How to troubleshoot SMS Administrator console connectivity

Last week I mentioned that many of the calls we get in customer support involve advanced client push installations and this week I want to mention another common call, that being SMS Administrator Console connectivity.

As is the case with advanced client push installs, we already have a troubleshooting document that covers it, so I have posted it below. It is published in our Knowledge Base as article 317872, but I wanted to bring it to your attention in case you haven't seen it before.

The full URL to the article is https://support.microsoft.com/?kbid=317872 and any changes or updates going forward will be made in the KB article itself. 

The complete existing troubleshooter is listed below:

===================

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 - Description of the Microsoft Windows registry

INTRODUCTION

If you are using SMS and you try to connect to the site server, you may receive a "Connection Failed" message. Or, the nodes may not be displayed after you are connected. Additionally, errors that are similar to the following may be logged in the AdminUI.log file on the server:

Error: Possible UI connection error code is -2147023174 [0x800706ba]

Error: Possible UI connection error code is -2146959355 [0x80080005]

Error: Possible UI connection error code is -2147217394

Error: Possible UI connection error code is -2147217389[0x80041013] Failed to execute method GetProviderVersion! Function GetProviderVersion returns empty string of ProviderVersion. Wbem call failed: T_WbemSyncEnumToContainer_Core, return code: -2147217389 We fail to get the ProviderVersion. SiteCode - SiteServerName , Provider Version : Failed to set the connection. error code: -2147217389

Error(ConnectServer): Possible UI connection error code is -2147024891

Error: Possible UI connection error code is -2147024891 [0x80070005]

[994][<date> <time>]:Error(CheckForDisconnect2): Invalid service pointer. WMI connection has been dropped. : -2147024891 [0x80070005]

This article describes how to troubleshoot a new or an existing SMS Administrator console to determine why it cannot connect to the site server.

MORE INFORMATION

How to grant access to the SMS Administrator console

In order to access a local or remote SMS Administrator console, users must be members of the SMS Admins local group. The SMS Admins group is explicitly granted Enable Account and Remote Enable on the Root\SMS namespace. The SMS Admins group provides its members with access to the SMS Provider, through WMI. Add users to the SMS Admins group when they need to access the SMS Administrator console but do not have to be Local Administrators. If you want to use a different local group to grant access to the SMS Administrator console, you must also grant that local or domain local group the same WMI permissions as the SMS Admins group. To grant access to the SMS Administrator console, follow these steps:

1. Create a global group for the domain that contains users who require specific access to the SMS Administrator console.

2. Add this global group or the explicit domain user account to the local SMS Admins group.

3. Configure the SMS permissions for the global group that you created.
Notes

• To complete this step, you must be an administrator and have full permissions on the site.

• If you can connect to the database but the nodes are not enumerated, examine the SMS permissions that are granted to the global group or to a specific user in the Security node of the SMS Administrator console. For example, determine whether the collections node, the packages node, or other nodes display any content.

The permissions that you grant depend on the functionality that you want the members of this global group to perform. To grant permissions, right-click the Security rights node in the SMS Administrator console, point to All tasks, and then click Manage SMS Users to start the Security Wizard.

4. Use the wizard to add, remove, or modify the security settings of users and of groups.

Note For SMS 2.0 Service Pack 3 (SP3) hierarchies in Microsoft Windows 2000 domains, you may have to obtain the hotfix that is described in the following Microsoft Knowledge Base article:

266712 - SMS: Security based on global groups fails in Windows 2000 domains

For more information about how to grant additional users access to the SMS Administrator console, click the following article number to view the article in the Microsoft Knowledge Base:

252674 - SMS: How to set up a Help Desk administrator

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

201126 - SMS: Troubleshooting connectivity to the SMS site database

200670 - SMS: Customizing the Systems Management Server Administrator console

How to troubleshoot SMS Administrator console connectivity

If you are testing a remote SMS Administrator console, make sure that the latest SMS service pack has been applied to this console. If the service pack has not been applied, an error that is similar to the following may be logged in the AdminUI.log file:

CLASS_SMS_ContextMethods,METHOD_GetContextHandle! Failed to set the connection. error code: -2147217407

Run the Setup program from the service pack source to determine whether the SMS Administrator console is the only component that must be upgraded.

To troubleshoot SMS Administrator console connectivity, consider the following issues:

• Is the SMS site server running Microsoft Windows Server 2003 with Service Pack 1 (SP1)?
In Windows Server 2003 with SP1, a new local group is created that is named Distributed COM Users. To resolve the connectivity issue in Windows Server 2003 Service Pack 1, add the users who are trying to make remote connections to the SMS Administrator console to the Distributed COM Users local group. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

913000 - After you install Windows Server 2003 Service Pack 1, you can no longer connect to the SMS site server by using a remote SMS Administrator console

895952 - You receive a "You do not have the appropriate privilege" error message when you try to open the Microsoft Operations Manager (MOM) 2005 Administrator console

• Is the user a member of a global group that is a member in the SMS Admins group, or is the user explicitly defined in the SMS Admins Group?
The SMS Admins group is created during the SMS site installation. If a site was installed on a member server, the SMS Admins group is a local group in the local Security Accounts Manager (SAM). If a site server is a domain controller, the SMS Admins group is a local group in the domain. The user must belong to the SMS Admins group because this group is granted the necessary permissions to the SMS and SMS_site code namespace in the Windows Management Instrumentation (WMI) repository when the SMS site is built.

• Has this server had a previous installation of SMS?
If the server has had a previous installation of SMS, there may be multiple site codes in the SMS_ProviderLocation class that is located in the site server's SMS namespace. Delete any site code that no longer exists on the site server. You can use the WBEMtest tool to view the SMS_ProviderLocation class. For more information about WBEMtest, click the following article number to view the article in the Microsoft Knowledge Base:

239899 - Administrator console cannot connect after reinstallation

• On the site server, confirm property settings that are defined in the Dcomcnfg.exe utility.
To view the properties that are defined in the Dcomcnfg.exe utility, click the Default properties tab, and then confirm the following settings:

1. The Enable Distributed COM on this computer check box is selected.

2. The Default Authentication level is set to Connect.

3. The Default Impersonation level is set to Identify.

• If you are testing a remote SMS Administrator console, make sure that the latest SMS service pack has been applied to this console.
Run the Setup program from the service pack source to determine whether the SMS Administrator console is the only component that must be upgraded.

After you consider these issues, complete the troubleshooting procedures that are described in the following sections.

Troubleshooting SMS namespace connectivity

Make sure that the user can connect to the SMS namespace and the SMS_'sitecode' namespaces. To do this, follow these steps:

1. Click Start, click Run, and then type wbemtest.

2. Click Connect, type \\siteserver\root\sms, and then click Login.

3. Click Enum Classes, click Recursive, and then click OK.

4. In the Query Result list, double-click SMS_ProviderLocation.

5. Click Instances, and then double-click the line that contains the target site code. For example, SMS_ProviderLocation.SiteCode="xxx".

6. In the Properties section, locate the NamespacePath line. You may have to double-click this line to see the whole line.

7. Copy the NamespacePath value to the clipboard. For example, copy the following value:

\\server_name\root\sms\site_xxx

If you successfully complete this procedure, you can connect to the site server and enumerate the SMS namespace.

How to troubleshoot server connectivity

Determine whether you can connect to the server that the provider is located on. The server is defined in the NamespacePath value that you determined in the "Troubleshooting SMS namespace connectivity" section. Typically, this is the same server as the site server.

1. Close all WBEMtest windows that may be open.

2. Click Connect, paste the NamespacePath that you copied in step 7, and then click Login.

3. Click Enum Classes, click Recursive, and then click OK.

4. In the Query Result list, double-click SMS_Site.
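The two WBEMtest procedures above (enumerate SMS_ProviderLocation in root\sms, then read SMS_Site in the provider namespace) can be reproduced from Windows PowerShell. This is an added example, not part of the KB article; SITESERVER and XXX are placeholders for the real site server name and site code.

```powershell
# Added example (not from the KB article): reproduces the WBEMtest steps above
# with Windows PowerShell. $SiteServer and $SiteCode are placeholders; replace
# them with the real site server name and three-character site code.
param(
    [string]$SiteServer = 'SITESERVER',   # placeholder, not a real host
    [string]$SiteCode   = 'XXX'           # placeholder site code
)

function Test-SmsProviderConnection {
    param([string]$SiteServer, [string]$SiteCode)

    # Steps 2-5: connect to \\siteserver\root\sms and enumerate SMS_ProviderLocation.
    try {
        $locations = Get-WmiObject -ComputerName $SiteServer -Namespace 'root\sms' `
                                   -Class 'SMS_ProviderLocation' -ErrorAction Stop
    } catch {
        # 0x80070005 = access denied, 0x800706BA = RPC server unavailable (the
        # AdminUI.log codes quoted earlier in the article).
        Write-Warning ("Cannot enumerate root\sms on {0}: {1}" -f $SiteServer, $_.Exception.Message)
        return $false
    }

    # A site code left over from a previous installation shows up here as an extra instance.
    $locations | Select-Object SiteCode, Machine, NamespacePath | Format-Table -AutoSize

    $target = $locations | Where-Object { $_.SiteCode -eq $SiteCode }
    if (-not $target) {
        Write-Warning "No SMS_ProviderLocation instance for site code $SiteCode."
        return $false
    }

    # Steps 6-7: NamespacePath is \\provider_server\root\sms\site_XXX; the provider
    # may live on a different server than the site server.
    $nsPath         = $target.NamespacePath
    $providerServer = ($nsPath -split '\\')[2]
    $namespace      = $nsPath.Substring($nsPath.IndexOf('root\'))

    # Server connectivity section: connect to the provider namespace and read SMS_Site.
    try {
        $sites = Get-WmiObject -ComputerName $providerServer -Namespace $namespace `
                               -Class 'SMS_Site' -ErrorAction Stop
    } catch {
        Write-Warning ("Cannot read SMS_Site in {0}: {1}" -f $nsPath, $_.Exception.Message)
        return $false
    }

    $sites | Select-Object SiteCode, SiteName, ServerName, Version | Format-Table -AutoSize
    return $true
}

Test-SmsProviderConnection -SiteServer $SiteServer -SiteCode $SiteCode
```

Running the script a second time with the site server's IP address in place of its name reproduces the name-resolution check described later in the article.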

If you receive an "access denied" error message when you perform this procedure, this may be because of one of the following causes:

1. The Security Configuration Wizard has been run on the server that hosts the SMS Provider. However, the Security Configuration Wizard is unable to recognize the SMS Provider. If you run the wizard on the server that has the SMS Provider installed, you must enable the Remote WMI service in the wizard. Unless you enable Remote WMI, the SMS Administrator console on the site server and any other remote consoles cannot connect to the SMS namespace in WMI. To enable Remote WMI in the wizard, do the following:

a. Select Remote WMI on the Select Administration and Other Options page of the Security Configuration Wizard.
Note For more information about how to secure SMS site systems, visit the following Microsoft Web site:

https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/625e8c53-2481-4f4a-a5cd-f8de96eaee13.mspx?mfr=true

2. The account that is used does not have the appropriate permissions to the namespace of the provider. To modify or to verify the permissions, follow these steps:

a. On the server on which you enumerated the SMS site, click Start, click Run, type wmimgmt.msc, and then click OK.

b. Right-click WMI Control, and then click Properties.

c. On the Security tab, expand Root, and then click SMS.

d. Click Security in the results pane to see the permissions.

e. Click Advanced, click SMS Admins, and then click View-edit.
For the SMS namespace, the SMS Admins group must have the following permissions:

• Enable account

• Remote enable

f. Repeat steps a through e to examine the SMS Admins group for the SMS_xxx namespace. (xxx is a placeholder for the site code.) Then, grant Remote Enable permission to the user or to the group. If the user or the group does not have appropriate WMI permissions in Security for the SMS namespace, the following event may be logged in the AdminUI.log file:

Error(ConnectServer): Possible UI connection error code is -2147217405 [0x80041003]
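The permission check in steps a through f can be scripted by reading the namespace security descriptor through the __SystemSecurity class. This is an added example, not part of the KB article; SITESERVER and XXX are placeholders, and the access-mask bit values are the standard WMI ones (WBEM_ENABLE = 0x1, WBEM_REMOTE_ACCESS = 0x20).

```powershell
# Added example (not from the KB article): reads a WMI namespace DACL and reports
# whether a trustee holds the two rights the article requires for SMS Admins.
# $Server and $SiteCode are placeholders.

function Get-WmiNamespaceRights {
    param(
        [string]$Server,
        [string]$Namespace,                 # e.g. root\sms or root\sms\site_XXX
        [string]$Trustee = 'SMS Admins'
    )

    # WBEM access-mask bits; only the two the article requires are checked.
    $WBEM_ENABLE        = 0x1    # "Enable Account"
    $WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"

    # __SystemSecurity.GetSecurityDescriptor returns a Win32_SecurityDescriptor
    # whose DACL is an array of Win32_ACE instances.
    $result = Invoke-WmiMethod -ComputerName $Server -Namespace $Namespace `
                               -Path '__SystemSecurity=@' -Name 'GetSecurityDescriptor'
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with $($result.ReturnValue)"
    }

    $aces = @($result.Descriptor.DACL | Where-Object { $_.Trustee.Name -eq $Trustee })
    if ($aces.Count -eq 0) {
        return [pscustomobject]@{ Namespace = $Namespace; Trustee = $Trustee; Present = $false;
                                  EnableAccount = $false; RemoteEnable = $false }
    }

    # AceType 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED; a deny ACE overrides an allow.
    $allowMask = 0
    $denyMask  = 0
    foreach ($ace in $aces) {
        if ($ace.AceType -eq 0) { $allowMask = $allowMask -bor $ace.AccessMask }
        if ($ace.AceType -eq 1) { $denyMask  = $denyMask  -bor $ace.AccessMask }
    }
    $effective = $allowMask -band (-bnot $denyMask)

    [pscustomobject]@{
        Namespace     = $Namespace
        Trustee       = $Trustee
        Present       = $true
        EnableAccount = (($effective -band $WBEM_ENABLE) -ne 0)
        RemoteEnable  = (($effective -band $WBEM_REMOTE_ACCESS) -ne 0)
    }
}

# Step f: check both namespaces the article names, root\sms and root\sms\site_XXX.
$Server   = 'SITESERVER'   # placeholder
$SiteCode = 'XXX'          # placeholder
foreach ($ns in 'root\sms', "root\sms\site_$SiteCode") {
    Get-WmiNamespaceRights -Server $Server -Namespace $ns
}
```

A row with RemoteEnable = False for the SMS_xxx namespace corresponds to the 0x80041003 entry quoted above in AdminUI.log.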

Other security issues

Use the troubleshooting procedures that are described in this section if any one of the following conditions is true:

• Users are still denied access when they try to connect to the console after you have granted the appropriate accounts the “Remote Enable” right in WMI security.

• The console is only partially available.

Verify the Windows Firewall configuration

Windows XP SP2 and Windows Server 2003 SP1 include the Windows Firewall feature. If you run the SMS Administrator Console on a Windows XP SP2-based or a Windows Server 2003 SP1-based computer that has the firewall enabled, you must enable the Unsecapp.exe program and TCP port 135 to pass through the Windows Firewall. To do this, follow these steps:

1. Click Start, click Run, type firewall.cpl, and then click OK.

2. On the General tab, click On to turn the firewall on. Click to clear the Don't allow exceptions check box.

3. On the Exceptions tab, click Add Program.

4. Click Browse, type %windir%\System32\Wbem\Unsecapp.exe in the File name box, and then click Open. If you have to define the scope, click Change scope, and then click OK. Click OK to close the Add a Program dialog box.

5. In the Programs and Services list, click to select the Unsecapp.exe check box.

6. Click Add Port.

7. In the Port number box, type 135. Select TCP, and then type a name for the exception in the Name box. If you have to define the scope, click Change scope, and then click OK. Click OK to close the Add Port dialog box.

8. In the Programs and Services list, click to select the check box for the exception that you added in step 7.

9. Click OK.

Check DCOM security settings

Warning Do not make these changes unless you cannot resolve this issue by adding the Unsecapp.exe program and TCP port 135 to the exceptions list.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
You may not resolve this issue by adding these exceptions to Windows Firewall. You may have to set anonymous remote permissions in DCOM for the client computer. To do this on the Windows XP SP2-based computer that is running the SMS Administrator console, follow these steps:

1. Click Start, click Run, type dcomcnfg.exe, and then click OK.

2. Locate the Console root node, expand Component Services, expand Computers, and then click My Computer.

3. Right-click My Computer, and then click Properties.

4. In My Computer Properties, click the COM Security tab.

5. In Access Permissions, click Edit Limits.

6. Click ANONYMOUS LOGON.

7. In Permissions for ANONYMOUS LOGON, click Allow setting for Remote Access.

8. Click OK two times.

9. Restart your computer.

Verify whether the default DCOM permissions have been changed

Check for the DefaultAccessPermission value under the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

If this value exists, the default DCOM permissions have been changed. If this value does not exist, the default DCOM permissions are in effect. To resolve this problem, delete the DefaultAccessPermission value. This will reset all default DCOM permissions. This is a measure of last resort and is not guaranteed to correct the problem.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Important Before you delete this value, make sure that you have tried to resolve the issue by following the DCOM troubleshooting steps in this article. Also, back up the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole registry subkey.
To delete the DefaultAccessPermission value, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

3. In the right pane, right-click DefaultAccessPermission, and then click Delete.

4. In the Confirm Value Delete dialog box, click Yes.

5. Exit Registry Editor.

6. Log off the computer, and then log back on to the computer.

For more information about DCOM issues and their symptoms, click the following article number to view the article in the Microsoft Knowledge Base:

900960 - You cannot perform actions such as search and drag when you use a Windows Server 2003-based computer

Include the Anonymous Logon security group in the Everyone security group

If the procedures that are previously described do not resolve the permissions issue for the SMS Administrator console, it may be difficult to do the following:

• Determine which resource requires anonymous access on the computer that is running Windows XP

• Modify the permissions on all the necessary resources

In these situations, you may have to force the computer that is running Windows XP to include the Anonymous Logon security group in the Everyone security group. To support this functionality, Windows XP includes the EveryoneIncludesAnonymous registry entry.
If the EveryoneIncludesAnonymous registry entry is set to REG_DWORD 0x1, the Local Security Authority (LSA) includes the security identifier (SID) of the Everyone security group in the anonymous user's access token. To set the value of the EveryoneIncludesAnonymous registry entry, use either of the following methods.

Method 1: Set the EveryoneIncludesAnonymous registry entry by using local security settings

1. Click Start, click Run, type Control admintools, and then click OK.

2. Double-click either Local Security Policy or Domain Security Policy (on domain controllers only).

3. Double-click Local Policies, and then click Security Options.

4. Right-click Network access: Let Everyone permissions apply to anonymous users, and then click Properties.

5. To enable anonymous users to be members of the Everyone security group, click Enabled. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token, click Disabled. This is the default setting in Windows XP.

Method 2: Set the EveryoneIncludesAnonymous registry value by using Registry Editor

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Right-click EveryoneIncludesAnonymous, and then click Modify.

4. To enable anonymous users to be members of the Everyone security group, type 1 in the Value data box. To prevent the inclusion of the Everyone security group SID in the anonymous user's access token, type 0 in the Value data box. By default, the EveryoneIncludesAnonymous value is set to 0 in Windows XP.

5. Exit Registry Editor.

6. Restart the computer.
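The registry checks the article walks through (the Dcomcnfg defaults, the DefaultAccessPermission value, and EveryoneIncludesAnonymous) can be audited read-only before anything is changed. This is an added example, not part of the KB article; the Ole and Lsa keys are the ones the article names, while the value names for the Dcomcnfg defaults (EnableDCOM, LegacyAuthenticationLevel, LegacyImpersonationLevel) are the standard DCOM registry values and are not listed in the article.

```powershell
# Added example (not from the KB article): read-only audit of the DCOM and LSA
# settings the article discusses. Run it on the computer being troubleshot
# (site server for the DCOM defaults, console computer for the LSA value).

function Get-DcomSecurityAudit {
    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $oleProps = Get-ItemProperty -Path $ole
    $lsaProps = Get-ItemProperty -Path $lsa

    # Dcomcnfg "Default Properties" tab. Missing values mean the OS defaults apply
    # (DCOM enabled, authentication Connect = 2, impersonation Identify = 2).
    # These value names are standard DCOM values, not named in the article.
    $authNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
    $impNames  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }
    $auth = if ($oleProps.LegacyAuthenticationLevel) { [int]$oleProps.LegacyAuthenticationLevel } else { 2 }
    $imp  = if ($oleProps.LegacyImpersonationLevel)  { [int]$oleProps.LegacyImpersonationLevel }  else { 2 }

    # DefaultAccessPermission present at all means the default DCOM access permissions were edited.
    $defaultAccessEdited = ($oleProps.PSObject.Properties.Name -contains 'DefaultAccessPermission')

    # EveryoneIncludesAnonymous: 0 (the default) keeps the Everyone SID out of anonymous tokens.
    $everyoneAnon = if ($lsaProps.PSObject.Properties.Name -contains 'EveryoneIncludesAnonymous') {
        [int]$lsaProps.EveryoneIncludesAnonymous
    } else { 0 }

    [pscustomobject]@{
        DcomEnabled                   = ($oleProps.EnableDCOM -ne 'N')
        DefaultAuthenticationLevel    = "$auth ($($authNames[$auth]))"
        DefaultImpersonationLevel     = "$imp ($($impNames[$imp]))"
        DefaultAccessPermissionEdited = $defaultAccessEdited
        EveryoneIncludesAnonymous     = $everyoneAnon
        Findings = @(
            if ($auth -ne 2) { 'Default Authentication level is not Connect' }
            if ($imp -ne 2)  { 'Default Impersonation level is not Identify' }
            if ($defaultAccessEdited) { 'DefaultAccessPermission exists: default DCOM access permissions were changed' }
            if ($everyoneAnon -eq 1) { 'EveryoneIncludesAnonymous=1: anonymous callers carry the Everyone SID (broad exposure)' }
        )
    }
}

Get-DcomSecurityAudit | Format-List
```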

Note This change can affect the following Windows-based technologies:

• COM

• DCOM

• IIS

• Message Queuing

• Any other technology where anonymous authentication is frequently employed.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

278259 - Everyone group does not include anonymous security identifier

Additional connectivity tests

Start the WMI Control on the site server. Do not start the WMI control on the provider server if this server is different. Click the Logging tab, and then set the logging level to Verbose to increase the logging to the Windows_folder\System32\Wbem\Logs\Wbemcore.log file.
Analyze this log on the site server. It shows all the WMI traffic that is generated. Look for the query for SMS_ProviderLocation that occurred when an SMS Administrator console tried to connect. If this query is present, you can confirm that there is communication between the console and the site server. Test connectivity from the site server back to the requesting SMS Administrator console. Connectivity may not exist in the following scenarios:

• The remote procedure call (RPC) server is unavailable.
If WBEMtest connectivity testing determines that the remote procedure call (RPC) server is unavailable, see the following Microsoft Knowledge Base article:

229091 - SMS: Remote administrator gets a "Connection failed" error when connecting to Site Server

• There is a DNS name resolution issue.
The "Connection Failed" error message may also occur if name resolution is not completed correctly. To determine whether you are experiencing a name resolution issue, use the WBEMtest tool and try to connect to the site server by using the IP address. For example, use \\111.222.333.444\root\default as the address. If you can connect when you use the IP address, but you cannot connect when you use the NetBIOS name of the site server, you are experiencing a name resolution issue. To resolve this issue, confirm either the WINS or the DNS configuration.
To make sure that no incorrect entries persist in the DNS resolver cache on the SMS 2003 site server, run the following command at a command prompt:

ipconfig /flushdns

If you cannot resolve the fully qualified domain name of the Windows XP SP2-based computer by using DNS, create an entry in the hosts file on the SMS 2003 site server to map the Windows XP SP2-based computer's fully qualified domain name to its IP address.

Known Issues with Microsoft ISA server or Checkpoint VPN software

If you cannot expand some nodes on a remote console over a remote connection from a Windows Server 2003 SP1 computer, Remote Procedure Call-based operations may be failing because certain firewall and VPN products deny the network requests. These network requests may fail on computers where you apply Windows Server 2003 Service Pack 1 (SP1) to a Windows Server 2003-based computer, or where your OEM or retail installation media includes the SP1 updates. The following products may deny these network requests:

• Firewall or virtual private network (VPN) products from Checkpoint Software Technologies

• Microsoft Internet Security and Acceleration (ISA) Server

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

899148 - Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computers

REFERENCES

For more information about how to set WMI Namespace security in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

295292 - How to set WMI Namespace security in Windows XP

For more information about Systems Management Server WMI terms and concepts, click the following article number to view the article in the Microsoft Knowledge Base:

216738 - SMS: WMI terms and concepts

For more information about SMS Administrator connection problems, click the following article numbers to view the articles in the Microsoft Knowledge Base:

314169 - SMS: "Connection failed" error message when you run Administrator console on Windows 2000

272937 - SMS: Administrator console does not connect to Windows NT 4.0 Site Server

913000 - After you install Windows Server 2003 Service Pack 1, you can no longer connect to the SMS site server by using a remote SMS Administrator console

908478 - One or more site objects may be missing after you expand a site hierarchy node in a remote System Management Server 2003 Administrator Console

For more information about how to help secure remote WMI connections, visit the following Microsoft Web site: https://msdn2.microsoft.com/en-us/library/aa392291.aspx

For more information about granular COM permissions, visit the following Microsoft Web site: https://technet2.microsoft.com/WindowsServer/en/library/4c9a2873-2010-4dbb-b9dd-6a7d1e275f0f1033.mspx?mfr=true

For a list of frequently asked questions about site systems, visit the following Microsoft Web site: https://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq02.mspx

- J.C. Hornbeck