Re: Management Points not working after domain controller demotion on



Demoting will kill all the sms groups and their memberships.
You might want to run aclreset, which if I recall correctly would recreate the groups.

--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS

"Bruce Taylor" <BruceTaylor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F6998882-CEC2-4E46-BC72-7885668FDC82@xxxxxxxxxxxxxxxx

Seems one gotcha is that the SMS server is not added to the local
administrators group after the demotion (makes sense). This allows me not to
send apps to the DP. The HTTP errors are still there though. I can see
client machines filling the IIS logs with "401 ccmhttp" errors. Poor lost
little services...

"Bruce Taylor" wrote:


Recently a client demoted a number of Windows 2000 DCs. These were
secondary SMS servers running IIS 5.0. Applications cannot be deployed to
these servers now. It seems that IIS lost its ability to allow guest access.
When looking at the MP through IE (from another computer) to for example

http://SERVER/sms_mp/.sms_aut?mplist we get
You are not authorized to view this page

Looking at the MPCONTROL.LOG file on these servers we see a lot of

Http verification .sms_aut (port 80) failed with status code 401, Access
Denied $$<SMS_MP_CONTROL_MANAGER><Sun Apr 22 12:33:52.437 2007 New Zealand
Standard Time><thread=3660 (0xE4C)>

This was not happening before the demotion. The servers that were not
demoted are fine. As I understand it when a DC uses IIS it has no local
accounts so it created domain accounts for things like ISUR_SERVER type
accounts. Now the servers are member servers it does seem to have created
these accounts locally.

I can't find anything on demoting a secondary server running as a DC (not
recommended I know but common enough).

Any ideas out there? I am not an SMS or IIS expert but I have an
understanding of the basics. Do we need to re-install IIS and SMS on these
servers? I am hoping there is a way to avoid re-distributing all that data
over our thin links.

Thanks in advance.

Bruce
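
A triage sketch for the MPCONTROL.LOG entries quoted in this thread, added here as an example and not part of any poster's message: it rejoins wrapped entries, parses the `$$<component><timestamp><thread=...>` trailer, and counts failed HTTP verifications per port and status code. Only the first sample entry comes from the thread; the other two are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Trailer on every entry: $$<component><timestamp><thread=N (0xHEX)>
TRAILER = re.compile(r"\s*\$\$<([^>]*)><([^>]*)><thread=\d+ \(0x[0-9A-Fa-f]+\)>\s*$")
FAILURE = re.compile(r"Http verification \S+ \(port (\d+)\) failed with status code (\d+),")

# First entry is the one quoted in the thread (wrapped as posted); the rest are constructed.
SAMPLE = """\
Http verification .sms_aut (port 80) failed with status code 401, Access
Denied $$<SMS_MP_CONTROL_MANAGER><Sun Apr 22 12:33:52.437 2007 New Zealand
Standard Time><thread=3660 (0xE4C)>
Http verification .sms_aut (port 80) failed with status code 401, Access Denied $$<SMS_MP_CONTROL_MANAGER><Sun Apr 22 12:38:52.512 2007 New Zealand Standard Time><thread=3660 (0xE4C)>
Constructed unrelated entry $$<SMS_MP_CONTROL_MANAGER><Sun Apr 22 12:39:00.000 2007 New Zealand Standard Time><thread=3660 (0xE4C)>
""".splitlines()

def entries(lines):
    """Rejoin wrapped lines and yield (message, component, timestamp or None)."""
    buf = []
    for line in lines:
        if line.strip():
            buf.append(line.strip())
        joined = " ".join(buf)
        m = TRAILER.search(joined)
        if not m:
            continue  # entry still incomplete, keep accumulating
        buf = []
        try:  # the trailing time-zone name is dropped before parsing
            stamp = " ".join(m.group(2).split(" ")[:5])
            when = datetime.strptime(stamp, "%a %b %d %H:%M:%S.%f %Y")
        except ValueError:
            when = None
        yield joined[:m.start()], m.group(1), when

def summarise_failures(lines):
    """Count failed MP HTTP checks per (port, status) with first/last time seen."""
    counts, window = Counter(), {}
    for message, _component, when in entries(lines):
        m = FAILURE.search(message)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        if when is not None:
            first, last = window.get(key, (when, when))
            window[key] = (min(first, when), max(last, when))
    return counts, window

if __name__ == "__main__":
    counts, window = summarise_failures(SAMPLE)
    for (port, status), n in counts.items():
        first, last = window.get((port, status), (None, None))
        print(f"port {port} status {status}: {n} failures, {first} to {last}")
```

Run before and after a change to the server's accounts or group memberships, the last-seen time shows whether the 401s have stopped.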


