Cannot install a Systems Management Server 2003 Management Point role on Windows Server 2003 domain controllers (886213)
The information in this article applies to:

  • Microsoft Systems Management Server 2003

SYMPTOMS

When you try to install a Microsoft Systems Management Server (SMS) 2003 Management Point role on a Microsoft Windows Server 2003-based domain controller, you may experience the following symptoms:
  • The SMS 2003 site system role is not installed.
  • The Mpmsi.log file that is located in the \SMS\Logs folder on the SMS 2003 site system computer may contain errors that are similar to the following:
    2.00.3790.00
    Calling process: D:\SMS\bin\i386\MPsetup.exe ===
    MSI (c) (A0:18): Resetting cached policy values
    MSI (c) (A0:18): Machine policy value 'Debug' is 0
    MSI (c) (A0:18): ******* RunEngine:
    ******* Product: D:\SMS\bin\i386\mp.msi
    ******* Action:
    ******* CommandLine: **********
    MSI (c) (A0:18): Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (A0:18): Failed to grab execution mutex. System error 258.
    MSI (c) (A0:18): Cloaking enabled.
    MSI (c) (A0:18): Attempting to enable all disabled privileges before calling Install on Server
    MSI (c) (A0:18): Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (c) (A0:18): Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
    MSI (c) (A0:18): MainEngineThread is returning 1618
The Management Point role may appear to install correctly. However, when you run a diagnostic query, you may receive an IIS error.

For example, you try to use Microsoft Internet Explorer to access the following URL:

http://name of the SMS 2003 Management Point/sms_mp/.sms_aut?mplist

In this case, you may receive the following error message:
401.3 Unauthorized due to ACL on resource
Additionally, the Mpcontrol.log file that is located in the \SMS\Logs folder on the SMS 2003 site server may contain the following error:
Http verification .sms_aut failed with status code 401, Unauthorized $$<SMS_MP_CONTROL_MANAGER><date time year time zone><thread=2648 (0xA58)>

CAUSE

This behavior occurs if the following two domain user accounts have logon restrictions set on one or more computers that are members of the domain:
  • IWAM_name of the domain controller
  • IUSR_name of the domain controller
These accounts are typically created as local accounts on the computer where you have installed Microsoft Internet Information Services (IIS). However, when IIS is installed on a Windows Server 2003-based domain controller that does not have local user accounts, these accounts are created as domain accounts.

The IWAM_name of the domain controller and the IUSR_name of the domain controller domain accounts are copies of the domain Guest account and are created during the IIS Setup process. Therefore, when you make changes to the domain Guest account before you install IIS on a domain controller, the changes are inherited by the IWAM_name of the domain controller domain account and the IUSR_name of the domain controller domain account during the IIS installation process. Additionally, you must make sure that the IWAM_name of the domain controller domain account is included as part of the domain's IIS_WPG group. If IIS is removed from the domain controller computer, the removal process also removes the IIS_WPG group from all domain controllers because they share the same account database.

WORKAROUND

To work around this problem, you must make sure that the domain Guest account has the attributes that you need before you install IIS on any domain controller in your domain.

Make sure the IWAM_name of the domain controller account is part of the name of your domain\IIS_WPG group. If you have removed IIS from the domain controller, you must manually add the account back to the name of your domain\IIS_WPG group so the SMS 2003 Management Point can work correctly. To do this, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the Active Directory Users and Computers snap-in, expand name of your domain, and then click Users.
  3. In the right pane of the Active Directory Users and Computers snap-in, double-click the IIS_WPG group.
  4. In the IIS_WPG Properties dialog box, click the Members tab, and then make sure that the IWAM_name of the domain controller account is listed. If the IWAM_name of the domain controller account is not listed, click Add. In the Users, Computers, or Groups dialog box, type IWAM_name of the domain controller in the Enter Object names to select box, click OK, and then click OK again.
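The following PowerShell script is an added example and is not part of this article; it checks the two conditions described above (logon restrictions inherited from the Guest account on the IWAM_ and IUSR_ domain accounts, and IWAM_ membership in the domain's IIS_WPG group) through ADSI, and optionally performs step 4. It assumes it is run by a domain administrator on a computer that is a member of the domain, and the domain controller name is passed in $DcName (default: the local computer).

```powershell
# Added example, not from the KB article. Audits the IIS accounts that a
# Windows Server 2003 domain controller creates as domain accounts.
param(
    [string]$DcName = $env:COMPUTERNAME,   # assumption: run on the DC itself
    [switch]$Fix                            # add IWAM_<DC> to IIS_WPG if missing
)

$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext.Value)"

# Look up a domain object by its sAMAccountName; returns $null if not found.
function Find-AdObject([string]$SamAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $result = $searcher.FindOne()
    if ($result) { $result.GetDirectoryEntry() } else { $null }
}

# 1. Logon restrictions copied from the Guest template: the "Log On To" list is
#    stored in userWorkstations (empty = all computers); bit 0x2 of
#    userAccountControl means the account is disabled.
foreach ($name in "IWAM_$DcName", "IUSR_$DcName") {
    $acct = Find-AdObject $name
    if (-not $acct) { Write-Warning "$name was not found as a domain account"; continue }
    $disabled     = ([int]$acct.userAccountControl.Value -band 0x2) -ne 0
    $workstations = [string]$acct.userWorkstations.Value
    $logOnTo      = if ($workstations) { $workstations } else { "all computers" }
    Write-Host ("{0}: disabled={1}; Log On To={2}" -f $name, $disabled, $logOnTo)
    if ($workstations -and (($workstations -split ",") -notcontains $DcName)) {
        Write-Warning "$name is not allowed to log on to $DcName (restriction inherited from Guest)"
    }
}

# 2. IWAM_<DC> must be a member of DOMAIN\IIS_WPG (step 4 of the workaround).
$group = Find-AdObject "IIS_WPG"
if (-not $group) { Write-Warning "IIS_WPG was not found in the domain; reinstalling IIS recreates it"; return }
$iwam = Find-AdObject "IWAM_$DcName"
if (-not $iwam) { return }
$isMember = @($group.member) -contains $iwam.distinguishedName.Value
Write-Host ("IWAM_{0} in IIS_WPG: {1}" -f $DcName, $isMember)
if (-not $isMember) {
    if ($Fix) {
        $group.Invoke("Add", $iwam.Path)   # same effect as Add in IIS_WPG Properties
        Write-Host "Added IWAM_$DcName to IIS_WPG"
    } else {
        Write-Warning "IWAM_$DcName is missing from IIS_WPG; rerun with -Fix to add it"
    }
}
```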

STATUS

This behavior is by design.

MORE INFORMATION

On a Windows Server 2003-based computer, the IIS Setup process creates three accounts. Two of the accounts are directly affected by the properties and attributes of the existing Guest account:
  • IWAM_computer name
  • IUSR_computer name
  • IIS_WPG group
The IWAM_computer name account is used for out-of-process programs. If the IWAM_computer name account does not have the correct access, IIS still works correctly because most programs are run out-of-process on IIS version 6.0.

The IUSR_computer name account is the Internet Guest User account for anonymous Internet users. If the IUSR_computer name account is disabled, anonymous access fails.

The IIS_WPG group is the Worker Process Group. If it is disabled, IIS does not work correctly. If this group account is created on a domain controller, this group is shared by multiple IIS servers. Typically, the IWAM_name of the domain controller account is located in this group. Every domain controller that is running IIS 6 has an account in this group. The IIS_WPG group is not a copy of the Guest account.

Modification Type: Minor
Last Reviewed: 6/13/2005
Keywords: kbtshoot kbprb KB886213 kbAudITPRO