Tag: Troubleshooting

Windows 10 – Provisioning Packages – Install multiple Applications by Command Line

Sailor,

this is part 5 of my series about Windows 10 provisioning packages:

Continue reading

SCCM Client Activity: Active / Inactive

Ahoey Pirate!

Recently I had an issue where every client went from active to inactive.

2015_02_17_17_39_06_Remotedesktopverbindung.png_2

 

At Site Status SMS_MP_CONTROL_MANAGER reported Management point as “critical” with two significant errors:

 

“MP could not write out CCM setting to WMI.

Possible cause: MP didn’t get installed properly.
Solution: Ensure MP setup succeeded; if not, reinstall MP”

 

and

 

“SMS Executive detected that this component stopped unexpectedly.

Possible cause: The component is experiencing a severe problem that caused it to stop unexpectedly.
Solution: Refer to your ConfigMgr Documentation or the Microsoft Knowledge Base for further troubleshooting information.”

 

For me the next step was to look into mpcontrol.log where I found these errors

2015-02-18 09_07_03- Remotedesktopverbindung

 

 

“CMPControlManager::WriteToCCMSettings(): pWmi->GetObject() failed – 0x80041002”

“MPStart(): WriteToCCMSettings() failed – 0x80041002”

“SMS_MP_CONTROL_MANAGER failed to start with 0x80041002”

“CMPControlManager::ReadConfigurationSettings(): m_pWmi->GetObject() failed – 0x80041010”

 

For me it seemed to be an issue with WMI. So first thing I tried was to connect to a client with Windows Management Instrumentation Tester (wbemtest) and that worked. Next I tried to do a clean client installation by using the “Uninstall existing Configuration Manager client before the client is installed” function. The client installation aboarded nearly instant with the following message:

 

“GetDPLocations failed with error 0x8000ffff”

“Failed to get DP locations as the expected version from MP ‘[SERVERNAME]’. Error 0x8000ffff”

 

So I tried to figure out if the client is able to connect to the management point. Therefore you can use your Web browser and type in following adress

 

HTTP://[Hostname or FQDN]/SMS_MP/.SMS_AUT?MPCERT

 

instead of something like this:

 

2015-02-18 10_39_03- Remotedesktopverbindung

 

I got an Internal server error.

So everything pointet out to be a faulty or misconfigured management point and I decided to reinstall that role. So I opened up Administration\Overview\Site Configuration\Servers and Site System Roles\ selected the affected Management Point and hit on Remove Role. In MPSetup.log you can follow the deinstallation.

 

2015-02-18 10_59_05- Remotedesktopverbindung_2

 

After a while I reinstalled the Management Point.

 

2015-02-18 11_41_17- Remotedesktopverbindung_2

Management Point was available via Internet Explorer and my client reported Client Activity as Active. Problem solved!

 

Good luck

*Captain

 

run as account cannot log on locally

Sailors,

I’ve set up a new SCOM environment at a customers side. Once the installation and the base configuration was finished, I let the server run and collect alerts for several days. On the next workshop day we had a lot of warnings like these and the customer asked me why:

CLEAN_run_as_account cannot log on locally

I have to admit, I was a litte bit confused in the beginning too, because I’m trying to configure my environments on the least privilege way. But then I recognized, that the customers admin has started to configure Run As Accounts on his own way and it became clearer…

If you create a Run as Account of type “Windows” and set the Distribution of this account to “less secure” this account gets distributed to every system and SCOM trys to autenticate with every “less secure” Run As Account on every system.

 

Run_As_Account_Type_Windows

You shouldn’t use “less secure” accounts at all. Work with more secure accounts and specify the servers on which you want them to be provided to.

 

Aaaaaaaaarrrrr

*Captian

Configuration Manager cannot create the object “SMS-Site-XXX” in Active Directory

Ahoy Sailor,

a few weeks ago I had a case at a customers site where the following event showed up in ConfigMgr Site status.

2014_09_18_14_19_35_P01_wwmmpb000319_Remote_Desktop_Connection

Configuration Manager cannot create the object “cn=SMS-MP-[SiteCode]-[FQDN]” in Active Directory ([DOMAIN]).

Possible cause: The site server’s machine account may not have full control rights for the “System Management” container in Active Directory
Solution: Give the site server’s machine account full control rights to the “System Management” container, and all child objects in Active Directory.

Possible cause: Another Active Directory object named “cn=SMS-MP-[SiteCode]-[FQDN]” already exists somewhere outside of the “System Management” container
Solution: Locate the other object with the same name, and delete the object from its current location.  Then allow the site to create a new object.

Possible cause: The Active Directory schema has not been extended with the correct ConfigMgr Active Directory classes and attributes.
Solution: Turn off Active Directory publishing for each site in the forest, until the schema can be extended.  The schema can be extended with the tool “extadsch.exe” from the installation media.

2014_09_18_14_23_13_P01_wwmmpb000319_Remote_Desktop_Connection

 

 

Configuration Manager cannot create the object “SMS-Site-[SiteCode]” in Active Directory ([Domain]).

Possible cause: The site server’s machine account may not have full control rights for the “System Management” container in Active Directory
Solution: Give the site server’s machine account full control rights to the “System Management” container, and all child objects in Active Directory.

Possible cause: Another Active Directory object named “SMS-Site-[SiteCode]” already exists somewhere outside of the “System Management” container
Solution: Locate the other object with the same name, and delete the object from its current location.  Then allow the site to create a new object.

Possible cause: The Active Directory schema has not been extended with the correct ConfigMgr Active Directory classes and attributes.
Solution: Turn off Active Directory publishing for each site in the forest, until the schema can be extended.  The schema can be extended with the tool “extadsch.exe” from the installation media.

 

For me the error seemed to be very obvious. So I decided to do the schema extension.

Referring on TechNet the ExtAdSch.exe is a good way to do this so I executed extadsch.exe on a domain controller. Unfortunately this did not work the first time…

 

<09-19-2014 17:21:29> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:21:29> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:21:30> Defined attribute cn=MS-SMS-Site-Code.
<09-19-2014 17:21:30> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<09-19-2014 17:21:30> Defined attribute cn=MS-SMS-Site-Boundaries.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-Default-MP.
<09-19-2014 17:21:31> Defined attribute cn=mS-SMS-Device-Management-Point.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-MP-Name.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-MP-Address.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Health-State.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Source-Forest.
<09-19-2014 17:21:32> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<09-19-2014 17:21:32> Defined attribute cn=MS-SMS-Ranged-IP-High.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Version.
<09-19-2014 17:21:33> Defined attribute cn=mS-SMS-Capabilities.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Management-Point.  Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Server-Locator-Point.  Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Site.  Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Roaming-Boundary-Range.  Error code = 8202.
<09-19-2014 17:21:33> Failed to extend the Active Directory schema, please find details in “C:\ExtADSch.log”.

<09-19-2014 17:25:47> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:25:47> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:25:47> Attribute cn=MS-SMS-Site-Code already exists.
<09-19-2014 17:25:47> Attribute cn=mS-SMS-Assignment-Site-Code already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Site-Boundaries already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Roaming-Boundaries already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Default-MP already exists.
<09-19-2014 17:25:48> Attribute cn=mS-SMS-Device-Management-Point already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-MP-Name already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-MP-Address already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Health-State already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Source-Forest already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-Ranged-IP-Low already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-Ranged-IP-High already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Version already exists.
<09-19-2014 17:25:50> Attribute cn=mS-SMS-Capabilities already exists.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Management-Point.  Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Server-Locator-Point.  Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Site.  Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Roaming-Boundary-Range.  Error code = 8202.
<09-19-2014 17:25:50> Failed to extend the Active Directory schema, please find details in “C:\ExtADSch.log”.

 

Turned out that I didn’t pick the schema master. So I had to figure out which server the schema admin is. Therefore I used the following command…

netdom /query fsmo

2014_09_19_17_53_44_MyDesk_Desktop_Viewer

Executing the extadsch.exe on the schema master and everything was fine…

<09-19-2014 17:46:19> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:46:19> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Site-Code already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Assignment-Site-Code already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Site-Boundaries already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Roaming-Boundaries already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Default-MP already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Device-Management-Point already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-MP-Name already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-MP-Address already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Health-State already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Source-Forest already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Ranged-IP-Low already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Ranged-IP-High already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Version already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Capabilities already exists.
<09-19-2014 17:46:20> Defined class cn=MS-SMS-Management-Point.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Server-Locator-Point.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Site.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<09-19-2014 17:46:21> Successfully extended the Active Directory schema.

<09-19-2014 17:46:21> Please refer to the ConfigMgr documentation for instructions on the manual
<09-19-2014 17:46:21> configuration of access rights in active directory which may still
<09-19-2014 17:46:21> need to be performed. (Although the AD schema has now be extended,
<09-19-2014 17:46:21> AD must be configured to allow each ConfigMgr Site security rights to
<09-19-2014 17:46:21> publish in each of their domains.)

 

*Captain

© 2017 IT-Pirate