When using System Center Configuration Manager 2007 and restoring from a backup created via the "Backup ConfigMgr Site Server" maintenance task, OSD and Task Sequences may no longer function if the restore was performed after a Windows OS reinstall on the server or restoration to new server hardware. Obtaining the SMSTS.log from a failing client PC reveals the following errors:
Parsing Policy Body. TSMBootstrap
(!sNetworkAccessAccount.empty()) && (!sNetworkAccessPassword.empty()), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1518) TSMBootstrap
Found empty NetworkAccessUsername/NetworkAccessPassword from NAAConfig CCM_NetworkAccessAccount TSMBootstrap
GetEncodedNetworkAccessAccount (sEncodedAccount, sEncodedPassword), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1544) TSMBootstrap
Network Access Account is not set TSMBootstrap
GetNetworkAccessAccount( sNetworkAccessAccount, sNetworkAccessPassword ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1597) TSMBootstrap
pTSPolicyManager->GetContentLocations( m_sPackageID, m_lSourceVersion, m_dwContentSourceFlags, slistContentLocations, slistHttpContentLocations, slistMulticastContentLocations, m_dwContentPackageFlags ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,2330) TSMBootstrap
(*iTSReference)->Resolve( pTSPolicyManager, dwResolveFlags ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,2862) TSMBootstrap
m_pSelectedTaskSequence->Resolve( m_pPolicyManager, TS::Policy::TaskSequence::ResolvePolicy | TS::Policy::TaskSequence::ResolveSource, fpCallbackProc, pv, hCancelEvent), HRESULT=80040101 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,1208) TSMBootstrap
Failed to resolve selected task sequence dependencies. Code(0x80040101) TSMBootstrap
hrReturn, HRESULT=80040101 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediaresolveprogresspage.cpp,408) TSMBootstrap
ThreadToResolveAndExecuteTaskSequence failed. Code(0x80040101) TSMBootstrap
ThreadToResolveAndExecuteTaskSequence returned code 0x80040101 TSMBootstrap
Setting wizard error: Failed to read network access account from machine policy. For more information, please contact your system administrator or helpdesk operator. TSMBootstrap
Reviewing the above SMSTS.log seems to reveal that the Network Access Account (NAA) is not set. The Task Sequence needs the Network Access Account while in WinPE to access network resources, since a client PC running WinPE is the equivalent of a non-domain-joined workgroup PC.
Note: For additional information see the following TechNet article:
About the Network Access Account
Reviewing the properties of the Computer Client Agent in the ConfigMgr 2007 admin console under Site Settings --> Client Agents reveals that the Network Access Account is set. Resetting the Network Access Account in the properties of the Computer Client Agent by reentering the Network Access Account's username and password seems to resolve the error, but then causes a new error in the SMSTS.log.
Note: For information on resetting the Network Access Account see the following TechNet article:
How to Configure the Network Access Account
Reviewing the SMSTS.log on the failed client PC reveals the following error:
Decompressing reply body. TSMBootstrap
Decompression (zlib) succeeded: original size 476, uncompressed size 2568. TSMBootstrap
CryptMsgControl (hMsg, 0, CMSG_CTRL_VERIFY_SIGNATURE, pCert->pCertInfo), HRESULT=8009100e (e:\nts_sms_fre\sms\framework\osdmessaging\libcrypt.cpp,351) TSMBootstrap
signature varification failed TSMBootstrap
ipCertContext != listpServerCertContext.end(), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\osdmessaging\libsmsmessaging.cpp,2476) TSMBootstrap
signature check failed: <signature> TSMBootstrap
DoRequest (sReply, true), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\osdmessaging\libsmsmessaging.cpp,5010) TSMBootstrap
Failed to get client identity (80004005) TSMBootstrap
ClientIdentity.RequestClientIdentity (), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,815) TSMBootstrap
failed to request for client TSMBootstrap
Exiting TSMediaWizardControl::GetPolicy. TSMBootstrap
pWelcomePage->m_pTSMediaWizardControl->GetPolicy(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawelcomepage.cpp,280) TSMBootstrap
Setting wizard error: An error occurred while retrieving policy for this computer (0x80004005). For more information, please contact your system administrator or helpdesk operator. TSMBootstrap
This issue is caused by the backup restoring the srvacct folder from the original ConfigMgr 2007 installation instead of keeping the srvacct folder from the new ConfigMgr 2007 installation. The srvacct folder can be found at the root level of the directory where ConfigMgr 2007 is installed. Normally this folder contains a text file named srvacct.<site_code>. The text file holds the public keys that, together with private keys stored in the Windows OS, allow service account information (username/password), including the Network Access Account, to be decrypted.
When a Windows OS is freshly installed, either via a reinstall of the OS or an install on new hardware, new private keys are generated in the Windows OS when ConfigMgr 2007 is installed. The public keys that match those private keys are then generated and stored in the srvacct folder in the file srvacct.<site_code>. If a backup restores the srvacct folder from another instance of the Windows OS, the public keys in the srvacct.<site_code> file will no longer match the private keys in the Windows OS. As a result, the information for any service account used by ConfigMgr 2007, including the Network Access Account, cannot be decrypted and used.
This issue can also cause problems in areas of ConfigMgr 2007 other than Task Sequences and OSD. Service accounts are not normally used in ConfigMgr 2007 since most operations use the SYSTEM/site server's computer account. The only exception to this rule is the Network Access Account, which is needed by Task Sequences when running in WinPE and is the reason why this issue most prominently affects OSD.
Service accounts can be used instead of the SYSTEM/site server's computer account in areas of ConfigMgr 2007 other than Task Sequences and OSD. For a list of the different areas in ConfigMgr 2007 that can be optionally configured to use service accounts and may be affected by this issue, please see the following TechNet articles:
Accounts Configured in the Configuration Manager Console
How to Configure Configuration Manager 2007 Accounts
Other than OSD, the two areas most likely to be affected by this problem are Site Address Accounts (leading to sites not being able to communicate with one another) and database access accounts (leading to site roles not being able to access the database). The issue is mostly seen with OSD since a service account (the Network Access Account) is always needed and used.
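The two SMSTS.log excerpts above can be told apart mechanically. The following triage script is an added example, not part of the original article or of ConfigMgr; the stage names, advice text and function names are its own, and it assumes log lines in the rendered form shown on this page.

```python
import re

# Signatures come from the two SMSTS.log excerpts on this page; the stage
# names and the advice text are this example's own (hypothetical) labels.
SIGNATURES = {
    "naa_unreadable": re.compile(
        r"Found empty NetworkAccessUsername/NetworkAccessPassword"
        r"|Network Access Account is not set"
        r"|Failed to read network access account from machine policy"),
    "policy_signature_invalid": re.compile(
        r"CMSG_CTRL_VERIFY_SIGNATURE.*HRESULT=8009100e"
        r"|signature check failed"
        r"|Failed to get client identity \(80004005\)"),
}

ADVICE = {
    "naa_unreadable": "NAA unreadable from policy: check whether srvacct "
                      "was restored from another Windows installation.",
    "policy_signature_invalid": "Policy reply signature rejected: the error "
                                "the page reports after re-entering the NAA.",
}

def triage(log_text):
    """Map each failure stage to the TSMBootstrap lines that match it."""
    hits = {stage: [] for stage in SIGNATURES}
    for line in log_text.splitlines():
        if "TSMBootstrap" not in line:
            continue  # other components are out of scope here
        for stage, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits[stage].append(line.strip())
    return hits

def report(log_text):
    """Return (stage, advice, first matching line) for every stage seen."""
    return [(stage, ADVICE[stage], lines[0])
            for stage, lines in triage(log_text).items() if lines]

# Sample: three lines copied from the excerpts above, one constructed.
SAMPLE = """\
Parsing Policy Body. TSMBootstrap
Found empty NetworkAccessUsername/NetworkAccessPassword from NAAConfig CCM_NetworkAccessAccount TSMBootstrap
Network Access Account is not set TSMBootstrap
Constructed unrelated line. OtherComponent
"""

if __name__ == "__main__":
    for stage, advice, line in report(SAMPLE):
        print(f"{stage}: {advice}\n  first hit: {line}")
```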
To resolve the issue, the ConfigMgr 2007 site will need to be reinstalled from scratch. The current restored ConfigMgr 2007 site cannot be used since the original srvacct folder no longer exists.
1. Wipe the server and reinstall the Windows OS.
2. Install ConfigMgr 2007 using normal procedures. Do NOT restore from backup.
3. BEFORE restoring from the backup created via the "Backup ConfigMgr Site Server" maintenance task, manually copy and back up the srvacct folder located at the root level of the ConfigMgr 2007 install location to a location where it can be later restored.
4. Using normal procedures, restore from the backup created via the "Backup ConfigMgr Site Server" maintenance task. For more information, see the following TechNet article:
   How to Repair a Central Site : http://technet.microsoft.com/en-us/library/bb680474.aspx
5. Once the restore of the backup is complete, rename the restored srvacct folder located at the root level of where ConfigMgr 2007 is installed.
6. Copy the srvacct folder backed up in Step 3 to the root level of where ConfigMgr 2007 is installed.
7. Perform a site reset on the server using the following TechNet instructions:
   How to Perform a Site Reset : http://technet.microsoft.com/en-us/library/bb694286.aspx
8. Once the Site Reset is complete, in the ConfigMgr 2007 Admin console, navigate to "Site Management" --> <Site_Code> --> "Site Settings" --> "Client Agents". In the right hand pane, right click on "Computer Client Agent" and choose "Properties".
9. In the "Computer Client Agent Properties" window, click on the "General" tab and examine the account being used under the "Network Access Account" section. Make sure that the account being used is noted and that the password for the account is known.
10. Once the Network Access Account information has been confirmed, in the "Computer Client Agent Properties" window under the "General" tab, click on the "Clear" button in the "Network Access Account" section and then click on the "Apply" button. Once the information for the Network Access Account has been cleared, click on the "Set..." button under the "Network Access Account" section.
11. In the "Windows User Account" window, enter the User name and Password for the Network Access Account as determined in Step 9, and then click on the "OK" button.
12. In the "Computer Client Agent Properties" window, click on the "OK" button.
Note: If the above solution is being used to resolve the issue for a component other than OSD (i.e., site address accounts or database connection accounts), in Steps 8-9, navigate to the appropriate section in the ConfigMgr 2007 Admin Console (i.e., Addresses or properties of the Site Systems roles) and reset the appropriate service accounts using the same instructions listed in Steps 10-12.
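The folder handling in Steps 3, 5 and 6 is the part of the procedure where the fresh-install keys are most easily lost, so it is sketched here as a script with checks. This is an added example, not from the original article or from Microsoft; the function names, the ".restored" suffix and the install and safe-location paths passed in are assumptions.

```python
import filecmp
import shutil
from pathlib import Path

def save_fresh_srvacct(install_root, safe_dir):
    """Step 3: copy the fresh install's srvacct folder aside, before restore."""
    src, dst = Path(install_root) / "srvacct", Path(safe_dir) / "srvacct"
    if not any(src.glob("srvacct.*")):
        raise FileNotFoundError(f"no srvacct.<site_code> file under {src}")
    if dst.exists():
        # Running this again after the restore would save the wrong keys.
        raise FileExistsError(f"{dst} already exists; refusing to overwrite")
    shutil.copytree(src, dst)
    return dst

def swap_in_fresh_srvacct(install_root, safe_dir, suffix=".restored"):
    """Steps 5-6: rename the restored folder, then copy the saved one back."""
    live, saved = Path(install_root) / "srvacct", Path(safe_dir) / "srvacct"
    if not saved.is_dir():
        raise FileNotFoundError(f"saved copy missing at {saved}")
    parked = live.with_name(live.name + suffix)  # hypothetical new name
    live.rename(parked)
    shutil.copytree(saved, live)
    return parked

def live_matches_saved(install_root, safe_dir):
    """True when the live srvacct.* files are byte-identical to the saved copy."""
    live, saved = Path(install_root) / "srvacct", Path(safe_dir) / "srvacct"
    names = [p.name for p in saved.glob("srvacct.*")]
    _, mismatch, errors = filecmp.cmpfiles(saved, live, names, shallow=False)
    return bool(names) and not mismatch and not errors
```

Calling live_matches_saved after the restore in Step 4 and again after Step 6 shows whether the restore replaced the key file and whether the swap put the fresh-install copy back.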
The information above was published today in the following Microsoft Knowledge Base article written by Frank Rojas:
J.C. Hornbeck | System Center Knowledge Engineer