Cannot push clients - Failed to connect using machine account
After restoring SCCM from an old x86 server to a new x64 server I cannot install clients. Current version is SCCM 2007 SP2 without R2. SCCM is in mixed mode, SCCM was installed to the SAME path, and was successfully restored from backup using "ConfigMgr Site Repair Wizard". But new clients cannot be installed now. The following is in ccm.log:

"---> Warning: no remote client installation account found $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=3936 (0xF60)>
---> Attempting to connect to administrative share '\\computername\admin$' using machine account.~ $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=3936 (0xF60)>
---> Failed to connect to \\computername\admin$ using machine account (1203) $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=2900 (0xB54)>"

The account used for push install is present in the "Domain Admins" group and can reach this share from the SCCM server using Explorer or a file manager. The firewall service is stopped and disabled on target computers.

Searching through the logs I was confused by this: "Warning: no remote client installation account found". It's impossible because the account is present and set correctly both in "client push installation" and "computer client agent". The account was cleared and set again but the warning is the same.

At last I found the problem. At the beginning of SMS_CLIENT_CONFIG_MANAGER initialization there is a string in the ccm.log:

"~WARNING: failed to encrypt account domain\account $$<SMS_CLIENT_CONFIG_MANAGER><Date Time Russian Standard Time><thread=2656 (0xA60)>"

I think that's the source of the trouble. But I can't find the reason. By the way, the same message is in policypv.log:

"~failed to encrypt network access accountdomain\account $$<SMS_POLICY_PROVIDER><Date Time Russian Standard Time><thread=3720 (0xE88)>"

It's exactly so in the log, without a space between the word "account" and "domain\account"!
Any domain account I try to add for push installation appears in these logs with the same encrypt error! Can anyone help please? Thanks a lot!
November 13th, 2009 10:04pm
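The log correlation described in the post above, as an added example that is not part of the original thread and not Microsoft tooling: a Python triage that parses ccm.log / policypv.log entries and reports encrypt failures alongside machine-account fallbacks. The entry layout follows the lines quoted in the post; host names, account names and timestamps in the sample are constructed.

```python
import re
from collections import defaultdict

# Entry layout as quoted in the post: message $$<component><timestamp><thread=N (0xHEX)>
ENTRY = re.compile(r"^(?P<msg>.*?)\s*\$\$<(?P<comp>[^>]*)><(?P<ts>[^>]*)>"
                   r"<thread=\d+ \(0x[0-9A-Fa-f]+\)>\s*$")
# policypv.log writes "account" and the name with no space between them, hence \s*
ENCRYPT_FAIL = re.compile(r"failed to encrypt (?:network access )?account\s*(\S+)", re.I)
NO_PUSH_ACCT = re.compile(r"no remote client installation account found", re.I)
MACHINE_FAIL = re.compile(r"Failed to connect to (\S+) using machine account \((\d+)\)", re.I)

# Constructed sample lines (hosts, accounts and timestamps are invented).
SAMPLE = r"""
~WARNING: failed to encrypt account CONTOSO\svc_push $$<SMS_CLIENT_CONFIG_MANAGER><Fri Nov 13 10:00:01.000 2009 Russian Standard Time><thread=2656 (0xA60)>
~failed to encrypt network access accountCONTOSO\svc_naa $$<SMS_POLICY_PROVIDER><Fri Nov 13 10:00:05.000 2009 Russian Standard Time><thread=3720 (0xE88)>
---> Warning: no remote client installation account found $$<SMS_CLIENT_CONFIG_MANAGER><Fri Nov 13 10:04:11.000 2009 Russian Standard Time><thread=3936 (0xF60)>
---> Attempting to connect to administrative share '\\WS001\admin$' using machine account.~ $$<SMS_CLIENT_CONFIG_MANAGER><Fri Nov 13 10:04:11.000 2009 Russian Standard Time><thread=3936 (0xF60)>
---> Failed to connect to \\WS001\admin$ using machine account (1203) $$<SMS_CLIENT_CONFIG_MANAGER><Fri Nov 13 10:04:12.000 2009 Russian Standard Time><thread=2900 (0xB54)>
this line is not a log entry
"""

def triage(lines):
    """Summarise account-encryption failures and machine-account fallbacks."""
    report = {"encrypt_failures": defaultdict(set), "no_push_account": 0,
              "machine_account_failures": [], "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        m = ENTRY.match(line.strip())
        if not m:
            report["unparsed"] += 1  # truncated or foreign line; count, don't guess
            continue
        msg, comp = m["msg"], m["comp"]
        if (e := ENCRYPT_FAIL.search(msg)):
            report["encrypt_failures"][comp].add(e.group(1))
        elif NO_PUSH_ACCT.search(msg):
            report["no_push_account"] += 1
        elif (f := MACHINE_FAIL.search(msg)):
            report["machine_account_failures"].append((f.group(1), int(f.group(2))))
    # Co-occurrence only: the poster's reading is that the encrypt failure at
    # start-up is why push later finds no account and uses the machine account.
    report["fallback_follows_encrypt_failure"] = bool(
        report["encrypt_failures"].get("SMS_CLIENT_CONFIG_MANAGER")
        and report["no_push_account"])
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE.splitlines()).items():
        print(key, "=", dict(value) if isinstance(value, defaultdict) else value)
```
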
Thanks for the reply, Eric. You're right, adding the SCCM computer account to the Domain Admins group solves the problem. But I'm afraid this method removes the consequences of the problem while the cause of the problem still remains. The problem is in the "failed to encrypt account domain\account" message in ccm.log. As a result the SMS_CLIENT_CONFIG_MANAGER component cannot use the specified account for client push installation and is forced to use the machine account. As I said before, we have restored the config from the old SCCM installation to a new x64 OS. But the old SCCM server worked perfectly with a user domain account and without membership in the Domain Admins group. So the question is: what does the "failed to encrypt account domain\account" message mean? Can it be an effect of restoring the SCCM config to a new OS installation?
November 18th, 2009 4:39pm
I agree with John: there is no reason to use the Domain Admins group for anything at all when designing your ConfigMgr infrastructure. That's not to say you can't do so and function perfectly fine. It's just that at most companies that requirement might be labeled a security risk--so it's not necessary to allow for successful functioning of ConfigMgr. If that's working for you (domain admins), and your Security team doesn't have a problem with that, fine. But you can use a different group (as John Marcum mentioned) to nest in the configmgr servers into clients' local Administrators groups as well. (assuming, of course, that you even need to use client push, this is going way off topic, but client push doesn't have to be used either... many companies function just fine without that as well)

Standardize. Simplify. Automate.
November 18th, 2009 5:46pm
We're not using the SCCM system account to push clients. We're using a separate domain account that has admin privs on all client workstations. The problem persists this morning - WARNING: failed to encrypt account domain\account. We're going to try 32bit 2008 instead of R2 later today.
November 20th, 2009 7:01pm
Did anyone ever figure this out? I'm going through the same thing.
February 23rd, 2010 7:28pm