Access Denied (part 3…conclusion)
[Note: This is part 3 of a three part series. You might want to check out Part 1 and Part 2 as well. This post is verbatim what I posted in a thread on myITforum.com.]
Access is Denied doesn’t always mean you don’t have permission
Over the last couple of weeks I have been experiencing an odd “Access is Denied” issue in SMS. I posted here once and no one was able to help me fix it. I finally broke down and called Microsoft. I got the issue fixed (after 21 hours on the phone over a three day period), and wanted to post it here in case anyone else experiences this down the road.
Description of the problem/symptoms:
While attempting to update distribution points on a package, it fails to update. When adding a new package, I was unable to add a DP to the package. When I checked the SMS_DISTRIBUTION_MANAGER messages and I have a message that looks like:
>>>>>>>>>>>>>>>
SMS Distribution Manager failed to access the source directory “\\server\share\app” for package “XYZ00099”. The operating system reported error 5: Access is denied.
>>>>>>>>>>>>>>
My site is running Advanced Security, so I have already confirmed that the site system (server name) account has permission both on the share and the NTFS permissions. I even have looked on the “effective permissions” tab and confirmed that the server account has permission. It has Full Control rights to the share/folder.
As part of my troubleshooting, I opened a command prompt as system (“at <1 minute into the future> /interactive cmd.exe” at a command prompt), and then tried to map a drive as system using the pushd command. It got “access is denied”. Again…I had already confirmed that permissions was not an issue…at least in this instance “Access is Denied” did NOT mean “your account doesn’t have rights on the file system”.
As part of the troubleshooting that took place while on the phone with Microsoft, we discovered that if we attempted the command “pushd \\server\share\folder”, we got the “Access is Denied” message. However if we used the FQDN for the same server (i.e. pushd \\server.domain.com\share\folder), it succeeded. So…confirmation that it is not permissions…it is name resolution.
After many more hours on the phone, we were looking at the IP properties on the problem SMS server. On a whim, one of the Microsoft guys asked if we could change the DNS Suffix Search order. After changing the search order and forcing that change to take effect, everything suddenly started working correctly. If I switch the search order back…it breaks. Very easily reproducible.
So…the root cause of the “Access is Denied” messages was a name resolution issue…NOT a permissions issue.
3 Comments »
Leave a Reply
-
Recent Visitors
Subscribe
Recent Comments
-
The Realm of the Verbal Processor 
Hallo Jarvis
I’m having exactly the same problem and will try this solution of yours later on today – Thank you for the posting
ps – are u Guys (Campus Crusade for Christ) situated just in the US I assume or are u over the rest of the world
I am from South Africa
Micheal
Hi Michael –
Hope the info in the post helps.
As for CCC, yes we are all over the world. We employ over 25,000 staff in 191 countries. That makes us one of the largest (if not the largest) missionary organizations in the world. I’ve been meaning to put up more info on my personal ministry for a while…but haven’t gotten around to it yet. To read more about our ministries and locations, you can read here.
We’ve had the same problem where I work, and we’d noticed that name resolution was the issue. What frustrates me about your post is that Microsoft didn’t fix it. They just gave you a workaround for what is obviously a nasty, hard to troubleshoot bug.
Thanks for the post.