For more information about client deployment in Configuration Manager 2007, see Planning and Deploying Clients for Configuration Manager 2007.
If Configuration Manager 2007 clients are successfully installed and assigned to a site but fail to download policy, a likely reason is that either the site has no default management point or clients cannot locate it.
Solution
Make sure that a default management point is configured for the site. For more information, see How to Configure the Default Management Point for a Site.
Clients find their default management point using one of the following service location requests:
- Active Directory Domain Services (if the schema is extended for Configuration Manager 2007)
- DNS (if Configuration Manager 2007 is configured for DNS publishing)
- Server locator point
- WINS (mixed mode only)
Ensure that one of these mechanisms is available to clients. For more information, see Configuration Manager and Service Location (Site Information and Management Points).
Configuration Manager 2007 helps to ensure that each Configuration Manager 2007 client is uniquely identified. If a duplicate hardware ID is identified, by default Configuration Manager 2007 automatically creates a new client record for the duplicate record. This setting allows you to easily upgrade or deploy clients that might have duplicate hardware IDs, without requiring manual intervention. However, with this setting, a computer that has been re-imaged or restored from backup will have a new record created, which results in all previous information about that client being no longer available for reporting purposes.
An alternative configuration is to require the administrator to manually reconcile all conflicting records when they are detected. This setting results in affected clients being unmanaged and no longer displaying in collections, but displaying in the Conflicting Records node. These clients will remain unmanaged until the administrator resolves the conflict.
For more information, see the section "Managing Client Identity" in What's New in Client Deployment for Configuration Manager.
Solution
When a new record has been created, you cannot get back previous data for the client, but you can reconfigure Configuration Manager so that it does not automatically create new records in the future.
If clients are unmanaged and missing from collections, check the Conflicting Records node so that you can manually reconcile the records by merging them, creating a new record, or blocking the new record.
For more information about how to configure the site-wide setting and how to manually resolve conflicting records, see How to Manage Conflicting Records for Configuration Manager Clients.
If you view the following reports and they do not contain client data, ensure that clients are assigned to a fallback status point:
- Client Assignment Detailed Status Report
- Client Assignment Failure Details
- Client Assignment Status Details
- Client Assignment Success Details
- Client Deployment Failure Report
- Client Deployment Status Details
- Client Deployment Success Report
- Issues by incidence detail report for a specific collection
- Issues by incidence summary report for a specific collection
- Issues by incidence detail report for a specific site
- Issues by incidence summary report
Solution
Assign a fallback status point to Configuration Manager 2007 clients, and view the reports from the site in which the fallback status point is installed.
Note |
---|
SMS 2003 clients do not use these reports. |
For more information, see the following:
- About Reports for Configuration Manager Clients
- How to Create a Fallback Status Point in Configuration Manager
- How to Assign the Fallback Status Point to Configuration Manager Client Computers
Additionally, if you are deploying a high number of clients at the same time, there might be a delay in processing all the state messages sent from the fallback status point to the site. In this scenario, wait for the data to appear and consider configuring the throttling settings on the fallback status point. For more information about the throttling settings, see Determine If You Need to Configure Throttle Settings for the Fallback Status Point in Configuration Manager.
Error conditions reported by clients might be displayed using standard Microsoft Windows error codes, without a description of the error. Or they might use error codes that are specific to Configuration Manager 2007.
Solution
For information about how to map these error codes to an error description, see http://go.microsoft.com/fwlink/?LinkId=103419.
If Configuration Manager 2007 clients fail to obtain software updates from Configuration Manager and they have an Active Directory Group Policy setting configured for software update point based client installation, a likely reason is that the Active Directory Group Policy object is incorrectly configured.
The software updates feature automatically configures a local Group Policy setting for the Configuration Manager 2007 client so that it is configured with the software update point source location and port number. Both the server name and port number are required for the software updates client to find the software update point.
If an Active Directory Group Policy setting is applied to computers for software update point client installation, this overrides the local Group Policy setting. Unless the value of the setting is exactly the same (server name and port), the Configuration Manager 2007 software updates feature will fail on the client.
The following entries appear in the software updates log file WUAHandler.log:
[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://server and Policy ENABLED]LOG
Solution
The software update point for client installation and software updates must be the same server, and it must be specified in the Active Directory Group Policy setting with the correct name format and with the port information (for example, http://server1.contoso.com:80 if the site system server is not configured to use a fully qualified domain name and is using the default Web site).
For more information, see How to Install Configuration Manager Clients Using Software Update Point Based Installation.
When you switch the Configuration Manager 2007 client to a different site mode while the installation of Background Intelligent Transfer Service (BITS) is pending a restart, the client computer might not be able to send hardware inventory files to the management point. Entries similar to the following will appear in DataTransferService.log on the client computer:
DTS::AddTransportSecurityOptionsToBITSJob - Failed to QueryInterface for IBackgroundCopyJobHttpOptions. BITS 2.5+ may not be installed properly.
Solution
Restart the computer, and then reinstall the Configuration Manager 2007 client software.
When you uninstall a Configuration Manager 2007 site without first deselecting the option Enable Software Update Point Client Installation on the Software Update Point Client Installation Properties dialog box, the client will remain published as a software update in Windows Server Update Services (WSUS). If you then reinstall a Configuration Manager 2007 site with a newer client version and publish the client to WSUS, both client versions will be published.
Solution
Clear the check box Enable Software Update Point Client Installation in the General tab of the Software Update Point Client Installation Properties dialog box before uninstalling a Configuration Manager 2007 site. You can also use the WSUS console to remove published software updates.
For more information, see How to Install Configuration Manager Clients Using Software Update Point Based Installation.
Client resynchronization is triggered when the state message system believes that data is missing from a client computer. When a high number of resynchronizations occur, this might cause a backlog of state messages that adversely affects the performance of the fallback status point server and of the Configuration Manager 2007 site server.
To identify whether clients are undergoing resynchronization, use the following SQL query to discover how many clients have resynchronized in the last seven days:
For information about creating queries, see How to Create a Query.
Solution
Wait for the backlog to clear. Alternatively, consider changing the default throttle interval on the fallback status point to limit the number of state messages sent to the site server. For more information, see Determine If You Need to Configure Throttle Settings for the Fallback Status Point in Configuration Manager.
Manually approving and blocking (or unblocking) a client is not supported from sites other than the client's assigned site. These options are not available when you right-click clients from sites higher in the hierarchy than their assigned site.
Solution
Perform these actions from the client's assigned site. For more information, see the following:
When Configuration Manager 2007 site systems are configured with a fully qualified domain name (FQDN) that is a CNAME (DNS alias) rather than the computer name registered in Active Directory Domain Services, the CNAME must be configured with a Kerberos service principal name (SPN) whenever Windows authentication is used. For example, Windows authentication is required in the following scenarios:
- Users initiate content download from distribution points on site systems configured with CNAMEs, and the content is not configured for anonymous access.
- The site is in mixed mode and configured with the option Automatically approve computers in trusted domains (recommended), and the management point site system is configured with a CNAME.
When Windows authentication fails in the preceding scenarios, the client records an HTTP 401 error in the log files Datatransferservice.log (for content download failures) and ccmexec.log (for automatic approval failures).
Note |
---|
If you see these 401 errors, even if the CNAME SPN is registered, it might be configured incorrectly. Re-register it using the procedure in the following solution. |
Solution
For all site systems configured to use a CNAME, register the SPN using the Windows Setspn tool with the following syntax:
Setspn –A HTTP/CNAME_FQDN computername
The Setspn tool is included in Windows Server 2003 Support Tools. You can install Windows Server 2003 Support Tools from the Support\Tools folder of the Windows Server 2003 startup disk. By default, the support tools install in the folder C:\Program Files\Support Tools.
For more information about using SPNs with IIS, see the following article that explains how to use SPNs when you configure Web applications that are hosted on IIS 6.0: http://go.microsoft.com/fwlink/?LinkId=94785.
Important |
---|
If you have configured a network load balancing (NLB) management point with a CNAME, do not use this procedure for the cluster name. Instead, follow the instructions in the following topic: How to Configure an SPN for NLB Management Point Site Systems. |
If clients assigned to the site can install software updates and run advertisements when they are directly connected to the intranet but not when they are connected over a virtual private network (VPN) connection, this is likely to be a configuration issue related to boundaries and the software update deployment or advertisement configuration.
If you haven't defined the VPN scope used by these clients as a boundary for their assigned site, the VPN connection will be considered to be within a slow network boundary. You will also see this issue if you have defined the VPN scope as a boundary but it is configured as a slow network boundary rather than a fast network boundary. In either of these scenarios, if software update deployments or advertisements are configured to not install for clients connected to a slow network boundary (the default configuration), VPN clients will not be able to access this content until they are connected directly to the intranet (on a defined, fast network boundary).
Solution
There are two possible solutions to this scenario. Select the solution that best meets your business requirements:
- If the VPN connection is fast and reliable enough that you want these clients to be considered as if they are connected directly to the intranet at their assigned site, configure a fast boundary. This will help ensure that they can always install advertisements and software update deployments available at their assigned site when they are connected over the VPN. Consult the VPN administrator to obtain a list of possible addresses for clients when they connect over the VPN, and use this information to create a fast network boundary with these addresses. Make sure that you are informed of any VPN scope changes so that you can modify the associated boundary information.
- If the VPN connection is not fast or reliable but selected software update deployments and advertisements are critical for VPN clients, reconfigure the software update deployments and advertisements. Configure them with the option to download content and run locally instead of the default option to not install when clients are connected within a slow network boundary. However, this can result in other clients also installing this content when they are roaming to another site if they fall back to asking their default management point for content.
For more information about configuring boundaries, see Planning Configuration Manager Boundaries and New Boundary Dialog Box.
For more information about when roaming clients fall back to accessing content at their assigned site from remote sites, see About Client Roaming in Configuration Manager and Example Roaming Scenarios for Configuration Manager: Simple.
When a client computer requests a user policy and finds that no policy updates are available, the message Validation data missing or invalid is generated in the log file PolicyAgent.log.
Solution
None. This is a benign error message and will not interfere with the operation of a Configuration Manager 2007 site.
If the Configuration Manager 2007 client is installed using the DISABLECACHEOPT=TRUE installation property, the user is unable to change the size of the temporary program download (cache) folder. However, the Amount of disk space to use (MB) item in the Advanced tab of the Configuration Manager Properties dialog box displays the value of 0, regardless of the size the folder has been set to.
Solution
There is currently no solution or workaround for this issue.
After client installation and at every restart of the client, the following is logged in the file CCMexec.log:
Error registering hosted class '{E67DBF56-96CA-4e11-83A5-5DEC8BD02EA8}'. Code 0x80040154
For more information about client log files, see Log Files for Managing Configuration Manager Clients.
Solution
This log entry does not identify a problem with the client and can be safely ignored.
Enjoy,
Paddy
0 comments:
Post a Comment