Suddenly no site servers can connect to their remote sccm database
I have a central site and 4 child primary sites.
The SMS Executive runs under a domain account: smsservices
The SQL service runs under a domain account: sqlservices
The databases are all on a remote SQL server: sql01
The installation has been working for several months until 2 days ago.
Now I cannot get a console to open AND connect to a site database; not a single site server can connect from anywhere in the hierarchy.
It appears to be a SPN issue as the sql server logs are filled with the following:
error 18456
NT Authority\Anonymous
Event Type: Failure Audit
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 18456
Date: 5/23/2008
Time: 11:33:48 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SQL01
Description: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: 10.3.2.40] <- this is a child site server
error 18452
Event Type: Failure Audit
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 18452
Date: 5/23/2008
Time: 11:33:47 AM
User: N/A
Computer: SQL01
Description: Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: 10.4.2.8] <- different child site server
error 17806
Event Type: Error
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 17806
Date: 5/23/2008
Time: 11:33:41 AM
User: N/A
Computer: SQL01
Description: SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.1.2.22] <- central site server
Anyway, these errors are repeated constantly for each of the different site servers in the hierarchy.
SETSPN -L MPS\sqlservices returns
Registered ServicePrincipalNames for CN=SQL Server (Bellevue),CN=Users,DC=internal,DC=mulvannyg2,DC=com:
MSSQLSvc/sql01.internal.mulvannyg2.com:1433
MSSQLSvc/sql01.internal.mulvannyg2.com
MSSQLSvc/sql01
MSSQLSvc/sql01:1433
Lastly, the SMS Executive account (smsservices) that the site servers run under is getting locked out repeatedly.
Sorry for the long post, but it is just so strange that this happened for no known reason and, as far as I can tell, the SPN is correct.
If a console on the central does open, when I try to connect it pops up the message to configure DCOM for remote access.
Should I just try to restore from a backup prior to the 21st, when this all started?
May 23rd, 2008 2:48pm
Is this Configuration Manager? We don't support the Configuration Manager services running under any account other than the Local System context, which is what we install them under by default.
The same goes for SMS 2003 when running in advanced security. We have not supported service accounts for SMS since we supported standard security, long ago.
May 23rd, 2008 4:23pm
OK, I changed anything SCCM related to run as local system and still the event log is filling with the same error messages.
Any other ideas or suggestions?
May 23rd, 2008 4:25pm
Personally, I'd do a site reset on the site server, let it finish, and see if that helps.
I'd then verify the rights - admin rights for the site server to the SQL Servers
I'd also verify the SPN (though you said those were correct).
If not, then I'd check for GPO that may have been deployed to the systems - I've heard from others that other groups in their organizations implemented GPO that the ConfigMgr admins didn't know about, which caused issues.
May 23rd, 2008 4:56pm
Just for clarity, the SPN should be for the domain account running the SQL service, in my case MPS\sqlservices,
and the registered SPN should look like this:
Registered ServicePrincipalNames for CN=SQL Server (Bellevue),CN=Users,DC=internal,DC=mulvannyg2,DC=com:
MSSQLSvc/sql01.internal.mulvannyg2.com:1433
MSSQLSvc/sql01.internal.mulvannyg2.com
MSSQLSvc/sql01
MSSQLSvc/sql01:1433
May 23rd, 2008 5:15pm
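An added example, not code from the thread: a PowerShell check that queries Active Directory for every account holding an MSSQLSvc SPN and reports, for each of the four SPNs the poster expects, whether it is missing, registered on the wrong account, or (a case the thread does not cover but which produces the same SSPI and anonymous-logon failures) registered on more than one account. The host name, port and service account name are taken from the thread; the parameter names and output format are assumptions.

```powershell
# Verify the expected MSSQLSvc SPNs for a remote SQL Server against what AD holds.
# Assumed defaults come from the thread: host sql01.internal.mulvannyg2.com,
# TCP port 1433, SQL service account sqlservices (domain MPS).
param(
    [string]$SqlHostFqdn    = 'sql01.internal.mulvannyg2.com',
    [int]   $Port           = 1433,
    [string]$ServiceAccount = 'sqlservices'
)

$shortHost = $SqlHostFqdn.Split('.')[0]
# The four names SQL Server registers: FQDN and short name, each with and without port.
# ${name} braces are required: "$Var:$Port" would be parsed as a drive-qualified variable.
$expected = @(
    "MSSQLSvc/${SqlHostFqdn}:${Port}",
    "MSSQLSvc/${SqlHostFqdn}",
    "MSSQLSvc/${shortHost}:${Port}",
    "MSSQLSvc/${shortHost}"
)

# Pull every object in the domain that holds any MSSQLSvc SPN (users and computers),
# so that duplicates on a second account are visible, not just the service account.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(servicePrincipalName=MSSQLSvc/*)'
$null = $searcher.PropertiesToLoad.Add('servicePrincipalName')
$null = $searcher.PropertiesToLoad.Add('sAMAccountName')

# Map SPN -> list of sAMAccountNames that carry it (property keys are lower-case).
$holders = @{}
foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        if (-not $holders.ContainsKey($spn)) { $holders[$spn] = @() }
        $holders[$spn] += $sam
    }
}

# Report one line per expected SPN; -ne is case-insensitive, matching AD semantics.
foreach ($spn in $expected) {
    $owners = @($holders[$spn])
    if ($owners.Count -eq 0) {
        "MISSING   $spn is not registered on any account"
    } elseif ($owners.Count -gt 1) {
        "DUPLICATE $spn is registered on: $($owners -join ', ')"
    } elseif ($owners[0] -ne $ServiceAccount) {
        "WRONG     $spn is on $($owners[0]); expected $ServiceAccount"
    } else {
        "OK        $spn -> $($owners[0])"
    }
}
```

Run it from a domain-joined machine as any domain user; reading servicePrincipalName needs no special rights. A DUPLICATE line explains Kerberos falling back to an anonymous or failed SSPI handshake even when SETSPN -L on the service account alone looks correct.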
Sounds right to me.
May 24th, 2008 9:13pm
After changing the SMS Executive to run under Local System, Network Discovery does not work.
See the error message below:
"Network Discovery failed to connect to a DHCP server due to insufficient access. This error message means that fewer clients and networks will be found than otherwise. Note that this message will not be generated again during this Network Discovery session, regardless of how often the error occurs.
Possible cause: the DHCP server is running in a domain in which the SMS Service account is not available. (Network Discovery runs under the SMS Service account as part of SMS Executive.) Solution: Create an account on the DHCP server's domain with the same name and password as the SMS Service account."
DHCP is running on a DC. If the SMS Executive is running as "Local System", which you state is the only supported method, how will I get Network Discovery back to working order?
May 28th, 2008 5:05pm
That is correct. When you are running in Local System, which is all we support, we use computer accounts over the wire. So your site server computer account needs access to DHCP.
If you were to look at the product docs (which should always be done before posting a question here), you'd see:
http://technet.microsoft.com/en-us/library/bb680534(TechNet.10).aspx
That should help you out.
May 30th, 2008 5:24pm
May 30th, 2008 6:44pm
Thanks for sharing valuable knowledge, this has helped me.
May 21st, 2012 4:28pm