Microsoft KB Archive/832109

= New clients do not install and existing clients do not run advertisements after you install a new management point =

Article ID: 832109

Article Last Modified on 11/7/2007

-

APPLIES TO


 * Microsoft Systems Management Server 2003

-



SYMPTOMS
After you install and configure a new management point for Microsoft Systems Management Server (SMS) 2003, you may experience one or more of the following issues:  Computers are discovered and appear in the SMS Administrator console as advanced clients, but the SMS client software is not installed on the client computers. Computers are discovered and appear in the SMS Administrator console as advanced clients, but the standard SMS client software is installed on the computer that is discovered. Existing clients do not report a status for advertisements. The following message is logged in the CAS.log on the SMS Advanced Client computer and in the SQLERROR log on SQL server:

Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection

 The IIS log on the management point may contain Error 401.

The following entries may appear on the management point in the MP_GetAuth.log file. Depending on whether the SMS client is also installed, this log file is located either in the \ \system32\CCM\Logs\ folder or in the \SMS_CCM\Logs\ folder. ( is the folder where the operating system is installed.) <![LOG[CMPDBConnection::Init: IDBInitialize::Initialize failed with 0x80004005]LOG]!> <![LOG[Raising event: [SMS_CodePage(437), SMS_LocaleID(1033)] instance of MpEvent_ConnectDatabaseFailed { ClientID = &quot;GUID:F4AB9DD6-362A-44B4-BAFA-6797AD71C79F&quot;; DatabaseName = &quot;SMSDBname&quot;; DateTime = &quot;20030919053031.203000+000&quot;; ErrorCode = &quot;0x80004005&quot;; MachineName = &quot;MPcomputername&quot;; ProcessID = 5124; ServerName = &quot;SMSservername&quot;; SiteCode = &quot;sitecode&quot;; ThreadID = 3512; Win32ErrorCode = 0; }; ]LOG]> CMPDBConnection::Init: IDBInitialize::Initialize failed with 0x80040e4d $$<MP_GetAuth_ISAPI><Wed Feb 4 17:19:29.240 2004 Eastern Standard Time><thread=2664 (0xA68)>

<div class="cause_section">

CAUSE
The management point may be prevented from connecting to the server that is running Microsoft SQL Server. These issues may occur for any one of the following reasons:
 * The management point does not have correct permissions on the SQL server.
 * Problems exist with SQL Service Principal Name (SPN) registration.
 * Problems exist with Kerberos or the Domain Name System (DNS) protocol.

<div class="workaround_section">

WORKAROUND
To work around this problem, switch from a TCP connection to a Named Pipes connection between the management point and the SQL server. This can also be used to test whether the issue is with Kerberos authentication, which TCP uses.

Named Pipes uses NTLM authentication. If switching from TCP to Named Pipes does not resolve the issue, run a Network Monitor trace to investigate possible network connectivity issues. If enabling Named Pipes on the management point resolves the issue, it indicates that Kerberos authentication is failing and the troubleshooting steps in this article will be helpful in diagnosing the cause.

To enable Named Pipes, do the following on the management point server. Click Start, click Run, type cliconfg, and then click OK. This starts the Client Network Utility. Add the SQL server NetBIOS name on the Alias tab with Named Pipes selected. This is the default setting.

On the SQL server, run the Server Network Utility and make sure Named Pipes is at the top of the protocol stack. The management point queries SQL every 10 minutes. A log entry will appear that indicates the number of management points in the site. This indicates a successful connection.

<div class="moreinformation_section">

MORE INFORMATION
To troubleshoot these symptoms, follow the steps in the order in which they are presented.

Verify permissions
To start troubleshooting these symptoms, verify that the management point has the correct permissions to connect to the SQL database. To do this, follow these steps: <ol> At the management point server, click Start, click Run, type cmd, and then click OK. If your SMS site is running under the Standard security mode, go to step 4. If your SMS site is running in the Advanced security mode, go to step 2.</li> If your SMS site is running Advanced security, start a new Command Prompt window that is running under the local system account. To do this, type the following at a command prompt, and then press ENTER:

AT /interactive cmd

At the time that you specify, a new Command Prompt window opens that is running under Svchost.exe.

Note  can be any time that is later than the current time, in 24-hour form.</li> At a command prompt, type the following, and then press ENTER:

osql -S  -d   -E

Note is the name of the server that is running SQL Server, and   is the name of the SQL database for your SMS site.

If this command succeeds, your management point has the correct permissions to the SQL database. The command is successful if a 1> prompt is returned. Type exit, and then press ENTER to return to the command prompt. If you receive the following error message, go to step 4:

Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.

</li> If you receive the &quot;Login failed&quot; error message that is described in step 3, repeat the command, but use the Fully Qualified Domain Name (FQDN). For example, type:

osql -S  -d   -E

If the command does not succeed, view the DNS settings for the domain where the management point computer is located.</li> If the command still fails check to see whether the MSSQLServer Service is using a user account to log on with, change the service to use the Local System account on the Log On tab in the service properties and run the commands again. If you must run the service by using a user account, make sure that the user account is added to the Domain Administrator group. You will also have to follow the steps in the following article in the Microsoft Knowledge Base:

829868 Systems Management Server 2003 Advanced Security site with Remote SQL does not connect to SQL Server

</li></ol>

Additional troubleshooting
<ol>  The appropriate Service Principal Name (SPN) attributes may not be generated for the account that started the SQL services. To resolve this issue, you must manually create the fully qualified domain name (FQDN) and NetBIOS SPN entries. To do this, you can use the SetSPN utility from the Windows 2000 Server Resource Kit. To download the SetSPN utility, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en

You must run the SetSPN utility on a computer that resides in the SQL Server's domain. You must use Domain Administrator credentials. Determine if the SQL services run as a domain account or as the local computer account. To use the SetSPN utility to manually create the appropriate SPNs, follow these steps:

When the SQL service is started with a user account  To create the FQDN SPN at a Command Prompt window, type the following command:

setspn -A MSSQLSvc/ :1433

</li> To create the NetBIOS SPN at the command window, type the following command:

setspn -A MSSQLSvc/SqlHostname:1433 SqlServiceAccount

</li></ul>

When the SQL service is started under the Local System account

If SQL Server runs under the local system account, you do not have to manually configure an SPN for SQL Server. The SPN is created automatically when SQL Server starts and is removed when the SQL service is stopped. If SQL Server runs under a domain user account, you must manually configure an SPN.

SPN removal
A duplicate SPN for the computer that is running SQL Server may cause connectivity problems. The following procedure will remove any existing SPNs from SQL Server and add a new SPN: <ol style="list-style-type: lower-alpha;"> Stop the MSSQL service.</li>  Run the SETSPN -L  command to list all SPNs. The output typically resembles the following: <pre class="fixed_text">MSSQLSvc/MySQLServer dasaccount1 MSSQLSvc/MySQLServer:1433 MSSQLSvc/MySQLServer.MyDomain.com dasaccount1 MSSQLSvc/MySQLServer.MyDomain.com:1433 For more information, click the following article number to view the article in the Microsoft Knowledge Base:

319723 How to use Kerberos authentication in SQL Server

If the MSSQL service runs under the Local System account, the SPN is removed when the MSSQL service is stopped. Therefore, if an SPN is listed in the output of the SETSPN -L command, it is a duplicate SPN. If the MSSQL service runs under a domain user account, the SPN is still listed when you run the SETSPN -L command. Therefore, you cannot determine whether the SPN is a duplicate. In both cases, to make sure that the SPN is not a duplicate, remove and replace the SPN as described in steps 1c through 1i. </li> If any entries that contain MSSQLSvc are listed, use the SETSPN -D command to remove those entries. For example, type the following:

SETSPN –D MSSQLSvc/MySQLServer  SETSPN -D MSSQLSvc/ .com < >

</li> Run the SETSPN -L  command again to make sure that no listings for MSSQLSvc appear.</li> If the MSSQL service runs under the Local System account, make sure that the SQL Server startup account is the Local System account. You can configure this setting on the Security tab in the Properties dialog box of the server in SQL Server Enterprise Manager.</li> If the MSSQL service runs under a domain user account, register the SPN by using the SETSPN -A command as mentioned earlier.</li> Restart the MSSQL service.</li> <li>After the replication updates the servicePrincipalName attribute on any domain accounts, verify that the SPNs are registered correctly. To do this, run the following command:

SETSPN -L 

</li> <li>If the SPNs are registered correctly, test the SMS connection by using the methods in the &quot;Verify permissions&quot; section.</li></ol> </li> <li>On each primary site, make sure that the SMS_SitetoSQLConnection security group contains the computer accounts or SMS service accounts for all the child servers that report to the primary site. Typically, these accounts are added to the SMS_SitetoSQLConnection security group when a site is installed. If the Setup program cannot add the account, the following site status message is logged in the SMS Administrator console:

4908 - Site Component Manager could not add machine account &quot;%1&quot; to the SQL Access Group &quot;%2&quot;on the SQL Server machine &quot;%3&quot;.

</li> <li>The Kerberos ticket cache may have to be reset. Use the Kerbtray tool from the Windows 2000 Server Resource Kit to clear the existing Kerberos ticket cache. To download the Kerbtray tool, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4e3a58be-29f6-49f6-85be-e866af8e7a88&displaylang=en

For more information about how to use the Kerbtray tool, click the following article number to view the article in the Microsoft Knowledge Base:

232179 Kerberos administration in Windows 2000

</li> <li>Make sure that the DNS server for the domain is listed first in the TCP/IP properties of the management point server.</li> <li>The FQDN for the target domain must be listed at the top of the suffix search list on the management point server. To change the suffix search list, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Click Start, click Run, type ncpa.cpl, and then click OK.</li> <li>Right-click the connection that you want to change, and then click Properties.</li> <li>In the Connection Name Properties dialog box, select Internet Protocol (TCP/IP) under This connection uses the following items, and then click Properties.</li> <li>On the General tab, click Advanced, and then click the DNS tab.</li> <li>Click Append these DNS suffixes (in order), click the target domain, and then move the target domain to the top of the list by clicking the scroll arrow.</li> <li>Click OK two times, and then click Close.</li></ol> </li></ol>

<div class="references_section">