Re: Question about Pushing the advanced client
- From: "Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com">
- Date: Tue, 21 Aug 2007 13:29:09 +0200
Garth wrote:
FYI,
In between "real" work I am resetting one of my test labs so that I can get a network trace on this. I will try to get this done over the weekend and I will even blog about it even if I'm wrong.
"Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote in message news:Oi4sFz7zHHA.1212@xxxxxxxxxxxxxxxxxxxxxxx
Ok,
I am now intrigued by this. 80% of these systems rolled out using client push, without specifying a client push installation account, and by using the computer account only?
After doing my homework (verifying with Wally), this should not be possible, so I want to get to the bottom of this.
Could you verify the following for me?
In the properties of your site on the general tab what does it say for the security mode you are in?
What is the sms executive service using as the login account?
Kim Oppalfens [MVP] > wrote:
Garth wrote:
I think that I have to disagree with Kim and agree with Nate. If no account is specified then it will use the Site server machine account.
Hum, Anthony seems to agree with me since he deems this option as new for SCCM 2007 http://myitforum.com/cs2/blogs/socal/archive/2007/03/09/sccm-2007-client-push-installation-account.aspx Will look into this further, but to the best of my knowledge, client push does fall back to using the sms service account in standard security mode but not to the computer account in advanced security mode. I could be wrong though.
When you connected to the Admin$, can you create a text file? i.e. Could it be file permissions?
"Nate" <ngau@xxxxxxxxxxxx> wrote in message news:1185370705.773998.79040@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Jul 24, 3:10 pm, "Kim Oppalfens [MVP]" <""Kim dot Oppalfens\"@google mail.com"> wrote:
Nate wrote:
I tried that once before and the account locks out immediately (and
To my knowledge, client push has never used the computer account.
I'm an SMS newbie and I've been attempting to troubleshoot my way
through an SMS client push problem, and to date I've had no luck.
First, with the basics:
I'm running SMS 2k3 SP2 at 3 different sites (all of which are primary
sites, with one central site). I'm using advanced security and I'm
pushing the advanced client. We have had SMS running in our
environment for a while, but a small percentage of our clients
(between 10 and 20%) for whatever reason are discovered but the client
never installs. One of these computers happens to be next door, so
I've been using him as a test case.
His firewall is off. His remote registry services is enabled. For
whatever reason, SMS still does not want to install. I've checked the
CCM log and this is what is stated below:
______________________________________________________________________________________________
Found CCR "FTW-LAP0018.DIGIMARC.CCR" in queue "Retry". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:36 PM 1748 (0x06D4)
Received request: "FTW-LAP0018.DIGIMARC" for machine name: "FTW-LAP0018" on queue: "Retry". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:36 PM 1748 (0x06D4)
Stored request "FTW-LAP0018.DIGIMARC", machine name "FTW-LAP0018", in queue "Processing". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:36 PM 1748 (0x06D4)
----- Started a new CCR processing thread. Thread ID is 0x2584. There are now 10 processing threads SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 1748 (0x06D4)
Submitted request successfully SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 1748 (0x06D4)
======>Begin Processing request: "FTW-LAP0018.DIGIMARC", machine name: "FTW-LAP0018" SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
---> Warning: no remote client installation or SMS service account found SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
---> ERROR: Connected to FTW-LAP0018 registry, but couldn't connect to the \\FTW-LAP0018\admin$ share using account '' SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
Stored request "FTW-LAP0018.DIGIMARC", machine name "FTW-LAP0018", in queue "Retry". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
<======End request: "FTW-LAP0018.DIGIMARC", machine name: "FTW-LAP0018". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
______________________________________________________________________________________________
Not being an expert, I'd like to clarify a couple things. It is my
understanding that pushing the advanced client running advanced
security uses user accounts and not the client push account.
Consequently, no client push account has been specified (also of note,
all our clients are all running XP, so the advanced client is
supported). That should explain the warning found in the above log,
in that the service account is not needed to be specified.
However, the very next line shows an error. To troubleshoot this, I
did the following:
1) Attempted to connect to the admin$ using my logon. It worked.
2) Using the AT.exe command, I scheduled cmd.exe to run an interactive
prompt under the local system account and attempted to map a drive to
the admin$ share on the computer in question. This failed with a
logon error.
3) I added the SMS server directly into the local admin group and
repeated step 2. This time, it worked and I was able to map a drive
to the admin$ share.
However, when the client install kicks off again, I'm getting the same
error. This makes no sense as the computer account is a full admin on
the system. I should also note that I'm seeing this at each of my
sites. Both of my primary children sites have the SQL database on the
SMS system, while the central site uses a different computer for the
SMS database (in this case, this computer is sitting at one of the
child sites).
I'd like to avoid using a client push account if at all possible.
That being said, I'm completely miffed. Your thoughts are greatly
appreciated.
The computer account is used to install site systems, not clients afaik.
Just define a client push account that is an admin on the targeted
clients. Check my blog for a post on how to add a client push account to
the administrators group of your clients using a GPO.
--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_manage...
yes, I redid the password and all of that). I've also found a number
of documents stating that advanced security with the advanced client
uses a machine account. Even my SMS trainer said as much. Keep in
mind that this has deployed just fine to 80% of the environment,
without a client push account... It's the other 20% that this has
been difficult to work with.
I tried this in the lab today, and couldn't get a client to install. I added the computer account to the target machines administrators group, but it still doesn't seem to work.
Which is what I expected, I have no clue on how these clients got installed in your environment.
--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx
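
The ccm.log pattern discussed in this thread (the "no remote client installation or SMS service account found" warning followed by an admin$ connection error with account ''), as an added example that is not part of the original posts: a Python sketch that tracks ccm.log entries per processing thread and reports push requests that failed at the admin$ step. The sample lines are constructed from the excerpt quoted above (the LAB-PC0002 request is invented for contrast), and the name `failed_pushes` is an assumption.

```python
import re

# Constructed sample: four entries taken from the excerpt quoted in the thread,
# plus an invented second request (LAB-PC0002) that logs no error.
SAMPLE = r"""======>Begin Processing request: "FTW-LAP0018.DIGIMARC", machine name: "FTW-LAP0018" SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
======>Begin Processing request: "LAB-PC0002.DIGIMARC", machine name: "LAB-PC0002" SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9616 (0x2590)
---> Warning: no remote client installation or SMS service account found SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
---> ERROR: Connected to FTW-LAP0018 registry, but couldn't connect to the \\FTW-LAP0018\admin$ share using account '' SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
<======End request: "FTW-LAP0018.DIGIMARC", machine name: "FTW-LAP0018". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:38 PM 9604 (0x2584)
<======End request: "LAB-PC0002.DIGIMARC", machine name: "LAB-PC0002". SMS_CLIENT_CONFIG_MANAGER 7/23/2007 3:39:40 PM 9616 (0x2590)"""

# message, component, timestamp, decimal thread id, hex thread id
ENTRY = re.compile(
    r"^(?P<msg>.*?)\s+SMS_CLIENT_CONFIG_MANAGER\s+"
    r"(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+\d+ \((?P<tid>0x[0-9A-Fa-f]+)\)$")
BEGIN = re.compile(r'Begin Processing request: "[^"]+", machine name: "(?P<host>[^"]+)"')
NO_ACCT = "no remote client installation or SMS service account found"
SHARE_ERR = re.compile(
    r"ERROR: .*couldn't connect to the (?P<share>\\\\\S+\\admin\$) "
    r"share using account '(?P<acct>[^']*)'")

def failed_pushes(log_text):
    """Return one dict per request that failed to connect to admin$."""
    open_req = {}  # hex thread id -> request that thread is processing
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # wrapped or unrelated line
        msg, tid = m["msg"], m["tid"]
        begin = BEGIN.search(msg)
        if begin:
            open_req[tid] = {"host": begin["host"], "time": m["ts"],
                             "no_account": False}
            continue
        state = open_req.get(tid)
        if state is None:
            continue  # entry outside any Begin/End pair
        if NO_ACCT in msg:
            state["no_account"] = True  # no push account was configured
        err = SHARE_ERR.search(msg)
        if err:
            results.append({**state, "share": err["share"],
                            "account": err["acct"]})
        if "End request:" in msg:
            open_req.pop(tid, None)
    return results
```

An empty `account` together with `no_account` set marks the case debated here: the push was attempted with no client push installation account defined.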