Microsoft KB Archive/840677

= Logon points are not created in a trusted domain in Systems Management Server 2.0 =

Article ID: 840677

Article Last Modified on 10/27/2006


APPLIES TO


 * Microsoft Systems Management Server 2.0 Standard Edition






SYMPTOMS
After you turn on the following features in Microsoft Systems Management Server (SMS) version 2.0, logon points are not created in a trusted domain that is managed by the SMS site:
 * Windows Networking Logon Discovery
 * Windows Networking Logon Client Installation

Symptom example
You want to create logon points that are in the accounts domain, and the SMS site is in a resource domain. The following error message entry may appear in the Nt_logon.log file:

NetGetDCName domain:  server   return: 0

NetServerGetInfo server:  type: 4102b platform id: 500 version 4.0

Constructing NT server

Connection to \\ \Admin$ FAILED; NAL Error = 0

CreateThread Success for object  threadID 1DB, ret=0

Begin server enumeration on domain

CreateThread Success for object  threadID 63, ret=0

CreateThread Success for object  threadID 19C, ret=0

Begin enum of NTLM volumes on server

Begin service enum on server

NetShareEnum failure Unable to Enumerate NTLM volumes on server, error=5

.

Completed service enum on server

.

Thread 19C has terminated exit code=5

Note Error 5 is defined as an "Access Denied" error.
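The following script is an added example, not part of the original article or of SMS. It scans Nt_logon.log text for the access-denied pattern shown above and ties each thread that exits with code 5 back to the object it was created for. The server and domain names in the sample (ACCTPDC01, ACCOUNTS) and the function name triage are assumptions made for illustration.

```python
import re

# Constructed sample modeled on the Nt_logon.log excerpt above. The server and
# domain names (ACCTPDC01, ACCOUNTS) are placeholders, not values from the article.
SAMPLE_LOG = r"""
NetGetDCName domain: ACCOUNTS server \\ACCTPDC01 return: 0
Connection to \\ACCTPDC01\Admin$ FAILED; NAL Error = 0
CreateThread Success for object ACCOUNTS threadID 1DB, ret=0
CreateThread Success for object ACCTPDC01 threadID 19C, ret=0
Begin enum of NTLM volumes on server ACCTPDC01
NetShareEnum failure Unable to Enumerate NTLM volumes on server ACCTPDC01, error=5
Thread 19C has terminated exit code=5
Thread 1DB has terminated exit code=0
"""

ACCESS_DENIED = 5  # Win32 ERROR_ACCESS_DENIED; the article defines error 5 as "Access Denied"

THREAD_START = re.compile(r"CreateThread Success for object\s+(\S*)\s*threadID\s+([0-9A-Fa-f]+)")
THREAD_END = re.compile(r"Thread\s+([0-9A-Fa-f]+)\s+has terminated exit code=(\d+)")
SHARE_FAIL = re.compile(r"NetShareEnum failure .* on server\s*(\S*?),\s*error=(\d+)")
ADMIN_FAIL = re.compile(r"Connection to (\\\\\S*\s*\\Admin\$) FAILED", re.IGNORECASE)

def triage(log_text):
    """Return access-denied findings, mapping failed thread IDs to their objects."""
    threads = {}  # thread ID (hex string) -> object named on the CreateThread line
    findings = {"admin_share_failures": [], "share_enum_denied": [], "threads_denied": []}
    for line in log_text.splitlines():
        if m := THREAD_START.search(line):
            # An empty object name (as in the stripped excerpt) is kept as <unknown>.
            threads[m.group(2).upper()] = m.group(1) or "<unknown>"
        elif m := THREAD_END.search(line):
            if int(m.group(2)) == ACCESS_DENIED:
                tid = m.group(1).upper()
                findings["threads_denied"].append((tid, threads.get(tid, "<unknown>")))
        elif m := SHARE_FAIL.search(line):
            if int(m.group(2)) == ACCESS_DENIED:
                findings["share_enum_denied"].append(m.group(1) or "<unknown>")
        elif m := ADMIN_FAIL.search(line):
            findings["admin_share_failures"].append(m.group(1))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A failed Admin$ connection together with an error=5 share enumeration and a thread exit code of 5 for the same server matches the permissions problem described in the Cause section.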



CAUSE
This issue occurs when the SMS Service account does not have sufficient permissions to create the SMS 2.0 logon point in the domain. For example, this might occur when you want to create logon points in an accounts domain when SMS is installed in a resource domain. If the \SMS service account does not have sufficient permissions to connect to the admin$ share of the primary domain controller (PDC) in the accounts domain, the logon point is not created.



RESOLUTION
To resolve this issue, specify a domain administrator level site system connection account from the domain that you are trying to connect to. If you use the example from the Symptoms section, you would specify a site system connection account from the accounts domain that is a member of the \Domain Admins group. Alternatively, you can add the SMS service account to the Domain Administrators group of the domain that you are trying to connect to. If you use the example from the Symptoms section, you would add the \SMSService account to the Domain Administrators group of the accounts domain.

Note The previous example uses the default SMSService account for demonstration purposes. Your SMS site may use a different account.

Important If you are running SMS 2.0 Service Pack 5 (SP5) and later, you can maintain logon points by using an account that is not a domain administrator.

To change the SMS service account, perform a site reset. To do this, follow these steps:
 1) Click Start, point to Programs, point to Systems Management Server, and then click SMS Setup.
 2) Click Next, and then click Next.
 3) Click Modify or reset the current installation, and then click Next.
 4) Type the account and password that you want to use for the SMS services, and then click Next.
 5) Click Next, click Next, click Next, and then click Finish.
 6) Click Yes to continue and reset the site.



MORE INFORMATION
For additional information about how to create a trusted domain account, see the "Create a Trusted Domain SMS Service Account in a Windows NT Domain" topic in SMS Administrator Help.

For additional information about the SMS site system account, see the following topics in the SMS Administrator's Guide:
 * Chapter 4, Understanding SMS System Accounts, SMS Site Server Service Accounts.
 * Chapter 4, Understanding SMS System Accounts, SMS Remote Site System Service Accounts.

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:

816290 List of security changes in Systems Management Server 2.0 Service Pack 5

816292 Windows Networking Logon Client Installation requires domain administrator permissions to create logon points

834308 Logon points are not updated in Systems Management Server 2.0

Keywords: kbsmsslp kbsmsadmin kbuser kbsetup kbsecurity kbdiscovery kbprb KB840677


© Microsoft Corporation. All rights reserved.