Article ID: 886092
Article Last Modified on 2/7/2007
APPLIES TO
- Microsoft Systems Management Server 2003
SYMPTOMS
When you reset the passwords for Microsoft Systems Management Server (SMS) connection accounts during a site reset in SMS 2003, the following symptoms occur:
- SMS 2003 client computers do not receive new advertisements.
- SMS 2003 client computer inventory information is not updated in the site database.
- You receive a status message that is similar to the following:
- The following error message may be logged in the MP_GetAuth.log on the management point:
Note If you have applied a service pack to your site, you receive a status message that is similar to the following:
CAUSE
This issue occurs when the connection account that a management point (MP) uses to log on to the site database has been locked out in the Active Directory directory service. The connection account may be locked out when all the following conditions are true:
- The sites are in Standard security mode.
- The management points use integrated security when they access the site database.
- The management points are installed with the default settings. For example, the management points use the SMS_SQL_RX_SiteCode account to connect to the site database.
- The account that is used by the Management Point to connect to the SQL server is a member of the SMS_SiteSystemToSQLConnection_SiteCode group on the SQL server.
- The account password is not expired.
- Group Policy enables account lockout for the SMS_SQL_RX_SiteCode account.
- You reset the connection account password.
- A management point site whose site control file has not been updated with the new connection account password tries to connect to the site database.
WORKAROUND
To work around this issue, create a new connection account for the management points. Next, configure the management points to use the new connection account. To do this, follow these steps:
- To create a new connection account, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the Users folder, point to New, and then click User.
- Type the new user information, make a note of what you type in the User logon name box, and then click Next.
- Type a password for the new connection account.
- Click to clear the User must change password at next logon check box.
- Click to select the Password never expires check box, click Next, and then click Finish.
- In the Users folder of the Active Directory Users and Computers snap-in, right-click the connection account that you created, and then click Properties.
- Click the Member Of tab, and then click Add.
- Type SMS_SiteSystemToSQLConnection_SiteCode in the Enter the object names to select (examples) box, and then click OK two times.
- To configure the management points to use the new connection account, follow these steps:
- Click Start, point to Programs, point to Systems Management Server, and then click SMS Administrator Console.
- Expand Site Database (SiteCode-SiteName), expand Site Hierarchy, expand the site that you want to modify, expand Site Settings, and then click Site Systems.
- Right-click a system that is a management point for the site, and then click Properties.
- Click the Management Point tab, and then click Use a different database in the Database box.
- Type the name of your site database server, and then type the name of your site database.
- Click Windows Authentication, and then click Set.
- Type the account information for the connection account that you created, and then click OK two times.
Note When you create connection accounts as described in this section, you must manually maintain the connection account. A site reset will not change the password for connection accounts that you create.
MORE INFORMATION
When you reset connection account passwords during a site reset, SMS 2003 may not update all the management points with this new configuration information before a management point connects to the site database. If you have enabled account lockout for the SMS 2003 connection accounts and you plan to reset connection account passwords, consider disabling account lockout for SMS 2003 connection accounts before you perform a site reset. When SMS 2003 has updated all the management points to use the new connection account password, you can enable account lockout again for the SMS 2003 connection accounts.
If the account continues to be locked out after the site has been reset and all site control changes have been updated, you can use the Netlogon.log file to determine which site that contains a management point is still using the old password. If the log shows that logon attempts from a site continue to be rejected because the account is locked out, that site is still using the old password. To do this, follow these steps:
- Enable Net Logon logging on the domain controller. For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling debug logging for the Net Logon service
- Unlock the account, and then wait for it to lock again.
When a Netlogon.log file has been produced, examine the file for the following line:
03/15 13:19:33 [LOGON] SamLogon: Network logon of MEREDITH\SMSServer_S1M from PBCKUP1M Returns 0xC0000234
Notes
- The 0xC0000234 code stands for the following status message: STATUS_ACCOUNT_LOCKED_OUT.
- The Netlogon.log file is located in the %windir%\debug\ folder.
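The following is an added example, not part of the original article or of SMS: a Python sketch that scans Netlogon.log lines in the format shown above and ranks the computers that generate failed logons for one connection account. It also counts 0xC000006A (STATUS_WRONG_PASSWORD), which the article does not mention; the sample lines other than the one quoted above, and the computer names SECOND2M and WKS0042, are constructed.

```python
import re
from collections import Counter

# 0xC0000234 is the code named in the article; 0xC000006A is an added
# assumption about what a host with a stale password returns before lockout.
STATUS = {
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC000006A: "STATUS_WRONG_PASSWORD",
}

# Matches completed logon lines only ("... Returns 0x..."), not "Entered" lines.
LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?SamLogon: .*?logon of "
    r"(?P<domain>[^\\\s]+)\\(?P<user>\S+) from (?P<source>\S+).*? Returns "
    r"(?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def failed_logons(lines, account):
    """Yield (timestamp, source computer, status name) for failures of account."""
    for line in lines:
        m = LOGON_RE.match(line.strip())
        if not m or m["user"].lower() != account.lower():
            continue
        name = STATUS.get(int(m["status"], 16))
        if name:
            yield m["ts"], m["source"].upper(), name

def sources_by_failures(lines, account):
    """Count failed logons per source computer, most frequent first."""
    counts = Counter(src for _, src, _ in failed_logons(lines, account))
    return counts.most_common()

# Constructed sample; the 13:19:33 line is the one quoted in the article.
SAMPLE_LOG = r"""
03/15 13:18:50 [LOGON] SamLogon: Network logon of MEREDITH\SMSServer_S1M from PBCKUP1M Returns 0xC000006A
03/15 13:19:33 [LOGON] SamLogon: Network logon of MEREDITH\SMSServer_S1M from PBCKUP1M Returns 0xC0000234
03/15 13:19:40 [LOGON] SamLogon: Network logon of MEREDITH\SMSServer_S1M from PBCKUP1M Entered
03/15 13:19:40 [LOGON] SamLogon: Network logon of MEREDITH\SMSServer_S1M from PBCKUP1M Returns 0xC0000234
03/15 13:20:02 [LOGON] SamLogon: Network logon of MEREDITH\SMSServer_S1M from SECOND2M Returns 0xC0000234
03/15 13:20:15 [LOGON] SamLogon: Network logon of MEREDITH\OtherUser from WKS0042 Returns 0xC0000234
""".splitlines()

if __name__ == "__main__":
    for source, count in sources_by_failures(SAMPLE_LOG, "SMSServer_S1M"):
        print(f"{source}: {count} failed logon(s)")
```

The earliest STATUS_WRONG_PASSWORD entry for the account is the most useful one, because once the account is locked every source receives 0xC0000234, including computers that already have the new password.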
To troubleshoot the cause of the site control file not updating on the secondary site, generate a site control change on the primary site. Then, track the flow in the appropriate logs to the secondary site. You can track the following logs on the parent site:
- Sitectrl.log
- Hman.log
- Replmgr.log
- Sched.log
- Sender.log
You can track the following logs on the child site:
- despool.log
- hman.log
- sitectrl.log
REFERENCES
For more information about a similar issue, click the following article number to view the article in the Microsoft Knowledge Base:
829868 Systems Management Server 2003 advanced security site with remote SQL does not connect to SQL Server
For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling debug logging for the Net Logon service
For more information about scenarios and procedures for SMS 2003, visit the following Microsoft Web site:
For more information about account lockout, visit the following Microsoft Web site:
For more information about how to manage Active Directory, visit the following Microsoft Web site: