Microsoft KB Archive/886213

= Cannot install a Systems Management Server 2003 Management Point role on Windows Server 2003 domain controllers =

Article ID: 886213

Article Last Modified on 10/27/2006


APPLIES TO


 * Microsoft Systems Management Server 2003






SYMPTOMS
When you try to install a Microsoft Systems Management Server (SMS) 2003 Management Point role on a Microsoft Windows Server 2003-based domain controller, you may experience the following symptoms:

The SMS 2003 site system role is not installed. The Mpmsi.log file that is located in the \SMS\Logs folder on the SMS 2003 site system computer may contain errors that are similar to the following:

2.00.3790.00

Calling process: D:\SMS\bin\i386\MPsetup.exe ===

MSI (c) (A0:18): Resetting cached policy values

MSI (c) (A0:18): Machine policy value 'Debug' is 0

MSI (c) (A0:18): ******* RunEngine:

******* Product: D:\SMS\bin\i386\mp.msi

******* Action:

******* CommandLine: **********

MSI (c) (A0:18): Client-side and UI is none or basic: Running entire install on the server.

MSI (c) (A0:18): Failed to grab execution mutex. System error 258.

MSI (c) (A0:18): Cloaking enabled.

MSI (c) (A0:18): Attempting to enable all disabled privileges before calling Install on Server

MSI (c) (A0:18): Incrementing counter to disable shutdown. Counter after increment: 0

MSI (c) (A0:18): Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1

MSI (c) (A0:18): MainEngineThread is returning 1618



The Management Point role may appear to install correctly. However, when you run a diagnostic query, you may receive an IIS error.

For example, you try to use Microsoft Internet Explorer to access the following URL:

http:// /sms_mp/.sms_aut?mplist

In this case, you may receive the following error message:

401.3 Unauthorized due to ACL on resource

Additionally, the Mpcontrol.log file that is located in the \SMS\Logs folder on the SMS 2003 site server may contain the following error:

Http verification .sms_aut failed with status code 401, Unauthorized $$< >
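
The two log signatures described above can be checked mechanically when triaging a failed Management Point installation. The following Python sketch is an added example, not part of the original Microsoft article; the function name `triage`, the result keys, and the sample log lines (modelled on the excerpts above) are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the excerpts in this article.
SAMPLE_MPMSI = """\
MSI (c) (A0:18): Failed to grab execution mutex. System error 258.
MSI (c) (A0:18): Cloaking enabled.
MSI (c) (A0:18): MainEngineThread is returning 1618
"""
SAMPLE_MPCONTROL = """\
Http verification .sms_aut failed with status code 401, Unauthorized
"""

# Standard Windows codes: 258 = WAIT_TIMEOUT,
# 1618 = ERROR_INSTALL_ALREADY_RUNNING.
# Windows Installer return values that still mean success:
# 0, 1641 (reboot initiated), 3010 (reboot required).
MSI_SUCCESS = {0, 1641, 3010}

MSI_RETURN = re.compile(r"MainEngineThread is returning (\d+)")
MSI_MUTEX = re.compile(r"Failed to grab execution mutex\. System error (\d+)")
HTTP_VERIFY = re.compile(r"Http verification (\S+) failed with status code (\d+)")


def triage(mpmsi_text, mpcontrol_text):
    """Summarise the symptoms found in Mpmsi.log and Mpcontrol.log text."""
    findings = {"msi_return": None, "mutex_error": None, "http_failures": []}
    for line in mpmsi_text.splitlines():
        m = MSI_RETURN.search(line)
        if m:
            findings["msi_return"] = int(m.group(1))  # last value wins
        m = MSI_MUTEX.search(line)
        if m:
            findings["mutex_error"] = int(m.group(1))
    for line in mpcontrol_text.splitlines():
        m = HTTP_VERIFY.search(line)
        if m:
            findings["http_failures"].append((m.group(1), int(m.group(2))))
    # The role did not install if the installer returned a non-success code.
    rc = findings["msi_return"]
    findings["install_failed"] = rc is not None and rc not in MSI_SUCCESS
    # A 401 on the .sms_aut check points at the IIS account and group
    # settings discussed in the CAUSE and WORKAROUND sections.
    findings["check_iis_accounts"] = any(
        status == 401 for _, status in findings["http_failures"])
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_MPMSI, SAMPLE_MPCONTROL))
```
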



CAUSE
This behavior occurs if the following two domain user accounts have logon restrictions set on one or more computers that are members of the domain:
 * IWAM_ 
 * IUSR_ 

These accounts are typically created as local accounts on the computer where you have installed Microsoft Internet Information Services (IIS). However, when IIS is installed on a Windows Server 2003-based domain controller that does not have local user accounts, these accounts are created as domain accounts.

The IWAM_ and the IUSR_ domain accounts are copies of the domain Guest account and are created during the IIS Setup process. Therefore, when you make changes to the domain Guest account before you install IIS on a domain controller, the changes are inherited by the IWAM_ domain account and the IUSR_ domain account during the IIS installation process. Additionally, you must make sure that the IWAM_ domain account is included as part of the domain's IIS_WPG group. If IIS is removed from the domain controller computer, the removal process also removes the IIS_WPG group from all domain controllers because they share the same account database.



WORKAROUND
To work around this problem, you must make sure that the domain Guest account has the correct attributes you need before you install IIS on any domain controller in your domain.

Make sure the IWAM_  account is part of the \IIS_WPG group. If you have removed IIS from the domain controller, you must manually add the account back to the \IIS_WPG group so the SMS 2003 Management Point can work correctly. To do this, follow these steps:
 * 1) Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the Active Directory Users and Computers snap-in, expand  , and then click Users.
 * 3) In the right pane of the Active Directory Users and Computers snap-in, double-click the IIS_WPG group.
 * 4) In the IIS_WPG Properties dialog box, click the Members tab, and then make sure that the IWAM_  account is listed. If the IWAM_  account is not listed, click Add. In the Users, Computers, or Groups dialog box, type IWAM_ in the Enter Object names to select box, click OK, and then click OK again.



STATUS
This behavior is by design.



MORE INFORMATION
On a Windows Server 2003-based computer, the IIS Setup process creates three accounts. Two of the accounts are directly affected by the properties and attributes of the existing Guest account:
 * IWAM_ 
 * IUSR_ 
 * IIS_WPG group

The IWAM_ account is used for out-of-process programs. If the IWAM_ account does not have the correct access, IIS works correctly because most programs are run out-of-process on IIS version 6.0.

The IUSR_ account is the Internet Guest User account for anonymous Internet users. If the IUSR_ account is disabled, anonymous access fails.

The IIS_WPG group is the Worker Process Group. If it is disabled, IIS does not work correctly. If this group account is created on a domain controller, this group is shared by multiple IIS servers. Typically, the IWAM_ account is located in this group. Every domain controller that is running IIS 6 has an account in this group. The IIS_WPG group is not a copy of the Guest account.

Additional query words: SMS 2003, IIS 6.0, Windows Server 2003, Domain Controller, DC, MP, Management Point, 2003 DC, 2003 Domain, 25006, 80020009, CCM_Incoming

Keywords: kbtshoot kbprb KB886213


© Microsoft Corporation. All rights reserved.