Frequently Posted Questions and Answers
Question List: Supported platforms How can I create auditing rules in Essentials? How do I set up a remote console in a different domain or using local policy? How can I discover network devices to manage? Can I run both SCE and WSUS in the same domain? Can I monitor a machine that is in a workgroup? My clients are reporting an error in the RedirectWSUS.vbs script. What does this error mean and how can I fix it? My install has an error when trying to run a software or inventory report saying it cannot connect to the SUSDB. How can I fix this problem? My install failed during the reporting setup. What should I look for? I get an error when creating software packages saying verification failed. How do I resolve the issue? SCE prereqs are failing on ASP.NET 2.0. What should I try to register ASP.NET correctly? How can I create a dynamic deployment group? My managed computers installed successfully, but still report a status of "unknown" in the computer space. How can I get them to contact? Why do I not see any charts when I run reports? I need a hotfix mentioned in the forums. How can I receive the updates? Can I use Essentials 2007and Forefront Client Security to manage the same computers? Failure while attempting to upgrade SQL Server 2005 Express with Advanced Services to Service Pack 2 How to upgrade the Eval bits to Volume licensing Question 1: Setup Base requirements: Essentials 2007 must be installed on x86 hardware. Forefront Client Security must be installed in the 2 machine (or more) supported configuration from their guide, where the SCE server is the distribution server component. No other FCS workload is supported on the Essentials server. All FCS managed machines must be SCE managed machines Configuration notes: If the FCS distribution server is installed on to Essentials 2007, it will alter the subscription and approval settings already configured. The administrator will need to re-run the Update Management Wizard again to apply custom settings. It is important that the Definitions classification and the Forefront product remain subscribed and declared in the auto-approval settings. If Essentials is installed on to the Distribution server running FCS, the same classification and product settings need to be applied. The Essentials 2007 default client and server scan times fall 1-2 hours after the FCS scan, which may leave managed machines up to 22 hours stale. We recommend using Group Policy to set the client scan time to 4:00 AM, and the Server Sync time to 1:00AM. Question 2: How can I create auditing rules in Essentials? Answer: (credit -John Joyner) In Essentials, you can create custom rules that collect events from the security log. Go to Authoring space, select Rules -> Create a new rule -> Alert Generating Rules/Event Based/NT Event Log. Select theEssentials group you want to collect events from. To collect from all computers, select the Agent group. Select the Security Log to collect events from. Next you build the Filter Expression. The Source will be Security and the Event ID will be the security event you are interested in,for example event 612 is Audit Policy Changed. Finally, configure the alert with title and description to match the event, such as "Audit Policy was Changed". You need to make sure that auditing for the type of event you want to capture is turned on at the domain group policy or local security policy level, otherwise the security events won't be written to the log for Essentials to see them. Question 3: How do I set up a remote console in a different domain or using local policy? Answer: When in the same domain, the certificates used to connect to SCEare generally available from the group policy, but for a different domain or local policy, the certificates require manual import on the UI machine. The two certificates are available on the SCE server in the install directory folder titled Certificates. The WSUSSSLCert.cer should be imported into the local computer's trusted root authority store. The WSUSCodeSigningCert.cer should be imported into the local computer's trusted root authority, third party publishers and third partyroot certification authority stores. Question 4: How can I discover network devices to manage? Answer: To discover network devices, launch the same wizard used to discover computers and chose the advanced option (it appears in the administration space on the right hand side of the splash page with the name "Configure computers and devices to manage"). In the drop down menu for computers and device types, chose network devices. Question 5: Can I run both SCE and WSUS in the same domain? Answer: Individual machines can only report to one WSUS server. Those machines managed by SCE should only report to the SCE server for updates, although users are not prohibited from contacting Microsoft update directly by default. If not all machines in the domain report to the SCE server, a second WSUS server can be used to managed just those machines not included in SCE. If the current environment is running a WSUS 2.0 or WSUS 3.0 server, you can upgrade the current server to be a SCE server and retain the settings and data currently stored. Question 6: Can I monitor a machine that is in a workgroup? Answer: Essentials requires that all managed computers are a member of a domain. Question 7: My clients are reporting an error in the RedirectWSUS.vbs script. What does this error mean and how can I fix it? Answer (credit - Dustin Jones): We are working on fixing this MP for Essentials SP1. Until then, you can disable the Discover XP SP2 clients discovery rule. Question 8: My install has an error when trying to run a software or inventory report saying it cannot connect to the SUSDB. How can I fix this problem? Answer: If your WSUS was a 2.0 upgrade from MSDE, or a WSUS 3.0 install existed previously on the install provided database option, there are two available options to fix the issues - one for SQL Express users (the database provided with SCE) and one for full SQL server reporting services users. *If you chose to use SQL Express for the database - try the following Due to SQL Express limitations in Reporting Services, the WSUS database must be moved to SQL Express. Close any open consoles connecting to SCE or WSUS. Launch the local SQL Server Management Studio express version and log into the np:\\.\PIPE\MSSQL$MICROSOFT##SSEE\SQL\QUERY instance. Backup the SUSDB before continuing. Stop the Update Services service, then chose to detach the SUSDB (selecting to stop active connections). Log into the SQL Express instance in SQL Server Management Studio. The SQL Express instance installed with SCE will be %COMPUTERNAME%\SCE. A default SQL Express install will be %COMPUTERNAME%\SQLEXPRESS. Chose to attach the SUSDB to this SQL instance. This database will be in the WSUS content directory in a folder calledUpdateServicesDbFiles. By default this location will be %SYSTEMDRIVE%\WSUS\UpdateServicesDbFiles. Using regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup . Change the SqlServerName key to be the new SQL instance, including the machine name. You will need to change the HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup\WmsdeInstalled value from 1 to 0 Restart the Update Services service. Try running the report that failed previously. *If you chose not to use SQL Express for the database - try the following Close the SCE UI Launch IE and navigate to http://localhost/reports[$instancename] Chose the "Show Details" button on the resulting page's bar on the right hand side Select the "WSUS Database" data source option In the connection string, replace 'data source=[SCESERVER\INSTANCENAME]' with 'data source=np:\\.\PIPE\MSSQL$MICROSOFT##SSEE\SQL\QUERY'. Do not modify the remainder of the connection string. Apply the changes Launch the SCE UI In the SCE UI, try running the report that failed previously. Question 9: My install failed during the reporting setup. What should I look for? Answer: If your domain FQDN does not have the format NETBIOS.[Ending] (example domain NETBIOS:CONTOSO FQDN: TEST.CONTOSO.NET), a QFE is needed to complete your install. [Credit Justin Incarnato] To obtain the update, you will need to contact Microsoft Customer Support Services. For information on how to contact CSS, click the following link located on the System Center Essentials Self-help Resources page. http://support.microsoft.com/oas/default.aspx?Gprid=12684 The update is Knowledge Base article number 937831 - http://support.microsoft.com/kb/937831 You may also request this fix from the web: https://support.microsoft.com/contactus2/emailcontact.aspx?scid=sw;en;1410&WS=hotfix Other commonproblems in reporting can be a failure to access SQL Reporting Services. Check that you are able to connect to http://localhost/reports[$instancename] and correct any errors using the Reporting Services Configuration utility available from SQL and adding any required exceptions that may be required by your proxy server. Note that having SSL enabled on the website containing SRS is not supported for the RTM release of SCE. Question 10: I get an error when creating software packages saying verification failed. How do I resolve the issue? Answer: The product configuration wizard must be run before using any of the software packaging features of the product. If this is a remote UI, ensure that the WSUSSigningCert.cer is imported onto the local UI machines Trusted Root Authorities, Third Party Publishers and Trusted Publishers certificates store. You can find this certificate on the SCE server installation directory in a folder called Certificates. Question 11: SCE prereqs are failing on ASP.NET 2.0. What should I try to register ASP? Answer: Often installing .NET versions before IIS can cause ASP not to be registered correctly. Try running the following command to correct the issue: X86: %WINDIR%\Microsoft.Net\Framework\v2.0.50727\aspnet_regiis.exe -i -enable X64: %WINDIR%\Microsoft.Net\Framework64\v2.0.50727\aspnet_regiis.exe -i -enable Question 12: How can I create a dynamic deployment group? Answer: Many dynamic groups are available in SCE that are not initially update/software deployment groups. For example, groups already exist for the monitored sql, active directory, or exchange servers. To make these deployment groups, chose to create a group from an already exiting group in the computers space grouping wizard. If the group you would like to create does not exist by default, the authoring space (denoted by the paper and pencil icon in the right hand corner of the wunderbar) contains a more complex grouping wizard that can create a dynamic computer group based on computer properties. Once the group has been created from the wizard, it will be available to become a update/software deployment group in the computers space using the create new groups wizard. Question 13: My managed computers installed successfully, but still report a status of "unknown" in the computer space. How can I get them to contact? Answer: The configure product features wizard must have been run before computers will report status in this section. If using group policy, the settings may take some time to update before the clients will contact. If using local policy, the configure product features wizard must be run before agent deployment. If these steps have been completed successfully, check one of the machines that is reporting the "unknown" inventory by running the rsop.msc. Computer Configuration\Administrative Settings\Windows Components\Windows Update\Specify intranet Microsoft updates location should point to https://sceserver.fqdn:8531. If this is not the case, check that the computer is a member of the AD security group SCE Managed Computers (SCESERVER_MG) and if so, try relogging into the machine or rebooting to pick up the group membership. If the correct server is reported, check the %WINDIR%\WindowsUpdate.log to see if any errors are occurring with contacting the SCE server. As always, if the answer is not clear, these forums are here to help! Including the log file information in your post will aid in quick answer. Question 14: Why do I not see any charts when I run reports? Answer: If you are running with SQL Express Advanced or the SQL install that is available as part of SCE setup, charts that use external charting controls will fail to display the graph due to limitations of the SQL Express product. Also, if you have upgrade SQL from one version to another, the graphs which were previously displaying may fail to display due to losing the registration of the external charting controls. Question 15: I need a hotfix mentioned in the forums. How can I receive the update? If the fix is not a Microsoft Update for System Center Essentials, you can request the update for CSS using the following website: https://support.microsoft.com/contactus2/emailcontact.aspx?scid=sw;en;1410&WS=hotfix Question 16: Can I use Essentials 2007and Forefront Client Security to manage the same computers? Yes. Please read through these configuration steps to understand how to use both products in the same environment. Setup Base requirements: Essentials 2007 must be installed on x86 hardware. Forefront Client Security must be installed in the 2 machine (or more) supported configuration from their guide, where the SCE server is the distribution server component. No other FCS workload is supported on the Essentials server. All FCS managed machines must be SCE managed machines Configuration notes: If the FCS distribution server is installed on to Essentials 2007, it will alter the subscription and approval settings already configured. The administrator will need to re-run the Update Management Wizard again to apply custom settings. It is important that the Definitions classification and the Forefront product remain subscribed and declared in the auto-approval settings. If Essentials is installed on to the Distribution server running FCS, the same classification and product settings need to be applied. The Essentials 2007 default client and server scan times fall 1-2 hours after the FCS scan, which may leave managed machines up to 22 hours stale. We recommend using Group Policy to set the client scan time to 4:00 AM, and the Server Sync time to 1:00AM. Operation It is important to note that the purchased limits of the FCS solution must remain within the purchased limits of the Essentials solution. Question 17: Failure while attempting to upgrade SQL Server 2005 Express with Advanced Services to Service Pack 2 If you are attempting to upgrade the SQL Server 2005 Expressinstance that Essentials setup installed to Service Pack 2 and receive the following error message: SQL Server Setup failed to execute a command for server configuration. The error was [Microsoft][SQL Native Client][SQL Server]CREATE DATABASE failed. Some file names listed could not be created. Check related errors.. Refer to the server error logs and Setup logs for detailed error information. Please see this Knowledge Base article. Error message when you install SQL Server 2005 SP2, SQL Server Express SP2, or SQL Server Express with Advanced Services SP2: "SQL Server Setup failed to execute a command for server configuration. CREATE DATABASE failed" http://support.microsoft.com/kb/935371 Question 18: How to upgrade from Eval bits to Volume License Using the VL fulfillment media CD, follow these steps: 1. On the root folder of the installation files (CD) you will find a file named productkey.txt 2. On the server running Essentials, click Start-> All programs -> System Center Essentials 2007 -> System Center Essentials Licensing Wizard 3. Complete the wizard entering the key from productkey.txt, that should unlock the timebomb and the server/client limit.
June 28th, 2007 10:25pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics