The Realm of the Verbal Processor

Jarvis's Ramblings

Access Denied (part 3…conclusion)

[Note: This is part 3 of a three part series. You might want to check out Part 1 and Part 2 as well. This post is verbatim what I posted in a thread on myITforum.com.]

Access is Denied doesn’t always mean you don’t have permission

Over the last couple of weeks I have been experiencing an odd “Access is Denied” issue in SMS. I posted here once and no one was able to help me fix it. I finally broke down and called Microsoft. I got the issue fixed (after 21 hours on the phone over a three day period), and wanted to post it here in case anyone else experiences this down the road.

Description of the problem/symptoms:
While attempting to update distribution points on a package, it fails to update. When adding a new package, I was unable to add a DP to the package. When I checked the SMS_DISTRIBUTION_MANAGER messages and I have a message that looks like:
>>>>>>>>>>>>>>> 
SMS Distribution Manager failed to access the source directory “\\server\share\app” for package “XYZ00099”. The operating system reported error 5: Access is denied.
>>>>>>>>>>>>>> 
 
My site is running Advanced Security, so I have already confirmed that the site system (server name) account has permission both on the share and the NTFS permissions. I even have looked on the “effective permissions” tab and confirmed that the server account has permission. It has Full Control rights to the share/folder.

As part of my troubleshooting, I opened a command prompt as system (“at <1 minute into the future> /interactive cmd.exe” at a command prompt), and then tried to map a drive as system using the pushd command. It got “access is denied”. Again…I had already confirmed that permissions was not an issue…at least in this instance “Access is Denied” did NOT mean “your account doesn’t have rights on the file system”.

As part of the troubleshooting that took place while on the phone with Microsoft, we discovered that if we attempted the command “pushd \\server\share\folder”, we got the “Access is Denied” message. However if we used the FQDN for the same server (i.e. pushd \\server.domain.com\share\folder), it succeeded. So…confirmation that it is not permissions…it is name resolution.

After many more hours on the phone, we were looking at the IP properties on the problem SMS server. On a whim, one of the Microsoft guys asked if we could change the DNS Suffix Search order. After changing the search order and forcing that change to take effect, everything suddenly started working correctly. If I switch the search order back…it breaks. Very easily reproducible.

So…the root cause of the “Access is Denied” messages was a name resolution issue…NOT a permissions issue.

May 24, 2007 Posted by | tech | 3 Comments

   

%d bloggers like this: