Last week I mentioned that many of the calls we get in customer support involve advanced client push installations and this week I want to mention another common call, that being SMS Administrator Console connectivity.
As is the case with advanced client push installs, we already have a troubleshooting doc that covers it so if you haven't seen it I posted it below. This is published in our Knowledge Base as article 317872 but I wanted to bring your attention to it in case you haven't seen it before.
The full URL to the article is http://support.microsoft.com/?kbid=317872 and any changes or updates going forward will be made in the KB article itself.
The complete existing troubleshooter is listed below:
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 - Description of the Microsoft Windows registry
If you are using SMS and you try to connect to the site server, you may receive a "Connection Failed" message. Or, the nodes may not be displayed after you are connected. Additionally, errors that are similar to the following may be logged in the AdminUI.log file on the server:
Error: Possible UI connection error code is -2147023174 [0x800706ba]
Error: Possible UI connection error code is -2146959355 [0x80080005]
Error: Possible UI connection error code is -2147217394
Error: Possible UI connection error code is -2147217389[0x80041013] Failed to execute method GetProviderVersion! Function GetProviderVersion returns empty string of ProviderVersion. Wbem call failed: T_WbemSyncEnumToContainer_Core, return code: -2147217389 We fail to get the ProviderVersion. SiteCode - SiteServerName , Provider Version : Failed to set the connection. error code: -2147217389
Error(ConnectServer): Possible UI connection error code is -2147024891
Error: Possible UI connection error code is -2147024891 [0x80070005]
[<date> <time>]:Error(CheckForDisconnect2): Invalid service pointer. WMI connection has been dropped. : -2147024891 [0x80070005]
This article describes how to troubleshoot a new or an existing SMS Administrator console to determine why it cannot connect to the site server.
1. Create a global group for the domain that contains users who require specific access to the SMS Administrator console.
2. Add this global group or the explicit domain user account to the local SMS Admins group.
3. Configure the SMS permissions for the global group that you created.
Notes
• To complete this step, you must be an administrator and have full permissions on the site.
• If you can connect to the database but if the nodes are not enumerated, examine the SMS permissions that are granted to the global group or to a specific user in the Security node of the SMS Administrator console. For example, determine whether the collections node, the packages node, or other nodes display any content.
The permissions that you grant depend on the functionality that you want the members of this global group to perform. To grant permissions, right-click the Security rights node in the SMS Administrator console, point to All tasks, and then click Manage SMS Users to start the Security Wizard.
4. Use the wizard to add, remove, or modify the security settings of users and of groups.
Note For SMS 2.0 Service Pack 3 (SP3) hierarchies in Microsoft Windows 2000 domains, you may have to obtain the hotfix that is described in the following Microsoft Knowledge Base article:
266712 - SMS: Security based on global groups fails in Windows 2000 domains
For more information about how to grant additional users access to the SMS Administrator console, click the following article number to view the article in the Microsoft Knowledge Base:
252674 - SMS: How to set up a Help Desk administrator
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
201126 - SMS: Troubleshooting connectivity to the SMS site database
200670 - SMS: Customizing the Systems Management Server Administrator console
CLASS_SMS_ContextMethods,METHOD_GetContextHandle! Failed to set the connection. error code: -2147217407
Run the Setup program from the service pack source to determine whether the SMS Administrator console is the only component that must be upgraded.
To troubleshoot SMS Administrator console connectivity, consider the following issues:
• Is the SMS site server running Microsoft Windows Server 2003 with Service Pack 1 (SP1)? In Windows Server 2003 with SP1, a new local group is created that is named Distributed COM Users. To resolve the connectivity issue in Windows Server 2003 Service Pack 1, add the users who are trying to make remote connections to the SMS Administrator console to the Distributed COM Users local group. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
913000 - After you install Windows Server 2003 Service Pack 1, you can no longer connect to the SMS site server by using a remote SMS Administrator console
895952 - You receive a "You do not have the appropriate privilege" error message when you try to open the Microsoft Operations Manager (MOM) 2005 Administrator console
• Is the user a member of a global group that is a member in the SMS Admins group, or is the user explicitly defined in the SMS Admins group? The SMS Admins group is created during the SMS site installation. If a site was installed on a member server, the SMS Admins group is a local group in the local Security Accounts Manager (SAM). If a site server is a domain controller, the SMS Admins group is a local group in the domain. The user must belong to the SMS Admins group because this group is granted the necessary permissions to the SMS and SMS_site code namespace in the Windows Management Instrumentation (WMI) repository when the SMS site is built.
• Has this server had a previous installation of SMS? If the server has had a previous installation of SMS, there may be multiple site codes in the SMS_ProviderLocation class that is located in the site server's SMS namespace. Delete any site code that no longer exists on the site server. You can use the WBEMtest tool to view the SMS_ProviderLocation class. For more information about WBEMtest, click the following article number to view the article in the Microsoft Knowledge Base:
239899 - Administrator console cannot connect after reinstallation
• On the site server, confirm property settings that are defined in the Dcomcnfg.exe utility. To view the properties that are defined in the Dcomcnfg.exe utility, click the Default properties tab, and then confirm the following settings:
1. The Enable Distributed COM on this computer check box is selected.
2. The Default Authentication level is set to Connect.
3. The Default Impersonation level is set to Identify.
• If you are testing a remote SMS Administrator console, make sure that the latest SMS service pack has been applied to this console. Run the Setup program from the service pack source to determine whether the SMS Administrator console is the only component that must be upgraded.
After you consider these issues, complete the troubleshooting procedures that are described in the following sections.
1. Click Start, click Run, and then type wbemtest.
2. Click Connect, type \\siteserver\root\sms, and then click Login.
3. Click Enum Classes, click Recursive, and then click OK.
4. In the Query Result list, double-click SMS_ProviderLocation.
5. Click Instances, and then double-click the line that contains the target site code. For example, SMS_ProviderLocation.SiteCode="xxx".
6. In the Properties section, locate the NamespacePath line. You may have to double-click this line to see the whole line.
7. Copy the NamespacePath value to the clipboard. For example, copy the following value:
If you successfully complete this procedure, you can connect to the site server and enumerate the SMS namespace.
1. Close all WBEMtest windows that may be open.
2. Click Connect, paste the NamespacePath that you copied in step 7, and then click Login.
3. Click Enum Classes, click Recursive, and then click OK.
4. In the Query Result list, double-click SMS_Site.
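The two WBEMtest procedures above, replayed from PowerShell so they can be scripted and re-run from a remote console machine. This is an added example, not code from the KB article: the site server name and site code are caller-supplied parameters, and the error-code mapping in the comments refers to the AdminUI.log lines quoted at the top of the article. Get-WmiObject is used deliberately because it connects over DCOM/RPC, the same transport the SMS Administrator console uses; Get-CimInstance would default to WS-Management and not exercise the same path.

```powershell
# Added example, not part of the KB article: the two WBEMtest procedures above driven
# from PowerShell. Assumptions: -SiteServer is the SMS site server name and -SiteCode
# the three-character site code; both are caller-supplied, not values from the article.
param(
    [Parameter(Mandatory = $true)][string]$SiteServer,
    [Parameter(Mandatory = $true)][string]$SiteCode
)

function Get-SmsProviderNamespacePath {
    param([string]$Server, [string]$Code)
    # Steps 2-5: connect to \\server\root\sms and read SMS_ProviderLocation
    $locations = @(Get-WmiObject -ComputerName $Server -Namespace 'root\sms' `
                                 -Class SMS_ProviderLocation -ErrorAction Stop)
    # Several site codes here is the "previous installation" symptom: stale
    # SMS_ProviderLocation instances left behind by an earlier SMS install.
    if ($locations.Count -gt 1) {
        $codes = ($locations | ForEach-Object { $_.SiteCode }) -join ', '
        Write-Warning "root\sms on $Server lists $($locations.Count) provider locations: $codes"
    }
    $mine = $locations | Where-Object { $_.SiteCode -eq $Code }
    if (-not $mine) { throw "No SMS_ProviderLocation instance for site code $Code on $Server" }
    # Steps 6-7: NamespacePath, e.g. \\SERVER\root\sms\site_XXX
    return $mine.NamespacePath
}

function Get-SmsSitesFromNamespacePath {
    param([string]$NamespacePath)
    # NamespacePath is a UNC-style path; split it into provider host and namespace
    if ($NamespacePath -notmatch '^\\\\([^\\]+)\\(.+)$') {
        throw "Unexpected NamespacePath format: $NamespacePath"
    }
    $providerHost = $Matches[1]
    $namespace    = $Matches[2]
    # Second procedure: log in to the site namespace and enumerate SMS_Site
    return Get-WmiObject -ComputerName $providerHost -Namespace $namespace `
                         -Class SMS_Site -ErrorAction Stop
}

try {
    $path = Get-SmsProviderNamespacePath -Server $SiteServer -Code $SiteCode
    "NamespacePath: $path"
    Get-SmsSitesFromNamespacePath -NamespacePath $path |
        Select-Object SiteCode, SiteName, ServerName, Type | Format-Table -AutoSize
} catch {
    # Map the failure onto the AdminUI.log codes quoted at the top of the article:
    #   0x80070005 / 0x80041003  access denied (DCOM limits or WMI namespace rights)
    #   0x800706BA               RPC server unavailable (firewall, name resolution, RPC)
    #   0x80080005               server execution failed (DCOM activation)
    Write-Error ("{0}: {1}" -f $_.Exception.GetType().Name, $_.Exception.Message)
}
```

Run it under the account whose console fails, from the machine where the console is installed; a failure in the first function with an access-denied message points at the DCOM and SMS Admins checks in this article, a failure only in the second function points at the rights on the site namespace.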
If you receive an "access denied" error message when you perform this procedure, this may be because of one of the following causes:
1. The Security Configuration Wizard has been run on the server that hosts the SMS Provider. However, the Security Configuration Wizard is unable to recognize the SMS Provider. If you run the wizard on the server that has the SMS Provider installed, you must enable the Remote WMI service in the wizard. Unless you enable Remote WMI, the SMS Administrator console on the site server and any other remote consoles cannot connect to the SMS namespace in WMI. To enable Remote WMI in the wizard, do the following:
a. Select Remote WMI on the Select Administration and Other Options page of the Security Configuration Wizard. Note For more information about how to secure SMS site systems, visit the following Microsoft Web site:
2. The account that is used does not have the appropriate permissions to the namespace of the provider. To modify or to verify the permissions, follow these steps:
a. On the server on which you enumerated the SMS site, click Start, click Run, type wmimgmt.msc, and then click OK.
b. Right-click WMI Control, and then click Properties.
c. On the Security tab, expand Root, and then click SMS.
d. Click Security in the results pane to see the permissions.
e. Click Advanced, click SMS Admins, and then click View-edit. For the SMS namespace, the SMS Admins group must have the following permissions:
• Enable account
• Remote enable
f. Repeat steps a through e to examine the SMS Admins group for the SMS_xxx namespace. (xxx is a placeholder for the site code.) Then, grant Remote Enable permission to the user or to the group. If the user or the group does not have appropriate WMI permissions in Security for the SMS namespace, the following event may be logged in the AdminUI.log file:
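The permission check in steps a through f, expressed as a script that reads the WMI namespace DACLs directly rather than through WMI Control. This is an added example and not part of the KB article; the site server and site code are caller-supplied, and it assumes the site namespace is root\SMS\site_<SiteCode>, which is the form SMS_ProviderLocation.NamespacePath uses. The two bit values are the WBEM_ENABLE and WBEM_REMOTE_ACCESS access-mask flags that WMI Control labels "Enable Account" and "Remote Enable".

```powershell
# Added example, not part of the KB article: reads the WMI namespace DACLs that steps
# a-f inspect in WMI Control and reports whether the SMS Admins group holds
# "Enable Account" and "Remote Enable". Assumptions: -SiteServer and -SiteCode are
# caller-supplied; the site namespace is taken to be root\SMS\site_<SiteCode>.
param(
    [Parameter(Mandatory = $true)][string]$SiteServer,
    [Parameter(Mandatory = $true)][string]$SiteCode,
    [string]$Trustee = 'SMS Admins'
)

# WMI namespace access-mask bits (WBEM_ENABLE and WBEM_REMOTE_ACCESS in wbemcli.h)
$WBEM_ENABLE        = 0x01   # shown as "Enable Account" in WMI Control
$WBEM_REMOTE_ACCESS = 0x20   # shown as "Remote Enable" in WMI Control

function Get-WmiNamespaceDacl {
    param([string]$Server, [string]$Namespace)
    # Every namespace exposes a singleton __SystemSecurity object whose
    # GetSecurityDescriptor method returns the DACL as a Win32_SecurityDescriptor
    $r = Invoke-WmiMethod -ComputerName $Server -Namespace $Namespace `
                          -Path '__SystemSecurity=@' -Name GetSecurityDescriptor -ErrorAction Stop
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace returned $($r.ReturnValue)" }
    return @($r.Descriptor.DACL)
}

function Test-WmiNamespaceTrustee {
    param([string]$Server, [string]$Namespace, [string]$TrusteeName)
    $found = $false
    foreach ($ace in (Get-WmiNamespaceDacl -Server $Server -Namespace $Namespace)) {
        if ($ace.Trustee.Name -ne $TrusteeName) { continue }
        $found  = $true
        $allow  = ($ace.AceType -eq 0)        # 0 = access allowed, 1 = access denied
        $enable = [bool]($ace.AccessMask -band $WBEM_ENABLE)
        $remote = [bool]($ace.AccessMask -band $WBEM_REMOTE_ACCESS)
        $kind   = if ($allow) { 'Allow' } else { 'Deny' }
        '{0,-22} {1,-5} EnableAccount={2,-5} RemoteEnable={3,-5} mask=0x{4:X}' -f `
            $Namespace, $kind, $enable, $remote, $ace.AccessMask
        if ($allow -and -not ($enable -and $remote)) {
            Write-Warning "$TrusteeName is missing Enable Account and/or Remote Enable on $Namespace (expect 0x80041003 in AdminUI.log)"
        }
    }
    if (-not $found) { Write-Warning "No ACE for $TrusteeName on $Namespace" }
}

foreach ($ns in @('root\SMS', "root\SMS\site_$SiteCode")) {
    Test-WmiNamespaceTrustee -Server $SiteServer -Namespace $ns -TrusteeName $Trustee
}
```

A deny ACE for the trustee is reported as well, because a deny entry on either namespace overrides an allow granted through another group and produces the same access-denied symptom.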
Error(ConnectServer): Possible UI connection error code is -2147217405 [0x80041003]
• Users are still denied access when they try to connect to the console after you have granted the appropriate accounts the “Remote Enable” right in WMI security.
• The console is only partially available.
1. Click Start, click Run, type firewall.cpl, and then click OK.
2. On the General tab, click On to turn the firewall on. Click to clear the Don't allow exceptions check box.
3. On the Exceptions tab, click Add Program.
4. Click Browse, type %windir%\System32\Wbem\Unsecapp.exe in the File name box, and then click Open. If you have to define the scope, click Change scope, and then click OK. Click OK to close the Add a Program dialog box.
5. In the Programs and Services list, click to select the Unsecapp.exe check box.
6. Click Add Port.
7. In the Port number box, type 135. Select TCP, and then type a name for the exception in the Name box. If you have to define the scope, click Change scope, and then click OK. Click OK to close the Add Port dialog box.
8. In the Programs and Services list, click to select the check box for the exception that you added in step 7.
9. Click OK.
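The same firewall exceptions applied without the wizard, using the netsh firewall context that ships with Windows XP SP2 and Windows Server 2003 SP1 (the firewall generation firewall.cpl belongs to). This is an added example, not part of the KB article; the console subnet is a constructed placeholder you replace with your own range, and scoping the two exceptions to that range is tighter than the "any computer" default the wizard offers.

```powershell
# Added example, not part of the KB article: steps 2-9 above applied unattended with
# "netsh firewall". Assumption: -ConsoleSubnet is the address range the remote
# SMS Administrator consoles sit in; the default below is a constructed placeholder.
param(
    [string]$ConsoleSubnet = '10.0.0.0/24'   # constructed placeholder, replace with your range
)
$unsecapp = Join-Path $env:windir 'System32\Wbem\Unsecapp.exe'

function Add-ConsoleFirewallExceptions {
    param([string]$Scope)
    if (-not (Test-Path $unsecapp)) { throw "Unsecapp.exe not found at $unsecapp" }
    # Step 2: firewall on, exceptions permitted
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE
    # Steps 3-5: Unsecapp.exe receives the WMI asynchronous callbacks the console relies on
    netsh firewall add allowedprogram program="$unsecapp" name="WMI Unsecapp" mode=ENABLE scope=CUSTOM addresses=$Scope
    # Steps 6-8: TCP 135, the RPC endpoint mapper every DCOM connection starts with
    netsh firewall add portopening protocol=TCP port=135 name="DCOM RPC endpoint mapper" mode=ENABLE scope=CUSTOM addresses=$Scope
}

function Show-ConsoleFirewallExceptions {
    # Confirm what is now in effect; compare against the Exceptions tab in firewall.cpl
    netsh firewall show allowedprogram
    netsh firewall show portopening
}

Add-ConsoleFirewallExceptions -Scope $ConsoleSubnet
Show-ConsoleFirewallExceptions
```

On Windows Vista and later the netsh firewall context is deprecated in favour of netsh advfirewall, so this form is specific to the XP SP2 / Server 2003 SP1 firewall the steps above describe.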
1. Click Start, click Run, type dcomcnfg.exe, and then click OK.
2. Locate the Console root node, expand Component Services, expand Computers, and then click My Computer.
3. Right-click My Computer, and then click Properties.
4. In My Computer Properties, click the COM Security tab.
5. In Access Permissions, click Edit Limits.
6. Click ANONYMOUS LOGON.
7. In Permissions for ANONYMOUS LOGON, click Allow setting for Remote Access.
8. Click OK two times.
9. Restart your computer.
This indicates the default DCOM permissions have been changed. If this value does not exist, the default DCOM permissions are in effect. To resolve this problem, delete the DefaultAccessPermission value. This will reset all default DCOM permissions. This is a measure of last resort and is not guaranteed to correct the problem. Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Important Before you delete this value, make sure that you have tried to resolve the issue by following the DCOM troubleshooting steps in this article. Also, back up the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole registry subkey. To delete the DefaultAccessPermission value, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
3. In the right pane, right-click DefaultAccessPermission, and then click Delete.
4. In the Confirm Value Delete dialog box, click Yes.
5. Exit Registry Editor.
6. Log off the computer, and then log back on to the computer.
For more information about DCOM issues and their symptoms, click the following article number to view the article in the Microsoft Knowledge Base:
900960 - You cannot perform actions such as search and drag when you use a Windows Server 2003-based computer
• Determine which resource requires anonymous access on the computer that is running Windows XP
• Modify the permissions on all the necessary resources
In these situations, you may have to force the computer that is running Windows XP to include the Anonymous Logon security group in the Everyone security group. To support this functionality, Windows XP includes the EveryoneIncludesAnonymous registry entry. If the EveryoneIncludesAnonymous registry entry is set to REG_DWORD 0x1, the Local Security Authority (LSA) includes the security identifier (SID) of the Everyone security group in the anonymous user's access token. To set the value of the EveryoneIncludesAnonymous registry entry, use either of the following methods.
1. Click Start, click Run, type Control admintools, and then click OK.
2. Double-click either Local Security Policy or Domain Security Policy (on domain controllers only).
3. Double-click Local Policies, and then click Security Options.
4. Right-click Network access: Let Everyone permissions apply to anonymous users, and then click Properties.
5. To enable anonymous users to be members of the Everyone security group, click Enabled. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token, click Disabled. This is the default setting in Windows XP.
2. Locate and then click the following registry key:
3. Right-click EveryoneIncludesAnonymous, and then click Modify.
4. To enable anonymous users to be members of the Everyone security group, type 1 in the Value data box. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token, type 0 in the Value data box. By default, the EveryoneIncludesAnonymous value is set to 0 in Windows XP.
6. Restart the computer.
Note This change can affect the following Windows-based technologies:
• Message Queuing
• Any other technology where anonymous authentication is frequently employed.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
278259 - Everyone group does not include anonymous security identifier
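A read-only audit that covers the Dcomcnfg default properties, the DefaultAccessPermission check and registry backup, the two group memberships this article relies on, and the EveryoneIncludesAnonymous setting from the section just above, run locally on the site server. This is an added example, not part of the KB article. It assumes the Dcomcnfg "Default properties" settings correspond to the EnableDCOM, LegacyAuthenticationLevel and LegacyImpersonationLevel values under the Ole key the article names, and that the "Let Everyone permissions apply to anonymous users" policy corresponds to the EveryoneIncludesAnonymous value under the standard LSA key; a value that is absent means the Windows default applies. The only thing it writes is the optional registry backup; deleting DefaultAccessPermission stays a manual step.

```powershell
# Added example, not part of the KB article: audit of the DCOM and anonymous-access
# settings this article walks through in Dcomcnfg, regedit and Local Security Policy.
# Assumptions: Dcomcnfg default properties live as EnableDCOM / LegacyAuthenticationLevel /
# LegacyImpersonationLevel under the Ole key named in the article; the Everyone-includes-
# anonymous policy is the EveryoneIncludesAnonymous value under the standard LSA key.
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Get-DcomPosture {
    $enableDcom = Get-RegValueOrNull $ole 'EnableDCOM'                # "Y" = Enable Distributed COM on this computer
    $authLevel  = Get-RegValueOrNull $ole 'LegacyAuthenticationLevel' # 2 = Connect (RPC_C_AUTHN_LEVEL_CONNECT)
    $impLevel   = Get-RegValueOrNull $ole 'LegacyImpersonationLevel'  # 2 = Identify (RPC_C_IMP_LEVEL_IDENTIFY)
    $accessPerm = Get-RegValueOrNull $ole 'DefaultAccessPermission'   # present = default permissions were edited
    $everyone   = Get-RegValueOrNull $lsa 'EveryoneIncludesAnonymous' # 1 = anonymous token carries the Everyone SID
    $findings = @()
    if ($enableDcom -ne 'Y') { $findings += 'Enable Distributed COM is not set to Y' }
    if ($authLevel -ne $null -and $authLevel -ne 2) { $findings += "Default Authentication level is $authLevel; the article expects Connect (2)" }
    if ($impLevel  -ne $null -and $impLevel  -ne 2) { $findings += "Default Impersonation level is $impLevel; the article expects Identify (2)" }
    if ($accessPerm -ne $null) { $findings += 'DefaultAccessPermission exists: default DCOM access permissions have been customised' }
    if ($everyone -eq 1) { $findings += 'EveryoneIncludesAnonymous=1: anonymous callers receive the Everyone SID; keep this only while the console really needs it' }
    return $findings
}

function Backup-OleKey {
    param([string]$Path)
    # The article asks for a backup of the Ole subkey before DefaultAccessPermission is deleted
    reg export 'HKLM\SOFTWARE\Microsoft\Ole' $Path /y | Out-Null
    return (Test-Path $Path)
}

function Get-LocalGroupMembers {
    param([string]$Group)
    # Local SAM groups; on a domain controller SMS Admins is a domain-local group and the
    # Domain key would be the domain name instead of the computer name
    Get-WmiObject -Query "ASSOCIATORS OF {Win32_Group.Domain='$env:COMPUTERNAME',Name='$Group'} WHERE AssocClass=Win32_GroupUser" |
        ForEach-Object { "$($_.Domain)\$($_.Name)" }
}

$findings = Get-DcomPosture
if ($findings.Count -eq 0) { 'DCOM defaults match the article' } else { $findings | ForEach-Object { "FINDING: $_" } }
foreach ($g in 'SMS Admins', 'Distributed COM Users') {
    "$g members: " + ((Get-LocalGroupMembers $g) -join ', ')
}
if ((Get-RegValueOrNull $ole 'DefaultAccessPermission') -ne $null) {
    "Ole key backed up: " + (Backup-OleKey -Path (Join-Path $env:TEMP 'Ole-backup.reg'))
}
```

The EveryoneIncludesAnonymous finding is reported even though the article offers enabling it as a fix: granting Everyone rights to anonymous callers affects every service on the host, so it is worth recording which servers carry the setting and confirming the console still needs it after the DCOM and WMI permissions have been corrected.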
• The remote procedure call (RPC) server is unavailable. If WBEMtest connectivity testing determines that the remote procedure call (RPC) server is unavailable, see the following Microsoft Knowledge Base article:
229091 - SMS: Remote administrator gets a "Connection failed" error when connecting to Site Server
• There is a DNS name resolution issue. The "Connection Failed" error message may also occur if name resolution is not completed correctly. To determine whether you are experiencing a name resolution issue, use the WBEMtest tool and try to connect to the site server by using the IP address. For example, use \\111.222.333.444\root\default as the address. If you can connect when you use the IP address, but you cannot connect when you use the NetBIOS name of the site server, you are experiencing a name resolution issue. To resolve this issue, confirm either the WINS or the DNS configurations. To make sure that no incorrect entries persist in the DNS resolver cache on the SMS 2003 site server, run the following command at a command prompt:
If you cannot resolve the fully qualified domain name of the Windows XP SP2-based computer by using DNS, create an entry in the hosts file on the SMS 2003 site server to map the Windows XP SP2-based computer's fully qualified domain name to its IP address.
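The name-versus-IP comparison the bullet above describes, as an added example that is not part of the KB article: it resolves the site server name, compares the answer with the address you know the server has, and then tries the root\default namespace by name and by IP address over DCOM. Both parameters are caller-supplied.

```powershell
# Added example, not part of the KB article: separates a name-resolution failure from a
# connectivity failure by trying root\default by name and by IP address.
# Assumptions: -SiteServer and -ExpectedIp are caller-supplied; ExpectedIp is the
# address the site server is known to have.
param(
    [Parameter(Mandatory = $true)][string]$SiteServer,
    [Parameter(Mandatory = $true)][string]$ExpectedIp
)

function Test-WmiDefaultNamespace {
    param([string]$Target)
    # root\default exists on every Windows host, so success depends only on reachability,
    # DCOM and the caller's rights, not on SMS itself
    try {
        $null = Get-WmiObject -ComputerName $Target -Namespace 'root\default' -Class __NAMESPACE -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "$Target : $($_.Exception.Message)"
        return $false
    }
}

function Resolve-SiteServerName {
    param([string]$Name)
    # Uses the same resolver path (hosts file, DNS cache, DNS, then NetBIOS/WINS) the console uses
    try { return [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { return @() }
}

$resolved = @(Resolve-SiteServerName $SiteServer)
"$SiteServer resolves to: " + $(if ($resolved) { $resolved -join ', ' } else { '<nothing>' })
if ($resolved -and ($resolved -notcontains $ExpectedIp)) {
    Write-Warning "Resolved address differs from $ExpectedIp : check DNS/WINS or a stale resolver cache"
}
$byIp   = Test-WmiDefaultNamespace $ExpectedIp
$byName = Test-WmiDefaultNamespace $SiteServer
if ($byIp -and -not $byName) {
    'DIAGNOSIS: connects by IP but not by name -> name resolution (WINS/DNS/hosts) or Kerberos SPN issue'
} elseif (-not $byIp) {
    'DIAGNOSIS: fails even by IP -> not name resolution; check RPC, firewall and DCOM rights'
} else {
    'Both name and IP connect: name resolution is not the cause'
}
```

One caveat when reading the result: a DCOM connection by IP address falls back to NTLM, whereas a connection by name attempts Kerberos, so "works by IP, fails by name" can also mean a Kerberos or SPN problem rather than a resolver problem; the resolved-address comparison printed first tells the two apart.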
• Firewall or virtual private network (VPN) products from Checkpoint Software Technologies
• Microsoft Internet Security and Acceleration (ISA) Server
899148 - Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computers
For more information about how to set WMI Namespace security in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
295292 - How to set WMI Namespace security in Windows XP
For more information about Systems Management Server WMI terms and concepts, click the following article number to view the article in the Microsoft Knowledge Base:
216738 - SMS: WMI terms and concepts
For more information about SMS Administrator connection problems, click the following article numbers to view the articles in the Microsoft Knowledge Base:
314169 - SMS: "Connection failed" error message when you run Administrator console on Windows 2000
272937 - SMS: Administrator console does not connect to Windows NT 4.0 Site Server
908478 - One or more site objects may be missing after you expand a site hierarchy node in a remote System Management Server 2003 Administrator Console
For more information about how to help secure remote WMI connections, visit the following Microsoft Web site: http://msdn2.microsoft.com/en-us/library/aa392291.aspx
For more information about granular COM permissions, visit the following Microsoft Web site: http://technet2.microsoft.com/WindowsServer/en/library/4c9a2873-2010-4dbb-b9dd-6a7d1e275f0f1033.mspx?mfr=true
For a list of frequently asked questions about site systems, visit the following Microsoft Web site: http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq02.mspx
- J.C. Hornbeck