DCMAgent.log - Access check failed aginst user 'id'
On Server 08, from the Control Panel applet, when I ask for a refresh, I get the following in the DCMAgent.log:
Access check failed against user 'domainaccount'
domain account is the user id with Admin rights to the server, and full rights to every component of the console. I don't get that message for all Baseline/CIs. I imported the System Center ConfigMgr Baselines & those are evaluating fine on this 08 box. But when I create my own General CI, it throws that error. I recreated the steps on a different lab environment, and it worked fine; so I don't think it's my process; it has to be something I missed or misconfigured in this other lab.
Any ideas on what that message means, and how to remediate?
Answers
- I've got a partial answer: The Access Check in the log is specifically when UAC is on in Vista or Server08. If you do a runas on the control panel applet, you don't get the error.
Brian found a fix for the replica DB on the MPs & DCM changes not working. I'll post that gotcha once I've run a couple more tests over a day or so.
Standardize. Simplify. Automate.- Marked As Answer bySherry KissingerMVPFriday, May 15, 2009 12:31 AM
- I said I'd get back to why replicated DBs don't like to offer DCM baselines changes: that solution was that you *have to* have CLR Enabled on your SQL08 instance on the MPs, when you use a a DB replica. Probably not too many companies out there are 1) offloading their MPs, and 2) after they offload, they use a db Replica. So likely not too many people will hit that particular issue. Just in case someone does need to know how to, from SQL 08 Mgmt Studio, connect to your MP server, and run this:
sp_configure 'show advanced options', 1; GO RECONFIGURE; GO sp_configure 'clr enabled', 1; GO RECONFIGURE;
Standardize. Simplify. Automate.- Marked As Answer bySherry KissingerMVPFriday, May 15, 2009 12:31 AM
All Replies
- Having the same issue, have you found a solution?
Hey Sherry,
Is the server joined to your lab/dev domain?
When you say it works in another lab is it Server '08 as well?
-Anthony
Any update on this Sherry? Any thoughts on Anthony's question?
I need to know if I should follow up or not on this one.
Ok, ok, it's been months. I know.
Back to testing this in the lab. I can recreate this in our lab. It must be something I've missed in configuring the MP Database replica. I think everyone on our team has recreated the replica several times following the online docs, and we've uninstalled/reinstalled SQL 08.
Here's the gist of the issue:
Primary Site Server, and the MP Server(s) are Server 2008 x64, and have SQL 2008 x64.
When the MP is using the replica (note, not NLB yet; haven't gotten past just using a replica yet), changes made to replicated objects like Advertisements, package versions, or agent policies can get picked up just fine during a policy refresh. When a change is made to a DCM baseline (and I suspect OSD Task Sequences, although I haven't thoroughly tested recreating that problem), the client will pick up the changed policy, and in the interactive Control panel Configuration manager applet, the Configurations tab, it will eventually get to saying the correct name and new version. But it will never Evaluate successfully.
As soon as I click onto the Configurations tab, I get
Code SnippetDCDMSDK::GetAssignedBaselines
CDCMAgent::EnumCIs
Access check failed against user 'the account I'm logged in with'
Picking the baseline & asking for an evaluation gets me
Code SnippetCDCMSDK::EvaluateBaseline
DCMAgentJob({the policy}): State - Downloading
And then nothing. Forever, I suspect, if I let it sit there; although I've only waited about 5 hours max.
If I exit out of the configMgr applet, I'll get
Code SnippetDCMAgentJob({the policy}): SetCallback failed (0x80070005).So to me it looks like an access denied issue to 'something' in the MP replicated database--but I just can't find it. Or maybe we're still missing something that needs to be replicated. I've checked the results of " Select ObjectName from ReplicatedObjects where SiteSystemType = 'MP' " several times.
------------
as soon as I in Site Settings change the MP from using a db replica to "Use the site database"; DCMAgent.log starts processing like there was never any problem.
About the only thing I haven't tried/confirmed is this, but based on how it's written it sounds like this is for the NLB, not an MP having a replica database, so I wasn't sure if it applied: http://technet.microsoft.com/en-us/library/bb633031.aspx ; the "Additional Requirements for Management Point Site Systems Configured as Part of NLB Clusters" section about creating an AD account and setting that as the Identity for the CCM Windows Auth Server Framework Pool in IIS
- I've got a partial answer: The Access Check in the log is specifically when UAC is on in Vista or Server08. If you do a runas on the control panel applet, you don't get the error.
Brian found a fix for the replica DB on the MPs & DCM changes not working. I'll post that gotcha once I've run a couple more tests over a day or so.
Standardize. Simplify. Automate.- Marked As Answer bySherry KissingerMVPFriday, May 15, 2009 12:31 AM
- I said I'd get back to why replicated DBs don't like to offer DCM baselines changes: that solution was that you *have to* have CLR Enabled on your SQL08 instance on the MPs, when you use a a DB replica. Probably not too many companies out there are 1) offloading their MPs, and 2) after they offload, they use a db Replica. So likely not too many people will hit that particular issue. Just in case someone does need to know how to, from SQL 08 Mgmt Studio, connect to your MP server, and run this:
sp_configure 'show advanced options', 1; GO RECONFIGURE; GO sp_configure 'clr enabled', 1; GO RECONFIGURE;
Standardize. Simplify. Automate.- Marked As Answer bySherry KissingerMVPFriday, May 15, 2009 12:31 AM
- Hi,
I have tried "RunAS", but I still have such errors. I check on the SQL08 server, 'show advanced options' & 'clr enabled' value is 1.
