troubleshooting tips


Upload: mohankumar-krishnan

Post on 01-Jan-2016


Troubleshooting Tips: Non SCCM & Unhealthy Client Machines

Sometimes the most challenging part of the Configuration Manager 2007/SMS 2003 deployment phase can be ensuring that the client successfully reports to the site server. We occasionally see these issues here in support, typically either as cases for clients not reporting after the client installation, or maybe where it’s noticed that the client count is decreasing from the collection.

When we look at the SMS/SCCM console collection, there is an entry for the client status that indicates either Yes or No. Assuming everything is installed and configured properly, a client installed on a system should automatically report as Yes, but sometimes that does not turn out to be the case. The reason could be that the client has not yet reported to the SCCM\SMS server, or it was reporting previously but has now stopped. Managing the client in the collection is a continuous task and for a healthy environment the client should be continuously reporting to the SMS\SCCM server.

There are various reasons why a client may not be able to report to the server even if the SMS\SCCM agent is installed on a machine. A few of these reasons are discussed below:

The first thing to check is whether the client is on the network, and if it’s not on the network, does the system even exist? It’s possible that it represents a stale record from AD.

Systems NOT on the network: If the system is not actually on the network, check whether it is shut down, and if so, whether it has been shut down for a long time. If yes, first restart the system and then initiate the discovery cycle from the Actions tab of the agent properties in Control Panel.

Stale Entries: When you use AD discovery, the DDRs are created for the computers that reside in the AD container that we have requested to be queried by the discovery process. If that container has the stale records for the resources, then client records may be created for systems that don’t actually exist, thus they will never report.

There is a Maintenance task that will clear the inactive records but if the discovery process runs again and the AD container still has these entries then they will simply show up again.

Resolution: For the stale records you need to make sure that the AD container is cleared of these stale records and scavenging is done for the computers container in AD regularly. Once this is done you can either make use of the maintenance task or you can create a collection for the NON SMS CLIENTS and then do a delete special to the collection so that the entries will be removed permanently from the SMS\SCCM database. Then a discovery can be run which will bring back only the active systems in the collection.

Once the agent is available on the network and the client is installed, the client goes through the following actions as part of the reporting process:

1. Client location services identify the site code and the MP it is supposed to connect to.

2. The client connects to the Management Point and downloads the policies.

3. Once the policies are downloaded it sends the heartbeat record to the server.

4. Once the server receives this heartbeat record, it is converted into a DDR and processed. This will set the client flag to 1, which will make the client status display as Yes in the console.

5. On a regular basis the agent will send the heartbeat, and if no heartbeat or inventory shows up for a length of time then the client flag will be marked as 0 by the client flag maintenance task, setting the client status to No.

So only if this process is completed and it continues to happen will the client remain reporting to the server. This is why I said earlier that client management is a continuous task. There can be a variety of reasons why this process might fail, and I’ve outlined a couple of them below:

The Boundaries of the Agent are not specified in the site server

If the client is not assigned in the console or the client is unable to discover the site code, make sure that the AD site or the IP subnet is added in the boundary list. The server will only allow those clients within its boundary to download the policies, so if you have not specified the boundaries the client will not be authorized and the policies will not get downloaded. For boundary issues you can use this as a reference:

On the client, if you check locationservices.log (log location: C:\Windows\System32\CCM\Logs), you can get the information about the site assigned to it as well as the MP it is reporting to. If it is not able to report properly, you need to make sure that the agent can communicate over the network to the site server successfully.

Unable to get the site code

If the client is not able to get the site code, you need to check first the boundaries as above, and also verify that the site information is published in the AD. You can check the last part of the sitecomp.log after you start the site component manager which will say that the components like the MP, SLP etc successfully published or updated. If you are unable to see that and you get access denied errors, make sure that the computer account has read\write permission to the system container in AD. Make sure the permission is flowing to the objects within and the objects below. If you are not publishing the information in AD then you need to make sure that the SLP is configured and working.

The client itself is not installed in the Agent

To confirm this, check the ccmexec.log file on the client machine or ccm.log on the server.

Make a list if you find any of these issues:

1. Newly discovered client computers are not assigned to the current site

2. Advanced Client Push Installation is not enabled at the appropriate site

3. The SMS Client Configuration Manager cannot connect to the client Admin$ share or to the Remote Registry Service (IPC$)

4. The SMS Advanced Client Push Installation account is configured incorrectly or is missing or is locked out

5. The SMS Advanced Client cannot access the installation file on the SMS site server

6. The SMS Advanced Client cannot access the management point during an upgrade

7. The SMS Advanced Client displays a site assignment but does not appear as installed

8. The Client computer appears in collections with the following values:

Site Code Client Assigned Client Type

This occurs when one or more of the following conditions are true:

a) The collection information has not been updated. Collection updates usually run on a daily or weekly schedule. In this case, you must make sure that the collection information has been updated. You can manually update the collection membership, and then update the collection view.

b) The client computer shares the same SMSID with another client computer. This issue can occur when you use a disk image to install the SMS Advanced Client. Duplicate SMSIDs are also referred to as duplicate GUIDs. You must determine whether duplicate SMSIDs exist on the client computers. For more information about how to detect duplicate GUIDs and how to use Tranguid.exe to create a New SMS GUID for the affected clients.

c) The SMS Advanced Client is assigned. However, the SMS Advanced Client is not installed. You must verify that the SMS Advanced Client is installed successfully and is assigned to the site that you are viewing.

d) The Network Discovery method is enabled. When you use the Network Discovery method in Systems Management Server (SMS), it populates the IsClient fields in the database by using a Null value. If other discovery methods are enabled, the computer will appear in the collection as Assigned with no client installed even though the client is installed. To resolve this issue, disable the Network Discovery method. Also, verify that the Heartbeat Discovery method that is enabled by default has not been disabled. Then, wait for the specified Heartbeat Discovery polling interval to pass. When the clients send up new discovery data, the database is updated to reflect the correct values.

Note Only the Heartbeat Discovery method will set the client installation status to Yes. The Active Directory System discovery method does not update the IsClient field in the SMS database.

e) Heartbeat Discovery has not reported since the client was installed.

There is a name resolution issue in the Client.

Make sure that the client is able to communicate to the SMS\SCCM server using the FQDN as well as the NetBIOS name. Use Nslookup or ping to check the name resolution. If you can’t ping the server using the FQDN then you will have problems.

The client is behind a firewall

If clients are behind a firewall, it may be restricting them from contacting the SMS site server. Check that the necessary ports are open.

MP not working as a result of which the policies are not getting downloaded

You first need to check whether the MP is working. For that you will need to check mpcontrol.log (log location: \SMS\logs in SMS and \program files\Microsoft Configuration Manager\logs in SCCM). If it is showing a 200 OK status code then the MP is working.

If the MP is working fine and the client is unable to contact it and download policies, you will have an error on download in the policyagent.log file on the agent (log location: C:\Windows\System32\CCM\Logs). Before checking this though, check whether locationservices.log has the correct MP information. If it does have the correct MP information, make sure that the BITS service is started on the client. You can try the following URLs to verify that this is working:

http://<MP server name>/sms_mp/.sms_aut?mplist

and

http://<MP server name>/sms_mp/.sms_aut?mpcert
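
The client-side checks described above (name resolution by FQDN and NetBIOS name, BITS service state, and the two MP URLs) can be run together from the client. The PowerShell below is an added example, not part of the original article; the function names are made up for illustration and the MP names in the sample call are placeholders.

```powershell
# Added example: client-side Management Point (MP) checks from this article.
# Function names are illustrative; the MP names you pass in are your own.

function New-CheckResult {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail } |
        Select-Object Check, Ok, Detail
}

# Resolve a name (FQDN or NetBIOS) through the system resolver.
function Test-NameResolution {
    param([string]$Name)
    try {
        $entry = [System.Net.Dns]::GetHostEntry($Name)
        $ips = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ', '
        New-CheckResult "Resolve $Name" $true $ips
    } catch {
        New-CheckResult "Resolve $Name" $false $_.Exception.Message
    }
}

# The article says to make sure BITS is started on the client.
function Test-BitsService {
    $svc = Get-Service -Name BITS -ErrorAction SilentlyContinue
    if (-not $svc) { return New-CheckResult 'BITS service' $false 'service not found' }
    New-CheckResult 'BITS service' ($svc.Status -eq 'Running') "Status: $($svc.Status)"
}

# Request one of the MP test URLs; $Query is 'mplist' or 'mpcert'.
function Test-MpUrl {
    param([string]$Server, [string]$Query)
    $url = "http://$Server/sms_mp/.sms_aut?$Query"
    $response = $null
    try {
        $request = [System.Net.WebRequest]::Create($url)
        $request.Timeout = 15000
        $response = $request.GetResponse()
        $code = [int]$response.StatusCode
        New-CheckResult "GET $url" ($code -eq 200) "HTTP $code"
    } catch {
        # 4xx/5xx answers surface as a WebException that carries the response.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) {
            New-CheckResult "GET $url" $false ("HTTP " + [int]$ex.Response.StatusCode)
        } else {
            # No HTTP answer at all: DNS failure, refused connection, firewall, timeout.
            New-CheckResult "GET $url" $false $_.Exception.Message
        }
    } finally {
        if ($response) { $response.Close() }
    }
}

function Test-MpClientPath {
    param([string]$MpFqdn, [string]$MpNetbios)
    Test-NameResolution $MpFqdn
    Test-NameResolution $MpNetbios
    Test-BitsService
    Test-MpUrl $MpFqdn 'mplist'
    Test-MpUrl $MpFqdn 'mpcert'
}

# Sample call with placeholder names:
# Test-MpClientPath -MpFqdn 'mp01.example.local' -MpNetbios 'MP01' | Format-Table -AutoSize
```

A failed resolution row points at the name resolution section, while a URL row with no HTTP status points at the firewall or IIS checks.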

Client is unable to download policy

You may also have issues downloading policies if the client agent has WMI corruption. If you suspect this to be the cause of your issue and it is an XP client, follow these steps:

1. Uninstall SCCM client agent. Use the ccmsetup.exe /uninstall

2. Troubleshoot or rebuild WMI.

When to rebuild WMI : SCCM Client is not able to install on machines.

When to repair WMI : SCCM Client is installed on machines but inventory data is not reporting to SCCM database.

3. Restart the system and install the agent.

Server unable to process DDR

Once you find that the client is able to send the heartbeat data to the server, you next need to check on the server to see if these are getting processed successfully.

Clients going to NO after it had reported

1. The first reason for this is that the heartbeat discovery is enabled and that the DDRs are not reaching the server.

2. The second is that Clear Install Flag is running.

Solution: Initiate the Discovery data collection cycle manually from the client and update the collection after a few minutes.

Packages stuck copying to DP: 'Install Pending'

There may be different scenarios, so apply the fix as needed:

1. Packages are not copied to the DP due to lack of permissions; check the necessary rights.

2. Check whether the package is present on the affected DP.

3. If not, check the distmgr.log file on the affected DP, manually copy the .pck file from the primary server to the affected DPs, and use the PreloadPkgOnSite.exe tool to replicate the package information to the SCCM database.

Here is information about this tool:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C36FCDA8-9336-4D44-9568-5530FF7635DD&displaylang=en

4. If the package is present on the DP but not updated in the database or SCCM console, refresh the DP again.

5. If the DPs are still not updated, try running these queries for the affected DPs on the central server:

update pkgstatus set Status = 2 where id = ' ' and sitecode = ' ' and type = 1

update pkgstatus set SourceVersion = 0 where id = ' ' and sitecode = ' ' and type = 1

6. After running the above queries, refresh the DPs again.

November 24, 2010

SQL query to get patch compliance reports

SELECT DISTINCT

ps.Bulletin AS Bulletin_No,

ps.Retrying + ps.PreSuccess + ps.Uninstalled + ps.PendReboot + ps.Verified + ps.NoStatus + ps.Failed - ps.Verified AS Unpatched,

ps.Retrying + ps.PreSuccess + ps.Uninstalled + ps.PendReboot + ps.Verified + ps.NoStatus + ps.Failed AS 'Total with Status',

ROUND((100 * (ps.Verified + .00000001)) / (.00000001 + ps.Retrying + ps.PreSuccess + ps.Uninstalled + ps.PendReboot + ps.Verified + ps.NoStatus + ps.Failed), 0) AS '% Compliant',

ps.Verified, ps.NoStatus, ps.Retrying, ps.PreSuccess, ps.Uninstalled, ps.PendReboot, ps.Failed, real_total.total, ps.CollectionID

FROM (

SELECT fcm.CollectionID,

pse.ID AS Bulletin,

SUM(CASE WHEN pse.LastStateName = 'No Status' THEN 1 ELSE 0 END) AS NoStatus,

SUM(CASE WHEN pse.LastStateName = 'Install Verified' THEN 1 ELSE 0 END) / 2 AS Verified,

SUM(CASE WHEN pse.LastStateName = 'Retrying' THEN 1 ELSE 0 END) AS Retrying,

SUM(CASE WHEN pse.LastStateName = 'Preliminary Success' THEN 1 ELSE 0 END) AS PreSuccess,

SUM(CASE WHEN pse.LastStateName = 'Uninstalled' THEN 1 ELSE 0 END) AS Uninstalled,

SUM(CASE WHEN pse.LastStateName = 'Reboot pending' THEN 1 ELSE 0 END) AS PendReboot,

SUM(CASE WHEN pse.LastStateName = 'Failed' THEN 1 ELSE 0 END) AS Failed

FROM

v_ApplicableUpdatesSummaryEx INNER JOIN

v_GS_PatchStatusEx pse ON v_ApplicableUpdatesSummaryEx.UpdateID = pse.UpdateID RIGHT OUTER JOIN

v_FullCollectionMembership fcm ON pse.ResourceID = fcm.ResourceID

WHERE

(pse.QNumbers NOT LIKE 'None')

AND (pse.ID NOT LIKE 'None')

AND (fcm.CollectionID = 'SMS000ES' )

GROUP BY pse.ID

, v_ApplicableUpdatesSummaryEx.Type

, fcm.CollectionID

HAVING

(v_ApplicableUpdatesSummaryEx.Type = 'Microsoft Update')) ps

INNER JOIN

(

SELECT DISTINCT ID0

FROM v_GS_PATCHSTATEEX

WHERE (Language0 = 'English' Or LocaleID0 In ('0','9'))

AND ID0 <> 'none'

AND Type0 = 'Microsoft Update'

AND Severity0 = '10') As PatchList

ON ps.Bulletin = PatchList.ID0

CROSS JOIN

(SELECT CollectionID, COUNT(ResourceID) AS total

FROM v_FullCollectionMembership

GROUP BY CollectionID

HAVING (CollectionID = 'SMS000ES' )) real_total

ORDER BY ps.Bulletin DESC

-- specify collectionID to get respective compliance rate

Thanks!

Posted by Atul Kr. at 8:48 PM 1 comments


SQL query to get patch summary report for specific collection

declare @Total int, /* total count collection membership */

@SMSInstall int, /* count installed by SMS */

@OtherInstall int, /* count installed externally */

@Missing int, /* count missing patch */

@NotRequired int, /* count not requiring patch */

@Required int, /* count requiring patch */

@Outstanding int /* count outstanding */

/* count non-obsolete clients */

select @Total=count(*)

from v_FullCollectionMembership fcm

join v_R_System sys on fcm.ResourceID=sys.ResourceID

where IsNull(sys.Obsolete0,0)=0 and sys.Client0=1

and fcm.CollectionID='IN000061' /* specify collectionID here */

/* patches installed by SMS */

/* patches installed by others */

/* patches required by systems */

/* v_GS_PatchStatusEx already filters out obsolete clients */

select @SMSInstall=count(distinct case

when ps1.LastState is not null and ps1.AgentInstallDate is not null and ps1.LastState=105 then ps1.ResourceID

when ps1.LastState is null and ps2.AgentInstallDate is not null and ps2.LastState=105 then ps2.ResourceID

else null end),

@OtherInstall=count(distinct case

when ps1.LastState is not null and ps1.AgentInstallDate is null and ps1.LastState=105 then ps1.ResourceID

when ps1.LastState is null and ps2.AgentInstallDate is null and ps2.LastState=105 then ps2.ResourceID

else null end),

@Missing=count(distinct case

when ps1.LastState is not null and ps1.LastState!=105 then ps1.ResourceID

when ps1.LastState is null and ps2.LastState is not null and ps2.LastState!=105 then ps2.ResourceID

else null end),

@Required=count(distinct case

when ps1.ResourceID is null then ps2.ResourceID else ps1.ResourceID end)

from (select LastState, AgentInstallDate, ResourceID, UpdateID

from v_GS_PatchStatusEx

where ID='ms08-067' and QNumbers=958644 and

UniqueUpdateID is not null) ps1

full outer join

(select LastState, AgentInstallDate, ResourceID, UpdateID

from v_GS_PatchStatusEx

where ID='ms08-067' and QNumbers=958644 and

UniqueUpdateID is null) ps2

on ps1.ResourceID=ps2.ResourceID

join v_FullCollectionMembership fcm

on (ps2.ResourceID is null and ps1.ResourceID=fcm.ResourceID) or

(ps1.ResourceID is null and ps2.ResourceID=fcm.ResourceID) or

(ps1.ResourceID=fcm.ResourceID and ps2.ResourceID=fcm.ResourceID)

where fcm.CollectionID='IN000061'

/* not requiring patch */

select @NotRequired=count(distinct fcm.ResourceID)

from v_FullCollectionMembership fcm

join v_R_System sys on fcm.ResourceID=sys.ResourceID

join v_GS_SCANPACKAGEVERSION spv on fcm.ResourceID=spv.ResourceID

join (select upkg.PackageID, max(upkg.PackageVersion) as PackageVersion

from v_ApplicableUpdatesSummaryEx us

join v_UpdatePrograms upkg on us.UpdateID=upkg.UpdateID

where us.ID='ms08-067' and us.QNumbers=958644 and upkg.PackageType=1

group by upkg.PackageID) updpkg

on spv.PackageID0=updpkg.PackageID and spv.PackageVer0>=updpkg.PackageVersion

left join (select ResourceID

from v_GS_PatchStatusEx

where ID='MS08-067' and QNumbers=958644) ps

on fcm.ResourceID=ps.ResourceID

where fcm.CollectionID='IN000061' and

ps.ResourceID is null and IsNull(sys.Obsolete0,0)=0 and sys.Client0=1

/* outstanding computers */

Select @Outstanding=@Total-(@NotRequired+@Required)

select @Total as 'Computers in collection'

select @Required as 'Computers requiring update', 100*@Required/@Total as '% of Total'

select @SMSInstall as 'Computers updated by SMS', 100*@SMSInstall/@Total as '% of Total'

select @OtherInstall as 'Computers updated by external means', 100*@OtherInstall/@Total as '% of Total'

select @SMSInstall+@OtherInstall as 'Total computers updated', 100*(@SMSInstall+@OtherInstall)/@Total as '% of Total'

select @Missing as 'Computers missing update', 100*@Missing/@Total as '% of Total'

select @NotRequired as 'Computers not requiring update', 100*@NotRequired/@Total as '% of Total'

select @Outstanding as 'Outstanding computers', 100*@Outstanding/@Total as '% of Total'

--outstanding computers are the computers that have not run the scan yet to know if they need the patch.

--Outstanding=@Total-(@NotRequired+@Required)

Posted by Atul Kr. at 8:45 PM 0 comments


SQL query to get patch status report of production servers

-- It provides information about servers and their patch status as per MS bulletin ID and Qnumber.

select distinct a.name0,a.user_name0,b.id0,b.qnumbers0,

b.language0,b.product0,b.reboottype0,b.scanagent0,

'b.severity0' = Case

When b.severity0 = 10 Then 'Red'

When b.severity0 = 8 Then 'Amber'

When b.severity0 = 6 Then 'Green'

else ' '

End,

b.status0,b.type0,b.title0,b.timeapplied0,b.timeauthorized0

from v_r_system a,v_GS_PATCHSTATEEX b

where a.resourceid=b.resourceid

and b.id0 in ('MS08-003','MS08-005','MS08-006','MS08-007','MS08-008','MS08-010',

'MS08-020','MS08-021','MS08-022','MS08-031','MS08-032','MS08-033','MS08-034','MS08-035',

'MS08-036','MS08-037','MS08-045','MS08-046','MS08-047','MS08-048','MS08-049','MS08-050',

'MS08-051','MS08-052','MS08-053','MS08-058','MS08-061','MS08-062','MS08-063','MS08-064',

'MS08-065','MS08-066','MS08-067','MS08-068','MS08-069','MS09-001')

and b.qnumbers0 not in ('951746','955069','954459','954606')

and status0 like 'Applicable'

and a.operating_system_name_and0 like '%server%'

-- bulletinid and qnumbers are provided by server team. I pulled reports of servers which required these patches as per requirements.

Hope it will help you in some way!

Posted by Atul Kr. at 8:32 PM 0 comments


SQL query to get computer names which do NOT have specific file installed

-- It returns all computer names which do NOT have specific file installed:

SELECT DISTINCT Netbios_Name0

FROM v_R_System

WHERE Netbios_Name0 NOT IN

(SELECT DISTINCT v_R_System.Netbios_Name0

FROM v_R_System INNER JOIN v_GS_SoftwareFile

ON (v_GS_SoftwareFile.ResourceID = v_R_System.ResourceId)

WHERE v_GS_SoftwareFile.FileName = 'filename.exe')

ORDER by Netbios_Name0

Posted by Atul Kr. at 8:26 PM 0 comments


Query to get machines with specific exe

SELECT DISTINCT v_R_System.Netbios_Name0

FROM v_R_System INNER JOIN v_GS_SoftwareFile

ON (v_GS_SoftwareFile.ResourceID = v_R_System.ResourceId)

WHERE v_GS_SoftwareFile.FileName = 'Notepad.exe'

-- it returns machines with specific file name. You can change file name as per your requirements.

Posted by Atul Kr. at 8:23 PM 0 comments

Daily SCCM Administrative Activities: ConfigMgr'07 Inboxes to Monitor

Here is a list of the ConfigMgr 2007 inboxes that should be checked on a regular basis to ensure that your site(s) function as expected.

Auth\Dataldr.Box

A backlog of files can indicate problems accessing the site database.

Auth\Dataldr.Box\Process

A backlog of files can indicate problems accessing the site database.

Auth\Ddm.box\Bad_DDRs

A backlog of files can indicate a network corruption problem or a problem with the DDM

Auth\Sinv.Box

A backlog of files can indicate that the Software Inventory Processor cannot connect to the site database or that too many files were received.

Auth\Sinv.Box\Orphans

A backlog of files can indicate problems with specific clients, with management points, or with the network that could cause data corruption.

Compsumm.Box

A backlog of files can indicate that the Component Status Summarizer cannot process the volume of messages.

Dataldr.Box

A backlog of files can indicate problems accessing the Systems Management Server (SMS) database

Dataldr.Box\Badmifs

A backlog of files can indicate a bad custom MIF file or that a client computer cannot transfer the file correctly.

Ddm.Box

A backlog of files can indicate that a bad DDR is preventing other DDRs from being processed.

Ddm.Box\Bad_DDRs

A backlog of files can indicate a network corruption problem or a problem with the DDM

OfferSum.Box

A backlog of files can indicate a performance problem that is caused by a large number of messages.

Policypv.Box

A backlog of files in the policypv.box folder indicates that the policy provider component is not running.

Replmgr.Box\Ready

A backlog of files can indicate that the Scheduler is backlogged or is already processing files of the same priority

Schedule.Box

A backlog of files can indicate that the Sender cannot connect to or cannot transfer data to another site.

Schedule.Box\Outboxes

A backlog of .srq files indicates that the sender cannot process the number of jobs scheduled for that sender or that the sender cannot connect to or transfer data to another site.

Schedule.Box\Tosend

A backlog of files can indicate that many send requests are not completed or that the Scheduler has not yet deleted the files.

Sinv.Box

A backlog of files can indicate that the Software Inventory Processor cannot connect to the site database or that too many files were received.

Sinv.Box\BadSinv

A backlog of files can indicate problems with specific clients, with management points, or with the network, causing data corruption.

SiteStat.Box

A backlog of files can indicate a performance problem. Examine status messages for the Site System Status Summarizer for possible problems.

Statmgr.Box\Futureq

A backlog of files can indicate that some site systems' clocks are not synchronized with the site server.

Statmgr.Box\Queue

A backlog of files can indicate a problem with the Status Manager or that the component is trying to process too many messages.

Statmgr.Box\Retry

A backlog of files can indicate problems with the connection to the computer that is running SQL Server.

Statmgr.Box\Statmsgs

A backlog of files can indicate a problem with the Status Manager or that the Status Manager is trying to process too many messages

Swmproc.Box

A backlog of .sum and .sur files can indicate that the Software Metering Processor component cannot connect to the SMS database.
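
The regular check of these inboxes can be scripted. The PowerShell below is an added example, not part of the original post: it reports the file count and the age of the oldest file for each inbox listed above. The inboxes root path is supplied by you, and the function name and both thresholds are illustrative assumptions, not values from the post.

```powershell
# Added example: file count and oldest-file age for the ConfigMgr 2007 inboxes listed above.
# -InboxRoot is the site server's inboxes folder (you supply the path).
# -MaxFiles and -MaxAgeHours are illustrative thresholds, not values from the article.
$InboxesToWatch = @(
    'Auth\Dataldr.Box', 'Auth\Dataldr.Box\Process', 'Auth\Ddm.box\Bad_DDRs',
    'Auth\Sinv.Box', 'Auth\Sinv.Box\Orphans', 'Compsumm.Box',
    'Dataldr.Box', 'Dataldr.Box\Badmifs', 'Ddm.Box', 'Ddm.Box\Bad_DDRs',
    'OfferSum.Box', 'Policypv.Box', 'Replmgr.Box\Ready',
    'Schedule.Box', 'Schedule.Box\Outboxes', 'Schedule.Box\Tosend',
    'Sinv.Box', 'Sinv.Box\BadSinv', 'SiteStat.Box',
    'Statmgr.Box\Futureq', 'Statmgr.Box\Queue', 'Statmgr.Box\Retry',
    'Statmgr.Box\Statmsgs', 'Swmproc.Box'
)

function Get-InboxBacklog {
    param(
        [string]$InboxRoot,
        [string[]]$Inboxes = $InboxesToWatch,
        [int]$MaxFiles = 500,
        [int]$MaxAgeHours = 24,
        [switch]$Recurse        # also count files in subfolders of each inbox
    )
    $now = Get-Date
    foreach ($inbox in $Inboxes) {
        $path = Join-Path $InboxRoot $inbox
        $files = @()
        $oldestHours = 0
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing folder is reported rather than silently skipped.
            $state = 'Missing'
        } else {
            # Files only; by default subfolders are not descended into,
            # so nested inboxes such as Dataldr.Box\Process are counted on their own row.
            $files = @(Get-ChildItem -LiteralPath $path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            if ($files.Count -gt 0) {
                $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
                $oldestHours = [math]::Round(($now - $oldest.LastWriteTime).TotalHours, 1)
            }
            # Many files, or a file that has sat unprocessed for too long, both count as a backlog.
            $state = 'OK'
            if ($files.Count -gt $MaxFiles -or $oldestHours -gt $MaxAgeHours) { $state = 'Backlog' }
        }
        New-Object PSObject -Property @{
            Inbox = $inbox; Files = $files.Count; OldestHours = $oldestHours; State = $state
        } | Select-Object Inbox, Files, OldestHours, State
    }
}

# Sample call (the path is a placeholder):
# Get-InboxBacklog -InboxRoot 'D:\SMS\inboxes' | Where-Object { $_.State -ne 'OK' } | Format-Table -AutoSize
```

Folders that normally hold long-lived files will need their own thresholds; tune the two limits against what a healthy day looks like on your site.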

Troubleshooting Management Point Issue : Steps to be taken

MP Issue Description:

Failed to send http request /SMS_MP/.sms_aut?MPLIST. Error 12029 SMS_MP_CONTROL_MANAGER 1/11/2010 4:51:40 PM 3924 (0x0F54)

Http verification .sms_aut (port 80) failed with no header received SMS_MP_CONTROL_MANAGER 1/11/2010 4:51:40 PM 3924 (0x0F54)

How to Handle:

Within IIS, a virtual directory is added under the default website during the Management Point installation. The virtual directory is called “SMS_MP” (without the quotes). This virtual directory is how the advanced clients are able to communicate with the MP and ultimately, via the ISAPIs, convert the data transmitted to the MP to files and information for insertion into the SMS database.

Note that MPControl is a self-checking component of the Management Point. If it is giving error messages, you first need to check whether the functionality is working at all.

A good test would be to check whether a given client talking to that MP can send up HW inventory (you can check in Resource Explorer) AND whether the client can get policy (Policy Spy on the client).

In order to send a full HW inventory you need to run this VBS on the client and then trigger a HW Inventory cycle:

Dim oLocator

Set oLocator = CreateObject("WbemScripting.SWbemLocator")

Dim oServices

Set oServices = oLocator.ConnectServer( , "root\ccm\invagt")

' Delete the specified InventoryActionStatus instance

x = "{00000000-0000-0000-0000-000000000001}"

oServices.Delete "InventoryActionStatus.InventoryActionID=""" & x & """"

If the functionality is OK, most likely only the self-tests are wrong. In this case you need to check with the MP troubleshooter or with the URLs. The cause could most likely be network related.

If the functionality is wrong we need to check

IIS (Does WWW run? IISRESET)

IIS permissions (clients have anonymous access? Is the IUSR and the IWAM account locked?)

DCOM

The SMS Management Point and SMS Agent Host service consist of several COM objects. The SMS Agent Host service usually runs under the context of LocalSystem, so increased DCOM security does not often cause a problem for the Advanced Client. The SMS Management Point, however, runs under the identity of the IWAM account, so any additional restrictions on DCOM security can prevent the MP from functioning. If the MP does not start under the IWAM identity, but uses either a copy of this account or an entirely new account, then default permissions may not be enough to start the MP.

SQL (Has the MP account a “clear way” through the OS and SQL permissions to the SQL tables? Use SMS groups on the site servers!!)

Status Message Codes in IIS

If the client’s request does appear in the web service log, the next field to look for is the status code. The three digit return code of an http request will consist of two parts. The first digit will indicate the general status.

General Status Codes in IIS

First Digit General Status

2xx Success

3xx Redirection

4xx Client Error

5xx Server Error

The second two digits will give a more descriptive explanation of the status. In some instances, such as a 401 or 403 error code, there will be a sub code, such as 401.1 or 403.4.

A complete list of IIS status codes can be found in the following article:

294807, “HOW TO: Turn Off the Internet Explorer 5.x and 6.x "Show Friendly HTTP Error Messages" Feature on the Server Side”

http://support.microsoft.com/default.aspx?scid=KB;EN-US;294807

URLScan

UrlScan version 2.5 is a security tool that restricts the types of HTTP requests that Internet Information Services will process. By blocking specific HTTP requests, the UrlScan security toolhelps prevent potentially harmful requests from reaching the server.URLSCan is an ISAPI filter that was designed to block extremely long or incorrectly formatted

web requests, which are common means of expoiting buffer overflows. It also can block avariety of verbs and commands in web requests that can exploit security holes orconfiguration errors.

URLScan 2.5 consists of URLScan.dll, the ISAPI filter, and URLScan.ini, the configuration file. The SMS 2003 toolkit has a modified version of the URLScan.ini file that allows the Management Point ISAPI extensions to pass through. Any previous version of this ini file will cause URLScan to block client communication with the management point. Clients will be able to download packages for advertisements they already know about, but they won’t be able to get policy updates or upload inventory. An incorrect version of URLScan on an SMS MP will show up in the IIS logs as:

2005-02-04 17:03:48 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.136 ccmhttp 404 0 2
2005-02-04 17:03:48 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.174 ccmhttp 404 0 2
2005-02-04 17:03:50 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.148 ccmhttp 404 0 2
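The check described in the two sections above can be scripted. This is an added example, not part of the original document: it parses IIS W3C log lines, groups them by general status, and counts per client the management point requests from the ccmhttp agent that were answered with 404. The field order, the function names and the last two sample lines (including the package ID) are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed field order, matching the excerpt in the text; a "#Fields:" header
# in the log itself overrides it.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status").split()
STATUS_CLASS = {"2": "Success", "3": "Redirection",
                "4": "Client Error", "5": "Server Error"}

# First three lines come from the text; the last two are constructed.
SAMPLE_LOG = """\
2005-02-04 17:03:48 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.136 ccmhttp 404 0 2
2005-02-04 17:03:48 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.174 ccmhttp 404 0 2
2005-02-04 17:03:50 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.148 ccmhttp 404 0 2
2005-02-04 17:04:02 10.128.22.240 GET /SMS_DP_SMSPKGC$/XYZ00001/setup.exe - 80 - 10.128.22.136 ccmhttp 200 0 0
2005-02-04 17:04:10 10.128.22.240 GET /favicon.ico - 80 - 10.128.22.99 Mozilla/4.0 404 0 2
"""


def parse_log(text):
    """Yield one dict per request line, keyed by W3C field name."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def status_class(entry):
    """General status from the first digit of sc-status."""
    return STATUS_CLASS.get(entry.get("sc-status", "")[:1], "Unknown")


def blocked_mp_clients(entries, prefix="/ccm_system/", agent="ccmhttp"):
    """Count 404 responses per client IP for MP requests from the SMS agent."""
    hits = Counter()
    for e in entries:
        if (e.get("cs-uri-stem", "").lower().startswith(prefix)
                and e.get("cs(User-Agent)", "").lower() == agent
                and e.get("sc-status") == "404"):
            hits[e.get("c-ip", "?")] += 1
    return hits


def summarize(text):
    """Return (requests per general status, blocked MP clients)."""
    entries = list(parse_log(text))
    return Counter(status_class(e) for e in entries), blocked_mp_clients(entries)


if __name__ == "__main__":
    by_class, blocked = summarize(SAMPLE_LOG)
    print("Requests by general status:", dict(by_class))
    for ip, count in sorted(blocked.items()):
        print(f"{ip}: {count} MP request(s) answered 404; check URLScan.ini")
```

Clients that still receive 200 on the distribution point path while every /ccm_system/request returns 404 match the symptom described above, where package downloads work but policy and inventory traffic is blocked.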

NTFS Permissions for IUSR

This section covers the standard default NTFS permissions in a typical SMS environment. In a typical SMS environment, you will have a Management Point, a Reporting Point, a BITS-enabled Distribution Point, and a Server Locator Point. Each of these SMS site components requires a virtual directory within IIS and, consequently, NTFS permissions for each of those virtual directories.

Below is the default breakdown for those SMS components for reference.

Management Point (SMS_MP virtual directory)

○ Default path: c:\SMS_CCM\SMS_MP

○ Default NTFS Permissions:

■ Administrators-Full Control

■ Interactive-List Folder Contents

■ IUSR account-List Folder Contents

■ IWAM account-List Folder Contents

■ SYSTEM-Full Control

Management Point (CCM_Incoming virtual directory)

○ Default path: c:\sms\ccm\incoming

○ Default NTFS Permissions:

■ Administrators-Full Control

■ IUSR account-Special:

□ Traverse Folder/Execute File

□ List Folder/Read Data

□ Read Attributes

□ Read Extended Attributes

□ Create Files/Write Data

□ Create Folders/Append Data

□ Delete subfolders and files

□ Read Permissions

■ IWAM account-Special:

□ Traverse Folder/Execute File

□ List Folder/Read Data

□ Read Attributes

□ Read Extended Attributes

□ Create Files/Write Data

□ Create Folders/Append Data

□ Delete subfolders and files

□ Read Permissions

■ SYSTEM-Full Control

Management Point (CCM_Outgoing virtual directory)

○ Default Path: c:\SMS\CCM\Outgoing

○ Default Permissions:

■ Administrators-Full Control

■ IUSR Account-Read

■ IWAM Account-Read

■ SYSTEM-Full Control

Management Point (CCM_SYSTEM virtual directory)

○ Default Path: c:\SMS\CCM\ServiceData\System

○ Default Permissions:

■ Administrators-Full Control

■ Interactive-List folder contents

■ IUSR Account-List folder contents

■ IWAM Account-List folder contents

■ SYSTEM-Full Control

Reporting Point (SMSReporting virtual directory)

○ Default Path: C:\inetpub\wwwroot\SMSReporting_

○ Default Permissions:

■ Administrators-Full Control

■ SMS Reporting Users

□ Read & Execute

□ List Folder Contents

□ Read

■ SYSTEM-Full Control

BITS Distribution Point (SMS_DP_SMSPKGC$)

○ Default Path: C:\SMSPKGC$

○ Default Permissions:

■ Administrators-Full Control

■ Guests

□ Read & Execute

□ List Folder Contents

□ Read

■ Users

□ Read & Execute

□ List Folder Contents

□ Read

Server Locator Point (SMS_SLP virtual directory)

○ Default Path: C:\SMS\BIN\I386\SMS_SLP

○ Default Permissions:

■ Administrators-Full Control

■ Everyone

□ Read & Execute

□ List Folder Contents

□ Read

■ SYSTEM-Full Control

Resetting the Password for IUSR

This section describes how to perform a manual IUSR reset when the IUSR account has become out of sync, either through an attempted manual removal of IIS or through a failed attempt to reset the password via AD Users and Computers (or the local user interface on a member server).

1. Reset the IUSR password via the local user reset password option, or use AD Users and Computers if the machine happens to be a domain controller.

2. Reset the IUSR password in the metabase.xml or metabase.bin file using the Metabase Explorer tool, which can be downloaded from the following URL:

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

a. Open metabase explorer on the target machine where the password will be reset.

- A good plan is also to take a network trace from traffic between client – MP and MP – server

Basic difference between .MSI and .MST File

Packages (.MSI files)

This is the file that contains the instructions for MSIEXEC.EXE to install the application. The MSI file is a database file format and is now the preferred application packaging format for the Windows platform. Sometimes the MSI file gets too big and some or all of the files are placed in a .CAB file.

Transforms (.MST files)

In the MSI world, if you didn't create the MSI file, you want to keep the MSI file from the developer intact. To make changes beyond what the original MSI does, you use a transform. The transform is applied at the time that the MSI package is installed. If you repackaged an application and it failed, the original developer of the application would sometimes refuse to support it, since repackaging strips out their installation logic.

If you create your own MSI packages you can also use transforms to change some parameters for each department of your company. That way you have only one package to maintain and nobody can accuse you of doing a better package for one department vs. another.

Note: Transform files are in fact MSI files with a different file extension. The contents of both files are merged together at install time. They are not supposed to add files to the package, but there are ways. Wise Package Studio does allow adding files using transforms, but it creates a CAB file to bring the files in without breaking the MSI rules.

Script to ping a list of machines and export result in Excel File

Create a file named "MachineList.txt" and list the machine names in it, one per line.

Copy the script below into Notepad and save it as "ping_result.vbs" in the same folder.

Run the script from a command prompt opened in that same path.

Run method: cscript ping_result.vbs

Script:

' Ping every host listed in MachineList.txt and record the result in Excel.
Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add
intRow = 2
objExcel.Cells(1, 1).Value = "Machine Name"
objExcel.Cells(1, 2).Value = "Results"

Set Fso = CreateObject("Scripting.FileSystemObject")
Set InputFile = Fso.OpenTextFile("MachineList.txt")
' Create the shell object once instead of once per host.
Set WshShell = WScript.CreateObject("WScript.Shell")

Do While Not InputFile.AtEndOfStream
    HostName = Trim(InputFile.ReadLine)
    ' Skip blank lines so that ping is never run without a target.
    If HostName <> "" Then
        ' ping exits with 0 when a reply was received and non-zero otherwise.
        Ping = WshShell.Run("ping -n 1 " & HostName, 0, True)
        objExcel.Cells(intRow, 1).Value = HostName
        Select Case Ping
            Case 0
                objExcel.Cells(intRow, 2).Value = "On Line"
            Case Else
                objExcel.Cells(intRow, 2).Value = "Off Line"
        End Select
        intRow = intRow + 1
    End If
Loop
InputFile.Close

' Format the header row and size the columns to fit.
objExcel.Range("A1:B1").Select
objExcel.Selection.Interior.ColorIndex = 19
objExcel.Selection.Font.ColorIndex = 11
objExcel.Selection.Font.Bold = True
objExcel.Cells.EntireColumn.AutoFit

Understanding difference between WQL and SQL

Below are a few points that distinguish WQL from SQL:

WMI provides its own query language that allows you to query managed objects as data providers.

WMI Query Language (WQL) is essentially a subset of SQL (Structured Query Language) with minor semantic changes.

Unlike SQL, WQL does not provide statements for inserting, deleting, or updating data and does not support stored procedures.

WQL does have extensions that support WMI events and other features specific to WMI. WQL is the basis for Configuration Manager queries, whereas SQL is used for ConfigMgr reports.

One important advantage of WQL is that a WQL query can return WMI objects as well as specific properties.

Because management applications such as the Configuration Manager console interact with WMI objects, WQL queries can return result sets that you can use within the ConfigMgr infrastructure.

For example, Configuration Manager collections are based on WQL queries.

Benefits of Extending Active Directory

Once you extend the Active Directory schema and perform the other steps necessary to publish site information to AD, clients in the same AD forest as your ConfigMgr sites can query AD to locate Configuration Manager services and retrieve important information about your ConfigMgr sites. Those clients in workgroups and domains without trust relationships are not able to take advantage of the schema extensions.

The following ConfigMgr features require extending the AD schema and publishing site information to AD:

Global roaming—Roaming in ConfigMgr allows clients such as laptop computers to connect to the network at various locations and receive certain services from the local site. The schema extensions allow a client to query AD for the mSSMSRoamingBoundaryRange objects and determine whether a site exists on the IP subnet of their current network location. This is known as global roaming. Without the schema extensions, clients can only receive services when at their assigned site or roaming to the sites below their assigned site in the ConfigMgr hierarchy.

Global roaming can make content available to clients at network locations where it would otherwise not be available. Global roaming can also prevent unnecessary network traffic otherwise caused by those clients at remote locations requiring services from their assigned site.

Network Access Protection—You can use ConfigMgr’s NAP capabilities to prevent clients that do not comply with specified security patch requirements from connecting to the network. NAP requires the client to retrieve health state reference information stored in the attributes of the mSSMSSite AD object.

Client site assignment—To receive ConfigMgr services, you must first assign a client system to a site. The schema extensions provide an option for the client to retrieve the information from AD that it needs to identify and contact its assigned site.

Client installation properties—A number of configurable options, such as the size of the download cache, are available through the extended schema.

Site mode settings—The extended schema can supply information to the client about the site’s security mode and certificate information required for native sites.

Server locator point and management points—Clients can use Active Directory to identify the server locator point and management points. Without the schema extensions you must provide this information in other ways, such as manually creating special Windows Internet Naming Service (WINS) entries.

Custom Transmission Control Protocol (TCP)/Internet Protocol (IP) Port information—If a site has been configured to use nonstandard ports for client communications, this information can be provided through the schema extensions.

In addition, the schema extensions allow for automated public key exchange, thus facilitating site-to-site communication. If you have clients assigned to your central site and do not have the schema extended, recovery from a site failure can require reprovisioning all clients manually using the trusted root key.

Choose Between a Standard and Branch Distribution Point

Before deciding to protect any distribution points, you need to know the following information:

The location of all distribution points in the site

The location of all distribution points in the hierarchy if you support roaming

The location and available bandwidth of any slow network links

The largest package sizes you tend to distribute

You should consider protecting a distribution point if any of the following are true:

The distribution point is across a slow network link from other clients in the site

The distribution point is a branch distribution point

You frequently distribute large packages and want only clients closest to the distribution point to download content from it

You should be careful about protecting all distribution points in the site for the following reasons:

If all distribution points in the site are protected but not all boundaries are assigned to protected distribution points, a client belonging to an unassigned boundary will be unable to access any distribution points and the package will fail.

If a client roams to a new site and the package is not available in the resident site, the client will attempt to fall back to the assigned site but will fail if all of the distribution points in the assigned site are protected. For more information about roaming scenarios involving protected distribution points.

If you protect your distribution points, for each advertisement or software update deployment that you create, you must consider whether to allow clients to fall back to unprotected distribution points when the content is not available on the protected distribution point. Before making the decision, consider the following factors:

If the package is very large and would consume too much bandwidth, you can prevent fallback to unprotected distribution points, understanding that the clients might not receive the content at all.

If the package is small or if the content is critical, you can allow fallback to unprotected distribution points.

Choose between Server and Server Share Distribution Point

Server

Advantages:

1. Configuration Manager 2007 automatically creates a common package share when the first package is copied to the distribution point.

2. There is less chance of failing to copy a package because Configuration Manager 2007 creates a new SMSPKGx$ share when more space is needed.

3. The server can be configured as a branch distribution point.

4. The server can be configured to support Internet-based clients.

Disadvantages

1. Every time Configuration Manager 2007 copies a package to the distribution point, it chooses the NTFS drive with the most free space, making it difficult to determine which drive letter will hold the new package.

2. Configuration Manager 2007 can take over all available NTFS disk space on the server.

Server Share

Advantages

Configuration Manager 2007 will not use space reserved for other functions on other partitions.

Disadvantages

1. Administrator must manually create a shared folder before creating the new site system server share.

2. Configuration Manager 2007 might fail to create a package if there is no free space on the partition where the shared folder was created.

3. Configuration Manager 2007 does not create a data discovery record (DDR) to monitor the health of the site system.

4. The server share cannot be configured as a branch distribution point.

5. The server share cannot be configured to support Internet-based clients.

Difference between Refresh DP and Update DP: SMS/SCCM

Updating distribution points includes these steps:

Recopy the source files for a package to the compressed version located at the site where the package originated.

Copy the source files to the local distribution points.

Replicate the new compressed version to all child sites that are selected as distribution points for this package.

Refreshing the package includes this step:

Replicate the existing compressed version of the source files to selected distribution points.

What's the difference between Security Patch, HotFix and Service Pack?

Security Patch - Publicly released update to fix a known bug/issue

A security patch is a change applied to an asset to correct the weakness described by a vulnerability. This corrective action will prevent successful exploitation and remove or mitigate a threat’s capability to exploit a specific vulnerability in an asset.

Security patches are the primary method of fixing security vulnerabilities in software. Currently Microsoft releases their security patches once a month, and other operating systems and software projects have security teams dedicated to releasing the most reliable software patches as soon after a vulnerability announcement as possible.

Hotfix - update to fix a very specific issue, not always publicly released

A hotfix is a single, cumulative package that includes one or more files that are used to address a problem in a software product (i.e. a software bug). Typically, hotfixes are made to address a specific customer situation and may not be distributed outside the customer organization.

A hotfix package might contain several encompassed bug fixes, raising the risk of possible regressions. An encompassed bug fix is a software bug fix which is not the main objective of a software patch, but rather a side effect of it. Because of this, some libraries for automatic updates, like StableUpdate, also offer features to uninstall the applied fixes if necessary.

In a Microsoft Windows context, hotfixes are small patches designed to address specific issues, most commonly to freshly-discovered security holes. These are small files, often automatically installed on the computer with Windows Update (although some may only be able to be obtained via Microsoft Support) and could contain a hot patch eliminating the need for a reboot.

Service Pack - Large Update that fixes many outstanding issues, normally includes all Patches, Hotfixes, Maintenance releases that predate the service pack.

A service pack (in short, SP) is a collection of updates, fixes and/or enhancements to a software program delivered in the form of a single installable package. Many companies, such as Microsoft or Autodesk, typically release a service pack when the number of individual patches to a given program reaches a certain (arbitrary) limit. Installing a service pack is easier and less error-prone than installing a high number of patches individually, even more so when updating multiple computers over a network. Service packs are usually numbered, and thus referred to in short as SP1, SP2, SP3, etc.