When using System Center Configuration Manager 2007 and restoring from a backup created via the "Backup ConfigMgr Site Server" maintenance task, OSD and Task Sequences may no longer function if the restore was performed after a Windows OS reinstall on the server or restoration to new server hardware. Obtaining the SMSTS.log from a failing client PC reveals the following errors:
Parsing Policy Body. TSMBootstrap
(!sNetworkAccessAccount.empty()) && (!sNetworkAccessPassword.empty()), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1518) TSMBootstrap
Found empty NetworkAccessUsername/NetworkAccessPassword from NAAConfig CCM_NetworkAccessAccount TSMBootstrap
GetEncodedNetworkAccessAccount (sEncodedAccount, sEncodedPassword), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1544) TSMBootstrap
Network Access Account is not set TSMBootstrap
GetNetworkAccessAccount( sNetworkAccessAccount, sNetworkAccessPassword ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1597) TSMBootstrap
pTSPolicyManager->GetContentLocations( m_sPackageID, m_lSourceVersion, m_dwContentSourceFlags, slistContentLocations, slistHttpContentLocations, slistMulticastContentLocations, m_dwContentPackageFlags ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,2330) TSMBootstrap
(*iTSReference)->Resolve( pTSPolicyManager, dwResolveFlags ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,2862) TSMBootstrap
m_pSelectedTaskSequence->Resolve( m_pPolicyManager, TS::Policy::TaskSequence::ResolvePolicy | TS::Policy::TaskSequence::ResolveSource, fpCallbackProc, pv, hCancelEvent), HRESULT=80040101 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,1208) TSMBootstrap
Failed to resolve selected task sequence dependencies. Code(0x80040101) TSMBootstrap
hrReturn, HRESULT=80040101 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediaresolveprogresspage.cpp,408) TSMBootstrap
ThreadToResolveAndExecuteTaskSequence failed. Code(0x80040101) TSMBootstrap
ThreadToResolveAndExecuteTaskSequence returned code 0x80040101 TSMBootstrap
Setting wizard error: Failed to read network access account from machine policy. For more information, please contact your system administrator or helpdesk operator. TSMBootstrap
The SMSTS.log above appears to show that the Network Access Account (NAA) is not set. The Task Sequence needs the Network Access Account to access network resources while in WinPE, because a client PC in WinPE is the equivalent of a non-domain-joined workgroup PC.
Note: For additional information see the following TechNet article:
About the Network Access Account http://technet.microsoft.com/en-us/library/bb680398.aspx
Reviewing the properties of the Computer Client Agent in the ConfigMgr 2007 admin console under Site Settings --> Client Agents reveals that the Network Access Account is set. Resetting the Network Access Account in the properties of the Computer Client Agent by reentering the Network Access Account's username and password seems to resolve the error, but then causes a new error in the SMSTS.log.
Note: For information on resetting the Network Access Account see the following TechNet article:
How to Configure the Network Access Account http://technet.microsoft.com/en-us/library/bb632397.aspx
Reviewing the SMSTS.log on the failed client PC reveals the following error:
Decompressing reply body. TSMBootstrap
::DecompressBuffer(65536) TSMBootstrap
Decompression (zlib) succeeded: original size 476, uncompressed size 2568. TSMBootstrap
CryptMsgControl (hMsg, 0, CMSG_CTRL_VERIFY_SIGNATURE, pCert->pCertInfo), HRESULT=8009100e (e:\nts_sms_fre\sms\framework\osdmessaging\libcrypt.cpp,351) TSMBootstrap
signature varification failed TSMBootstrap
ipCertContext != listpServerCertContext.end(), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\osdmessaging\libsmsmessaging.cpp,2476) TSMBootstrap
signature check failed: <signature> TSMBootstrap
DoRequest (sReply, true), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\osdmessaging\libsmsmessaging.cpp,5010) TSMBootstrap
Failed to get client identity (80004005) TSMBootstrap
ClientIdentity.RequestClientIdentity (), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,815) TSMBootstrap
failed to request for client TSMBootstrap
Exiting TSMediaWizardControl::GetPolicy. TSMBootstrap
pWelcomePage->m_pTSMediaWizardControl->GetPolicy(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawelcomepage.cpp,280) TSMBootstrap
Setting wizard error: An error occurred while retrieving policy for this computer (0x80004005). For more information, please contact your system administrator or helpdesk operator. TSMBootstrap
This issue is caused by the backup restoring the srvacct folder from the original ConfigMgr 2007 installation instead of keeping the srvacct folder from the new ConfigMgr 2007 installation. The srvacct folder can be found at the root level of the directory where ConfigMgr 2007 is installed. Normally this folder contains a text file named srvacct.<site_code>. The text file holds the public keys that, together with private keys stored in the Windows OS, allow service account information (username/password) to be decrypted, which includes the Network Access Account.
When a Windows OS is freshly installed, either via a reinstall of the OS or an install on new hardware, new private keys are generated in the Windows OS when ConfigMgr 2007 is installed. The public keys that match those private keys are then generated and stored in the srvacct folder in the file srvacct.<site_code>. If a backup restores the srvacct folder from another instance of the Windows OS, the public keys in the srvacct.<site_code> file will no longer match the private keys in the Windows OS. As a result, the information for any service account used by ConfigMgr 2007, including the Network Access Account, cannot be decrypted and used.
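The two SMSTS.log excerpts above can be recognized mechanically. The following is an added example, not code from Microsoft or from the original article: it scans log text for the message fragments and HRESULT entries shown above and maps them to the causes this article describes. The function names `triage` and `verdict`, the stage labels and the `naa_set_in_console` parameter are hypothetical.

```python
import re

# "HRESULT=<8 hex digits> (<source file>,<line>)" as printed in the excerpts
HRESULT_RE = re.compile(r"HRESULT=([0-9a-fA-F]{8}) \(([^()]*?),(\d+)\)")

# Message fragments copied from the two excerpts, grouped by failure stage
STAGES = {
    "naa_empty": ("Found empty NetworkAccessUsername/NetworkAccessPassword",
                  "Network Access Account is not set"),
    "policy_signature_failed": ("CMSG_CTRL_VERIFY_SIGNATURE",
                                "signature check failed"),
}

def triage(log_text):
    """Return the stages seen and the first source location per HRESULT."""
    stages, hresults = [], {}
    for line in log_text.splitlines():
        for stage, needles in STAGES.items():
            if stage not in stages and any(n in line for n in needles):
                stages.append(stage)
        for code, path, lineno in HRESULT_RE.findall(line):
            source = path.replace("\\", "/").rsplit("/", 1)[-1]
            hresults.setdefault(code.lower(), f"{source}:{lineno}")
    return {"stages": stages, "hresults": hresults}

def verdict(result, naa_set_in_console):
    """Map the stages to the causes this article describes (hypothetical helper)."""
    stages = result["stages"]
    if "policy_signature_failed" in stages:
        return "srvacct key mismatch: policy reply signature did not verify"
    if "naa_empty" in stages and naa_set_in_console:
        return "srvacct key mismatch suspected: NAA is set on the site but empty on the client"
    if "naa_empty" in stages:
        return "NAA not configured on the site"
    return "no known signature"

# Constructed sample: three lines taken from the first excerpt above
SAMPLE = r"""Found empty NetworkAccessUsername/NetworkAccessPassword from NAAConfig CCM_NetworkAccessAccount TSMBootstrap
GetEncodedNetworkAccessAccount (sEncodedAccount, sEncodedPassword), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1544) TSMBootstrap
Failed to resolve selected task sequence dependencies. Code(0x80040101) TSMBootstrap"""

if __name__ == "__main__":
    found = triage(SAMPLE)
    print(found)
    print(verdict(found, naa_set_in_console=True))
```

Pass `naa_set_in_console=True` only after confirming the account in the Computer Client Agent properties, since an empty NAA on the client is also what an unconfigured site produces.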
This issue can also cause problems in areas of ConfigMgr 2007 other than Task Sequences and OSD. Service accounts are not normally used in ConfigMgr 2007 since most operations use the SYSTEM/site server's computer account. The only exception to this rule is the Network Access Account, which is needed by Task Sequences when running in WinPE and is the reason why this issue most prominently affects OSD.
Service accounts can be used instead of the SYSTEM/site server's computer account in areas of ConfigMgr 2007 other than Task Sequences and OSD. For a list of the different areas in ConfigMgr 2007 that can be optionally configured to use service accounts and may be affected by this issue, please see the following TechNet articles:
Accounts Configured in the Configuration Manager Console http://technet.microsoft.com/en-us/library/bb693849.aspx
How to Configure Configuration Manager 2007 Accounts http://technet.microsoft.com/en-us/library/bb680323.aspx
The two other areas that would most likely be affected by this problem other than OSD would be the use of Site Address Accounts (leading to sites not being able to communicate with one another) and database access accounts (leading to site roles not being able to access the database). The issue is mostly seen with OSD since a service account (the Network Access Account) is always needed and used.
To resolve the issue, the ConfigMgr 2007 site will need to be reinstalled from scratch. The current restored ConfigMgr 2007 site cannot be used since the original srvacct folder no longer exists.
Note: If the above solution is being used to resolve the issue for a component other than OSD (i.e., site address accounts or database connection accounts), in Steps 8-9, navigate to the appropriate section in the ConfigMgr 2007 Admin Console (i.e., Addresses or properties of the Site Systems roles) and reset the appropriate service accounts using the same instructions listed in Steps 10-12.
The information above was published today in the following Microsoft Knowledge Base article written by Frank Rojas:
KB2509330 - OSD and Task Sequences fail after restoring a Configuration Manager 2007 Central site from backup
J.C. Hornbeck | System Center Knowledge Engineer
I simply redefined my Network Access account per the article below and it worked. I cringed at the idea of starting over after the restore process. Please try that before you jump through these crazy hoops as it only takes a few mins. In my situation, I think that Microsoft better completely rethink this whole article even being posted. This process they are speaking about above would have taken literally hours upon hours to get back to the point I’m at after the restore. Thanks!!
Hey Ferrell, thank you so much for that advice, that saved me a lot of time. It works great!!!