SCE managed security group is missing
I installed System Center 2010 on a Server 2008 R2 VM server, pointing the DB to SQL 2008 running on Server 2003, and all seemed well. I ran through the wizard and chose local policy because I already have a lot of group policies set up that do a lot of important things and don't want a bucket of GP settings to be dropped into AD without knowing exactly what is being added. I updated my two WSUS GPs to point to the new WSUS server since the wizard indicated the settings were conflicting with Essentials. The change worked as expected and all the clients (XP SP3) point to the new Essentials server, as verified in the registries. I am getting errors on the Essentials server though, indicating that the computers don't point to the Essentials server and don't belong to the security group named SCE Managed Computers Group. I looked in AD and there is not a SG named SCE Managed Computers. From what I have read it gets created when you run the automated domain policy portion of the wizard. What are the required GP settings for Essentials? Are they listed somewhere? In addition, I can only install the clients when I turn off the client firewalls. I added all the following ports - TCP 135, 139, 445, 6270 and UDP 137, 138 - as indicated in the Essentials help, but still no success. File and Print Sharing, Remote Desktop, and Remote Administration are also enabled.
EB
October 18th, 2010 1:11am
The warning that clients are not configured to use the Essentials server is fairly common. I see it initially on almost every computer I put the agent on. Group policy settings for SCE are fairly simple but important. There's the WSUS server address, which you have; telling the clients to actually USE the internal WSUS server; Windows Update scheduling and interactions with logged-in users. It also creates the firewall exceptions for the agent to communicate with your SCE server, and any other options you want like remote desktop, remote assistance, etc. As far as ports go, you have some of them open, but you need a few more, plus some of them are dynamic, which is why the GPO is a good idea. Lastly there is a self-signed cert for System Center and a WSUS publisher cert that is included in the GPO that also needs attention if you're doing local policies. As far as the agent installs, if you can get them to install only by turning off the firewall then obviously there is a port that's still blocked. What is the error message logged when you try to push an agent?
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 18th, 2010 4:27pm
Hi,
Regarding Group Policy and Local Policy settings about System Center Essentials 2010, please refer to:
Local Policy vs. Group Policy in System Center Essentials 2010
http://technet.microsoft.com/en-us/library/bb437395.aspx
Meanwhile, please also see the section “Troubleshooting Configuration: Group Policy” of the following post:
Troubleshooting ‘Unknown’ software and update status, ‘Not yet contacted’ and lack of hardware and software inventory
http://blogs.technet.com/b/systemcenteressentials/archive/2010/03/29/troubleshooting-unknown-software-and-update-status-not-yet-contacted-and-lack-of-hardware-and-software-inventory.aspx
Regarding the agent installation issue, please also refer to:
Agent discovery and push troubleshooting in OpsMgr 2007
http://blogs.technet.com/b/kevinholman/archive/2007/12/12/agent-discovery-and-push-troubleshooting-in-opsmgr-2007.aspx
Console based Agent Deployment Troubleshooting table
http://blogs.technet.com/b/kevinholman/archive/2009/01/27/console-based-agent-deployment-troubleshooting-table.aspx
In addition, please let us know the exact error message you noticed on the SCE server and the detail error you found in Event Log.
Thanks.
Nicholas Li - MSFT
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 19th, 2010 12:18pm
Thanks for the feedback; I will look at the references. I did finally get the clients to install, and I added all of the local policies to the various domain/OU level GPOs so the clients are getting the settings. I apparently still have some to go though, since the console shows errors on all machines reporting no membership in the SCE Managed Computers security group, which apparently gets created if you run the domain GPO choice in the wizard.
October 20th, 2010 7:03pm
Ok, after following through on some of the information listed. On clients where the agent is installed, the local group policy is applying the WSUS information to the client and it is being overwritten by the domain WSUS policy as expected. The settings are the same, and RSOP shows the domain's OU policies are winning as expected. I cannot, though, find the scheduled task that is reapplying the Local GPO; it does not show up in the task scheduler even with "show hidden tasks" selected. It is running though, because I cleaned up the Local GPO yesterday and the settings were back today - this occurred on both Windows XP SP3 and Windows 7 computers. Since the domain policy is winning I am not sure it matters. I added the Ess certificates to the trusted certificates store in the domain GPO so that should clean up that issue. Does the SCE Managed Computers group matter, since from reading the threads it only controls access to the WSUS and ESS GPOs, which I already have using different security groups (not all computers can reboot at 3:00 am)? Looking at the update log all is well, but the computers still show alert status and agent status errors in the ESS console.
October 20th, 2010 7:59pm
If you're not wanting to apply any sort of local policy you can modify the domain policy to turn off local policy processing (Computer Settings->Administrative Templates->System->Group Policy; keep in mind this is for Vista or higher).
The SCE managed group also controls firewall exceptions, remote admin/desktop options, unsolicited communication from your SCE server, etc. Not having the correct firewall configuration for SCE can interfere with health service monitoring, which WILL generate errors.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 8:22pm
I have added the remote admin/desktop options to the firewall section of the same group policy object that controls WSUS and it is being applied to the client. Push installs appear to be working, but at the client I do not see the OpMgr service listed as an installed service. I do see a service named Operations Manager Audit Forwarding Service that is set to disabled. Client pushes are working. I saw in one of the articles that a huge number of the upper ports have to be enabled to support DCOM, but if you have to do that then why have a firewall?
October 20th, 2010 8:46pm
There is no OpMgr service; the audit service you see is enabled if you want clients to forward error events to your server for review. The service for the agent is the System Center Management service.
DCOM is a protocol that uses random upper-level ports. That's why you make the firewall exception to specify that the DCOM protocol is allowed to pass through: it opens the port requested, then closes it when finished, as opposed to specifying a port number to remain open.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 8:51pm
When I look at the script error after rerunning WUconfig at the server and chasing the script error through the local registry there appears to be a key missing in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management
Groups\TUSESS01_MG. The script seems to suggest there should be a subkey named "\Parent Health Services\0", with a value named "NetworkName". Does anyone have this specific key on the client?
October 20th, 2010 9:48pm
Yep, network name is the FQDN of your SCE server.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 9:50pm
So the whole key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\TUSESS01_MG\Parent Health Services\0 with a string value NetworkName and a setting of the FQDN of my SCE server?
October 20th, 2010 9:58pm
Correct, string value NetworkName YOURSERVER.yourdomain.com (or .local)
Keep in mind there are other string values and DWORDs in that 0 key, but for NetworkName, the value is the FQDN of the server.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 10:02pm
Do you happen to know of a source for the balance of the settings?
October 20th, 2010 11:20pm
Not sure what you mean...
The authentication name and network name are the only values that look environment specific.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 11:24pm
I rebooted the workstation and all the keys showed up. I will wait and see if the server shows it is getting updated - thx
October 20th, 2010 11:40pm
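A diagnostic script, added here as an example and not taken from the thread or from Microsoft, that checks on a client the registry value and agent service discussed above and, when run from the SCE server, probes the agent-push TCP ports listed in the first post. The management group name, server FQDN and the HealthService service name are assumptions to adjust for your environment.

```powershell
# Added example: verify the SCE agent pieces discussed in the thread.
# Run on a client for checks 1-2; run on the SCE server with -ClientToProbe for check 3.
param(
    [string]$ManagementGroup = 'TUSESS01_MG',             # group name from the thread; use yours
    [string]$SceServerFqdn   = 'sceserver.example.local', # placeholder FQDN of the SCE server
    [string]$ClientToProbe   = ''                         # client hostname, only when run from the server
)

$mgKey  = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\$ManagementGroup"
$phsKey = "$mgKey\Parent Health Services\0"

# 1. Registry: Parent Health Services\0 must exist and NetworkName must be the SCE server FQDN.
#    In the thread the subkey only appeared after the client was rebooted.
if (-not (Test-Path $phsKey)) {
    Write-Warning "Missing $phsKey - agent has not registered with the management group yet"
} else {
    $props = Get-ItemProperty -Path $phsKey -ErrorAction SilentlyContinue
    if ($props.NetworkName -ieq $SceServerFqdn) {
        Write-Host "NetworkName OK: $($props.NetworkName)"
    } else {
        Write-Warning "NetworkName is '$($props.NetworkName)', expected '$SceServerFqdn'"
    }
}

# 2. Service: the agent runs as 'System Center Management' (assumed service name HealthService),
#    not as an 'OpMgr' service; the Audit Forwarding service being disabled is normal.
$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if ($svc) { Write-Host "Agent service '$($svc.DisplayName)': $($svc.Status)" }
else      { Write-Warning 'System Center Management (HealthService) is not installed' }

# 3. From the SCE server: TCP ports the first post lists for agent push. UDP 137/138 and the
#    dynamic DCOM ports are not probed here, so an all-open result does not prove push will work.
if ($ClientToProbe) {
    foreach ($port in 135, 139, 445, 6270) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar   = $tcp.BeginConnect($ClientToProbe, $port, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne(2000, $false) -and $tcp.Connected
        } catch { $open = $false }
        $tcp.Close()
        Write-Host ("TCP {0,-5} {1}" -f $port, $(if ($open) { 'open' } else { 'BLOCKED or filtered' }))
    }
}
```

A BLOCKED port here points at a missing firewall exception in the GPO rather than at the agent itself; the DCOM exception mentioned in the thread still has to be granted separately.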