Logon points are not created in a trusted domain in Systems Management Server 2.0 (840677)
The information in this article applies to:
- Microsoft Systems Management Server 2.0
SYMPTOMS
After you turn on the following features in Microsoft Systems Management Server (SMS) version 2.0, logon points are not created in a trusted domain that is managed by the SMS site:
- Windows Networking Logon Discovery
- Windows Networking Logon Client Installation

Symptom example
You want to create logon points that are in the accounts domain, and the SMS site is in a resource domain. The following error message entry may appear in the Nt_logon.log file:

NetGetDCName domain: accounts domain server PDC return: 0
NetServerGetInfo server: PDC type: 4102b platform id: 500 version 4.0
Constructing NT server PDC
Connection to \\PDC\Admin$ FAILED; NAL Error = 0
CreateThread Success for object accounts domain threadID 1DB, ret=0
Begin server enumeration on domain accounts domain
CreateThread Success for object PDC threadID 63, ret=0
CreateThread Success for object PDC threadID 19C, ret=0
Begin enum of NTLM volumes on server PDC
Begin service enum on server PDC
NetShareEnum failure Unable to Enumerate NTLM volumes on server PDC, error=5
.
Completed service enum on server PDC
.
Thread 19C has terminated exit code=5

Note Error 5 is defined as an "Access Denied" error.

CAUSE
This issue occurs when the SMS Service account does not have sufficient permissions to create the SMS 2.0 logon point in the domain. For example, this might occur when you want to create logon points in an accounts domain when SMS is installed in a resource domain. If the resource domain name\SMS service account does not have sufficient permissions to connect to the admin$ share of the primary domain controller (PDC) in the accounts domain, the logon point is not created.

RESOLUTION
To resolve this issue, specify a domain administrator level site system connection account from the domain that you are trying to connect to. If you use the example from the Symptoms section, you would specify a site system connection account from the accounts domain that is a member of the accounts domain name\Domain Admins group.

Alternatively, you can add the SMS service account to the Domain Administrators group of the domain that you are trying to connect to. If you use the example from the Symptoms section, you would add the resource domain\SMSService account to the Domain Administrators group of the accounts domain.

Note The previous example uses the default SMSService account for demonstration purposes. Your SMS site may use a different account.

Important If you are running SMS 2.0 Service Pack 5 (SP5) and later, you can maintain logon points by using an account that is not a domain administrator.

To change the SMS service account, perform a site reset. To do this, follow these steps:
- Click Start, point to Programs, point to Systems Management Server, and then click SMS Setup.
- Click Next, and then click Next.
- Click Modify or reset the current installation, and then click Next.
- Type the account and password that you want to use for the SMS services, and then click Next.
- Click Next, click Next, click Next, and then click Finish.
- Click Yes to continue and reset the site.
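
To check which servers still show the access-denied pattern from the Symptoms section after the account change, the following added example (not part of the original article or of any Microsoft tool) correlates the Nt_logon.log entries per server, including mapping a failed worker thread back to the object it was created for. The regular expressions are assumptions inferred from the single excerpt above, and the BDC1 lines in the sample are constructed.

```python
import re
from collections import defaultdict

ERROR_ACCESS_DENIED = 5  # the article defines error 5 as "Access Denied"

# Line shapes inferred from the article's Nt_logon.log excerpt (an assumption).
RE_SPAWN = re.compile(r"CreateThread Success for object (?P<obj>.+?) threadID (?P<tid>[0-9A-Fa-f]+),")
RE_ADMIN = re.compile(r"Connection to \\\\(?P<server>[^\\]+)\\Admin\$ FAILED", re.I)
RE_ENUM = re.compile(r"NetShareEnum failure .* on server (?P<server>.+?), error=(?P<code>\d+)")
RE_EXIT = re.compile(r"Thread (?P<tid>[0-9A-Fa-f]+) has terminated exit code=(?P<code>\d+)")

# The first eight lines come from the article; the two BDC1 lines are constructed.
SAMPLE = r"""Connection to \\PDC\Admin$ FAILED; NAL Error = 0
CreateThread Success for object accounts domain threadID 1DB, ret=0
CreateThread Success for object PDC threadID 63, ret=0
CreateThread Success for object PDC threadID 19C, ret=0
Begin enum of NTLM volumes on server PDC
NetShareEnum failure Unable to Enumerate NTLM volumes on server PDC, error=5
Completed service enum on server PDC
Thread 19C has terminated exit code=5
CreateThread Success for object BDC1 threadID 2A4, ret=0
Thread 2A4 has terminated exit code=0"""

def triage(lines):
    """Return {server: set of findings} for servers showing the access-denied pattern."""
    owner = {}                    # thread ID -> object the thread was created for
    findings = defaultdict(set)
    for line in lines:
        if m := RE_SPAWN.search(line):
            owner[m["tid"].upper()] = m["obj"]
        elif m := RE_ADMIN.search(line):
            findings[m["server"]].add("admin$ connection failed")
        elif m := RE_ENUM.search(line):
            if int(m["code"]) == ERROR_ACCESS_DENIED:
                findings[m["server"]].add("NetShareEnum access denied")
        elif m := RE_EXIT.search(line):
            if int(m["code"]) == ERROR_ACCESS_DENIED:
                # Attribute the failed thread to its server; flag it if never seen.
                obj = owner.get(m["tid"].upper(), "unknown (thread %s)" % m["tid"])
                findings[obj].add("worker thread exited with access denied")
    return dict(findings)

if __name__ == "__main__":
    for server, notes in sorted(triage(SAMPLE.splitlines()).items()):
        print(server, "->", "; ".join(sorted(notes)))
```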

| Modification Type: | Minor | Last Reviewed: | 7/8/2005 |
|---|---|---|---|
| Keywords: | kbSMSSLP kbsmsAdmin kbUser kbsetup kbSecurity kbDiscovery kbprb KB840677 kbAudITPRO | | |