A device which is not part of this management group has attempted to access this Health Service.

    Question

  • Has anyone found an answer to this yet? I have uninstalled/reinstalled the agents both manually and through the push. Rebooted the client, rebooted the SCE server. Forced the group policy to reapply, forced the health agent to /reportnow and I still get the error. The client shows up under the agent managed section, but under the health state column it shows not monitored. The clients can ping the SCE server by FQDN and RDP to it as well, so name resolution is working fine.

    On the SCE server I get this in the log
    Event Type: Information
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 20000
    Date:  6/25/2009
    Time:  10:09:40 AM
    User:  N/A
    Computer: *******
    Description:
    A device which is not part of this management group has attempted to access this Health Service.
    Requesting Device Name : *****

    And this

    Event Type: Information
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 21042
    Date:  6/25/2009
    Time:  10:25:14 AM
    User:  N/A
    Computer: ***********
    Description:
    Operations Manager has discarded 1 items in management group Servername_MG, which came from $$ROOT$$.  These items have been discarded because no valid route exists at this time.  This can happen when new devices are added to the topology but the complete topology has not been distributed yet.  The discarded items will be regenerated.


    On the client I get
    Event Type: Error
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 20070
    Date:  06/25/2009
    Time:  10:06:13 AM
    User:  N/A
    Computer: ******
    Description:
    The OpsMgr Connector connected to ****** but the connection was closed immediately after authentication occured.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

    And this as well

    Event Type: Error
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 21016
    Date:  06/25/2009
    Time:  10:06:18 AM
    User:  N/A
    Computer: ******
    Description:
    OpsMgr was unable to set up a communications channel to **** and there are no failover hosts.  Communication will resume when ******* is both available and allows communication from this computer.

    And this

    OpsMgr has no configuration for management group Servername_MG and is requesting new configuration from the Configuration Service.

    Thursday, June 25, 2009 2:29 PM

Answers

  • Thanks David,
    We finally opened a case with MS. The problem was we had some orphan machines in our SCE database. Apparently SCE doesn't handle this situation very well and did not let any other machines talk to the SCE server or join the SCE group until they were removed. The orphan machines did not show up in the console, but they were encrypted in a table.

    If anyone is interested I can email them the script that I was sent to detect and correct this issue.

    Thursday, November 12, 2009 2:48 PM
  • Hey Nathan,

    Yea I have sent the script to everyone that has asked for it. I don't know if it's helped anybody else as no one has given me any feedback either way.

    I guess I can post it here for everyone to use.
    Please keep in mind that if you use this script from MS it's at your own risk. If your DB blows up, massive catastrophic failure ensues and so forth, IT'S YOUR OWN FAULT. MAKE SURE YOU HAVE GOOD BACKUPS

    Step 1) Run this against your SCE 2007 DB

    -- Walk every non-deleted row of BaseManagedEntity in internal-id order.
    DECLARE @BaseManagedEntityInternalId int
    DECLARE @BaseManagedEntityId uniqueidentifier
    DECLARE @ViewName sysname
    DECLARE @Statement nvarchar(max)

    SET @BaseManagedEntityInternalId = 0

    -- The IsDeleted = 0 filter matches the SELECT below; without it the loop
    -- never ends when the highest remaining ids belong to deleted rows.
    WHILE EXISTS (SELECT * FROM BaseManagedEntity
                  WHERE (BaseManagedEntityInternalId > @BaseManagedEntityInternalId)
                  AND (IsDeleted = 0))
    BEGIN
        -- Fetch the next entity and the name of the view for its managed type.
        SELECT TOP 1
            @BaseManagedEntityInternalId = bme.BaseManagedEntityInternalId
            ,@BaseManagedEntityId = bme.BaseManagedEntityId
            ,@ViewName = met.ManagedTypeViewName
        FROM BaseManagedEntity bme
        JOIN ManagedType met ON (bme.BaseManagedTypeId = met.ManagedTypeId)
        WHERE (bme.BaseManagedEntityInternalId > @BaseManagedEntityInternalId)
        AND (bme.IsDeleted = 0)
        ORDER BY bme.BaseManagedEntityInternalId

        -- Build dynamic SQL that prints "<GUID> <view name>" when the entity
        -- has no row in the view of its managed type.
        SELECT @Statement = 'IF NOT EXISTS (SELECT * FROM ' + QUOTENAME(@ViewName)
            + ' WHERE BaseManagedEntityId = ''' + CAST(@BaseManagedEntityId AS varchar(50)) + ''')'
            + ' PRINT ''' + CAST(@BaseManagedEntityId AS varchar(50)) + ' ' + @ViewName + ''''

        EXECUTE(@Statement)
    END

    STEP 2)

    If your problem was the same as mine you should get some GUIDs returned. (For example 93790c0B-09C4-3A4D-CE72-F4E3Dd917D78 MTV_DeploymentSettings)

    Using the GUID that we got in the output file,
    execute the query given below:

    ==========================
    select fullname
    from basemanagedentity
    where basemanagedentityid = '<GUID>'
    ==========================

    Verify that the device or the object mentioned in the above output is not displayed in the Operations console.

    Only if the object is not displayed, use the query given below to delete it from the database.

    ==========================
    update basemanagedentity
    set isdeleted = 1
    where basemanagedentityid = '<GUID>'
    ==========================

    Before executing the above query please ensure that you have a backup of the database. Also note that you need to run the above query only in case you do not see the object in the Operations console.

    After executing this query, run this stored procedure:

    ==========================
    exec p_Detectandfixinstancespaceinconsistencies
    ==========================

    Once it is done:
    > Stop all three OpsMgr services: health, Config and SDK on the Management Server.
    > Clear the health service state folder.
    > Start all three OpsMgr services: SDK, Config, and health on the Management Server.
    > Wait for 30 minutes and see if the agents start getting monitored.




    I hope this helps everyone

    Wednesday, December 02, 2009 1:47 PM

All replies

  • Hello,

    I noticed the last sentence. Did you run the Feature Configuration Wizard after installing SCE?

    Generally, when the Feature Configuration Wizard was run and Domain Policy mode was selected, a security group named “SCE Managed Computers (<Management Group Name>)” and two Group Policy objects named “SCE Managed Computers Group Policy” and “System Center Essentials All Computers Policy” should be created in Active Directory.

    You can recreate it by rerunning the Feature Configuration Wizard.

    1. Delete any SCE GPO from AD.

    2. Run the command line below on the SCE server:

        SCECertPolicyConfigUtil.exe /ManagementGroup <MGName> /uninstall

    3. Confirm that the Registry key is removed:

        HKLM\Software\Microsoft\System Center Essentials\1.0\PolicySettings

    4. Run the Feature Configuration Wizard again and configure a domain-level Group Policy.

    5. Confirm that the Management Group is created.

    Hope it helps. Thanks.

     
    Yog Li - MSFT
    Monday, June 29, 2009 10:10 AM
    Moderator
  • Before you install the agents manually, have you checked Global Settings (Administration --> Settings-->Server) to ensure you have configured security to not reject manual agent installations? They are rejected by default, and will result in some of the error messages you see above.
    Pete Zerger, MVP-OpsMgr and SCE | http://www.systemcentercentral.com
    • Proposed as answer by VictorYKR Friday, March 09, 2012 7:20 PM
    Wednesday, July 01, 2009 7:53 AM
  • Yog,

    The Feature Configuration Wizard was already run. I have 100 desktops in the group functioning just fine; it's just one desktop that's getting the above message.
    The desktop is the exact image/hardware/SP/patch level as all the other desktops that are working just fine.

    Wednesday, July 01, 2009 1:54 PM
  • Thanks Pete. Yeah, I have the SCE server set to allow all manual installs.
    Wednesday, July 01, 2009 1:55 PM
  • Hi,

    Is there any other error message logged, such as 20067 or 21002? If yes, it could be the problem of Mutual Authentication. Please navigate to the C:\Program Files\System Center Essentials 2007\Certificates directory on the Agent, verify if there are two files: WSUSSSL.cer and WSUSCodeSigning.cer.


    Please also check the following conditions if the certificates are correct:

    1. Verify that the affected computer is in the SCE_Managed_Computers group:

    a. Open Active Directory Users and Computers <DSA.MSC>

    b. View the OU that contains one of the computers that is experiencing the issue

    c. Open the properties of the Computer

    d. Select the "Member Of" tab.

    e. Verify that SCE_Managed_Computers is listed here. If not, add the computer to the SCE_Managed_Computers group.

    f. Log the client off of the network, then log the client back on.

    g. Restart the OpsMgr Health Service on the client.

    2. Check whether duplicate SPNs are there or missing, using the following query command:

    ldifde -f C:\*.txt -t 3268 -d dc=domain,dc=com -l serviceprincipalname -r (serviceprincipalname=*) -p subtree

    In the above command, replace DC=domain,DC=com with the DN of the domain 

    If you find and remove duplicate SPNs, use setspn -D to delete all of the HealthService SPNs. Then, restart OpsMgr Health Service on the management server and let it register its SPNs with the correct logon account. For example: 

    Using the example above, the setspn -D commands would be as follows:

    setspn -D MSOMHSvc/OPSMGRFA opsmgrfa
    setspn -D MSOMHSvc/OPSMGRFA.ChildDomainA.ForestA.local opsmgrfa
     

    Note: You can find setspn.exe from Windows Server 2003 support tools.


    More information:

    Event IDs 20070 21016 (see end of Body for text to event log errors)
    http://social.technet.microsoft.com/Forums/en-US/systemcenterdeployment/thread/fde0524e-eb67-4b44-9a22-c3cff00b1ffc

    Thanks,


    Yog Li - MSFT
    Thursday, July 02, 2009 10:09 AM
    Moderator
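
One way to review the export that the `ldifde` command in the post above produces, as an added example that is not part of the original thread: it parses the LDIF text and reports every SPN registered on more than one directory object. The sample export, the account and OU names, and the function names are constructed for illustration; SPNs are compared case-insensitively, as Active Directory does.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape of an ldifde export; names are illustrative only.
_B64_SPN = base64.b64encode(b"MSOMHSvc/OPSMGRFA.ChildDomainA.ForestA.local").decode()
SAMPLE_LDIF = f"""\
dn: CN=OPSMGRFA,OU=Servers,DC=ChildDomainA,DC=ForestA,DC=local
changetype: add
servicePrincipalName: MSOMHSvc/OPSMGRFA
servicePrincipalName: MSOMHSvc/OPSMGRFA.ChildDomainA.ForestA.local
servicePrincipalName: HOST/OPSMGRFA

dn: CN=svc-opsmgr,OU=Service Accounts,DC=ChildDomainA,DC=ForestA,DC=local
changetype: add
servicePrincipalName: msomhsvc/opsmgrfa
servicePrincipalName:: {_B64_SPN}

dn: CN=DESKTOP01,OU=Workstations,DC=ChildDomainA,DC=ForestA,DC=local
changetype: add
servicePrincipalName: HOST/DESKTOP01
servicePrincipalName: HOST/DESKTOP01.ChildDomainA.Fores
 tA.local
"""


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_value(line):
    """Split 'attr: value' or 'attr:: <base64>' into (lower-cased attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # double colon marks a base64-encoded value
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    else:
        value = rest.strip()
    return attr.strip().lower(), value


def spn_owners(text):
    """Map each SPN (case-folded) to the set of DNs that carry it."""
    owners = defaultdict(set)
    dn = None
    for line in unfold(text):
        if not line.strip():          # blank line ends the current record
            dn = None
            continue
        if line.startswith("#") or ":" not in line:
            continue                  # comment or malformed line
        attr, value = parse_value(line)
        if attr == "dn":
            dn = value
        elif attr == "serviceprincipalname" and dn:
            owners[value.casefold()].add(dn)
    return owners


def duplicate_spns(text, service_class=None):
    """Return {spn: sorted DNs} for SPNs held by more than one object.
    service_class (for example 'MSOMHSvc') limits the report to that class."""
    prefix = service_class.casefold() + "/" if service_class else ""
    return {spn: sorted(dns) for spn, dns in spn_owners(text).items()
            if len(dns) > 1 and spn.startswith(prefix)}


if __name__ == "__main__":
    for spn, dns in sorted(duplicate_spns(SAMPLE_LDIF, "MSOMHSvc").items()):
        print(spn)
        for dn in dns:
            print("    " + dn)
```

To use it on a real export, read the file written by `ldifde -f` and pass its text to `duplicate_spns` in place of `SAMPLE_LDIF`.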
  • OK, here is a new twist: after a long weekend the machine finally showed up as being managed and all of the event log error messages have disappeared.
    Now, however, the PC is in the "All Computers" group but not in the "All clients" default group or the "windows xp" group that I created.

    Any ideas as to why it took about a week for it to show up as being managed and why it's not showing up in the proper groups?
    Monday, July 06, 2009 3:13 PM
  • Hi,

    I have met a similar issue. Please delete all Network Devices from Administration space -> Device Management -> Networked Devices and reinstall agents to see if the issue is resolved.

    It seems like a bug of the SCE Network Device MP. You can download and install the latest version of Network Device Monitoring Library MP from the link below:

    Microsoft System Center Network Device Monitoring Management Pack for System Center Essentials 2007 SP1 (KB960569)
    http://www.microsoft.com/downloads/details.aspx?FamilyID=8200e405-f871-4f19-a991-0411285fcbe5&displaylang=en

    Thanks,
    Yog Li - MSFT
    Wednesday, July 08, 2009 11:03 AM
    Moderator
  • Yog,

    There are no devices under the "network devices" section in Administration space -> Device Management -> Networked Devices.
    All of the computers are under the "agent managed" section.

    Wednesday, July 08, 2009 1:24 PM
  • Yog,

    Any ideas on this? Any new computers I add to the domain are showing up as not monitored. The 100 or so original PCs are working fine.

    In the SCE server I get:

    Event Type: Information
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 20000
    Date:  8/11/2009
    Time:  5:23:31 PM
    User:  N/A
    Computer: *******
    Description:
    A device which is not part of this management group has attempted to access this Health Service.
    Requesting Device Name : ******

    On the clients I get
    Event Type: Error
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 20070
    Date:  08/11/2009
    Time:  5:29:17 PM
    User:  N/A
    Computer: ******
    Description:
    The OpsMgr Connector connected to ********* but the connection was closed immediately after authentication occured.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

     

    Tuesday, August 11, 2009 9:34 PM
  • Hello,

    Sorry, I have no more ideas on this issue except what I posted before. I would suggest contacting CSS to start a case if possible.

    Microsoft System Center Essentials 2007
    https://support.microsoft.com/oas/default.aspx?&c1=508&gprid=12684

    Hope it helps,


    Yog Li - MSFT
    Wednesday, August 12, 2009 12:18 PM
    Moderator
  • Hi jc23,
    Have you solved this problem? Our customer has to solve the same issue.

    Thanks Jan
    Friday, September 25, 2009 9:48 AM
  • Hi Jan.

    Open the System Center Operations Console, go to the Administration area, right-click on the management server or gateway server that you want, click on Properties, and on the Security tab select this option: "Review new manual agents installation in pending management view"

    Hope this works. (Worked for me :) )

    David C.
    Wednesday, November 11, 2009 6:21 PM
  • JC23,
    Can you send me the script you used to resolve your issue.
    I would greatly appreciate it. mtaylor@tsocorp.com
    Thanks,
    Matt
    Friday, November 13, 2009 10:39 PM
  • Hi JC23,

    Can you send it to me as well please? giga.michael @ gmail.com

    We put our RMS and MS into maintenance mode for our patch weekend and then installed 78 new agents. I believe it is due to the RMS being in maintenance mode that the health service doesn't register the new agents properly. I need to remove the entries from the database and I think a reinstall will fix it as at the moment it doesn't help.

    Thanks - I hope you can save me =)

    Thanks,
    M
    Saturday, November 14, 2009 6:57 PM
  • Matt and Michael

    I have emailed you both the MS scripts. Let me know how it works out for you.
    Monday, November 16, 2009 2:32 PM
  • jc23,

    Please send me the script as well: bonysmokes@yahoo.com

    I suspect that I'm having the same issue. For a while, I was seeing phantom servers -- servers that used to be connected but were removed. Now I'm trying to add servers with the same name but cannot.

    Hopefully your solution helps.

    Thanks either way!

    -Bony
    Monday, November 23, 2009 5:26 PM
  • Hello

    Can you send me also the script 
    fabrice@softrix.fr



    ds
    Thursday, November 26, 2009 8:48 AM
  • Hi jc,
    can you please post me a copy of that script also?

    fitzyhayden@hotmail.com
    Monday, November 30, 2009 2:12 AM
  • Hi JC,
    Can you please email me a copy of that script?
    Thanks in advance!  markcervantes@live.com

    Mark
    Tuesday, December 01, 2009 5:06 PM
  • Hi JC,

    Hopefully you are still listening to this thread, as it appears more people are affected by this issue.

    I have logged a PSS call and they don't know anything about this script!  Could you please send me this script or perhaps post it here so we can just see what it does?

    The MS guy just claimed the script may have been running a powershell command, Get-AgentPendingAction, however I expect it actually does some SQL queries to find the orphaned entries in the  database.

    littlenath AT Hotmail.com

    Thanks

    Nathan
    Wednesday, December 02, 2009 4:53 AM
  • Hi JC,

    Could it be the script got mixed up by posting it to the forum?
    I mean like the quotes got mixed up or something?

    When I copy the script and paste it into a SQL query, the part below is mixed up, I think...

    Can you edit your post and put the script into a SQL code box like below?
    Thanks,

    SELECT @Statement = 'IF NOT EXISTS (SELECT * FROM ' + QUOTENAME(@ViewName) + '
    WHERE BaseManagedEntityId = ''' + CAST(@BaseManagedEntityId AS varchar(50)) + ''')

    PRINT ''' + CAST(@BaseManagedEntityId AS varchar(50)) + ' ' + @ViewName + ''''

    Thursday, December 03, 2009 3:07 PM
  • Thank you so much JC!

    The above query was recommended to me by PSS this morning.  Running this query takes some time (around 40 min).  It spat out a single GUID.

    After following your repair notes,  I now have a very healthy SCOM Agent view.

    Thanks again

    Nathan
    Monday, December 07, 2009 3:26 AM
  • Glad it helped.
    Monday, December 07, 2009 7:07 PM
  • Thanks, it works.

    Friday, March 09, 2012 7:20 PM
  • Thanks David,
    We finally opened a case with MS. The problem was we had some orphan machines in our SCE database. Apparently SCE doesn't handle this situation very well and did not let any other machines talk to the SCE server or join the SCE group until they were removed. The orphan machines did not show up in the console, but they were encrypted in a table.

    If anyone is interested I can email them the script that I was sent to detect and correct this issue.

    Hi, I think I have the same situation. Some machines that were working in one domain and then moved to another trusted domain started to show this error. They were being monitored OK before the move to a different domain.

    Can you email me at Lance_lyons@onlifehealth.com

    Thanks.


    Thanks Lance

    Friday, August 02, 2013 9:31 PM
  • It looks like some table names have changed in SCOM 2012.  Does anyone know which table names to use?  The problem ones are BaseManagedEntity and BaseManagedEntityInternalId.
    Tuesday, December 17, 2013 7:31 PM