Suddenly no site servers can connect to their remote sccm database
I have a central site and 4 child primary sites.
The SMS Executive runs under a domain account: smsservices
The SQL service runs under a domain account: sqlservices
The databases are all on a remote SQL server: sql01
The installation has been working for several months until 2 days ago. Now I cannot get a console to open AND connect to a site database; not a single site server can connect from anywhere in the hierarchy. It appears to be an SPN issue, as the SQL Server logs are filled with the following:
error 18456 NT Authority\Anonymous
    Event Type: Failure Audit
    Event Source: MSSQLSERVER
    Event Category: (4)
    Event ID: 18456
    Date: 5/23/2008
    Time: 11:33:48 AM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: SQL01
    Description: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: 10.3.2.40] <- this is a child site server
error 18452
    Event Type: Failure Audit
    Event Source: MSSQLSERVER
    Event Category: (4)
    Event ID: 18452
    Date: 5/23/2008
    Time: 11:33:47 AM
    User: N/A
    Computer: SQL01
    Description: Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: 10.4.2.8] <- different child site server
error 17806
    Event Type: Error
    Event Source: MSSQLSERVER
    Event Category: (4)
    Event ID: 17806
    Date: 5/23/2008
    Time: 11:33:41 AM
    User: N/A
    Computer: SQL01
    Description: SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.1.2.22] <- Central site server
Anyway, these errors are repeated constantly for each of the different site servers in the hierarchy.
SETSPN -L MPS\sqlservices returns:
    Registered ServicePrincipalNames for CN=SQL Server (Bellevue),CN=Users,DC=internal,DC=mulvannyg2,DC=com:
    MSSQLSvc/sql01.internal.mulvannyg2.com:1433
    MSSQLSvc/sql01.internal.mulvannyg2.com
    MSSQLSvc/sql01
    MSSQLSvc/sql01:1433
Lastly, the SMS Executive account (smsservices) that the site servers run under is getting locked out repeatedly.
Sorry for the long post, but it is just so strange that this happened for no known reason and, as far as I can tell, the SPN is correct. If a console on the central does open, when I try to connect it pops up the message to configure DCOM for remote access. Should I just try to restore from a backup prior to the 21st when this all started?
May 23rd, 2008 2:48pm

Is this Configuration Manager? We don't support the Configuration Manager services running under any account other than the Local System context, which is what we install them under by default. The same goes for SMS 2003 when running in advanced security. We have not supported service accounts for SMS since we supported standard security, long ago.
May 23rd, 2008 4:23pm

OK, I changed anything SCCM related to run as local system and still the event log is filling with the same error messages. Any other ideas or suggestions?
May 23rd, 2008 4:25pm

Personally, I'd do a site reset on the site server, let it finish, and see if that helps. I'd then verify the rights - admin rights for the site server to the SQL Servers. I'd also verify the SPN (though you said those were correct). If not, then I'd check for GPO that may have been deployed to the systems - I've heard from others that other groups in their organizations implemented GPO that the ConfigMgr admins didn't know about, which caused issues.
May 23rd, 2008 4:56pm

Just for clarity, the SPN should be for the domain account running the sql service, in my case MPS\sqlservices, and the registered SPN should look like this:
    Registered ServicePrincipalNames for CN=SQL Server (Bellevue),CN=Users,DC=internal,DC=mulvannyg2,DC=com:
    MSSQLSvc/sql01.internal.mulvannyg2.com:1433
    MSSQLSvc/sql01.internal.mulvannyg2.com
    MSSQLSvc/sql01
    MSSQLSvc/sql01:1433
May 23rd, 2008 5:15pm
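
Added example, not part of any post in this thread: a Python check for the SPN layout described in the post above. It parses `setspn -L` output and reports expected MSSQLSvc names that are missing, held by more than one account, or held by an account other than the SQL service account. Assumptions: the first account block in the sample uses the values quoted in the thread, while the second block (a computer account) and all function names are constructed for illustration.

```python
PREFIX = "registered serviceprincipalnames for"
# Constructed sample: block 1 uses the thread's values, block 2 is invented.
SAMPLE = """\
Registered ServicePrincipalNames for CN=SQL Server (Bellevue),CN=Users,DC=internal,DC=mulvannyg2,DC=com:
    MSSQLSvc/sql01.internal.mulvannyg2.com:1433
    MSSQLSvc/sql01.internal.mulvannyg2.com
    MSSQLSvc/sql01
    MSSQLSvc/sql01:1433
Registered ServicePrincipalNames for CN=SQL01,CN=Computers,DC=internal,DC=mulvannyg2,DC=com:
    MSSQLSvc/sql01.internal.mulvannyg2.com:1433
    HOST/SQL01
"""
SERVICE_DN = "CN=SQL Server (Bellevue),CN=Users,DC=internal,DC=mulvannyg2,DC=com"

def parse_setspn(output):
    """Map each account DN to the SPNs listed under it."""
    accounts, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(PREFIX):
            current = line[len(PREFIX):].strip().rstrip(":")
            accounts.setdefault(current, [])
        elif line and current is not None:
            accounts[current].append(line)
    return accounts

def expected_spns(short_name, fqdn, port=1433):
    """The four MSSQLSvc names from the post: short name and FQDN, with and without port."""
    return [f"MSSQLSvc/{host}{suffix}"
            for host in (short_name, fqdn) for suffix in ("", f":{port}")]

def check_spns(output, service_dn, short_name, fqdn, port=1433):
    """Report expected SPNs that are missing, duplicated, or on the wrong account."""
    owners = {}  # lower-cased SPN -> set of lower-cased account DNs holding it
    for dn, spns in parse_setspn(output).items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(dn.lower())
    report = {"missing": [], "duplicated": [], "wrong_account": []}
    for spn in expected_spns(short_name, fqdn, port):
        held_by = owners.get(spn.lower(), set())
        if not held_by:
            report["missing"].append(spn)
        if len(held_by) > 1:
            report["duplicated"].append(spn)
        if held_by - {service_dn.lower()}:
            report["wrong_account"].append(spn)
    return report

print(check_spns(SAMPLE, SERVICE_DN, "sql01", "sql01.internal.mulvannyg2.com"))
```

An SPN has to map to exactly one account, so any entry under `duplicated` or `wrong_account` is worth resolving before looking further.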

Sounds right to me.
May 24th, 2008 9:13pm

After changing the SMS Executive to run under Local System, Network Discovery does not work. See the error message below:
"Network Discovery failed to connect to a DHCP server due to insufficient access. This error message means that fewer clients and networks will be found than otherwise. Note that this message will not be generated again during this Network Discovery session, regardless of how often the error occurs.
Possible cause: the DHCP server is running in a domain in which the SMS Service account is not available. (Network Discovery runs under the SMS Service account as part of SMS Executive.)
Solution: Create an account on the DHCP server's domain with the same name and password as the SMS Service account."
DHCP is running on a DC. If the SMS Executive is running as "local system", as you state to be the only supported method, how will I get Network Discovery back to working order?
May 28th, 2008 5:05pm

That is correct. When you are running in Local System, which is all we support, we use computer accounts over the wire. So your site server computer account needs access to DHCP. If you were to look at the product docs (which should always be done before posting a question here), you'd see: http://technet.microsoft.com/en-us/library/bb680534(TechNet.10).aspx That should help you out.
May 30th, 2008 5:24pm

May 30th, 2008 6:44pm

Thanks for sharing valuable knowledge, this has helped me. http://support.jesoba.com Errors, Troubleshooting, Problem Cases, Performance Monitoring, Best Practices etc.
May 21st, 2012 4:28pm

This topic is archived. No further replies will be accepted.
