FIX SCCM Packages are not Getting Updated on New Site System Domain Controller. I’m trying to document the issue which we had faced during one of my assignments.
We’d already installed Remote DP on a domain controller; however, the packages were not getting replicated. Through the following troubleshooting steps, we were able to identify the issue and resolved it. I hope it will be helpful to others in the community.
FIX SCCM Packages are not Getting Updated on New Site System Domain Controller
One of my clients had a special requirement to put a Remote DP server on a domain controller.
After some days, we noticed that the DP was not updated, and new packages were not replicated. FIX SCCM Packages are not Getting Updated on New Site System Domain Controller.
Noticed errors in DistMgr.log
Cannot establish connection to [“Display=\\SiteServerName\”]MSWNET:[“SMS_SITE=999”]\\DPServerName\ SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0x0804) Error occurred. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0x0804) ()
Domain controllers do not have a local Security Accounts Management (SAM) database other than the domain database. So we can’t add the site server’s machine account to the local administrator’s group of the domain controllers.
To get more details about the access denied error, we have enabled NAL logging.
How to enable NAL logging – It’s enabled in the registry on the site server. For more information about NAL logging, check http://support.microsoft.com/kb/243385/
- Browse to HKLM\Software\Microsoft\NAL
- Create a new Key called Logging
- Create two new DWORD values log To with a value of 3 (decimal) and Verbosity with a value of 7 (decimal). The value 7 will give you warnings, errors and information messages.
Now, check the DistMgr.log for more details…..
NAL – WARNING: failed to obtain an admin level authentication to the server. Access is denied. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0x0804)
NAL – Leaving CServer::_Authenticate() Access is denied. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0x0804)
NAL – The server is inaccessible. Access is denied. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0x0804)
NAL – Leaving CServer::IsAccessible() Access is denied. SMS_DISTRIBUTION_MANAGER 5/18/2011 9:09:29 PM 2052 (0x0804)
Now, it’s pretty clear that the error is due to a permission issue on the DP server. The site server doesn’t have admin access to DP (Domain Controller).
Somehow, the site system’s system account cannot get admin access on the DP server (DC). We have used a domain service account as a Site System Installation Account to resolve this issue instead of a system account.
More details about Site System Installation Account. http://technet.microsoft.com/en-us/library/bb680552.aspx
Add service account as as Site System Installation Account.
Refreshed the package and while reading DistMgr.log, I can see that the packages are started getting copied to DP server (DC).
copying D:\_S Mei4v.TMP\x86\uninstallwizard.xml to \\DPSiteSystem\\SMSPKGX$\packageID\x86\uninstallwizard.xml~ $$<sms_distribution_manager><5/18/2011 11:09:29 PM ><thread=7872 (<span=”” class=”hiddenSpellError” pre=””>0x1EC0)>
copying D:\_S Mei4v.TMP\x86\upgradewizard.xml to \\DPSiteSystem\SMSPKGX$\packageID\x86\upgradewizard.xml~ $$<sms_distribution_manager><5/18/2011 11:09:29 PM ><thread=7872 (<span=”” class=”hiddenSpellError” pre=””>0x1EC0)>
UnRegisterSignatureUsage() called for Package packageID, Version 1 with TargetPath as \\DPSiteSystem\\SMSPKGX$\packageID\~ $$<sms_distribution_manager><5/18/2011 11:09:30 PM ><thread=7872 (<span=”” class=”hiddenSpellError” pre=””>0x1EC0)>
Unpacked folder for package version packageID.1 is not being used by any user. It will be deleted now.~ $$<5/18/2011 11:09:30 PM ><thread=7872 class=”hiddenSpellError” data-mce-bogus=”1″ pre=”” (<span=””>0x1ec0)=””>
Also, I have seen similar errors “MicrosoftIISv2 . error = Access is denied” in DistMgr.log for DP site system. However, below solution didn’t work for me. Just for documentation pupose I thought of adding in this article.
CWmi::Connect() failed to connect to \\ServerName\root\MicrosoftIISv2 . error = Access is denied. SMS_DISTRIBUTION_MANAGER 4/1/2010 8:44:01 PM 22504 (0x57E8)
ERROR DPConnection::ConnectWMI() – Failed to connect to ServerName. error = 0x80070005 SMS_DISTRIBUTION_MANAGER 4/1/2010 8:44:01 PM 22504 (0x57E8)
WBEMTEST to remotely connect to the ServerName server’s namespace root\MicrosoftIISv2.
a. On the site server, run WBEMTEST.
b. Click Connect.
c. Input <\\Servername\root\MicrosoftIISv2> and click Connect.
d. Does it generate the 0x80070005 or Access Denied error?
e. On the DP server itself, if you use WBEMTEST and try to connect to “root\MicrosoftIISv2”, what happens?
Basically, for the DP server, if MicrosoftIISv2 is the only namespace that the site server cannot access, we can check this namespace’s security setting. We can try the steps below:
The steps are as follows.
1. On the DP server, run WMIMGMT.MSC.
2. Right-click WMI Control, and click Properties.
3. Click on the Security tab.
4. Expand Root. Then find the MicrosoftIISv2 namespace. Select it and click the Security button.
5. For each account listed there, what are the permissions granted?
6. As a test, you can grant the “Everyone” user “Allow” permission for all actions and test to see if this resolves the error. If this works, then it is missing certain security permission regarding this Namespace.
Reference -> TechNet Thread and Distribution Manager NAL error
Note – (Another option) You may add a domain controller system account to the local group “SMS_SiteSystemToSiteServerConnection_sitecode” on the secondary server.
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…