How to troubleshoot common causes of Systems Management Server failure to connect to a distribution point (917484)



The information in this article applies to:

  • Microsoft Systems Management Server 2003
  • Microsoft Systems Management Server 2.0

SUMMARY

This article describes ways to troubleshoot the following common issues that may cause Microsoft Systems Management Server 2003 distribution point site-to-site connectivity failures:

  • The SMS computer account or SMS service account does not have local administrative rights on the distribution point server
  • Network issues
  • Windows administrative shares have been removed from the distribution point

INTRODUCTION

Consider the following scenario. You install a Systems Management Server (SMS) 2003 or SMS 2.0 distribution point. Then, you try to add or update a package on the distribution point share from the SMS console. However, in this scenario, the package may not be added or updated.

Additionally, the Distmgr.log file may show error messages that resemble the following messages:
Start adding package to server ["Display=\\DPServer\"]MSWNET:["SMS_SITE=SiteCode"]\\DPServer\... Attempting to add or update a package on a distribution point.
Cannot establish connection to ["Display=\\DPServer\"]MSWNET:["SMS_SITE=SiteCode"]\\DPServer\ Error occurred. Performing error cleanup prior to returning.
SMS Site System Status Summarizer still cannot access storage object "\\server\share$" on site system "\\server\share$". The operating system reported error 2147942405: Access is denied.

MORE INFORMATION

The SMS computer account or service account does not have local administrative rights on the distribution point server

The account that the SMS Distribution Manager service uses must have local administrator rights on SMS site systems that host distribution points. Distribution Manager uses the SMS computer account or the SMS service account. The SMS computer account operates by using advanced security and the service account operates by using standard security. The account that the SMS Distribution Manager service uses must have Full Control permissions to the package directory.

Standard security

The SMS service account must be a domain account. The SMS service account may belong to the Domain Administrator group. However, to help improve security, we recommend that you add the SMS service account to the local Administrator group on all SMS site systems. If the issue began after you changed the SMS service account to a different account, make sure that it belongs to the Domain Administrator group or the local Administrator group on all SMS site systems. Then, perform a site reset by using the new account information.

Troubleshooting permissions issues

Network Abstraction Layer (NAL) logging

Enable NAL logging to find additional information about the cause of the issue. For more information about how to enable NAL logging, click the following article number to view the article in the Microsoft Knowledge Base:

243385 SMS: Enabling network abstraction layer logging and setting logging levels

In the following example, notice that the SMS service account is denied access to the share because it is a local administrator account and not a member of the Domain Administrator group.

NAL[4] - Attempting to access with default user/password
NAL[4] - Checking if the current user logged on locally.
NAL[4] - The current user, 'SMSService', was logged into domain 'domainname' by server 'servername'.
NAL[4] - This computer, 'computername', is in domain 'domainname'.
NAL[4] - The current user context is only locally known.
NAL[4] - Can not make a network connection using a local user context.
NAL[1] - ERROR: failed to obtain access. Access is denied.
NAL[2] - WARNING: Connect() failed. Access is denied.
NAL[2] - WARNING: _TryUser() failed. Access is denied.
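
The following Python sketch is an added example, not part of the original article or of any SMS tooling. It scans Distmgr.log and NAL log lines for the messages shown above, decodes the decimal error value as an HRESULT, and flags the local-only account context; the function names, the hint text, and the mappings for Win32 codes 53 and 67 are assumptions.

```python
import re

FACILITY_WIN32 = 7  # HRESULT facility that wraps a plain Win32 error code
# Win32 codes mapped to the causes this article lists. Code 5 is the one the
# article shows; 53 and 67 are standard Win32 codes added as assumptions.
WIN32_HINTS = {
    5: "access denied: check the SMS account's local Administrators membership",
    53: "network path not found: check name resolution and connectivity",
    67: "network name not found: check that the share exists on the server",
}
OS_ERROR = re.compile(r"operating system reported error (\d+)")
NAL_LINE = re.compile(r"NAL\[(\d+)\] - (.*)")
NAL_USER = re.compile(r"The current user, '([^']+)'")

def decode_hresult(value):
    """Split a decimal HRESULT into (failure bit, facility, code)."""
    value &= 0xFFFFFFFF
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(lines):
    """Return (source, detail, hint) tuples for lines that point at a cause."""
    findings, user = [], None
    for line in lines:
        m = OS_ERROR.search(line)
        if m:
            failed, facility, code = decode_hresult(int(m.group(1)))
            if failed and facility == FACILITY_WIN32:
                hint = WIN32_HINTS.get(code, "unmapped Win32 error")
                findings.append(("win32", code, hint))
        m = NAL_LINE.search(line)
        if not m:
            continue
        who = NAL_USER.search(m.group(2))
        if who:
            user = who.group(1)  # remember which account NAL is trying
        if "only locally known" in m.group(2):
            findings.append(("nal", user, "account context is local only"))
    return findings

# Constructed sample, assembled from the message formats shown in this article.
SAMPLE = [
    r'Status Summarizer still cannot access storage object "\\server\share$". '
    'The operating system reported error 2147942405: Access is denied.',
    "NAL[4] - The current user, 'SMSService', was logged into domain 'domainname'.",
    "NAL[4] - The current user context is only locally known.",
    "NAL[1] - ERROR: failed to obtain access. Access is denied.",
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

The value 2147942405 is 0x80070005, that is, Win32 error 5 (Access is denied) wrapped in an HRESULT, which is why the decimal number in the status message and the NAL "Access is denied" lines describe the same failure.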

Advanced security

Verify that the computer account for the site server is added to the local Administrators group for the distribution point server.

For a Microsoft Windows Server 2003-based computer, you can add computer accounts to groups by using the Windows graphical user interface. For a Microsoft Windows 2000 Server-based computer, you can only add a computer account to a local group or local domain group by using the command prompt.

Add a computer account to a group by using the Windows graphical user interface

To add a computer account to a group by using the Windows interface, follow these steps:
  1. Open Computer Management on a member server or Active Directory Users and Computers on a domain controller.
  2. In the resulting pane, right-click the group that you want to work with, and then click Properties.
  3. On the General tab or the Members tab if you are using Active Directory, click Add.
  4. In the Select Users, Computers, or Groups dialog box, click Object Types.
  5. In the Object Types dialog box, select Computers, and then click OK.
  6. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type Computer_Name$, and then click OK.

    Note Computer_Name represents the name of the computer that you want to add to the group.
  7. When the Select Users, Computers, or Groups dialog box closes, verify that the computer that you added appears in the list.
Note When you set the computer as an object type to select, it does not persist the next time that you add an account. If you have to add another computer account, repeat these steps to select the correct object type.

Add a computer account to a group by using the command prompt

You can add computer accounts to a domain group or local group of another computer by typing the following command at a command prompt:

Net localgroup Group Domain_Name\Computer_Name$ /ADD

For example, you want to add a computer that is named "Dublin," which is a member of the NWTRADERS domain, to the Site System to Site Server Connection group in the ABC domain. Therefore, you type the following command at the command prompt:

Net localgroup SMS_SiteSystemToSiteServerConnection_ABC NWTRADERS\DUBLIN$ /ADD

Note If you do not specify a domain context for the computer account, it will use the current domain.

Network issues

You may have to troubleshoot the network connectivity and name resolution between the site server and the distribution point server.

You can use the network monitoring tool that is included with SMS to help you troubleshoot network issues. You can install Network Monitor 2.1 by running the NetmonSetup.exe setup program from the \NETMON\I386 folder on the SMS 2003 product CD. If you are upgrading from SMS 2.0, you must first uninstall Network Monitor 2.0 by using the Add or Remove Programs item in Control Panel.

Distribution point share does not exist

The distribution point installation process creates the distribution point share. When the Windows administrative shares have been removed from the distribution point, the share may not be created during the installation process. Root partitions and volumes are shared as the drive letter name appended with the $ (dollar sign). For example, drives C and D are shared as C$ and D$.

The system root folder (%SYSTEMROOT%) is shared as ADMIN$. This is the Windows folder. The administrative share provides administrators with easy access to the system root folder hierarchy over the network.

Do not remove the administrative shares if your organization uses SMS or Microsoft Operations Manager (MOM). Microsoft Exchange Server, SMS, and MOM rely on access to all default administrative shares on client and server computers to function correctly.

For more information about system-wide consequences of removing administrative shares, click the following article number to view the article in the Microsoft Knowledge Base:

842715 Overview of problems that may occur when administrative shares are missing

For more information about the security requirements for SMS and MOM, click the following article numbers to view the articles in the Microsoft Knowledge Base:

304685 Description of security rights for Microsoft Operations Manager 2000

122988 SMS installation incomplete with missing admin drive share

Other troubleshooting tools

Check the System event log for errors in the W3SVC and DCOM subkeys.

Modification Type: Major
Last Reviewed: 10/3/2006
Keywords: kbinfo KB917484