Failed to set security on SQL Server registry key. Error: 2
Hi,

I have a Primary site (mixed mode) running SCCM 2007 SP1 for many months now with no issues. This site is made up of two Win 2008 sp2 servers sharing the SCCM roles:-

· SCCM01 - Site server, DP, RP, PXE and SQL2005 hosting the SCCM database
· SCCM02 – SUP, MP, FSP, SLP

The SQL2005 on SCCM01 is running under a domain service account called domain\service_sccm which is also a sysadmin in SQL as is the SCCM02 server. In an effort to resolve the issue I have made this account a Domain Admin. I have also used this account to log onto SEC01 to run the Secondary Site installation and to be the SQL Service account.

I'm now trying to add a Secondary Site on a Domain Controller called SEC01 (also Win2008 sp2) and on the same LAN as the SCCM01/02. This is where I get problems. I run the installation locally on the Sec Site server (DC) as a Domain Admin and the installation completes OK (all green ticks), the ComponentSetup.log and Pre-Reqs are all good as well, however when I check the ConfigMgrSetup.log I see the below - Failed to set security on SQL Server registry key. Error: 2.

    ........
    <11-09-2010 22:46:59> SMS Setup full version is 4.00.6221.1000
    <11-09-2010 22:46:59> Successfully set security on Setup registry key.
    <11-09-2010 22:46:59> Failed to set security on SQL Server registry key. Error: 2
    <11-09-2010 22:46:59> Successfully set security on Identification registry key.
    <11-09-2010 22:46:59> Creating SMS Inbox Source registry key ...
    <11-09-2010 22:46:59> Installing SMS Site Component Manager ...
    <11-09-2010 22:46:59> Installing Site Component Manager under acct <NT AUTHORITY\SYSTEM> path <C:\Program Files (x86)\Microsoft Configuration Manager\bin\i386\sitecomp.exe>
    <11-09-2010 22:47:01> Started Site Component Manager service
    <11-09-2010 22:47:01> SMS Site Component Manager installation completed.
    <11-09-2010 22:47:01> Done with service installation
    .........

Adding the PMP role to SEC01 also fails to install and no MPSetup or MPControl logs are created.

· WebDav and win2008 roles, features all added and server fully patched.
· Despooler.log on SCCM01 seems good and passing keys.
· Tried installing to default path and to shortened path such as C:\SCCM
· The new secondary site is listed in the console and an address can be added for the Secondary Site.
· BITS Server Extensions and Remote Differential Compression Features are enabled.

The Group memberships all appear ok:-

SCCM01
· Local Admins - contains the sec site server SEC01, SCCM01, installation accounts
· SMS_SiteToSiteConnection_001 - SEC01 (the sec site server)
· SMS_SiteSystemToSiteServerConnection_001 - SCCM02

SEC01
· No Local Admins as a DC
· SMS_SiteToSiteConnection_002 - SCCM01
· SMS_SiteSystemToSiteServerConnection_002 - empty

SQL 2005
· This has the account logged in during installation as a sysadmin
· SCCM02 is also sysadmin

The fundamental issue appears to be that the SEC01$ server account is not being added to SQL Logins (and therefore SCCM database Roles), therefore the installation cannot complete. I have tried to manually add the SEC01 account to SQL Logins before installation of Sec Site but this did not work. Not sure if the fact that SEC01 is a DC may be a factor.

Appreciate any help if anyone has seen this before or can suggest a resolution.

Thanks
November 9th, 2010 7:20pm

Hi,

First, personally I don't recommend installing ConfigMgr on DCs, it is not a best practice. Otherwise, add the primary site computer account in the domain "administrators" group in the DC "SEC01" then try again.
November 10th, 2010 2:58am

"First, personally I don't recommend installing ConfigMgr on DCs, it is not a best practice."

I'll second that.

I add computer accounts to SQL logins manually all the time. This is how I do it. I am no SQL expert, I just sorta fumbled my way through this and it works, so take this for what it's worth...

Go to Security>Logins>New Login and enter DOMAIN\ComputerName$ as the login name, go to user mapping and place a check mark next to SMS_xxx, then click the little box under default schema, click browse, select dbo and click OK twice, check smsdbrole_MP under database role membership and click OK.

John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
November 10th, 2010 8:49am
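
The GUI steps described in the post above, scripted as an added example that is not part of the original thread. `CONTOSO\SEC01$` and `SMS_XXX` are placeholders for the secondary site server's computer account and the site database; the script adds the login to `smsdbrole_MP` only and prints whether that login also holds `sysadmin`, so any broader grant made while troubleshooting is visible.

```powershell
# Added example, not from the thread. Run as a SQL sysadmin on a host that can reach the DB server.
$SqlServer = 'SCCM01'            # site database server named in the thread
$Database  = 'SMS_XXX'           # placeholder: the SMS_<site code> database
$Login     = 'CONTOSO\SEC01$'    # placeholder domain; computer accounts end in $

# T-SQL equivalent of: New Login, user mapping with default schema dbo, role smsdbrole_MP.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login] WITH DEFAULT_SCHEMA = dbo;
EXEC sp_addrolemember N'smsdbrole_MP', N'$Login';
-- Verification: database roles held by the account, plus its sysadmin status.
SELECT r.name AS RoleName,
       IS_SRVROLEMEMBER('sysadmin', N'$Login') AS IsSysadmin
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$Login';
"@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        # One line per database role; IsSysadmin is 1 if the login is a server sysadmin.
        'role={0}  sysadmin={1}' -f $reader['RoleName'], $reader['IsSysadmin']
    }
    $reader.Close()
}
finally {
    $conn.Close()
}
```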

Hi,

Although a supported configuration I'd agree that it is not recommended, but no choice as limited hardware available at remote site.

Looking back at my notes I have already tried adding the account used during the Sec Site installation and the SCCM01 + SCCM02 (Primary Site Servers) to the Domain Admins group for the entire domain but same error reports. I have also added these same accounts to the domain BUILTIN "Administrators" group but still getting the same error and incomplete setup?

Just to clarify:

SCCM01 has roles:
· ConfigMgr component server
· ConfigMgr distribution point
· ConfigMgr multicast service point
· ConfigMgr reporting point
· ConfigMgr site server
· ConfigMgr site system
· ConfigMgr site database server

SCCM02 has roles:
· ConfigMgr component server
· ConfigMgr fallback status point
· ConfigMgr management point
· ConfigMgr server locator point
· ConfigMgr site system
· ConfigMgr software update point
· ConfigMgr state migration point

During installation for the Sec Site I enter 001 as its SiteID and SECONDARY as its Site Name. On the next screen for the parent site I enter 000 as the parent SiteID and SCCM1 as the primary site server. Presumably this is all correct?

At what time should the machine accounts be created in SQL Logins?

Thanks
November 10th, 2010 9:05am

Hi,

Have you seen John's answer?

Bechir Gharbi | http://myitforum.com/cs2/blogs/bgharbi/default.aspx
November 10th, 2010 9:37am

You are correct, it is supported to use a DC as a site server. It should work so maybe we are missing something. This may sound trivial but did you reboot the server after adding it to the groups?

John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
November 10th, 2010 6:42pm

"This may sound trivial but did you reboot the server after adding it to the groups?"

I like this John. I forgot to say it ...

Bechir Gharbi | http://myitforum.com/cs2/blogs/bgharbi/default.aspx
November 11th, 2010 2:09am

Thanks for the prompt responses guys - much appreciated.

In reply - Yes SEC01 was rebooted after adding the server accounts to the SMS_Site groups but no difference. I had also previously manually added the SEC01 server account to SQL logins with but this did not fix the problem in that I was able to add the MP role OK but the MPControl and MPSetup did not create and the MP was not functional. I will try and manually add it to the smsdbrole_MP DB role next week as the server is now shipping to the remote site.

Qus: When you manually added the Server account to the SQL Login and the smsdbrole_MP database role did you also add the Login to the sysadmin role? Presumably you added these prior to installing the Sec Site?

What is really frustrating is that I have done this at another site with no issue at all and without any manual intervention .... Don't you just love I.T.

Cheers
November 12th, 2010 10:04am

After a lot of digging around and head scratching I eventually found the resolution. The original thread title Error turned out to be a bit of a red herring in that my failure to deploy Sec Sites came down to two separate issues seemingly unrelated to the error message of the thread title.

The first part of the resolution was to manually create the SQL Server accounts for the Sec Site Servers and assign them to the smsdbrole_MP DB role to let the SQL side of the SCCM install complete, as these were not being created automatically.

This then left the fact that the installation of the Sec Site completed successfully according to the install logs in C:\ however the DP and MP would never install. The big clue was eventually contained in the mpfdm.log errors relating to

    **ERROR: Cannot find path for destination inbox SMS_AMT_PROXY_COMPONENT on server REGISTRY SMS_MP_FILE_DISPATCH_MANAGER

and

    **ERROR: Cannot find path for destination inbox Asset Intelligence KB Manager on server REGISTRY SMS_MP_FILE_DISPATCH_MANAGER

Thankfully the errors led me to these two blogs:

http://myitforum.com/cs2/blogs/scassells/archive/2009/07/20/error-cannot-find-path-for-destination-inbox-sms-amt-proxy-component-on-server-registry.aspx

and

http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/5fcc53d4-8629-4b34-9eaa-6cb020eedc13/

As it turned out the SCCM installation registry and folder creation does not complete and I had to manually enter the reg settings as detailed in the links above to complete the installation. Once I did as described everything worked a treat – all my MPs and DPs are 100% now.

Solutions

Add the following reg keys to each of your affected secondary sites.

Inbox Fix

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\MPFDM\Inboxes]
    "Asset Intelligence KB Manager"="E:\\Program Files\\Microsoft Configuration Manager\\inboxes\\AIKbMgr.box"
    "SMS_AMT_PROXY_COMPONENT"="E:\\Program Files\\Microsoft Configuration Manager\\inboxes\\amtproxy.box"

Asset Intelligence fix: Note: you will need to identify the next largest key value. In my example it was key 49

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Inbox Source\Inbox Definitions\49]
    "Inbox Name"="Asset Intelligence KB Manager"
    "Relative Path"="inboxes\\AIKbMgr.box"
    "NAL Path"=""
    "User Rights"=dword:00000000
    "Service Rights"=dword:00000004
    "Monitoring Enabled"=dword:00000001
    "Location Type"=dword:00000001
    "Guest Rights"=dword:00000001

AMT registry Fix. Note: you will need to identify the next largest key value. In my example it was key 50

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Inbox Source\Inbox Definitions\50]
    "Inbox Name"="SMS_AMT_PROXY_COMPONENT"
    "Relative Path"="inboxes\\amtproxy.box"
    "NAL Path"=""
    "User Rights"=dword:00000000
    "Service Rights"=dword:00000004
    "Monitoring Enabled"=dword:00000001
    "Location Type"=dword:00000001
    "Guest Rights"=dword:00000001

Big thanks to Shaun Cassells and John Marcum for these blogs
November 30th, 2010 2:13pm
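
The "identify the next largest key value" step from the post above, as an added example that is not part of the original thread. It is read-only: it lists the numbered subkeys under `Inbox Definitions`, skips inboxes that are already defined, and prints `.reg` text for the missing ones using the values quoted in the post. The registry root is taken from the post and is an assumption for any other server.

```powershell
# Added example, not from the thread. Reads the registry and prints .reg text; writes nothing.
$Root   = 'HKLM:\SOFTWARE\Microsoft\SMS'            # key path as given in the post
$Defs   = Join-Path $Root 'Inbox Source\Inbox Definitions'
$Wanted = @{                                        # inbox name -> relative path (from the post)
    'Asset Intelligence KB Manager' = 'inboxes\AIKbMgr.box'
    'SMS_AMT_PROXY_COMPONENT'       = 'inboxes\amtproxy.box'
}

# Only numbered subkeys count towards the "next largest key value".
$keys    = @(Get-ChildItem $Defs | Where-Object { $_.PSChildName -match '^\d+$' })
$defined = @($keys | ForEach-Object { (Get-ItemProperty $_.PSPath).'Inbox Name' })
$max     = ($keys | ForEach-Object { [int]$_.PSChildName } | Measure-Object -Maximum).Maximum
$next    = [int]$max + 1

$reg = @('Windows Registry Editor Version 5.00')
foreach ($name in ($Wanted.Keys | Sort-Object)) {
    if ($defined -contains $name) {
        Write-Host "Already defined, skipping: $name"
        continue
    }
    $regKey = ($Defs -replace '^HKLM:', 'HKEY_LOCAL_MACHINE') + "\$next"
    $reg += ''
    $reg += "[$regKey]"
    $reg += '"Inbox Name"="{0}"' -f $name
    # .reg string values need each backslash doubled.
    $reg += '"Relative Path"="{0}"' -f ($Wanted[$name] -replace '\\', '\\')
    $reg += '"NAL Path"=""'
    $reg += '"User Rights"=dword:00000000'
    $reg += '"Service Rights"=dword:00000004'
    $reg += '"Monitoring Enabled"=dword:00000001'
    $reg += '"Location Type"=dword:00000001'
    $reg += '"Guest Rights"=dword:00000001'
    $next++
}

# Report which MPFDM inbox paths are absent (these need the absolute install path).
$mpfdm = Get-ItemProperty (Join-Path $Root 'MPFDM\Inboxes') -ErrorAction SilentlyContinue
foreach ($name in $Wanted.Keys) {
    if (-not $mpfdm.$name) { Write-Host "MPFDM\Inboxes value missing: $name" }
}

if ($reg.Count -gt 1) { $reg } else { 'No Inbox Definitions entries to add.' }
```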

This topic is archived. No further replies will be accepted.
