2012 R2 OSD refresh WinPE Network Access Account issue?

Similar Messages

• Network Access Account issues..

  Help!!!!,
   I have been trying for 2 days to get this working again and having no luck... So to give all the steps Ive taken thus far.
  Upgraded to SCCM 2012 R2
  Uninstalled ADK 8.0 and installed 8.1
  Installed MDT 13
  Patched Primary and Clients hotfix (KB2905002)
  After hoping the hotfix would correct my issues with the upgrade Im still dealing with what seems to be related to NAA. I have seen this issue in the forums and tried to resolve using the create new, delete and select old naa account with no luck.
  DownloadFile() failed for
  http:\\site server /SMS_DP_SMSPKG$/NTE000F3/sccm?/Scripts/DeployWiz_ProductKeyVista.vbs, C:\_SMSTaskSequence\Packages\NTE000F3\Scripts/DeployWiz_ProductKeyVista.vbs.
  80072ee2.
  Does anyone have any ideas??? Thank you in advance!

  Sorry Jason,
   You are correct, I copied in the wrong code... Error: 80070002
  Failed to run the action: Use Toolkit Package. 
  The system cannot find the file specified. (Error: 80070002; Source: Windows)
  Im running the TS again it looks like the SMSPKG was missing the toolkit package.
  Not sure why that would happen as it was working fine but I decided to select the copy content to DP option and issue is resolved. Thank you for the follow up!

• SCCM 2012 Network Access Account password problem

  Hello Everyone,
  I got a problem with the Network Access Account on SCCM 2012. I didn't have any problem previously and can deploy OS successfully. The problem started last week when I tried to deploy an OS. It gave me a error on Task Sequence then I searched for the error
  and found that its related with the Network Access Account. On SCCM Config Manager I checked the Network Access Account and found that I had the wrong password. But the bigger problem starts here: on configManager Administration/Security/accounts window
  I open my NAS properties and on the verify window tried to reach a simple network share and it says the password is wrong, then I change the password and tried to verify one more time and it successfully reaches the share, I simply click apply and
  OK as usual but when I open the properties window I always see the old password stays there. I tried to change the password maybe 100 time but I didn't work. My NAS is a normal domain account with Domain Users permissions, I ve already
  checked the password, account and password never expires options, they are all rightly configured. I also tried to make a new account to use as a NAS, then I set it on SCCM as a NAS but the result is always the same. Accounts
  have wrong password and I cant change and save it. Actually I can change till I close the properties window then its all gone , reset to old wrong password. Please help me with that, I am googling it like 2 days and found that the same thing happened
  to 2 other people, but there is no solution... 

  That workaround seems to work.  Only verify when you first type the password and get the success/confirmation message.  Once you hit OK to save the password, something happens to it (probably encrypts the password entered). If you open the account
  settings again, I assume SCCM takes the password from the database or task sequence in it's encrypted form and presents that in the text boxes.  Clicking OK will save the password again, but because it is presented in it's encrypted form, will re-encrypt
  this as a new password and effectively change what you originally entered as the password.  Again, I'm just assuming this based on what I observed. If it's true, then definately a bug.
  I think this is pretty correct. This whole (non?)-issue was a massive red-herring for me. I spent a week trying to understand what was wrong, but eventually discovered the issue was a couple of steps down the line. SCCM errors on the surface level are pretty
  consistently confusing. 9 times out of ten, I have been lead astray by them. Crack open your log files, your real problems will be in there.

• SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

  Hello!
  Scenario
  Built a single primary site server in one domain with multiple distribution points. All site servers are member of this one site.
  The distribution points in the primary site servers' domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and CCM client on the
  DP in the untrusted domain knows its part of the site, knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. nfortuantely authentication
  errors indicate that this software can'tbe downloaded.
  In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorised. This should be an easy fix.
  Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP,
  implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
  Problem
  The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
  The account does exist, created in the primary site server's domain and assigned to the site. Its not a password issue. IIS has not been set for Anonymous access as this isn't needed - the NAA should provide the credentials it requires to pull down content.
  A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (i think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both
  were reinstalled. A fresh install didn't detect the NAA.
  Solution
  After some soul searching and a little frustration, it came down to this: A Pull DP always uses the Network Access Account. If the DP can't find a Network Access account it will fail to pull down content. This is undisputed. Found an article that states
  the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User policy Retrieval & Evaluation
  Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted
  domains aren't approved automatically (by default).
  In this case something as simple as an Approving the client fixed these issues. 
  The DataTransferService.log highlights the issue:
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="1" thread="3136" file="dtsjob.cpp:3501">
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68'
  ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
  <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="3" thread="3136" file="dtsjob.cpp:3513">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.h:166">
  <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job
  {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="2" thread="3136" file="dtsjob.cpp:3652">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.cpp:3205">
  <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1"
  thread="3136" file="netaccessaccount.cpp:288">
  <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context=""
  type="1" thread="3136" file="netaccessaccount.cpp:858">
  <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account
  (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
  The IIS server logs u_ex150219.log captures the request:
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 2 5 1509 2
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 4
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 3
  2 x Domains: DomainA and DomainX
  - Single domain forests
  - No trusts between domains/forests
  DomainA\PRIMARYSERVER
  - Primary Site Server, MP, DP, IIS, all roles
  DomainX\DP1
  - Distribution Point, IIS, etc
  - CCM client installed

  Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Network Access Account tab is unavailable

  Hello and Happy new year,
  I just finished to install SCCM 2012 R2 and the installation was successful.
  I now want to configure the Network Access Account but when I go to Administration -> Site Configuration -> Sites -> Configure Site Components -> Software Distribution, I just see the general tab but not the network access account tab.
  Could you please tell me if I forgot to do something which prevent me to see this tab ?
  Best Regards.
  Seb.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  Hello Peter,
  Thanks for your help.
  As I begin with SCCM I don't really know what you want to mean with CAS.
  I Imagine it's for central administration site.
  I followed a MOAC lesson which told me to choose "Install a configuration manager central administration site" which was apparently not the good option.
  I uninstalled SCCM and choose install a configuration manager primary site.
  This time it's seems to be ok.
  Thank you.
  Best regards.
  Seb.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Network Access Account, used by only Workgroup Computers or Domain Computers also?

  Our environment has a few servers that are in a workgroup (not ideal, but is an application requirement on these few boxes) rather than being on the domain.  We have to patch these servers routinely and would like to use SCCM 2012 to do so.  As
  I understand it all that is needed is to configure the Network Access Account for the site and install the client manually on the workgroup computers, correct?  My next question is, do the domain computers continue to use their computer accounts to access
  network locations during content deployment or will they too use the newly configured  network access account?  Or, does the client first attempt to use its computer account and if that fails then results to using the SCCM Network Access Account?
   I've searched everywhere and can't seem to find this info.  Thanks in advance if you can point me in the right direction.

  Hi,
  I haven't seen any table like this for the Configuration Manager 2012 so this is for 2007, I haven't heard of any changes to this and the conclusion is that the account is used more often than you would think depending on what you are doing with the client.
  http://technet.microsoft.com/en-us/library/bb680398.aspx
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• I'm on an iMac for work and I'm having network/user account issues?

  I'm on an iMac for work and have my own user account.  I usually shut down the mac at the end of the day.  Recently, in the morning its started to not let me login at all.  When I enter the *correct* password, the box does the shakey thing and not let me in.  The IT people here are primarily PC, but they've discovered if I unplug the network cable for a couple seconds and plug it back in, it will then accept my password and let me in.  It only happened once in awhile, now it happens every time I log off and try to log back onto my user account.  What is causing this and why do I need to constantly unplug and replug the network cable?

  You can red this article about transfering your tunes - http://www.myfirstmac.com/index.php/mac/articles/how-do-i-move-my-itunes-library -from-pc-to-mac-and-keep-my-settings-intact
  MJ

• SCCM 2012 CU2 OSD forest trust: ReleaseRequest failed with error code 0x87d00317

  Hello,
  Actually i have a difficult Problem with my SCCM 2012 R2 CU2 Windows 7 x64 SP1 Tasksequence:
  I get the folowing error in smsts.log:
  ::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  RegQueryValueExW is unsuccessful for Software\Microsoft\SMS\Task Sequence, SMSTSEndProgram TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  End program:  TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Finalize logging request ignored from process 1736 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Waiting for CcmExec service to be fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  CcmExec service is up and fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Access handle will be read from _SMSTSActiveRequestHandle TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Access handle: {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Attempting to release request using {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  CoCreateInstance succeeded TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  ReleaseRequest failed with error code 0x87d00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Here is the complete smsts.log: http://1drv.ms/1pwTEBf
  To explain the Problem in Detail:
  The SCCM Primary Site Server and the Clients are in different trusted (bidirectional) forests!
  Everythings working fine in this Scenario, I can install SCCM Agent on the Clients with Manual ccmsetup and with Client Push Installation. Additionally i can deploy Software Updates and so on... only OSD is crashing in the releaserequest step.
  During my Tasksequence new Clients are joined to Domain A while SCCM Primary Site Server is installed in Domain B
  If I change my TS and let the Clients also join Domain B everything works without any Problems and the Tasksequence finish without any Errors.
  My Problem must be related to the different Domains and the forest trust.
  My Setup:
  MP published to DNS in both domains
  Schema Extended in both domains
  System Management Container published and verified in both domains
  ccmsetup Parameters in TS: ccmsetup SMSMP=sccm.domain.b FSP=sccm.domain.b DNSSUFFIX=Domain.b
  Network Access account configured with Domain B account
  Domain Join account has create Computer rights on the OU in Domain A (Domain join is successful)
  DNs conditional forwarders configured in both Domains and DNS resolutin is working in both directions
  Any suggestions?
  Many thanks.
  regards,
  Christian

  Hi Christian,
  So do you actual get an error message in your TS or is it just failing to join Domain B?  (Could be both if the machines fails to join the domain).
  Can you review netsetup.log on the machines after the issue and see what error message you might be getting during the domain join process?
  Also, if it a domain join issue, can you try manually joining to domain B using the same service account?

• Network access: Do not allow anonymous enumeration of SAM accounts and shares

  Hi guys,
  What will happen if I enable "Network access: Do not allow anonymous enumeration on SAM accounts and shares" ?
  Does the users (everyone) would not be able to list all shared folders on that computer?
  What is the impact of this one?
  Been searching for the effect of this but I cannot find precise answer.
  Thank you in advance for your help!

  Hi whitesql,
  It’s difficult to talk about when a policy disable effect if we know how it works right? You can refer the following KB to realize the enumeration mainly work for first:
  The effects of removing null sessions from the Microsoft Windows 2000 and Microsoft Windows NT environment
  http://support.microsoft.com/kb/890161/EN-US
  Network access: Do not allow anonymous enumeration of SAM accounts
  https://msdn.microsoft.com/en-us/subscriptions/downloads/jj852230(v=ws.10).aspx
  Restricting Anonymous Access
  https://msdn.microsoft.com/zh-cn/library/cc785670(v=ws.10).aspx
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• SCCM 2012 OSD and WinPE-StorageWMI?

  Hi,
  I am using SCCM 2012 SP1 OSD with MDT 2012. I am trying to work out how to use the command from the
  WinPE-StorageWMI.
  I have added them to my boot wim and am trying to invoke them from powershell from the F8 prompt first
  then once I get them going in there put them in my task sequence.
  However when I do not see them?
  Am I not seeing any extra modules is there something basic I am missing? Am I meant to see a module
  called WinPE-StorageWMI?
  Thanks,
  Ward.

  The module is a part of Powershell. You need to enable WinPE-PowerShell.
  http://technet.microsoft.com/en-us/library/hh824926.aspx
  Juke Chou
  TechNet Community Support

• TACACS+ Accounting "Network Access Profile" name is missing

  Hello,
  I have a problem trying to export logs to the Cisco ACS View from my ACS 4.2
  In the document http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/appendixA.html Cisco states that one of the mandatory attributes for export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System configuration -> Logging settings). Well, I don't have this mandatory attribute listed in ACS under TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about null value for the attribute mentioned above.
  Is this some bug in ACS View or ACS or maybe I simply missing something?;)
  Best Regards,
  Igor

  Cisco created a new bug for it:
  CSCtq85420
  Best Regards,
  Igor

• SCCM 2012 R2 & MDT 2013 OSD Refresh - BDEDrive Assigned letter

  Hello,
  I'm having an issue with my MDT OSD refresh for Win 7 machines. I've capture a Win 7 reference image from a VM using MDT capture TS and I can successfully deploy that image to a bare metal VM
  using an MDT integrated SCCM TS. The disk partitions are expected, C:\ is the primary OS and BDEDrive is assigned 500MB and is hidden, no drive letter assigned.
  DISKPART> list volume
    Volume ###  Ltr  Label        Fs     Type        Size     Status    
  Info
    Volume 0     E                       DVD-ROM         0 B  No Media
    Volume 1         BDEDrive (P  NTFS   Partition    500 MB  Healthy
    Volume 2     C   OSDisk       NTFS   Partition     19 GB  Healthy    System
  DISKPART>
  However, when I run a refresh TS to re-deploy the same imaged used in my bare metal TS, the BDEDrive is assigned D:\ and is visible in windows explorer.
  DISKPART> list volume
    Volume ###  Ltr 
  Label        Fs    
  Type        Size    
  Status     Info
    Volume 0    
  E                      
  DVD-ROM         0 B 
  No Media
    Volume 1    
  D   BDEDrive (P  NTFS  
  Partition    500 MB  Healthy
    Volume 2    
  C   OSDisk      
  NTFS   Partition    
  19 GB  Healthy
  DISKPART>
  In the ‘Formart and Partition Disk 6.1’ step, I have checked the option ‘Do 
  not assign a drive letter this partition’ but it’s obviously not working as expected. Any suggestions?
  Thanks!

  Not sure if this is the same as what you are seeing, but check out this post: https://social.technet.microsoft.com/Forums/systemcenter/en-US/b3e2fc1f-e9df-4c6e-99a5-5d0e0dff648a/refresh-scenario-with-bitlocker-partition?forum=configmgrosd
  Jeff

• Controlling network access for user accounts

  Can anyone suggest a way to control airport access to a wireless network?
  I have an iMac G4 with AirPort running Tiger that I'd like to set up for a young teen to practice doing some video editing. I'd like to have network access disabled under normal circumstances, but be able to enable it easily during times when there is supervision.
  Ideally, I'd like to have the airport icon in the menubar and select a network to join causing a prompt for an administrator password. I can't seem to get anywhere close to that. Any help would be appreciated.
  Thanks.

  Thank you for your quick response.
  5. Click the checkbox under Require Administrator
  password to:
  The two choices I have are:
  - when changing networks
  - when creating a computer-to-computer network
  The first almost gets me what I want, there are two problems with this as I see it.
  1. when the computer comes up and automatically logs in, the user is greeted by authentication dialogs. (AirPort trying to connect?) I'd like to configure AirPort not to automatically try to connect and therefore not produce these dialogs.
  2. once approved, the network stays approved until the next reboot. I'd like to not be forced to reboot just to "lock down" the network again.
  Any help on those two points?

• SCCM 2012 SP1 OSD in 802.1X environment

  Dears, 
  we have SCCM 2012 SP1 CU5, and the network team has enabled the CISCO port security (802.1X network authentication) on the desktops VLAN and OSD is not working since then until port security is removed. i've seen some guides regarding how to make SCCM 2007
  OSD, WinPE 3.0 and 802.1X work together like : http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx  , but ot's very confusing.
  does anybody have the same scenario with SCCM 2012, WinPE 5.0, and 802.1X . please help me.

  Hello,
  What confused you here? 802.1X authentication is to authenticate before sending network packages. That is why we need import netwrok profile to win pe for anthentication. The point is authenticate, so I think it won't be any difference between
  ConfigMgr 2012 and 2007.          
  Another good article here:
  http://blogs.technet.com/b/deploymentguys/archive/2010/03/02/adding-support-for-802-1x-to-winpe.aspx
  Please also pay attention to the shared document in the blog.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• RemoteApps Error "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator."

  Hello All,
  Good day. May I ask if anyone experienced this error when trying to access remoteapps in Azure? We are using IaaS and set-up RDS using Windows 2012 R2 but we are getting an error below.
  "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator.
  Various roles and services (Broker, Session Host, RD Gateway and Web Access are installed on each VMs).
  Please advise.
  Thanks,
  Glenn

  Hi Glen;
  Looks like the set up was not done correctly. Please follow the guidelines given on this
  blog by Keith Mayer.
  Regards;
  Prasant