Re: Question about Pushing the advanced client
- From: "Garth" <Spam@xxxxxxx>
- Date: Thu, 26 Jul 2007 22:07:40 -0400
FYI,
In between "real" work I am resetting one of my test labs so that I can get a
network trace on this. I will try to get this done over the weekend and I
will even blog about it even if I'm wrong.
"Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote in
message news:Oi4sFz7zHHA.1212@xxxxxxxxxxxxxxxxxxxxxxx
Ok,
I am now intrigued by this. 80% of these systems rolled out using client
push, without specifying a client push installation account, and by using
the computer account only?
After doing my homework (verifying with Wally), this should not be
possible, so I want to get to the bottom of this.
Could you verify the following for me?
In the properties of your site on the general tab what does it say for the
security mode you are in?
What is the sms executive service using as the login account?
Kim Oppalfens [MVP] wrote:
Hum, Anthony seems to agree with me since he deems this option as new for
Garth wrote:
I think that I have to disagree with Kim and agree with Nate. If no
account is specified then it will use the Site server machine account.
When you connected to the Admin$, can you create a text file? i.e. Could
it be file permissions?
"Nate" <ngau@xxxxxxxxxxxx> wrote in message
news:1185370705.773998.79040@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Jul 24, 3:10 pm, "Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote:
To my knowledge, client push has never used the computer account.
Nate wrote:
I'm an SMS newbie and I've been attempting to troubleshoot my way
through an SMS client push problem, and to date I've had no luck.
First, with the basics:
I'm running SMS 2k3 SP2 at 3 different sites (all of which are primary
sites, with one central site). I'm using advanced security and I'm
pushing the advanced client. We have had SMS running in our
environment for a while, but a small percentage of our clients
(between 10 and 20%) for whatever reason are discovered but the client
never installs. One of these computers happens to be next door, so
I've been using him as a test case.
His firewall is off. His remote registry service is enabled. For
whatever reason, SMS still does not want to install. I've checked the
CCM log and this is what is stated below:
______________________________________________________________________________________________
Found CCR "FTW-LAP0018.DIGIMARC.CCR" in queue "Retry". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:36 PM 1748 (0x06D4)
Received request: "FTW-LAP0018.DIGIMARC" for machine name: "FTW-LAP0018" on queue: "Retry". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:36 PM 1748 (0x06D4)
Stored request "FTW-LAP0018.DIGIMARC", machine name "FTW-LAP0018", in queue "Processing". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:36 PM 1748 (0x06D4)
----- Started a new CCR processing thread. Thread ID is 0x2584. There are now 10 processing threads SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 1748 (0x06D4)
Submitted request successfully SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 1748 (0x06D4)
======>Begin Processing request: "FTW-LAP0018.DIGIMARC", machine name: "FTW-LAP0018" SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
---> Warning: no remote client installation or SMS service account found SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
---> ERROR: Connected to FTW-LAP0018 registry, but couldn't connect to the \\FTW-LAP0018\admin$ share using account '' SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
Stored request "FTW-LAP0018.DIGIMARC", machine name "FTW-LAP0018", in queue "Retry". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
<======End request: "FTW-LAP0018.DIGIMARC", machine name: "FTW-LAP0018". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
______________________________________________________________________________________________
Not being an expert, I'd like to clarify a couple things. It is my
understanding that pushing the advanced client running advanced
security uses user accounts and not the client push account.
Consequently, no client push account has been specified (also of note,
all our clients are all running XP, so the advanced client is
supported). That should explain the warning found in the above log,
in that the service account is not needed to be specified.
However, the very next line shows an error. To troubleshoot this, I
did the following:
1) Attempted to connect to the admin$ using my logon. It worked.
2) Using the AT.exe command, I scheduled cmd.exe to run an interactive
prompt under the local system account and attempted to map a drive to
the admin$ share on the computer in question. This failed with a
logon error.
3) I added the SMS server directly into the local admin group and
repeated step 2. This time, it worked and I was able to map a drive
to the admin$ share.
However, when the client install kicks off again, I'm getting the same
error. This makes no sense as the computer account is a full admin on
the system. I should also note that I'm seeing this at each of my
sites. Both of my primary children sites have the SQL database on the
SMS system, while the central site uses a different computer for the
SMS database (in this case, this computer is sitting at one of the
child sites).
I'd like to avoid using a client push account if at all possible.
That being said, I'm completely miffed. Your thoughts are greatly
appreciated.
The computer account is used to install site systems, not clients
afaik.
Just define a client push account that is an admin on the targeted
clients. Check my blog for a post on how to add a client push account
to the administrators group of your clients using a GPO.
--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_manage...
I tried that once before and the account locks out immediately (and
yes, I redid the password and all of that). I've also found a number
of documents stating that advanced security with the advanced client
uses a machine account. Even my SMS trainer said as much. Keep in
mind that this has deployed just fine to 80% of the environment,
without a client push account... It's the other 20% that this has
been difficult to work with.
SCCM 2007
http://myitforum.com/cs2/blogs/socal/archive/2007/03/09/sccm-2007-client-push-installation-account.aspx
Will look into this further, but to the best of my knowledge, client push
does fall back to using the sms service account in standard security mode
but not to the computer account in advanced security mode. I could be
wrong though.
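
An added example, not part of the thread: a Python script that undoes the mail line-wrapping in a ccm.log excerpt like the one quoted above and reports each admin$ connection failure together with the account the site server tried. The record layout is inferred only from the quoted excerpt; the sample host and domain are constructed.

```python
import re

# Constructed sample in the wrapped layout quoted in the thread
# (message, component, date, time, thread id); host and domain are made up.
SAMPLE = r"""======>Begin Processing request: "LAB-PC01.EXAMPLE", machine name:
"LAB-PC01" SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM
9604
(0x2584)
---> Warning: no remote client installation or SMS service account
found SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM
9604 (0x2584)
---> ERROR: Connected to LAB-PC01 registry, but couldn't connect to
the \\LAB-PC01\admin$ share using account ''
SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
<======End request: "LAB-PC01.EXAMPLE", machine name: "LAB-
PC01". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM
9604 (0x2584)
"""

RECORD = re.compile(
    r"(?P<msg>.*?)\s+SMS_CLIENT_CONFIG_MANAGER\s+(?P<date>\d+/\d+/\d+)\s+"
    r"(?P<time>\d+:\d+:\d+ [AP]M)\s+(?P<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)")
BEGIN = re.compile(r'Begin Processing request: "[^"]*", machine name: "([^"]+)"')
SHARE_ERR = re.compile(r"couldn't connect to the (\S+) share using account '([^']*)'")
NO_ACCOUNT = "no remote client installation or SMS service account found"

def parse_records(text):
    """Undo mail line-wrapping and split the text into log records."""
    text = re.sub(r"(?<=\w)-\n(?=\w)", "-", text)  # rejoin names split at a hyphen
    flat = " ".join(text.split())
    return [{**m.groupdict(), "msg": m["msg"].strip()} for m in RECORD.finditer(flat)]

def push_failures(records):
    """Report admin$ connection failures, tracked per processing thread."""
    state, out = {}, []
    for r in records:
        cur = state.setdefault(r["tid"], {"machine": None, "no_account": False})
        if (m := BEGIN.search(r["msg"])):
            cur.update(machine=m.group(1), no_account=False)
        elif NO_ACCOUNT in r["msg"]:
            cur["no_account"] = True
        elif (m := SHARE_ERR.search(r["msg"])):
            out.append({"machine": cur["machine"], "share": m.group(1),
                        "account": m.group(2), "no_push_account": cur["no_account"],
                        "when": f'{r["date"]} {r["time"]}'})
    return out

if __name__ == "__main__":
    print(push_failures(parse_records(SAMPLE)))
```

An empty `account` together with `no_push_account` set marks a request where no client push installation account was configured, which is the case the thread is arguing about.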