 08/09/2006 13:55:20.256 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE5 (0) for read 08/09/2006 13:55:20.271 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]
Failed to open device \\.\PHYSICALDRIVE6 (0) for read 08/09/2006 13:55:20.287 thread:3160 [d:\srvrtm\admin\wmi\wbem\providers\win32provider\providers\diskpartition.cpp.1040]

and WMIPROV.LOG
(Wed Aug 09 16:14:00 2006.1270107828) : Impersonation failed - Access denied
(Wed Aug 09 16:14:03 2006.1270111015) : WDM call returned error: 4200
(Wed Aug 09 16:18:01 2006.1270349187) : WDM call returned error: 4200

I've checked WMI privs on the server, and though localserver\administrators (which includes Domain Admins and the site server computer account) has full control, I've added the SMS01$ account explicitly with full rights, and restarted the WMI service.

At least it feels closer to a fix.




mbartosh -> RE: Cannot read status of new DP in trusting domain (8/18/2008 1:02:08 AM)

Did you ever get a resolution?  I am having exactly the same problem.



