Domain client behaving like a workgroup one!!
Greetings, long time no post!!

We have a customer with a very strict AD (single domain) locked down to policy domains applied to separate OUs. These OUs are role based and contain all computer objects and security groups. These are also separated by firewall policies.

The schema is extended and changes are being written to it successfully.

We have all our SCCM/SQL servers (mixed mode) sitting in one OU (with its own domain policy) and clients (servers at this juncture) sitting in one or more other OUs. All accounts/service accounts/user accounts have appropriate access to all objects.

Servers have been built using SCCM/OSD and have the client installed; boundaries are correct and these are still showing as assigned when in the new OU.

All "firewall" port requirements are controlled on a policy domain to policy domain basis, and not IP to IP (hope that makes sense). Ports are open between clients and SCCM (custom HTTP for both client and SUP) and all tests prove these work OK (MP URL test and portqry). Port 3268 is open between clients and AD domain controllers (confirmed with portqry).

HOWEVER, when doing a manual discovery from any client, the ClientLocation and LocationServices logs indicate that the AD schema has not been extended, and the client cannot verify the site version.

Manual install of the client using SMSSLP= or using the registry key is 100% successful; however, this is NOT an acceptable fix.

Any thoughts or ideas on why these clients are not reading the GC properly would be very greatly appreciated.

Thank you for your time,
Nick B, Solutions Architect
August 26th, 2011 1:08pm

Hopefully the SCCM computer accounts have access to the System Management container and the related objects (SMS-Site-<sitecode> and SMS-MP-<servername>) are already created.

Anoop C Nair - Twitter @anoopmannur MY BLOG: http://anoopmannur.wordpress.com SCCM Professionals This posting is provided AS-IS with no warranties/guarantees and confers no rights.
August 26th, 2011 1:19pm

Thanks for the reply. Yes, SCCM is functioning perfectly apart from this issue. As I've already stated, the schema is extended, the objects are there and are being updated; scopes can be created/removed, roles can be moved between servers (MP/SUP/SLP etc.) and always register in AD perfectly. I checked the GC against each client logon server (probably around 20 domain controllers) to make sure it's being replicated, and it is. I've been working with SCCM (and SMS before that) a long time and have never seen this before.

Solutions Architect
August 26th, 2011 5:05pm

Hello - I would have tried to enable verbose and debug mode on the client machine so that we can get more detailed error logs from LocationServices.log: http://blogs.msdn.com/b/gabeb/archive/2008/08/06/enabling-debug-and-verbose-logging-in-configmgr-2007.aspx

Anoop C Nair - Twitter @anoopmannur MY BLOG: http://anoopmannur.wordpress.com SCCM Professionals This posting is provided AS-IS with no warranties/guarantees and confers no rights.
August 26th, 2011 5:22pm

You said "locked down". Did they change the permissions on the System Management container or the ConfigMgr objects so that the clients do not have permissions to view them?

Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
August 26th, 2011 8:24pm

Authenticated Users have Read Special, where Special = List Contents, Read All Properties and Read Permissions. The same is true for Anonymous. Will try and set verbose logging on an appropriate client and post as soon as I have an update. Thanks all.

Solutions Architect
August 30th, 2011 10:00am

Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:

1. Extend the Active Directory schema.
2. Create the System Management container.
3. Set security permissions on the System Management container.
4. Enable Active Directory publishing for the Configuration Manager site.

You may confirm whether all of the steps are done. You can refer to: How to Extend the Active Directory Schema for Configuration Manager http://technet.microsoft.com/en-us/library/bb633121.aspx

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 30th, 2011 12:03pm

You can get more details by enabling the debug and verbose logging on the client machine (http://blogs.msdn.com/b/gabeb/archive/2008/08/06/enabling-debug-and-verbose-logging-in-configmgr-2007.aspx). Why don't you try that?

Anoop C Nair - Twitter @anoopmannur MY BLOG: http://anoopmannur.wordpress.com SCCM Professionals This posting is provided AS-IS with no warranties/guarantees and confers no rights.
August 30th, 2011 12:20pm

@Arthur - yes, this has all been done successfully. Without wishing to be rude, I really do know what I'm doing, and have been working with SCCM/SMS for many years and designed and implemented many solutions.

@An00p - yep, all done, and it pretty much confirms the existing logging text with no real added info. Happy to post a section if required (will try and keep it concise). Thanks.

Solutions Architect
August 30th, 2011 1:10pm

Have you been able to see any lines like "(&(&(&(&(ObjectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries"? Please go through the lines before and after this line.

Anoop C Nair - Twitter @anoopmannur MY BLOG: http://anoopmannur.wordpress.com SCCM Professionals This posting is provided AS-IS with no warranties/guarantees and confers no rights.
August 30th, 2011 1:29pm

Not for boundaries, but for MP:

Current AD site of machine is "valid AD site name" 1	LocationServices	30/08/2011 09:06:09	2060 (0x080C)
Successfully retrieved the local machine subnet information	LocationServices	30/08/2011 09:06:09	2060 (0x080C)
Attempting to query AD for site code	LocationServices	30/08/2011 09:06:09	2060 (0x080C)
Client is not in Native mode, IBCM is not supported.	LocationServices	30/08/2011 09:06:09	1152 (0x0480)
Local Machine is joined to an AD domain	LocationServices	30/08/2011 09:06:09	1152 (0x0480)
Attempting to retrieve MP certificate encryption info from AD	LocationServices	30/08/2011 09:06:09	1152 (0x0480)
MP search filter is '(&(ObjectCategory=mSSMSManagementPoint)(|(mSSMSSiteCode=CEN)))'	LocationServices	30/08/2011 09:06:09	1152 (0x0480)
Failed to retrieve MP certificate encryption info from AD.	LocationServices	30/08/2011 09:06:09	1152 (0x0480)
There are no management points to send the MPLIST1 request to.	LocationServices	30/08/2011 09:06:09	1152 (0x0480)
Successfuly executed task to refresh encryption certificate info.	LocationServices	30/08/2011 09:06:09	1152 (0x0480)
Client is not in Native mode, IBCM is not supported.	LocationServices	30/08/2011 09:06:14	1152 (0x0480)
Client is not in Native mode, IBCM is not supported.	LocationServices	30/08/2011 09:06:44	1132 (0x046C)
System is not in quarantine state.	LocationServices	30/08/2011 09:07:09	1984 (0x07C0)
Unknown task LSProxyMPModificationTask in non-quarantine - ignoring.	LocationServices	30/08/2011 09:07:09	1984 (0x07C0)
Executing Task LSRefreshLocationsTask	LocationServices	30/08/2011 09:43:02	4044 (0x0FCC)
Executing Task LSRefreshLocationsTask	LocationServices	30/08/2011 10:43:02	1588 (0x0634)
Executing Task LSRefreshLocationsTask	LocationServices	30/08/2011 11:43:02	2864 (0x0B30)
Executing Task LSRefreshLocationsTask	LocationServices	30/08/2011 12:43:02	2156 (0x086C)

Solutions Architect
August 30th, 2011 2:48pm
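The log above shows the client issuing an LDAP search for mSSMSManagementPoint objects with mSSMSSiteCode=CEN and getting nothing back, while the earlier posts establish that the System Management container grants Authenticated Users read access and that TCP 3268 (Global Catalog) is open. The script below is an added example written for this thread; it is not code from the original posts or from Microsoft. It replays the client's MP lookup from a client machine two ways, once against the Global Catalog (what the ConfigMgr client does) and once over plain LDAP against the System Management container in the client's own domain, and then lists the container ACEs that apply to the caller. The site code CEN comes from the log; everything else (output layout, the choice to dump every returned attribute) is this example's own. Run it as LocalSystem (for instance `psexec -s powershell.exe -File .\Test-CMAdLookup.ps1`) so the bind uses the computer account, as the client agent does.

```powershell
<#
  Added example for this thread (not from the original posts or from Microsoft).
  Replays the ConfigMgr client's management point lookup from a client machine:
    1. GC query from the forest root (TCP 3268) - what the client does
    2. LDAP query against the System Management container (TCP 389) - control
    3. ACEs on the System Management container for the calling security context
  Assumption: site code 'CEN', taken from the LocationServices.log excerpt above.
  Run as LocalSystem (e.g. psexec -s) to bind with the computer account.
#>
param(
    [string]$SiteCode = 'CEN'
)

# RootDSE gives us the forest root and the client's own domain naming context.
$rootDse  = [ADSI]'LDAP://RootDSE'
$forestDn = [string]$rootDse.rootDomainNamingContext
$domainDn = [string]$rootDse.defaultNamingContext
$whoami   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Forest root : $forestDn"
Write-Host "Domain      : $domainDn"
Write-Host "Running as  : $whoami"

# The same filter the client logs, without the redundant (|( )) nesting.
$filter = "(&(objectCategory=mSSMSManagementPoint)(mSSMSSiteCode=$SiteCode))"

function Find-CMObjects {
    param([string]$SearchRoot, [string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$SearchRoot
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 200
    try {
        return @($searcher.FindAll())
    } catch {
        Write-Warning "Query against $SearchRoot failed: $($_.Exception.Message)"
        return @()
    }
}

# 1. Global Catalog, rooted at the forest root: the client's view (port 3268).
$gcResults = Find-CMObjects -SearchRoot "GC://$forestDn" -Filter $filter

# 2. Control: same filter over plain LDAP at the System Management container.
$smcDn       = "CN=System Management,CN=System,$domainDn"
$ldapResults = Find-CMObjects -SearchRoot "LDAP://$smcDn" -Filter $filter

$sets = @(
    @{ Name = 'GC   (3268)'; Results = $gcResults   },
    @{ Name = 'LDAP (389) '; Results = $ldapResults }
)
foreach ($set in $sets) {
    Write-Host ""
    Write-Host "== $($set.Name): $($set.Results.Count) MP object(s) for site $SiteCode =="
    foreach ($r in $set.Results) {
        # Dump every attribute the server returned; on the GC this is limited to
        # attributes that are members of the partial attribute set, so a missing
        # attribute here that is present over LDAP points at the GC path.
        foreach ($p in $r.Properties.PropertyNames) {
            Write-Host ('  {0,-28} {1}' -f $p, ($r.Properties[$p] -join ', '))
        }
        Write-Host ""
    }
}

# 3. ACEs on the System Management container that reach this caller's tokens.
$smc = [ADSI]"LDAP://$smcDn"
try {
    $aces = $smc.psbase.ObjectSecurity.Access |
        Where-Object {
            $_.IdentityReference -like '*Authenticated Users*' -or
            $_.IdentityReference -like '*Domain Computers*'    -or
            $_.IdentityReference -like '*Everyone*'
        }
    Write-Host "== ACEs on $smcDn for broad principals =="
    $aces | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                         InheritanceType, IsInherited -AutoSize | Out-String | Write-Host
} catch {
    Write-Warning "Could not read the container ACL: $($_.Exception.Message)"
}

if ($gcResults.Count -eq 0 -and $ldapResults.Count -gt 0) {
    Write-Host "LDAP sees the MP objects but the GC does not: look at the GC side (3268 reachability from this host, the GC the client picked, GC replication of the SMS-MP objects)."
} elseif ($gcResults.Count -eq 0 -and $ldapResults.Count -eq 0) {
    Write-Host "Neither path returns the MP objects as $whoami : check the ACL inheritance down to the SMS-MP-* objects and that the objects exist for site $SiteCode."
} else {
    Write-Host "Both paths return the MP objects; the AD read itself works from this context."
}
```

Reading the output: the split between the three cases at the end is the point of the exercise. Authenticated Users having Read on the container (as stated earlier in the thread) only helps if that ACE is inherited by the SMS-MP-* and SMS-Site-* objects underneath, which the IsInherited column on those child objects would confirm; and because the client reads the GC rather than its own domain's directory, a result that appears over LDAP but not over GC:// narrows the search to the Global Catalog path the client actually takes.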

Is the client having some authentication issue with AD? Anything specific in ClientIDManagerStartup.log? I am not sure whether this will help you or not, just thought of sharing it: http://technet.microsoft.com/en-us/library/bb632435.aspx

Anoop C Nair - Twitter @anoopmannur MY BLOG: http://anoopmannur.wordpress.com SCCM Professionals This posting is provided AS-IS with no warranties/guarantees and confers no rights.
August 30th, 2011 3:02pm

Hi An00p!! Nothing untoward showing in the ClientID log. As with you, we're convinced it's down to authentication issues, but we can't prove it or work out what's causing it!! It would be good to know/find a statement that defines precisely what rights a client needs to AD and the SCCM objects, and/or any other ports that are required that may be blocked here. We know we can use a ccmsetup SMSSLP= to fix it, but that's not really an acceptable solution at this point in time (plus the techie in me NEEDS to know what the problem is!!!). Thanks.

Nick B, Solutions Architect
August 31st, 2011 10:26am

I think you have already seen the port requirements: http://technet.microsoft.com/en-us/library/bb632618.aspx

Anoop C Nair - Twitter @anoopmannur MY BLOG: http://anoopmannur.wordpress.com SCCM Professionals This posting is provided AS-IS with no warranties/guarantees and confers no rights.
August 31st, 2011 10:35am
