Reinstalling Forefront Client Security issue
Dear experts,
I have installed Forefront Client Security successfully and clients got installed on the member computers in the security group created on Active Directory. For disk space reasons and crashing problems, I decided to re-format and re-install the client security server. After re-installation (with the same computer name), I was thinking it will still connect to both WSUS and Forefront servers and would report fine since I used the same computer name and same IP address.
It didn't work, no computers connecting to WSUS nor to the Forefront server. I tried renaming the computer to another name, deploying a new policy to the same security group but still not working.
Would anyone please enlighten me?
Many thanks,
Joel
All Replies
Hi Joel!
When you reinstall the FCS server (using the same name and management group) all of your clients will try to connect back with the server. However the MOM is set to reject manually installed clients. And that is what has happened with your clients. Since you have reinstalled the FCS server you have to approve the clients again (MOM admin console under pending actions).
Just reapprove the manual installation of the clients and they will pop back into the FCS server.
Good luck!
/Johan
Hi Johan,
Thanks for the reply.
1. I have renamed my server now. And changed the Windows update policy to point on the new name http://newservername:8530. Applied the policy and now computers are showing up 1 by 1 and are starting to report on the WSUS console.
2. Now, Forefront Client Security server has only 1 computer reporting which I think is the server itself. (BY THE WAY HOW WOULD U KNOW THE COMPUTER NAMES REPORTING TO THE FCS SERVER????)
3. No computers are on the pending on MOM.
4. I removed the FCS client on one of my servers to check if it will reinstall itself when it gets updated. But I see on WSUS that this server is already 100% installed and the Forefront updates are Not applicable (of course) since FCS is not there.
So again my dilemma is still here.
Regards,
Joel
Hi Joel,
This might have to do with renaming the server. Try to uninstall on one of your clients and do a manual reinstall with the following switches.
clientsetup.exe /CG [managementgroup name (default: forefrontclientsecurity)] /MS [name of FCS server]
Example: clientsetup.exe /CG forefrontclientsecurity /MS FCSSrv01
Since this is a manual installation you have to approve it in MOM under pending actions.
If this works you might want to create a GPO to push the new parameters to your clients.
Paste the following code into a text file with the ".adm" file extension.
Import the adm file into a GPO (admin templates) and set the new FCS parameters.
(Do a test on a small number of clients.)
CLASS MACHINE
CATEGORY !!category_name
POLICY !!_MOMServerName_polname
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0"
EXPLAIN !!_MOMServerName_explain
PART "!!_MOMServerName_partdesc" EDITTEXT REQUIRED
VALUENAME MOMServerName
END PART
END POLICY
POLICY !!_MOMGroupName_polname
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0"
EXPLAIN !!_MOMGroupName_explain
PART "!!_MOMGroupName_partdesc" EDITTEXT REQUIRED
VALUENAME MOMGroupName
END PART
END POLICY
END CATEGORY
[strings]
category_name="Microsoft FCS MOM Configuration"
_MOMServerName_name="Description for MOMServerName"
_MOMServerName_explain="Help for MOMServerName"
_MOMServerName_polname="MOMServerName"
_MOMServerName_partdesc="Enter the name for the FCS MOM server"
_MOMGroupName_name="Description for MOMGroupName"
_MOMGroupName_explain="Help for MOMGroupName"
_MOMGroupName_polname="MOMGroupName"
_MOMGroupName_partdesc="Enter the value of the MOM Configuration Group name"
Hope this helps
/Johan
Hello All,
Joel -
When you reinstall the computer and kept the same name that should have worked fine. The MOM agent on the client machine has a cache. We have seen that sometimes it is necessary for the MOM service on the agent to be restarted in order for it to check back to the new machine in once again. As Johan mentioned if you did not backup and restore the database after the client machines check back in they will need to be approved again. This should happen automatically after an hour via the FCS auto approval script.
Johan –
A couple minor comments: You are correct that MOM out-of-the-box is configured to reject new installations, however during FCS setup that MOM configuration value is altered to allow new agents to check into MOM and appear in pending actions. The FCS auto-approval script that runs once an hour should then detect those pending actions and make them managed computers.
The ADM template that you posted was used during the FCS beta to add certain registry values that newer builds of the client were looking for that older versions of the server did not yet publish. The RTM (Eval or licensed) version of FCS automatically publishes those registry keys to any FCS console base policy deployment. Therefore the ADM file should no longer be necessary for FCS clients to receive those registry values.
2. Now, Forefront Client Security server has only 1 computer reporting which I think is the server itself. (BY THE WAY HOW WOULD U KNOW THE COMPUTER NAMES REPORTING TO THE FCS SERVER????)
You should be able to view the machines via the MOM Admin console you are using below.
3. No computers are on the pending on MOM.
The problem here is likely that you have changed the name of your FCS server. Unless you have changed the client’s configuration they are still pointing to the old server name and trying to reach it. You can change the client configuration by either opening the MOM 2005 Agent in Add/Remove programs and changing the server name for the configuration group. Or you can remove the MOM agent entirely, and run clientsetup.exe again.
ClientSetup.exe should reinstall the MOM agent using the values found in the registry keys described above. Those values are only read by clientsetup.exe however, they are not constantly monitored by FCS and used to remotely control which FCS collection server the MOM agent is pointed to.
4. I removed the FCS client on one of my servers to check if it will reinstall itself when it gets updated. But I see on WSUS that this server is already 100% installed and the Forefront updates are Not applicable (of course) since FCS is not there.
Please ensure that all three components (FCS antimalware, FCS Security Assessment, and MOM agent) are removed. Also make sure that the machine is properly receiving the FCS policy values published by the console. Then run “wuauclt /detectnow”. This should force a detection cycle to the WSUS server.
Thanks,
Craig
To Craig & Johan,
Many thanks!
I was able to resolve the forefront console using both your suggestions.
1. Running ClientSetup.exe again with MS and CG parameters.
2. Restarting MOM service
3. Reapproving to MOM Admin console.
Regards,
Joel
Hi Craig,
Is there any way to do the change of MOM configuration by a script, policy or something like that?
I have been testing Forefront on 30 computers, but now I want to migrate them all to the production server. These computers are already in the WSUS server but I cannot make them report to the MOM Server.
I put a policy in the Active Directory and changed the registry values but it did not work.
Thanks
Yes, you have a couple options:
1. Uninstall the FCS and MOM agent and let them be deployed by WSUS
2. Manually via Add/Remove Programs by choosing Modify on the MOM Agent
3. Call the MOMAgent.msi from the command line to invoke the same changes as Add/Remove Programs.
Since #3 is probably the closest to what you are looking for, see the MOMAgent command line reference at http://www.microsoft.com/technet/prodtechnol/mom/mom2005/Library/e830c5cb-8a68-4c61-8ac2-9edbc69a315e.mspx
You could do something similar to:
MsiExec.exe /I{F692770D-0E27-4D3F-8386-F04C6F434040} /norestart /qn /l*v "%temp%\MOMReinstall.log" CONFIG_GROUP="ForefrontClientSecurity" CONFIG_GROUP_OPERATION="ModifyConfigGroup" MANAGEMENT_SERVER="NewServer.corp.com" AM_CONTROL="Full" REQUIRE_AUTH_COMMN=1 REINSTALL="ALL"
Hope this helps,
Craig
Hi Craig,
Thanks for the tips.
It works fine in Windows XP, but in Windows Vista it does not send any error but does not change the values of ConfigGroup or the Management Server. Do you have a solution for this?
Regards,
Please ensure you are running from an elevated command prompt on Vista. If that doesn't work investigate the %temp%\MOMReinstall.log.
Thanks,
Craig
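The msiexec command and the elevation check from Craig's two replies, combined into one script as an added example that is not part of any post in this thread. The product code, MSI properties, log path and policy registry key are taken from the posts; the parameter names, the input validation and the exit-code and log handling (standard Windows Installer behaviour) are assumptions of this example.

```powershell
# Added example, not from the thread. Parameter names are illustrative.
param(
    [ValidatePattern('^[A-Za-z0-9.-]+$')]
    [string]$ManagementServer = 'NewServer.corp.com',   # sample name used in the thread
    [ValidatePattern('^[A-Za-z0-9_-]+$')]
    [string]$ConfigGroup = 'ForefrontClientSecurity'
)

# The thread reports "no error, no change" on Vista; the first check is elevation.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$me = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator".'
}

# Show what the FCS policy has published to this machine (key from the ADM template).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol) {
    "Policy MOMServerName = $($pol.MOMServerName); MOMGroupName = $($pol.MOMGroupName)"
} else {
    "No FCS policy values found under $polKey"
}

# Same command line as in the reply above, with a verbose log for troubleshooting.
$log = Join-Path $env:TEMP 'MOMReinstall.log'
$msiArgs = @(
    '/I{F692770D-0E27-4D3F-8386-F04C6F434040}', '/norestart', '/qn',
    "/l*v `"$log`"",
    "CONFIG_GROUP=`"$ConfigGroup`"", 'CONFIG_GROUP_OPERATION="ModifyConfigGroup"',
    "MANAGEMENT_SERVER=`"$ManagementServer`"", 'AM_CONTROL="Full"',
    'REQUIRE_AUTH_COMMN=1', 'REINSTALL="ALL"'
)
$p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but reboot required, 1641 = success and reboot started.
if (@(0, 3010, 1641) -contains $p.ExitCode) {
    "msiexec succeeded (exit code $($p.ExitCode))"
    # The verbose log dumps final property values; confirm the new settings were used.
    Select-String -Path $log -Pattern 'Property\([SC]\): (MANAGEMENT_SERVER|CONFIG_GROUP) ' |
        ForEach-Object { $_.Line }
} else {
    "msiexec failed (exit code $($p.ExitCode)); failing actions from ${log}:"
    # "Return value 3" marks the action that aborted the install.
    Select-String -Path $log -Pattern 'Return value 3' -Context 5, 0
    exit $p.ExitCode
}
```

After a successful run the agent still has to be approved under pending actions in the MOM admin console, or picked up by the hourly FCS auto-approval script, as described earlier in the thread.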
- My situation was slightly different. I wanted to install a clean copy of FCS on a new server. I uninstalled FCS from the old server and installed it on a new server without any want to preserve the old settings or database. I ended up with all of my clients not being able to report.
I ran Craig's script and it fixed it. All is good now.
I just wanted to say thanks, I was not looking forward to manually uninstalling and reinstalling hundreds of FCS clients.

