No admin$ and SMS clients not installing...~~~~~!

[PhilMarcum]

I've run the 1e SMS client health vbs script on a few systems with the email parameter and they all return the same errors:

"System" does not have an Admin$
and
ccmsetup failed to start on "System"

I search the registry of one of the client systems and don't see the AutoShareServer and AutoShareWks DWORD values in the LanmanServer\Parameters sub-key. From what I've read so far this is normal in that the shares are normally created during boot up. I'm checking to see if there's a group policy in place setting effecting this and wonder if there's anything else I should be checking?

Any responses are appreciated.

 

[ncotton]

Do you actually have any operational problem? Or just querying the results of the health script.

I can't see why CCMSetup failing on a system that already has the SMS client a problem.

If you have an operational problem, post the problem aswell, there may be another way to solve it that is resulting in the 1e script message, rather than that beeing the problem it'sself so to speak. (if that makes any sense).

Hope this helps

Neil J Cotton
njc Information Systems
Systems Consultant

 

[PhilMarcum]

Oh yes I have a problem and it's related to the Advanced client not installing on over 2600 systems. They're all Assigned but the client won't install. Here are some of the errors I've pulled from the logs which doesn't appear to be updating at ALL!

SMS Client Installation Issues:
Error(s): CcmExec.log
a. Failed to open to WMI namespace ‘\\.\root\ccm’ (80070005)
b. Failed to connect to CCM namespace
c. Failed to open to WMI namespace '\\.\root\CCM\Events' (80070005)
d. CCMDoCertificateMaintenance failed (0x80070005).
e. Failed to open to WMI namespace '\\.\root\CCM\Events' (80070005)
f. CCMDoCertificateMaintenance() raised CCM_ServiceHost_CertificateOperationsFailure status event.
g. Failed to open to WMI namespace '\\.\root\ccm\Policy\Machine' (80070005)
h. Error loading service settings. Code 0x80070005
i. Phase 0 initialization failed (0x80070005).
j. Service initialization failed (0x80070005).

Error(s): CCMSetup.log
a. Source \\SMSSITESRVR\SMSClient\I386 is inaccessible (1326)
b. Failed to find accessible source. Waiting for retry.

Error(s): Client.msi.log
a. Property(S): SmsDetectDowngrade_ErrorMessage = A newer version of the SMS Advanced Client is already installed
b. Property(S): SmsDetectColocationDowngrade_ErrorMessage = A newer version of the SMS Management Point is installed. Cannot continue installing this version of the client.
c. Property(S): WelcomeDialog_DesktopWarning = WARNING: The SMS Legacy Client or SMS 2.0 Client is already installed on this machine. Continuing will cause the SMS Legacy Client or SMS 2.0 Client to be removed.
d. Property(S): InstallDialog_Warning = WARNING: Installing the advanced client on this computer may cause the Windows Management Instrumentation (WMI) and Background Intelligent Transfer Service (BITS) services to stop and restart.
e. Property(S): InstallErrorDialog_Title = Setup Aborted
f. Property(S): InstallErrorDialog_SubTitle = Setup failed
g. Property(S): InstallErrorDialog_Info = Setup encountered an error and could not continue.

Error(s): LocationServices.log
a. Failed to refresh trusted key information while refreshing mp list.
b. HTTP ERROR: URL=http://USGALNX1SMS01/SMS_MP/.sms_aut?MPKEYINFORMATION, Port=80, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE

Error: Bits
a. Windows could not start the Background Intelligence Transfer Service on “computername”. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service specific error code -2147467243.
b. The Background Intelligence Transfer Service service terminated with service-specific error 2147500053.

Looking at the dates on some of these errors it looks as though this was a problem the previous SMS admins had long before I got here as they date back to 2005.

I've got a GPO with both the SMS Client Health script and the SMS client itself that I'm using to help with this issue. I also have another file that will re-move and re-install the client. I'm not having a lot of succes with this so as an alternate I tried using psexec and ez-execute to try and deploy the package. I get the following errors when doing it this way:

i. PSEXEC could not start the SMS advanced client repair.msi on “computername”. The system cannot find the file specified.
ii. The network path was not found. Make sure that the default admin$ share is enabled.
There appeara to be something with the admin$.

 

[tbrennans]

From the guy thayt wrote it (Richard Threlkeld)
Its designed as a startup and not logon script and to query this you need Admin rights which systems running startup scripts have but users running logon scripts normally do not.

Alsop make sure file and print sharing is turned on, you can do it via GP:

Computer Configuration, Administrative Templates, Network, Network Connections and then Windows Firewall

Choose either Domain or Standard profile and check the Allow file and printer sharing exception

If you have your firewall on the workstations look here:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2apa.mspx#EJAA

 

[ncotton]

Sounds like you have the client Windows XP Firewall enabled. Make sure you switch on File and Print Sharing.

Hope this helps

Neil J Cotton
njc Information Systems
Systems Consultant

 

[PhilMarcum]

I've created a GP that includes the SMS Client Health startup script and there's another policy with File and Printer sharing enabled and the client still isn't installing. The majority of the emails I get state Admin$ is missing.
What if anything am I missing?

 

[ncotton]

Go to a client....can you navigate to \\SMSSiteServer\SMS

Neil J Cotton
njc Information Systems
Systems Consultant

 

[PhilMarcum]

From looking in the CCM.log file located on the site server the account I'm using to connect to the client returns the following:

---> Attempting to connect to administrative share '\\GLN-V107L\admin$' using account 'mydomain\_sms'

---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account mydomain\sms (000004b3)

So either the SMS account I'm using doesn't have access to the client systems or the Admin$ is the crux of my problems. I'm able to connect to \\siteserver\sms from a client and wonder if there's a way to confirm if the Admin$ is available or disabled? I checked the registry on a few clients and didn't see the AutoShareServer and AutoShareWks keys but I know these can be created if necessary.

 

[PhilMarcum]

<Edit>
So I'm guessing the error mention above:

---> Attempting to connect to administrative share '\\GLN-V107L\admin$' using account 'mydomain\_sms'

---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account mydomain\sms (000004b3)

has something to do with the following error that appears:

SMS Client Configuration Manager cannot connect to the machine "ComputerName". The operating system reported error 5: Access is denied.

Possible cause: The client is not accessible.
Solution: Verify that the client is connected to the network and that the SMS Service account or (if specified) the SMS Client Remote Installation account have the required privileges, as specified in the SMS documentation.

 

[ncotton]

As far as I am aware, there is no need for Admin$, not that I have come across, but I may be wrong. The Account that you are using in the Client Installation Agent should be of the Domain Admin elevated persuasion. The Agent invokes a connection from the client to \\Server\SMS\Client\ccmsetup.msi (i think is the path, not on an SMS machine atm), so no other file access should be necessary, even though you may be able to access \sms share with a normal account the process needs to run under Domain Admin for the return dataset.
However, if you are using a domain admin user for the install, and you are still getting errors, the Admin$ may not be the reason, but it may be a symptom. At this moment, I can not say.

I advise against using Domain\Administrator as your SMS Client Installation account. You are best creating a new user SMSDistributionUser for example, and setting him to Domain User, Domain Admin, Enterprise Admin. Also, check to see if Domain\SMSServerMachineAccount is a member of the local client Administrators group.

To do this, go to a client, open cmd, type

net localgroup Administrators

if not add it

net localgroup Administrators DomainName\SMSServerMachineAccount /add

Hope this helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[ncotton]

and pointing out, yes, those Net Localgroup commands are with Administrators as it is a group, not a user.

You need local admin rights to start off with on the client to add a user to LocalGroup Administrators.

Use the first command i posted AFTER adding to check that it has been added correctly.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[PhilMarcum]

Can this be done to ALL clients via psexec?

Thanks

 

[ncotton]

PSExec is just a remote stater, so you have no real control. If you need to add machine acocunts to the local machine, you have to either do it manually, script it, or do it manually via remote desktop. Thats the problem with local permissions, they aren't network related. So it needs to be set on the client, how you automate it is upto you. But it has to run as Local Administrator to do the add. You could create a little batchfile with the command in "net localgroup Administrators domain\smsmachineaccount /add", stick this on a share, and run a GP startup script to execute the batch from the share, or copy it down to the user, and run it.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[tbrennans]

Take a look at this ...

http://support.microsoft.com/?kbid=840634

 

[PhilMarcum]

Anyone have a script or batch file that I can modify and use to add the local accounts to the systems? None of the scripts I have are working and this is becoming critical so any responses are appreciated.

 

[PhilMarcum]

Never mind as I was able to run across one from one of the other lists.

Thanks for all the responses.