Re: admin console not connecting

Tech-Archive recommends: Fix windows errors by optimizing your registry

---

• From: "Steve Thompson" <stevethompson@xxxxxxxxxxxxx>
• Date: Wed, 3 Jan 2007 15:00:49 -0500

---

Sounds like a DCOM issue...

Check out the bottom of this link

http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq02.mspx#EMHAC

Excerpt here:

Q. I permitted unsecapp.exe and TCP port 135 through my firewall, but
my SMS Administrator console running on Windows Server 2003 SP1 still cannot
connect to the SMS site database. What should I do next? (Added January 31,
2005)
A. Some customers have reported this issue, but at this time,
Microsoft has not been able to reproduce this condition. If you run the SMS
Administrator console only from computers that belong to the same domain as
the SMS Provider, permitting unsecapp.exe and port TCP 135 to pass through
the Windows Firewall should be sufficient. However, some customers have
reported that even after permitting these two exceptions, the SMS
Administrator console still cannot connect to an SMS site database from the
Windows Server 2003 SP1 client, even when both computers are in the same
domain. As a last resort, adding anonymous remote access rights in DCOM
resolves the issue but increases your security risk.

If you grant anonymous remote access rights, you disable a layer of
protection for the system. An attacker no longer needs to circumvent user
authentication to discover and exploit potential vulnerabilities in the
system. To avoid potential attacks related to granting anonymous remote
access rights, you can use Remote Desktop to connect to the computer running
the SMS Provider and run the SMS Administrator console remotely.

To allow anonymous remote access in DCOM:

1.
From the Start menu, Click Run and type Dcomcnfg.exe.

2.
In Component Services, Click Console Root, Click Component
Services, Click Computers, and then Click My Computer. On the Action menu,
Click Properties.

3.
In the My Computer Properties dialog box, on the COM Security
tab, in the Access Permissions section, Click Edit Limits.

4.
In the Access Permission dialog box, select the check box to
allow Remote Access for Anonymous Logon.

5.
Restart the computer.




"Ron" <Ron@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:81068050-30E1-41AA-B35C-5CC0449217D4@xxxxxxxxxxxxxxxx

My admin console will not connect with my regular account. Quick OS
setups
-- sms 2003 sp2 on win server 2003 sp1 R2, client computer win XP sp 2 w/
firewall disabled.

The console is failing to establish the connection, and the computer's
adminui.log is filled with:
****************************************
[7E8][Wed 01/03/2007 13:32:43]:Info(ConnectServer): Connecting to server :
namespace \\...\root\sms
[7E8][Wed 01/03/2007 13:32:43]:Info(ConnectServer): Connecting to server.
Network : \\...\root\sms
[7E8][Wed 01/03/2007 13:32:52]:Error(ConnectServer): Possible UI
connection
error code is -2147023174 [0x800706ba]
****************************************

The strange part is all permissions appear to be set correctly:
1) This account is a member of the local server sms admins group. Other
people I have setup with access exactly the same as this failing account
can
connect and use the admin console fine.
2) On the same computer the regular account fails to connect, if I do a
runas w/ my domain admin account the console then connects fine.
3) I briefly enabled my regular account to logon to the sms server
locally.
Once there I launched the admin console and it connected. If not on the
server locally then the admin console will not connect for regular
account.

After some looking around I also found this in the computer's
wbemcore.log:
**************************************
(Wed Jan 03 12:08:12 2007.77394046) : Could not SetStatus to remote
client,
hres =800706BF
**************************************

I've tried rebuilding and fully re-registering the WMI components on the
computer, no help. I tried a quick reboot of the server and this computer
to
restablish the correct connections but still no help.

Anyone have any further ideas or areas to look at?

Thanks,
Ron

.

---

• Prev by Date: Re: MP Publick Key
• Next by Date: Re: Site Hierarchy
• Previous by thread: Re: MP Publick Key
• Next by thread: Re: admin console not connecting
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: SMS Admin consoloe hangs on client? ... Administrator console running on Windows XP SP 2 still cannot connect to the ... If you run the SMS Administrator ... If you grant anonymous remote access rights, ... > install the same version of the admin console to connect to the site server. ... (microsoft.public.sms.admin) RE: event id 7034 from Service Control Manager ... Both of them are working localy on SMS server. ... I have read smsprov.log and find out that I need to update my SMS Console ... Had you tried the different user account on the remote computer? ... (microsoft.public.sms.admin) Re: SMS admin console emty ... Any chance you haven't added Sms security class or instance right to the ... If you want to have an account with all security priviliges on your sms ... > We have a problem with SMS admin console. ... (microsoft.public.sms.admin) Re: Unable to connect to SMS Site from Remote Console ... Have you added your new account to the sms admins group on the sms site ... This is required to get access the wmi namespace on the site server. ... The admin console needs this to be able to connect. ... (microsoft.public.sms.admin) Re: MMC Console fails to open ... I believe the below instructions for SMS 2003 admin console are the same for SMS 2.0. ... To allow anonymous remote access in DCOM: ... In Component Services, click Console root, click Component Services, click Computers, and then click My Computer. ... In the Access Permissions dialog box, grant Anonymous Logon allow Remote Access. ... (microsoft.public.sms.admin)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > SMS  > microsoft.public.sms.admin  > 2007-01