The Realm of the Verbal Processor

Jarvis's Ramblings

Access Denied

[Note: This is part 1 of a three-part series. You might want to check out Part 2 and Part 3 as well.]

Okay…warning to the non-technical…this will be the most technical post I have made to date.

I am an SMS Architect for Campus Crusade for Christ. Our SMS 2003 environment is in Advanced Security mode. The way that Advanced Security operates is that to get access to other SMS servers or access to network shares and resources, it uses the computer account of the SMS Site Server. (i.e. if the SMS server is named Server1, it uses the computer account named “Server1” for accessing resources…not a user account which is the normal way.) Note: this is all in layman’s terms…

So recently we had an issue in our site where the SMS server (I’ll call SMS1) suddenly was no longer able to get to the source files of the Microsoft patches. These source files exist on a separate server that I will call File1. File1 has a folder that is shared (Share1). SMS1 (the computer account) has permission on this share/folder. This has been working fine for nearly two years.

So…the problem comes last week. Suddenly SMS1 is getting “Access Denied” when it tries to connect to the share. After checking the permissions, I have determined that the perms are correct…SMS1 does have permission, but it is still getting access denied. So, I set up other shares on other servers to test with. I got the same result on all of them…well, all but one. On one mysterious server the permissions worked as they should. After a couple of days of trekking down the wrong trails, I finally realized the difference. All of the servers that failed were running 32-bit versions of Windows Server 2003. The one that worked is running the x64 edition. I found another x64 server with the same result.

So…today I was on the phone with Microsoft support…for nine and a half hours. I had at least two and up to four Microsoft engineers on the phone with me all day today. Tomorrow morning, we are picking up where we left off. The next step is to reset the secure channel on the SMS1 computer account. Honestly, I’m not sure exactly what that means. I will say this…I was glad for the Microsoft PSS guy that was the lead on the issue today. All I know about him is that he is from Dallas and his name is Ed Walters. Ed…you are professional, friendly, and you do a great job of explaining the process that you are going through in troubleshooting. It also was very nice to have a PSS who listened to the process that I had already been through and didn’t make me go back through the same troubleshooting that I had already done. Good job, and thank you.

May 17, 2007 - Posted by | tech

2 Comments »

  1. Hello,
    I know this SMS blog is a few years old but I am experiencing the same issue as you describe in your blog. Could you give me a few more details on what needs to be changed on the DNS search order thing? I can't seem to figure it out.

    Thanks,
    Dave

    Comment by Dave Shanahan | September 9, 2009

  2. Hi Dave,
    I’m glad that a post from over two years ago is still helping someone!

    One thing to note…in this instance, “Access is denied” was a name resolution problem, but most of the time that error means that there is a permissions issue. Make for certain…and then make for certain again that the permissions are correct before going down this path. I know from experience that it is WAY too easy to overlook permissions!

    As for the DNS search order issue…we had three items in the search order:
    1. company.com
    2. sub.company.com
    3. somethingelse.com (I can’t remember what it was…I just remember there being three things there.)

    Basically we just switched a couple of them around experimenting, and it worked. It seems like (and this is almost a guess because it has been so long) that we had the order as:
    1. somethingelse.com
    2. sub.company.com
    3. company.com

    and we had to switch it to:
    1. company.com
    2. sub.company.com
    3. somethingelse.com

    But again…don’t quote me on that. It has been a long time.

    Now…what it really boils down to is that there was an issue with name resolution that was combining with the DNS suffix search order thing to cause the problem. To really fix it, you might want to take a look at your DNS/WINS servers to make sure everything is solid there.

    Hope that helps,
    Jarvis

    Comment by Jarvis | September 9, 2009
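
Added example, not part of the original post or its comments: a simplified model of how a DNS suffix search list turns a short name such as File1 into a fully qualified name, run against the two suffix orders recalled in the comment above. The records, the addresses, and the premise that a second host shares the short name under another suffix are constructed assumptions; the thread does not say what the names actually resolved to.

```python
# Constructed sample records (hypothetical hosts and addresses, not from the post).
RECORDS = {
    "file1.company.com": "10.0.0.20",         # the intended file server
    "file1.somethingelse.com": "192.0.2.77",  # unrelated host sharing the short name
    "sms1.sub.company.com": "10.0.1.5",
}

# The two suffix orders recalled in the comment above.
ORDER_BEFORE = ["somethingelse.com", "sub.company.com", "company.com"]
ORDER_AFTER = ["company.com", "sub.company.com", "somethingelse.com"]


def candidates(name, search_order, records=RECORDS):
    """Every (fqdn, address) the short name matches, in search-list order."""
    hits = []
    for suffix in search_order:
        fqdn = f"{name}.{suffix}".lower()
        if fqdn in records:
            hits.append((fqdn, records[fqdn]))
    return hits


def resolve_short_name(name, search_order, records=RECORDS):
    """First match wins, as when a resolver walks its suffix search list."""
    hits = candidates(name, search_order, records)
    return hits[0] if hits else None


def order_sensitive_names(names, search_order, records=RECORDS):
    """Short names whose answer depends on suffix order (more than one address)."""
    flagged = {}
    for name in names:
        hits = candidates(name, search_order, records)
        if len({addr for _, addr in hits}) > 1:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for label, order in (("before", ORDER_BEFORE), ("after", ORDER_AFTER)):
        print(label, resolve_short_name("File1", order))
    print("audit:", order_sensitive_names(["File1", "SMS1"], ORDER_AFTER))
```

Any name the audit flags is one where reordering suffixes only hides the ambiguity; using the fully qualified name in the share path, or removing the conflicting record, takes the search order out of the picture.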

