sce managed security group is missing
I installed System Center 2010 on a Server 2008 R2 VM server, pointing the DB to SQL 2008 running on Server 2003, and all seemed well. I ran through the wizard and chose local policy because I already have a lot of group policies set up that do a lot of important things and don't want a bucket of GP settings to be dropped into AD without knowing exactly what is being added. I updated my two WSUS GPs to point to the new WSUS server since the wizard indicated the settings were conflicting with Essentials. The change worked as expected and all the clients (XP SP3) point to the new Essentials server, as verified in the registries. I am getting errors on the Essentials server though indicating that the computers don't point to the Essentials server and don't belong to the security group named SCE Managed Computers Group. I looked in AD and there is not a SG named SCE Managed Computers. From what I have read it gets created when you run the automated domain policy portion of the wizard. What are the required GP settings for Essentials? Are they listed somewhere? In addition, I can only install the clients when I turn off the client firewalls. I added all the following ports - TCP 135, 139, 445, 6270 and UDP 137, 138 as indicated in the Essentials help but still no success. File and Print Sharing, Remote Desktop, and Remote Administration are also enabled. EB
October 18th, 2010 1:11am

The warning that clients are not configured to use the Essentials server is fairly common. I see it initially on almost every computer I put the agent on. Group policy settings for SCE are fairly simple but important. There's the WSUS server address, which you have; telling the clients to actually USE the internal WSUS server; Windows Update scheduling; and interactions with logged-in users. It also creates the firewall exceptions for the agent to communicate with your SCE server, and any other options you want like remote desktop, remote assistance, etc. As far as ports go, you have some of them open, but you need a few more, plus some of them are dynamic, which is why the GPO is a good idea. Lastly there is a self-signed cert for System Center and a WSUS publisher cert that is included in the GPO that also needs attention if you're doing local policies. As far as the agent installs, if you can get them to install only by turning off the firewall then obviously there is a port that's still blocked. What is the error message logged when you try to push an agent?
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 18th, 2010 4:27pm
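The reply above says a push that only works with the client firewall off means a port is still blocked. The following PowerShell script is an added example (not from this thread or from Microsoft) that can be run on the SCE server before an agent push: it attempts a TCP connect from the server to each of the fixed ports the original poster listed (TCP 135, 139, 445, 6270) and reports which ones the client's firewall is not letting through. The client name is a placeholder. UDP 137/138 cannot be verified with a plain connect, and the dynamic DCOM ports mentioned later in the thread are not covered, so a clean result here does not prove a push will succeed; it only rules out the fixed ports.

```powershell
# Added example, not code from the thread. Run on the SCE server against a client
# you are about to push the agent to. Uses System.Net.Sockets.TcpClient so it
# works on PowerShell 2.0 (no Test-NetConnection needed).
param(
    [string]$ClientName = 'CLIENT01.yourdomain.local',   # placeholder: the client you intend to manage
    [int[]]$TcpPorts    = @(135, 139, 445, 6270),        # fixed TCP ports listed in the original post
    [int]$TimeoutMs     = 2000                           # per-port connect timeout
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped SYN does not hang for the OS default timeout
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no answer within the timeout: filtered/dropped
        }
        $client.EndConnect($async) # throws on an active refusal (RST)
        return $true
    }
    catch {
        return $false
    }
    finally {
        $client.Close()
    }
}

foreach ($port in $TcpPorts) {
    $open  = Test-TcpPort -Computer $ClientName -Port $port -TimeoutMs $TimeoutMs
    $state = if ($open) { 'reachable' } else { 'BLOCKED or closed' }
    Write-Output ("{0,-40} TCP {1,-5} {2}" -f $ClientName, $port, $state)
}
```

Run it as `.\Test-AgentPorts.ps1 -ClientName client01.yourdomain.local` (script name is a suggestion). A port reported as "BLOCKED or closed" while the push fails, and "reachable" once the client firewall is turned off, points at the missing firewall exception; if every fixed port is reachable and the push still fails, the remaining suspect is the dynamic DCOM range, which is the case for delivering the exception through the GPO rather than opening individual ports.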

Hi,
Regarding Group Policy and Local Policy settings about System Center Essentials 2010, please refer to:
Local Policy vs. Group Policy in System Center Essentials 2010
http://technet.microsoft.com/en-us/library/bb437395.aspx
Meanwhile, please also see the section “Troubleshooting Configuration: Group Policy” of the following post:
Troubleshooting ‘Unknown’ software and update status, ‘Not yet contacted’ and lack of hardware and software inventory
http://blogs.technet.com/b/systemcenteressentials/archive/2010/03/29/troubleshooting-unknown-software-and-update-status-not-yet-contacted-and-lack-of-hardware-and-software-inventory.aspx
Regarding the agent installation issue, please also refer to:
Agent discovery and push troubleshooting in OpsMgr 2007
http://blogs.technet.com/b/kevinholman/archive/2007/12/12/agent-discovery-and-push-troubleshooting-in-opsmgr-2007.aspx
Console based Agent Deployment Troubleshooting table
http://blogs.technet.com/b/kevinholman/archive/2009/01/27/console-based-agent-deployment-troubleshooting-table.aspx
In addition, please let us know the exact error message you noticed on the SCE server and the detail error you found in Event Log.
Thanks.
Nicholas Li - MSFT
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 19th, 2010 12:18pm

Thanks for the feedback; I will look at the references. I did finally get the clients to install and I added all of the local policies to the various domain/OU level GPOs so the clients are getting the settings. I apparently still have some to go though since the console shows errors on all machines reporting no membership in the SCE Managed Computers security group, which apparently gets created if you run the domain GPO choice in the wizard.
October 20th, 2010 7:03pm

Ok, after following through on some of the information listed. On clients where the agent is installed the local group policy is applying the WSUS information to the client and it is being overwritten by the domain WSUS policy as expected. The settings are the same and RSOP shows the domain's OU policies are winning as expected. I cannot though find the scheduled task that is reapplying the Local GPO; it does not show up in the task scheduler even with "show hidden tasks" selected. It is running though because I cleaned up the Local GPO yesterday and the settings were back today - this occurred on both Windows XP SP3 and Windows 7 computers. Since the domain policy is winning I am not sure it matters. I added the Ess certificates to the trusted certificates store in the domain GPO so that should clean up that issue. Does the SCE Managed Computer group matter since from reading the threads it only controls access to the WSUS and ESS GPOs, which I already have using different security groups (not all computers can reboot at 3:00 am)? Looking at the update log all is well but the computers still show alert status and agent status errors in the ESS console.
October 20th, 2010 7:59pm

If you're not wanting to apply any sort of local policy you can modify the domain policy to turn off local policy processing. (Computer Settings->Administrative Templates->System->Group Policy, keep in mind this is for Vista or higher). The SCE managed group also controls firewall exceptions, remote admin/desktop options, unsolicited communication from your SCE server, etc. Not having the correct firewall configuration for SCE can interfere with health service monitoring which WILL generate errors.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 8:22pm

I have added the remote admin/desktop options to the firewall section of the same group policy object that controls WSUS and it is being applied to the client. Push installs appear to be working but at the client I do not see the OpMgr service listed as an installed service. I do see a service named Operations Manager Audit Forwarding Service that is set to disabled. Client pushes are working. I saw in one of the articles that a huge number of the upper ports have to be enabled to support DCOM but if you have to do that then why have a firewall.
October 20th, 2010 8:46pm

There is no OpMgr service; the audit service you see is enabled if you want clients to forward error events to your server for review. The service for the agent is the System Center Management service. DCOM is a protocol that uses random upper level ports, that's why you make the firewall exception to specify that the DCOM protocol is allowed to pass through; it opens the port requested, then closes it when finished, as opposed to specifying a port number to remain open.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 8:51pm

When I look at the script error after rerunning WUconfig at the server and chasing the script error through the local registry there appears to be a key missing in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\TUSESS01_MG. The script seems to suggest there should be a subkey named "\Parent Health Services\0", with a value named "NetworkName". Does anyone have this specific key on the client?
October 20th, 2010 9:48pm

Yep, network name is the fqdn of your SCE server.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 9:50pm

So the whole key is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\TUSESS01_MG\Parent Health Services\0 with a strvalue NetworkName and a setting of the fqdn of my SCE server?
October 20th, 2010 9:58pm

Correct, string value NetworkName YOURSERVER.yourdomain.com (or .local). Keep in mind there are other string values and dwords in that 0 key, but for NetworkName, the value is the fqdn of the server.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 10:02pm

Do you happen to know of a source for the balance of the settings?
October 20th, 2010 11:20pm

Not sure what you mean... the authentication name and network name are the only values that look environment specific.
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
October 20th, 2010 11:24pm
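To turn the registry discussion above into a repeatable check, here is an added PowerShell example (not code from the thread, and not a Microsoft tool) to run on a managed client. It reads the `...\Agent Management Groups\<management group>\Parent Health Services\0` key named in the thread, lists every value in it so the environment-specific ones (NetworkName, AuthenticationName) can be compared against the SCE server, confirms NetworkName is the expected FQDN, and reports the state of the two services mentioned earlier: "System Center Management" (the agent) and "Operations Manager Audit Forwarding Service" (Disabled unless audit forwarding is wanted). The management group name defaults to the one in the thread; the server FQDN is a placeholder.

```powershell
# Added example, not code from the thread. Run on a managed client (XP SP3 / Win 7 era),
# so it sticks to PowerShell 2.0 features and WMI for service details.
param(
    [string]$ManagementGroup    = 'TUSESS01_MG',              # management group name quoted in the thread
    [string]$ExpectedServerFqdn = 'YOURSERVER.yourdomain.com' # placeholder: your SCE server's FQDN
)

# Full key path as spelled out in the thread, with the management group substituted in
$keyPath = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\$ManagementGroup\Parent Health Services\0"

if (-not (Test-Path -Path $keyPath)) {
    # In the thread the key was absent until the workstation was rebooted
    Write-Warning "Key not found: $keyPath (in the thread it only appeared after a reboot)"
}
else {
    $values = Get-ItemProperty -Path $keyPath

    # Dump every value in the '0' key, skipping the PS* provider metadata properties,
    # so the full set of strings/dwords can be compared against a known-good client
    $values.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("{0,-25} = {1}" -f $_.Name, $_.Value) }

    # NetworkName must be the FQDN of the SCE server (case-insensitive compare)
    if ($values.NetworkName -ieq $ExpectedServerFqdn) {
        Write-Output "NetworkName matches the expected SCE server FQDN."
    }
    else {
        Write-Warning "NetworkName is '$($values.NetworkName)', expected '$ExpectedServerFqdn'."
    }
}

# Service check: the agent is the 'System Center Management' service, not an 'OpMgr' service;
# the audit forwarding service being Disabled is normal unless event forwarding is wanted.
foreach ($displayName in 'System Center Management', 'Operations Manager Audit Forwarding Service') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$displayName'"
    if ($svc) {
        Write-Output ("{0,-45} state: {1,-8} start mode: {2}" -f $displayName, $svc.State, $svc.StartMode)
    }
    else {
        Write-Warning "Service '$displayName' is not installed on this client."
    }
}
```

Run it in an elevated PowerShell prompt on the client, e.g. `.\Check-SceAgent.ps1 -ExpectedServerFqdn sce01.yourdomain.local` (script name is a suggestion). A missing key plus an installed "System Center Management" service that is not yet running is the state the thread describes before the reboot; once the agent has started and registered, the key and its values should be present and NetworkName should match.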

I rebooted the workstation and all the keys showed up. I will wait and see if the server shows it is getting updated - thx
October 20th, 2010 11:40pm
