When using System Center Configuration Manager 2007 and restoring from a backup created via the "Backup ConfigMgr Site Server" maintenance task, OSD and Task Sequences no longer function if the restore was performed after a Windows OS reinstall on the server or restoration to new server hardware. Obtaining the SMSTS.log from a failing client PC reveals the following errors:
Parsing Policy Body. TSMBootstrap
(!sNetworkAccessAccount.empty()) && (!sNetworkAccessPassword.empty()), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1518) TSMBootstrap
Found empty NetworkAccessUsername/NetworkAccessPassword from NAAConfig CCM_NetworkAccessAccount TSMBootstrap
GetEncodedNetworkAccessAccount (sEncodedAccount, sEncodedPassword), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1544) TSMBootstrap
Network Access Account is not set TSMBootstrap
GetNetworkAccessAccount( sNetworkAccessAccount, sNetworkAccessPassword ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,1597) TSMBootstrap
pTSPolicyManager->GetContentLocations( m_sPackageID, m_lSourceVersion, m_dwContentSourceFlags, slistContentLocations, slistHttpContentLocations, slistMulticastContentLocations, m_dwContentPackageFlags ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,2330) TSMBootstrap
(*iTSReference)->Resolve( pTSPolicyManager, dwResolveFlags ), HRESULT=80040101 (e:\nts_sms_fre\sms\framework\tscore\tspolicy.cpp,2862) TSMBootstrap
m_pSelectedTaskSequence->Resolve( m_pPolicyManager, TS::Policy::TaskSequence::ResolvePolicy | TS::Policy::TaskSequence::ResolveSource, fpCallbackProc, pv, hCancelEvent), HRESULT=80040101 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,1208) TSMBootstrap
Failed to resolve selected task sequence dependencies. Code(0x80040101) TSMBootstrap
hrReturn, HRESULT=80040101 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediaresolveprogresspage.cpp,408) TSMBootstrap
ThreadToResolveAndExecuteTaskSequence failed. Code(0x80040101) TSMBootstrap
ThreadToResolveAndExecuteTaskSequence returned code 0x80040101 TSMBootstrap
Setting wizard error: Failed to read network access account from machine policy. For more information, please contact your system administrator or helpdesk operator. TSMBootstrap
Reviewing the above SMSTS.log seems to reveal that the Network Access Account (NAA) is not set. The Network Access Account is needed by the Task Sequence while in WinPE to access network resources since the client PC while in WinPE is the equivalent of a non-domain joined workgroup PC.
Note: For additional information about the the Network Access Account see the following TechNet articles:
About the Network Access Account
How to Configure the Network Access Account
Reviewing the properties of the Computer Client Agent in the ConfigMgr 2007 admin console under Site Settings --> Client Agents reveals that the Network Access Account is set. Resetting the Network Access Account in the properties of the Computer Client Agent by reentering the Network Access Account's username and password seems to resolve the error, but then causes a new error in the SMSTS.log. Reviewing the SMSTS.log on the failed client PC reveals the following error:
Decompressing reply body. TSMBootstrap
Decompression (zlib) succeeded: original size 476, uncompressed size 2568. TSMBootstrap
CryptMsgControl (hMsg, 0, CMSG_CTRL_VERIFY_SIGNATURE, pCert->pCertInfo), HRESULT=8009100e (e:\nts_sms_fre\sms\framework\osdmessaging\libcrypt.cpp,351) TSMBootstrap
signature varification failed TSMBootstrap
ipCertContext != listpServerCertContext.end(), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\osdmessaging\libsmsmessaging.cpp,2476) TSMBootstrap
signature check failed: <signature> TSMBootstrap
DoRequest (sReply, true), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\osdmessaging\libsmsmessaging.cpp,5010) TSMBootstrap
Failed to get client identity (80004005) TSMBootstrap
ClientIdentity.RequestClientIdentity (), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,815) TSMBootstrap
failed to request for client TSMBootstrap
Exiting TSMediaWizardControl::GetPolicy. TSMBootstrap
pWelcomePage->m_pTSMediaWizardControl->GetPolicy(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawelcomepage.cpp,280) TSMBootstrap
Setting wizard error: An error occurred while retrieving policy for this computer (0x80004005). For more information, please contact your system administrator or helpdesk operator. TSMBootstrap
This issue is caused by the backup restoring the srvacct folder from the original ConfigMgr 2007 installation instead of keeping the srvacct folder from the new ConfigMgr 2007 installation. The srvacct folder can be found at the root level of the directory where ConfigMgr 2007 is installed. Normally this folder has a text file in it with the name srvacct.<site_code>. The text file has the public keys that along with private keys stored in the Windows OS allow it to decrypt service account information (username/password) which includes the Network Access Account.
When a Windows OS is freshly installed, either via a reinstall of the OS or install on new hardware, new private keys are generated in the Windows OS when ConfigMgr 2007 is installed. The applicable public keys that match up with the private keys are then generated and stored in the srvacct folder in the file srvacct.<site_code>. If a backup restores the srvacct folder from another instance of the Windows OS, the public keys in the srvacct.<site_code> folder will no longer match up with the private keys in the Windows OS. This will cause the information for any service account used by ConfigMgr 2007, including the Network Access Account, to not be able to be decrypted and used.
This issue can also cause problems in other areas of ConfigMgr 2007 other than Task Sequences and OSD. Service accounts are not normally used in ConfigMgr 2007 since most operations use the SYSTEM/site server's computer account. The only exception to this rule is the Network Access Account which is needed by Task Sequences when running in WinPE and is the reason why this issue most prominently affects OSD.
Service accounts can be used instead of the SYSTEM/site server's computer account in other areas of ConfigMgr 2007 other than Task Sequences and OSD. For a list of the different areas in ConfigMgr 2007 that can be optionally configured to use service accounts and may be affected by this issue, please see the following TechNet articles:
Accounts Configured in the Configuration Manager Console
How to Configure Configuration Manager 2007 Accounts
The two other areas that would most likely be affected by this problem other than OSD would be the use of Site Address Accounts (leading to sites not being able to communicate with one another) and database access accounts (leading to site roles not being able to access the database). The issue is mostly seen with OSD since a service account (the Network Access Account) is always needed and used.
To resolve the issue, the ConfigMgr 2007 site will need to be reinstalled from scratch. The current restored ConfigMgr 2007 site cannot be used since the original srvacct folder no longer exists.
Note: If the above solution is being used to resolve the issue for a component other than OSD (i.e., site address accounts or database connection accounts), in Steps 8-9, navigate to the appropriate section in the ConfigMgr 2007 Admin Console (i.e., Addresses or properties of the Site Systems roles) and reset the appropriate service accounts using the same same instructions listed in Steps 10-12.
Article ID: 2509330 - Last Review: 06/20/2011 18:05:00 - Revision: 7.0