I have been banging my head on the keyboard for three weeks with this one.

I built a 2008 R2 server with SCCM 2012 on it, connecting to a SQL 2008 server.  They talk fine with each other.

SCCM has the boundary and boundary groups set up.  I have ad discovery (tried with and without subnets) and those work. 

Auto installing the client upon discovery works.

The clients find their MP and know their site code.  All clients show approved (automatically) in the console - mpcontrol log lists 200 OK

The logs show that they prepare their scheduled eval and send it.  When I initiate a hardware policy update, I can netstat and see the connection on various ports to the server

I ran wireshark (OPNET) and initiated a reinstall and can see communication between the client and the server and the server and the sql server.

Everything seems to work correctly, I find some errors in the logs, but nothing that jumps out as the cause.

The problem is all clients have components listed as not installed and only machine and user policy retrieval listed.

In the console, the clients show Client Check - no results, nothing under Hardware or Software scan

I have research THOROUGHLY on the internet on all logs as well as the issue I just described, tried a million things, redoing webdav, ccmclean, etc)

Any thoughts - they would be greatly appreciated!

The problem is all clients have components listed as not installed and only machine and user policy retrieval listed.

That tells you that the client was not able to retrieve policies from the management point. See ClientIDManagerStartup.log (if the client was registered), ClientLocation.log and LocationServices.log

in clientIDmanager I see multiple "client is already registered" entries  and one that says "unable to backup CCM Identity in any identity stores (ox8000ffff)

In clientlocation is sees my MP name, and once and hour it gives me rotating assigned management point from %myserver% to %my server%  this is the same server, and it does it twice in a row once an hour

in clientlocation it correctly lists the ad place it sits

???

Can you upload all of the client logs to skydrive?

Torsten,

Thanks for looking - here they are (I had to remove certain names)

https://skydrive.live.com/redir?resid=9833B548057E1734!109&authkey=!ADium40C2JBMt5A

I couldn't spot any obvious errors. Have you already checked if the system is approved? You can add the 'approved' column in the console to check that.

all machines that are discovered get the client automatically installed and then show approved

now you see why I am banging my head on the keyboard!

I keep marking as answered sorry cruiser.

Maybe "unable to backup CCM Identity in any identity stores"has something to do with how the OS has been configured. Look at what GPO's are applied to the clients if all else fails.

Rob,

I do see that this error is unique as far as many other logs on the internet.  I started researching it and found, in the wmiporv.log, 1 entry per day saying Impersonation Failed - Access denied. 

I added to "Impersonate Client after Authentication" my sccm admin account, local service, and network service (the service group was already there, but I added the others anyway)  I still get access denied

- what would I be looking for in GPO that could affect this?

Thanks for the input!

i can also go to a client and initiate a machine policy retrieval and see the impersonation error show up in that log within 1 minute, so this has to have something to do with it I would imagine

interesting log from server (MP_Policy.log)

Detected at least one row in the result set from PolicyAssignment table which does not have a Signature, rejecting all rows

this error repeats over and over - any idea how to check this out (google was not of much help)

That's hard to tell without sitting in front of the server ... have you already rebooted it? Or tried a site reset?

i just did a site reset - I did one about a month ago - it seems to go well.  I will let it bake in over night and see what happens - perhaps reinstall a client as well

why did you do a site reset a month ago? did you restore/rebuild the site?

I did the site reset a month ago for this problem - SCCM 2012 has never worked and that was one of the initial troubleshooting items in the first couple weeks of digging deeper -

So what was the problem a month ago?, they could they be related.

it was for the same issue at the top of this thread - I have been trying to get this new install working that long and feel like I am at the bottom of the barrel of things to try!

What exactly are your boundaries and what exactly is the IP address and subnet mask on your clients?

my boundaries are AD sites

Site A

Site B

Subnet boundaries are multiple for each site (one for printers, one for clients, one for servers, etc)

I created two boundary groups

Site Assignment Boundary Group (members Site A, Site B, and the client subnet range for Site A)

Software Distro Boundary Group (members, Site A, Site B, and the client subnet range for Site A)

I have also tried just using subnets in the boundary and also just AD sites

client IP info is 10.10.72.1-10.10.75.254  the description in the boundary is %mydomain.net%/Site A/10.10.72.0/22

To be clear you client have an IP address with a subnet mask like:

10.10.73.68 255.255.252.0?

How exact is the subnet setup in AD?

10.10.72.0/22

well, the computer actually has a /24 as the subnet, even though the boundary discovers a /22.......sites and services lists it as the following though:

Site A Management 10.10.180.0/24

Site A Server 10.10.182.0/24

Site A Client 10.10.184.0/24

Site A Management 10.10.68.0/23

Site A Server 10.10.70.0/23

Site A Client 10.10.72.0/22

So you subnet masks are not matching between the client and AD. This is might be your problem.

Remember that CM clients will compare their subnets mask to the AD subnet and they will not match.  

So try this:

1. Create a new boundary  IP Address range of 10.10.72.0 10.10.75.254   and add it to your boundary group.
2. Make sure that the Use this boundary group for site assignment is set for the boundary group.
3. Confirm that the IP Address Range is added to AD
4. ~10 minutes later, on 1 PC in the 10.10.73.x (or 74 or 75) range, open the CM applet within the control panel
5. Click find site on the site tab. Does it find your site?

1) created and added to boundary group.  There is still the original discovered entry in the boundary, which is the same range except it starts with 10.10.72.1-10.10.75.254

2) confirmed

3) this has always been in AD as a /22.

5) it does find the site, but this has never been a problem, all the clients have been able to do this all along........I initiated a machine policy retrieval and can see in the logs that it raises the request event, thinks it sends the event, thinks it receives the info, and then says no changes needed.  I see this on the client logs