New Distribution Point - Clients Won't Enforce Machine Policy?

We are currently running SCCM 2012 R2 and have 6 dual MP/DP site systems.

For various reasons, we want to deploy multiple new DPs to service a particular boundary group.

I set the first of these DPs up with only the DP role, no MP, and changed the hierarchy to use the new DP for the new boundary group. I then took a freshly imaged PC (which had the client installed as part of OSD) and started it after these changes. The client found an MP and showed that it was using PKI for the client certificate, as all our clients do. It even began to install EPP (part of our default machine policy) and showed new software from required deployments to collections it was a member of. Looked like it was working.

Then all of a sudden, I checked again and the only available actions in the Control Panel applet were Machine and User policy. None of the others were present that we normally see like Hardware Inventory, etc. Sure enough all the components for these items had changed from Enabled to Installed. Running machine policy multiple times never seemed to address this as long as I waited.

It is almost as if the client was suddenly unable to read/enforce machine policy. Checking resultant set of policy from Console showed everything I expected to see for a typical computer though.

Finally, I decided to move the boundary from the new boundary group back to the original one it had been a part of. In pretty short order, the typical components were enabled, required deployments continued, and software returned to Software Center.

Granted, not all available deployed software had been moved to the new DP yet (I wanted to test fallback behavior), and I could understand this causing issues with deployments, but I don't understand how the client could fail to enable basic components, and therefore their actions, simply by changing DP.

Any ideas for further troubleshooting?

August 19th, 2015 1:20pm

How many MPs are there? DPs have nothing to do with retrieving policies. And how many clients are you managing in total?
August 19th, 2015 1:54pm

I understand that. I'm just trying to describe what the symptom looks like.

As stated previously, we originally had 6 combination MP/DP site systems. I added one new DP. It is healthy and I have verified that content distributes to it. We probably have about 10K clients.

The point I was making was that when the relevant boundary is in the original boundary group it functions normally and promptly, but when moved to the new boundary group with the new DP referenced, it acts as if there is no machine policy assigned despite what resultant client policy states.

August 19th, 2015 2:02pm

You should move one computer to the new boundary and look at the logs locally to figure out what is happening.

If you are using 2012 R2 SP1, is it possible you have a broken MP assigned to that boundary?

CcmMessaging.log (general MP communication)

CertificateMaintenance.log (maybe a broken certificate, since I gather you are using HTTPS)

LocationServices.log (to see which MP you are now looking at)

PolicyAgentProvider.log and PolicyAgent.log (since you are saying the policy changed)

Looking at those might give you an idea of what is wrong.

August 19th, 2015 2:24pm

Thank you, I did start down the path of looking at client logs but was a bit bewildered by the choices. I did see what looked like success, in the LocationServices log, but I obviously need to dig further.

You bring up a highly relevant point though:

"is it possible you have a broken MP assign to that boundary "

There are no site systems with the MP role in the boundary associated with the boundary group in question. I was under the impression that boundary groups do not influence communication with MPs. In my case, the client would acquire an assigned MP and the relevant client certificate according to the Control Panel applet locally, so I assumed the MP communication was sound.

Must there be a site system with an MP in the boundary?

August 19th, 2015 2:30pm

Only starting with R2 SP1, and only if you enabled boundary groups for MP selection.
August 19th, 2015 2:35pm

No, in SCCM 2012 R2 SP1 you can assign an MP to a boundary. Preferred management points enable a client to identify and prefer to communicate with a management point that is associated with its current network location or boundary.

This is why I was asking; maybe the DP had the role briefly installed and it was not properly removed, or something like that.

Can you look in ClientLocation.log? You should see something like this: Assigned MP changed from <MP.FQDN> to <MP.FQDN>

This will tell you what MP the client was using before and what MP it's using now that doesn't work.


August 19th, 2015 2:37pm

The log shows what appears to be a lot of "rotating" between MPs.

It also seems to indicate that one is assigned then later is empty when queried again. Almost half a dozen rotations in just a few hours? That seems odd. Also, no other client is reporting any other issues so I don't believe we have a bad MP lurking though always a possibility. No issues in component monitoring.

http://1drv.ms/1hpJyqc

August 19th, 2015 2:59pm

Hi,

Anoop's blog explains the MP rotation problem. And there is a workaround in R2 CU3: add a multi-string value in the registry of your client(s). The string (AllowedMPs) holds the correct management point for the client.

In ConfigMgr 2012 R2 SP1 there is an option "Clients prefer to use management points specified in boundary groups" in the properties of Sites. 

For more information: ConfigMgr 2012 R2 SP1: Rotating Assigned Management Point


August 25th, 2015 1:50am
