RE: Remote Machine account could not be added to server connection gro



Hello

A little precision: when you add a computer account to a group, you need to
reboot the computer for the change to be effective (Kerberos).

Hope it helps
Best regards,

MV
--
Michel-Vincent Leriche
http://mvleriche.spaces.live.com


"Skinftz" wrote:

Hello googlers with this problem.

System: Active Directory on Windows Server 2003 R2 domain controllers.
SMS2003SP2 site server running on Windows 2000 Server SP4 (all systems
patched / latest)

For a while now I've been driven mad by the fact my management points
would not install - I would repeatedly get the error:

Remote Machine account could not be added to server connection group

in the sitecomp.log along with errors about problems adding the
relevant machine accounts into

DOMAIN\SMS_SiteSystemToSiteServerConnection_<site code>

and

DOMAIN\SMS_SiteSystemToSiteServerConnection_<site code>

Obviously I tried simply manually adding the accounts into the groups,
but still I got the errors and nothing would work. The groups were in
Active Directory for our domain. I would also get the errors:

SMS Site Component Manager did not copy file
"D:\SMS\bin\i386\system32\smsmsgs\climsgs.dll" to
"\\SERVER\ADMIN$\system32\smsmsgs\climsgs.dll", because the source file
is not a newer version than the destination file.

Basically the problem was caused by the fact the primary site server
machine used to be a Domain Controller, meaning that the groups were
created in the domain. After upgrading to SMS2003 the site server was
demoted from a DC (as it didn't need to be one) but this caused the
problem with the security groups as they need to be local to the site
server. This is confused by the fact that the errors specifically
state that there is a problem adding machines to the domain groups,
rather than the local machine groups.

Simply creating the groups locally on the site server has resolved the
issue. Have also manually added the group into the SQL server and
copied the permissions from the domain group.

Hope this is useful.




