New clients do not install and existing clients do not run advertisements after you install a new Management Point (832109)



The information in this article applies to:

  • Microsoft Systems Management Server 2003

SYMPTOMS

After you install and configure a new Management Point (MP) for Microsoft Systems Management Server (SMS) 2003, you may experience one or more of the following issues:
  • Computers are discovered and appear in the SMS Administrator Console as advanced clients, but the SMS client software is not installed on the client computers.
  • Computers are discovered and appear in the SMS Administrator Console as advanced clients, but the standard SMS client software is installed on the computer that is discovered.
  • Existing clients do not report a status for advertisements.
  • The following message is logged in the CAS.log on the SMS Advanced Client computer and in the SQLERROR log on SQL server: Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection
  • The IIS log on the management point may contain Error 401.
The following entries may appear on the Management Point in the MP_GetAuth.log file. Depending on whether the SMS client is also installed, this log file is located either in the \%windir%\system32\CCM\Logs\ folder or in the \SMS_CCM\Logs\ folder. (%windir% is the folder where the operating system is installed.)
<![LOG[CMPDBConnection::Init(): IDBInitialize::Initialize() failed with 0x80004005]LOG]!>
<![LOG[Raising event: [SMS_CodePage(437), SMS_LocaleID(1033)] instance of
MpEvent_ConnectDatabaseFailed {
      ClientID = "GUID:F4AB9DD6-362A-44B4-BAFA-6797AD71C79F";
      DatabaseName = "SMSDBname";
      DateTime = "20030919053031.203000+000";
      ErrorCode = "0x80004005";
      MachineName = "MPcomputername";
      ProcessID = 5124;
      ServerName = "SMSservername";
      SiteCode = "sitecode";
      ThreadID = 3512;
      Win32ErrorCode = 0;
};
]LOG]><time="00:30:31.219+000" date="09-19-2003" component="MP_GetAuth_ISAPI" context="Auth" 
type="1" thread="3512" file="event.cpp:522">
CMPDBConnection::Init(): IDBInitialize::Initialize() failed with 0x80040e4d $$<MP_GetAuth_ISAPI><Wed Feb 4 17:19:29.240 2004 Eastern Standard Time><thread=2664 (0xA68)>
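
The two MP_GetAuth.log layouts shown above can be scanned for the database-connect failure automatically. The following Python script is an added example, not part of the original article or of SMS; the function names are hypothetical, `SAMPLE` is constructed input modelled on the excerpts above, and the HRESULT names are the standard Windows/OLE DB definitions.

```python
import re

# Standard Windows/OLE DB meanings of the two HRESULTs in the excerpts above.
HRESULTS = {0x80004005: "E_FAIL (unspecified error)",
            0x80040E4D: "DB_SEC_E_AUTH_FAILED (authentication failed)"}

# Layout 1: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
XML_STYLE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!?>(?:\s*<(?P<attrs>time="[^<>]*)>)?', re.S)
# Layout 2: message $$<component><timestamp><thread=N (0xN)>
DOLLAR_STYLE = re.compile(
    r'^(?P<msg>[^<\n]*?)\s*\$\$<(?P<comp>[^>]*)><(?P<when>[^>]*)><thread=[^>]*>', re.M)
DB_INIT_FAIL = re.compile(r'IDBInitialize::Initialize\(\) failed with (0x[0-9A-Fa-f]{8})')
ATTR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample modelled on the excerpts above (not real log data).
SAMPLE = '''\
<![LOG[CMPDBConnection::Init(): IDBInitialize::Initialize() failed with 0x80004005]LOG]!><time="00:30:31.203+000" date="09-19-2003" component="MP_GetAuth_ISAPI" thread="3512">
<![LOG[Raising event: instance of MpEvent_ConnectDatabaseFailed { ErrorCode = "0x80004005"; };
]LOG]!><time="00:30:31.219+000" date="09-19-2003" component="MP_GetAuth_ISAPI" context="Auth"
type="1" thread="3512" file="event.cpp:522">
CMPDBConnection::Init(): IDBInitialize::Initialize() failed with 0x80040e4d $$<MP_GetAuth_ISAPI><Wed Feb 4 17:19:29.240 2004 Eastern Standard Time><thread=2664 (0xA68)>
'''

def parse_entries(text):
    """Yield (message, component, timestamp) for entries in either layout."""
    for m in XML_STYLE.finditer(text):
        attrs = dict(ATTR.findall(m.group("attrs") or ""))
        yield (m.group("msg"), attrs.get("component"),
               f'{attrs.get("date", "?")} {attrs.get("time", "?")}')
    for m in DOLLAR_STYLE.finditer(text):
        yield m.group("msg"), m.group("comp"), m.group("when")

def db_connect_failures(text):
    """Return one finding per IDBInitialize::Initialize() failure."""
    findings = []
    for msg, component, when in parse_entries(text):
        hit = DB_INIT_FAIL.search(msg)
        if hit:
            findings.append({
                "hresult": hit.group(1).lower(), "component": component,
                "when": when,
                "meaning": HRESULTS.get(int(hit.group(1), 16), "unknown")})
    return findings

if __name__ == "__main__":
    for finding in db_connect_failures(SAMPLE):
        print(finding)
```

The "Raising event" entry is parsed but not reported, because only the `IDBInitialize::Initialize()` failure lines carry the connection HRESULT.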

CAUSE

The Management Point may be prevented from connecting to the server that is running Microsoft SQL Server. These issues may occur for any one of the following reasons:
  • The Management Point does not have correct permissions on the SQL server.
  • Problems exist with SQL Service Principal Name (SPN) registration.
  • Problems exist with Kerberos or the Domain Name System (DNS) protocol.

WORKAROUND

To work around this problem, switch from a TCP connection to a Named Pipes connection between the Management Point and the SQL server. This can also be used to test whether the issue is with Kerberos authentication, which TCP uses. Named Pipes uses NTLM authentication. If switching from TCP to Named Pipes does not resolve the issue, run a Network Monitor trace to investigate possible network connectivity issues. If enabling Named Pipes on the Management Point resolves the issue, it indicates that Kerberos authentication is failing and the troubleshooting steps in this article will be helpful in diagnosing the cause.

To enable Named Pipes, follow these steps:
  1. On the Management Point server, click Start, click Run, type cliconfg, and then click OK. This starts the Client Network Utility.
  2. Add the SQL server NetBIOS name on the Alias tab with Named Pipes selected. This is the default setting.
  3. On the SQL server, run the Server Network Utility and make sure Named Pipes is at the top of the protocol stack.

The Management Point queries SQL every 10 minutes. A log entry will appear that indicates the number of Management Points in the site. This indicates a successful connection.

MORE INFORMATION

To troubleshoot these symptoms, follow the steps in the order in which they are presented.

Verify permissions

To start troubleshooting these symptoms, verify that the Management Point has the correct permissions to connect to the SQL database. To do this, follow these steps:
  1. At the Management Point server, log on with the SMS Service account credentials, click Start, click Run, type cmd, and then click OK. If your SMS site is running under the Standard security mode, go to step 3. If your SMS site is running in the Advanced security mode, go to step 2.
  2. If your SMS site is running Advanced security, start a new Command Prompt window that is running under the local system account. To do this, type the following at a command prompt, and then press ENTER:

    AT FutureTime /interactive cmd

    At the time that you specify, a new Command Prompt window opens that is running under Svchost.exe.

    Note: FutureTime can be any time that is later than the current time, in 24-hour form.
  3. At a command prompt, type the following, and then press ENTER:

    osql -S SQLServer -d SMSdbname -E

    Note: SQLServer is the name of the server that is running SQL Server, and SMSdbname is the name of the SQL database for your SMS site.

    If this command succeeds, your Management Point has the correct permissions to the SQL database. The command is successful if a 1> prompt is returned. Type exit, and then press ENTER to return to the command prompt. If you receive the following error message, go to step 4:
    Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.
  4. If you receive the "Login failed" error message that is described in step 3, repeat the command, but use the Fully Qualified Domain Name (FQDN). For example, type:

    osql -S SQLServer.europe.corp.microsoft.com -d SMSdbname -E

    If the command does not succeed, view the DNS settings for the domain where the Management Point computer is located.
  5. If the command still fails, check whether the MSSQLServer service is using a user account to log on. If it is, change the service to use the Local System account on the Log On tab in the service properties, and then run the commands again. If you must run the service by using a user account, make sure that the user account is added to the Domain Administrator group. You will also have to follow the steps in the following article in the Microsoft Knowledge Base:

    829868 Systems Management Server 2003 Advanced Security site with Remote SQL does not connect to SQL Server

Additional troubleshooting

  1. The appropriate Service Principal Name (SPN) attributes may not be generated for the account that started the SQL services. To resolve this issue, you must manually create the fully qualified domain name (FQDN) and NetBIOS SPN entries. To do this, you can use the SetSPN utility from the Windows 2000 Server Resource Kit. To download the SetSPN utility, visit the following Microsoft Web site:

    You must run the SetSPN utility on a computer that resides in the SQL server's domain. You must use Domain Administrator credentials. Determine whether the SQL services run as a domain account or as the local computer account. To use the SetSPN utility to manually create the appropriate SPNs, follow these steps:

    When the SQL service is started with a user account
    • To create the FQDN SPN at a Command Prompt window, type the following command:

      setspn -A MSSQLSvc/SqlHostname.mydomain.com:1433 SqlServiceAccount

    • To create the NetBIOS SPN at the command window, type the following command:

      setspn -A MSSQLSvc/SqlHostname:1433 SqlServiceAccount


    When the SQL service is started with the SQL server's System account
    • To create the FQDN SPN, type the following command at a command prompt:

      setspn -A MSSQLSvc/SqlHostname.mydomain.com:1433 SqlHostname

    • To create the NetBIOS SPN at the command window, type the following command:

      setspn -A MSSQLSvc/SqlHostname:1433 SqlHostname

  2. On each primary site, make sure that the SMS_SiteSystemToSQLConnection security group contains the computer accounts or SMS service accounts for all the child servers that report to the primary site. Typically, these accounts are added to the SMS_SiteSystemToSQLConnection security group when a site is installed. If the Setup program cannot add the account, the following site status message is logged in the SMS Administrator Console:

    4908 - Site Component Manager could not add machine account "%1" to the SQL Access Group "%2" on the SQL Server machine "%3".

  3. The Kerberos ticket cache may have to be reset. Use the Kerbtray tool from the Windows 2000 Server Resource Kit to clear the existing Kerberos ticket cache. To download the Kerbtray tool, visit the following Microsoft Web site:

    For more information about how to use the Kerbtray tool, click the following article number to view the article in the Microsoft Knowledge Base:

    232179 Kerberos administration in Windows 2000

  4. Make sure that the DNS server for the domain is listed first in the TCP/IP properties of the Management Point server.
  5. The FQDN for the target domain must be listed at the top of the suffix search list on the Management Point server. To change the suffix search list, follow these steps:
    1. Click Start, click Run, type ncpa.cpl, and then click OK.
    2. Right-click the connection that you want to change, and then click Properties.
    3. In the Connection Name Properties dialog box, select Internet Protocol (TCP/IP) under This connection uses the following items, and then click Properties.
    4. On the General tab, click Advanced, and then click the DNS tab.
    5. Click Append these DNS suffixes (in order), click the target domain, and then move the target domain to the top of the list by clicking the scroll arrow.
    6. Click OK two times, and then click Close.
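
For step 1 above (SPN registration), it helps to see which SPNs are already registered before adding any. The following Python script is an added example, not part of the original article: it compares `setspn -L` output with the FQDN and NetBIOS SPNs the article describes and returns only the `setspn -A` commands still needed. The function names are hypothetical, `LISTING` is constructed output, and `SqlHostname`, `mydomain.com` and `SqlServiceAccount` are the article's own placeholders.

```python
import re

# Constructed `setspn -L SqlServiceAccount` output: only the FQDN SPN exists.
LISTING = """\
Registered ServicePrincipalNames for CN=SqlServiceAccount,CN=Users,DC=mydomain,DC=com:
    MSSQLSvc/sqlhostname.mydomain.com:1433
"""


def expected_spns(host, dns_domain, port=1433):
    """FQDN and NetBIOS SPN forms from step 1 of the article."""
    return [f"MSSQLSvc/{host}.{dns_domain}:{port}", f"MSSQLSvc/{host}:{port}"]


def registered_spns(setspn_listing):
    """Collect the indented service/host lines; the header line is skipped."""
    return {line.strip().lower() for line in setspn_listing.splitlines()
            if re.match(r"\s+\S+/\S+", line)}


def missing_spn_commands(setspn_listing, host, dns_domain, account, port=1433):
    """Return the setspn -A commands for SPNs not yet on the account.

    `account` is the SQL service account when the service runs as a user,
    or the SQL server's computer name when it runs as the System account.
    SPN comparison is case-insensitive.
    """
    have = registered_spns(setspn_listing)
    return [f"setspn -A {spn} {account}"
            for spn in expected_spns(host, dns_domain, port)
            if spn.lower() not in have]


if __name__ == "__main__":
    for cmd in missing_spn_commands(LISTING, "SqlHostname", "mydomain.com",
                                    "SqlServiceAccount"):
        print(cmd)
```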

REFERENCES

For more information about running in SMS Advanced security with a remote SQL server, click the following article number to view the article in the Microsoft Knowledge Base:

829868 Systems Management Server 2003 Advanced Security site with Remote SQL does not connect to SQL Server

For more information about retrieving SPNs from Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:

298718 How to retrieve SPNs from the directory

For more information about Kerberos, click the following article numbers to view the articles in the Microsoft Knowledge Base:

266080 Answers to frequently asked Kerberos questions

326985 How to troubleshoot Kerberos-related issues in IIS


Modification Type: Minor
Last Reviewed: 8/22/2006
Keywords: kbSoftwareDist kbClient kbSecurity kbinfo KB832109 kbAudITPRO