You receive status message "ID=5436" when you reset the passwords for Systems Management Server connection accounts during a site reset in Systems Management Server 2003 (886092)


The information in this article applies to:

  • Microsoft Systems Management Server 2003

SYMPTOMS

When you reset the passwords for Microsoft Systems Management Server (SMS) connection accounts during a site reset in SMS 2003, the following symptoms occur:
  • SMS 2003 client computers do not receive new advertisements.
  • SMS 2003 client computer inventory information is not updated in the site database.
  • You receive a status message that is similar to the following:
    MessageID=5436
    Severity=ERROR

    MP Control Manager detected MP is not responding to HTTP requests.
    The http error is HttpErrorCode.

    Possible cause: MP service is not started or not responding.
    Solution: Manually restart the SMS Agent Host service on the MP.

    Possible cause: IIS service is not responding.
    Solution: Manually restart the W3SVC service on the MP.

    Possible cause: MP encountered an error when connecting to SQL Server.
    Solution: Verify MP can connect to the SQL server and has sufficient access rights to the SQL server site system.
  • The following error message may be logged in the MP_GetAuth.log on the management point:
    CMPDBConnection::Init(): IDBInitialize::Initialize() failed with 0x80004005

Note If you have applied a service pack to your site, you receive a status message is similar to the following:

MessageID=5436
Severity=ERROR

MP Control Manager detected MP is not responding to HTTP requests.
The http error is HttpErrorCode

Possible cause: MP service is not started or not responding.
Solution: Manually restart the SMS Agent Host service on the MP.

Possible cause: IIS service is not responding.
Solution: Manually restart the W3SVC service on the MP.

Possible cause: MP encountered an error when connecting to SQL Server.
Solution: Verify that the SQL server is properly configured to allow Management Point access. If using a standard SQL security account, verify that the SQL Server is configured to allow standard SQL Security; or configure the Management Point to use an NT integrated security account, with appropriate access. If using integrated security, verify the account used by the MP to connect to the SQL server is a member of the SMS_SiteSystemToSQLConnection_SiteCode group on the SQL server, that the account is not locked out, and that the account password is not expired. (In standard security, the default account is SMS_SQL_RX_SiteCode.)

Possible cause: The SQL server Service Principal Names (SPNs) are not registered correctly in Active Directory
Solution: Ensure SQL server SPNs are correctly registered. Review Q829868

Possible cause: The Default Web site is disabled in IIS.
Solution: Verify that the Default Web site is enabled, and functioning properly.

CAUSE

This issue occurs when the connection account that a management point (MP) uses to log on to the site database has been locked out in the Active Directory directory service. The connection account may be locked out when all the following conditions are true:
  • The sites are in Standard security mode.
  • The management points use integrated security when they access the site database.
  • The management points are installed with the default settings. For example, the management points use the SMS_SQL_RX_SiteCode account to connect to the site database.
  • The account that is used by the Management Point to connect to the SQL server is a member of the SMS_SiteSystemToSQLConnection_SiteCode group on the SQL server.
  • The account password is not expired.
  • Group Policy enables account lockout for the SMS_SQL_RX_SiteCode account.
  • You reset the connection account password.
  • A management point site whose site control file has not been updated with the new connection account password tries to connect to the site database.

WORKAROUND

To work around this issue, create a new connection account for the management points. Next, configure the management points to use the new connection account. To do this, follow these steps:
  1. To create a new connection account, follow these steps:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
    2. Right-click the Users folder, point to New, and then click User.
    3. Type the new user information, make a note of what you type in the User logon name box, and then click Next.
    4. Type a password for the new connection account.
    5. Click to clear the User must change password at next logon check box.
    6. Click to select the Password never expires check box, click Next, and then click Finish.
    7. In the Users folder of the Active Directory Users and Computers snap-in, right-click the connection account that you created, and then click Properties.
    8. Click the Member Of tab, and then click Add.
    9. Type SMS_SiteSystemToSQLConnection_SiteCode in the Enter the object names to select (examples) box, and then click OK two times.
  2. To configure the management points to use the new connection account, follow these steps:
    1. Click Start, point to Programs, point to Systems Management Server, and then click SMS Administrator Console.
    2. Expand Site Database (SiteCode - SiteName), expand Site Hierarchy, expand the site that you want to modify, expand Site Settings, and then click Site Systems.
    3. Right-click a system that is a management point for the site, and then click Properties.
    4. Click the Management Point tab, and then click Use a different database in the Database box.
    5. Type the name of your site database server, and then type the name of your site database.
    6. Click Windows Authentication, and then click Set.
    7. Type the account information for the connection account that you created, and then click OK two times.
Note When you create connection accounts as described in this section, you must manually maintain the connection account. A site reset will not change the password for connection accounts that you create.

MORE INFORMATION

When you reset connection account passwords during a site reset, SMS 2003 may not update all the management points with this new configuration information before a management point connects to the site database. If you have enabled account lockout for the SMS 2003 connection accounts and you plan to reset connection account passwords, consider disabling account lockout for SMS 2003 connection accounts before you perform a site reset. When SMS 2003 has updated all the management points to use the new connection account password, you can enable account lockout again for the SMS 2003 connection accounts.

If the account continues to be locked out after the site has been reset and all site control changes have been updated, you can determine which site that contains a management point is still using the old password. You can determine this by the Netlogon.log file. If this log in a site shows that the account continues to be locked out, the site is still using the old password. To do this, follow these steps:
  1. Enable Net Logon logging on the domain controller. For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:

    109626 Enabling debug logging for the Net Logon service

  2. Unlock the account, and then wait for it to lock again.
  3. When a Netlogon.log file has been produced, examine the file for the following line: 
    03/15 13:19:33 [LOGON] SamLogon: Network logon of MEREDITH\SMSServer_S1M from PBCKUP1M Returns 0xC0000234
    Notes
    • The 0xC0000234 code stands for the following status message: STATUS_ACCOUNT_LOCKED_OUT.
    • The Netlogon.log file is located in the %windir%\debug\ folder.
To troubleshoot the cause of the site control file not updating on the secondary site, generate a site control change on the primary site. Then, track the flow in the appropriate logs to the secondary site. You can track the following logs on the parent site:
  • Sitectrl.log
  • Sitectrl.log
  • Hman.log
  • Replmgr.log
  • Sched.log
  • Sender.log
You can track the following logs on the child site:
  • despool.log
  • hman.log
  • sitectrl.log

REFERENCES

For more information about a similar issue, click the following article number to view the article in the Microsoft Knowledge Base:

829868 Systems Management Server 2003 advanced security site with remote SQL does not connect to SQL Server

For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:

109626 Enabling debug logging for the Net Logon service

For more information about scenarios and procedures for SMS 2003, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/sms/sms2003/security/spsecsms03/spsec_8.mspx

For more information about account lockout, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/en-us/gp/507.asp?frame=true

For more information about how to manage Active Directory, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/admng.mspx

Modification Type:MinorLast Reviewed:9/13/2006
Keywords:kbtshoot kbwinservperf kbMgmtServices kbprb KB886092 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.