For the past few days, I have been working on SCCM console connectivity issues from a remote box. This is a completely new setup, replacing the existing CAS with primaries and going with a flat design (1 primary site. There is a blog post coming soon on the SCCM design considerations and notes from the field).
As part of setting up SCCM current branch, I was creating RBAC for the team, and for testing I installed the current branch console (1702) on Citrix and remote boxes (server/workstation) to try with different user accounts.
When I tried to launch the console, it failed with a generic error message and some default possible solutions to check.
The next step is to look at the admin UI log, SmsAdminUI.log, in the console installation folder (C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\AdminUILog) for further troubleshooting.
Insufficient privilege to connect, error: 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'\r\nSystem.UnauthorizedAccessException\r\nAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\r\n at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
As you can see above, the log doesn't say much about the issue except: Insufficient privilege to connect, error: 'Access is denied'.
The account I am trying to connect to the console with is a full administrator and works on the local SCCM server, but not from any other remote box.
Since console access is not working for anyone from any remote box, I suspect the issue is almost certainly on the SCCM server, with DCOM permissions.
I checked the DCOM permissions, the WMI security permissions (wmimgmt.msc) and wbemtest locally on the server, and all looked good. I could not find anything wrong with the security permissions for the SMS Admins group. I also compared the DCOM permissions from a working SCCM site (another domain) with this newly set up current branch 1702 site, but I could not find any permission issues.
The following are the permissions to re-validate on DCOM.
From the Run command, type dcomcnfg (if it prompts for a password, enter the admin credentials).
Go to My Computer and open Properties.
Make sure the following is checked under Default Properties.
Then I looked at Event Viewer to see if I could find any information pertaining to DCOM permissions; everything looked clean in Event Viewer.
What else could go wrong here besides security permissions on DCOM and WMI? Well, after I had spent some time on the troubleshooting, a colleague of mine helped by looking at the MSDTC service, and we decided to uninstall MSDTC (Distributed Transaction Coordinator service), install it again and reboot the SCCM server, which fixed the remote console connectivity issue.
What made my colleague look at the MSDTC component? As he explained, any remote connection goes over DCOM/WMI/RPC. In this case, I could not connect to the remote SCCM server using WMI (wbemtest) and the console just failed, so there seemed to be a major issue with the DCOM connection. For this, we checked the permissions on DCOM (dcomcnfg), and all looked good; then we went to the registry to check that DCOM was enabled, and that also looked good. The next part of troubleshooting DCOM is to reinstall the MSDTC component.
How do you uninstall the MSDTC component?
Open cmd with Run as administrator and run net stop MSDTC
Run MSDTC -uninstall
Review the event log: a message in the Application event log confirms that MSDTC was successfully uninstalled
Run MSDTC -install
Review the event log: a message in the Application event log confirms that MSDTC was successfully installed
Start the MSDTC service using net start MSDTC
Reboot the SCCM server and launch the console; you will see the nodes there.
If reinstalling MSDTC doesn't work, then we may have to go a little deeper into DCOM to troubleshoot.
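The remote WMI test, the registry check and the MSDTC reinstall steps above, collected into one PowerShell script. This is an added example, not the author's own script; the server name is a placeholder, and it assumes Windows PowerShell 5.1 run elevated, with the -ReinstallMsdtc switch used only on the site server itself.

```powershell
# Added example (not from the original post). Windows PowerShell 5.1, elevated.
# $SiteServer is a placeholder; replace it with your own site server name.
param(
    [string]$SiteServer = 'SITESERVER.example.local',
    [switch]$ReinstallMsdtc   # only pass this when running on the site server itself
)

function Test-RemoteWmi {
    param([string]$ComputerName, [string]$Namespace)
    try {
        # Get-WmiObject goes over DCOM/RPC, the same path wbemtest and the console take.
        Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -List -ErrorAction Stop | Out-Null
        return $true
    } catch {
        Write-Warning "${ComputerName} ${Namespace}: $($_.Exception.Message)"
        return $false
    }
}

# 1. From the remote box: a failure on root\cimv2 points at DCOM/RPC as a whole,
#    a failure only on root\sms points at the SMS Provider namespace instead.
foreach ($ns in 'root\cimv2', 'root\sms') {
    '{0,-12} reachable: {1}' -f $ns, (Test-RemoteWmi -ComputerName $SiteServer -Namespace $ns)
}

if ($ReinstallMsdtc) {
    # 2. On the site server: confirm DCOM is enabled in the registry (expected value 'Y').
    $dcom = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').EnableDCOM
    "EnableDCOM = $dcom"

    # 3. Reinstall MSDTC in the order given in the post.
    $since = Get-Date
    Stop-Service -Name MSDTC -Force
    Start-Process msdtc.exe -ArgumentList '-uninstall' -Wait
    Start-Process msdtc.exe -ArgumentList '-install' -Wait
    Start-Service -Name MSDTC

    # 4. Show the Application log entries that confirm the uninstall and install.
    Get-EventLog -LogName Application -After $since |
        Where-Object Source -like '*MSDTC*' |
        Select-Object TimeGenerated, EntryType, Source, Message

    'Reboot the site server, then launch the console again.'
}
```

Run it without the switch from the remote box first; if both namespaces fail there while they work locally on the server, that matches the symptom described in this post.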
See you in the next post!
3 Comments
Had same issue, all I did was to re-organize my groups and memberships. How, have a SQL setup account and SCCM setup account member of one group and add that group directly to SCCM > Security > and give it full administrator or whatever you want the user to have
Hi - That is very odd. How the hell one can know DTC is the issue. If you see the service running fine then you assume it is working fine. Good you had a partner who thought about DTC and finally were able to fix the issue.
Thanks for sharing. This note is going to the KB collection.
Ram
Well, it is one of the DCOM troubleshooting methods, since the remote console access is not working, which means there is a serious issue with DCOM/WMI. As part of DCOM, I checked the DCOM permissions and the registry, and all looks good. So the next step is to reinstall the MSDTC component. Even if this MSDTC component doesn't solve the issue, we may have to go a little deeper into DCOM, which is not required in this case.
Regards,
Eswar