System Center Configuration Manager TechCenter >
System Center Configuration Manager Forums
>
Configuration Manager General
>
Configuration manager did not create objects for the AMT computers in the AMT OU in AD
Configuration manager did not create objects for the AMT computers in the AMT OU in AD
- Hello All,
we are experiencing the following problem:
we have MS SCCM 2007 SP1 R2 central site installed on windows 2008 SP2 enterprise with SQL Server 2008 Enterprise and using internal CA for our AMT machines. We have entered manually the certificate hash in the client machines.
What we experiencing is that we don't see any computer in the AMT OU in AD (it is empty!).
We have successfully provisioned some computers and we can stop and start them using SCCM, but we can't connect to them using the Out of band management console or through the web interface. We have granted full access to the AMT OU and all child objects as required according the documentation to the Primary Site servers group(we have followed Quick Start Install Guide for SCCM SP1 Rev1.9.1 ).
We have made also the required change in the registry according to the KB908209 (for the web based connection) and also tried to start the out of band management console from the central site, where the required patch KB960804 is installed.
A look in the amtopmgr.log give us no error, related to the AMT OU in the AD container. The error in the OOBConsole.log is the following:
==================================
GetAMTPowerState fail with result:0x80070035
==================================
When we tested the AMT technology in our test environment, we have in the AMT OU the computers which was provisioned.
So if anyone has a clue how can we solve this problem, please let us know.
Thanks in advance.
With best Regards
Kin
Answers
- Ok,
we have opened a ticket in Microsoft and here what they said:
==================================================
“We do not support disjoint namespaces with AMT and ConfigMgr SP1. Those types of scenarios were not tested and as we’ve now discovered, may have problems associated as well. At this time there is no support for this configuration with ConfigMgr SP2 either. However we will investigate what it would take to offer that support and make a determination at a later date”
“The answer to this problem would be to allow your clients to register in the correct DNS namespace that matches up to your AD LDAP path specified.”
==================================================
With best regards,
Kin- Marked As Answer byKindim Thursday, November 05, 2009 2:04 PM
All Replies
- Hi Kin,
Could you please try the following steps on your SCCM server:
1. Opening the SCCM Administrator Console.
2. Expanding Site Database -> Site Management -> SITE -> Site Settings -> Component Configuration.
3. Right-click "Out of Band Management" and select Properties.
4. Select the "AMT Settings" tab.
5. Under "AMT user accounts" select the new icon.
6. Select the Browse button, then select a group or user account to give access.
7. Customize the level of access by selecting "Supported AMT Features" appropriate to the user selected.
8. Select OK twice.
9. Expand Computer Management -> Collection and select the collection containing the target client.
10. Right-click on the client and select "Out of Band Management" -> "Update Provisioning Data in Management Controller Memory".
11. Select OK and then allow a few moments for changes to be updated.
12. Right-click on the client and select "Out of Band Management" -> "Out of Band Management Console".
13. Verify that status is connected and fields are populated.
14. OOBConsole.log should show:
[6][11/11/2008 5:09:46 PM] :GetAMTPowerState success with 2. - Hello Eric,
thanks for the advise. We have tried this, but without success. The container in AD for AMT is still empty and we can't login on the machine though the Web interface or using out of band management controller. In the troubleshooting guide from intel (SCCM_Troubleshooting_Guide.pdf ) is pointed that the Kerberos ticket size should not be more than 4Kb.
We are not so sure how to check this using the TOKENSZ tool recommended from this article and if this can be issue on the AMT OU group memberships.
Thanks in advance.
With best regards
Kin - Ok,
we have found the error in the :
======================================================================
CActiveDirectoryUtils::CreateObject - failed to get container.The resource loader cache doesn't have loaded MUI entry. AD Task - CreateObject failed. FQDN: <FQDN name>, ADDN: OU=Out of Band Management Controllers,OU=Computers,OU=Staging,OU=BG,DC=bg,DC=<firmname>,DC=com, UUID: 81E49682-C94A-CB11-86BE-CDDFBEF1E458, AMT Version: 4.0.8. STATMSG: ID=7602 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_PROXY_COMPONENT" SYS=<computer name> SITE=<code> PID=10216 TID=1024 GMTDATE=Wed Sep 23 09:58:57.191 2009 ISTR0="<FQDN name>" ISTR1="OU=Out of Band Management Controllers,OU=Computers,OU=Staging,OU=BG,DC=bg,DC=<firmname>,DC=com" ISTR2="81E49682-C94A-CB11-86BE-CDDFBEF1E458" ISTR3="4.0.8" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 Failed to run instruction: ADT CREATE;<FQDN name>;OU=Out of Band Management Controllers,OU=Computers,OU=Staging,OU=BG,DC=bg,DC=<firmname>,DC=com; Finished Executing Instruction: ADT CREATE;<FQDN name>;OU=Out of Band Management Controllers,OU=Computers,OU=Staging,OU=BG,DC=bg,DC=<firmname>,DC=com;
======================================================================
Our domain is europe.<firmname>.com and our DNS suffix for the country is bg.<firmname>.com and here in my opinion configuration manager is trying to find Domain Controller BG, but our domain is EUROPE not BG.
So has anyone a clue how can we fix this, if it is possible at all.
Thanks in advance.
With best regards,
Kin - Ok,
we have opened a ticket in Microsoft and here what they said:
==================================================
“We do not support disjoint namespaces with AMT and ConfigMgr SP1. Those types of scenarios were not tested and as we’ve now discovered, may have problems associated as well. At this time there is no support for this configuration with ConfigMgr SP2 either. However we will investigate what it would take to offer that support and make a determination at a later date”
“The answer to this problem would be to allow your clients to register in the correct DNS namespace that matches up to your AD LDAP path specified.”
==================================================
With best regards,
Kin- Marked As Answer byKindim Thursday, November 05, 2009 2:04 PM
- We updated the documentation to clarify that this feature does not support a disjointed namespace - both in "Prerequisites for Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161785.aspx) and as a troubleshooting entry ("Configuration Manager Fails to Provision Computers with a Disjointed Namespace" in http://technet.microsoft.com/en-us/library/cc161803.aspx).
- Carol
This posting is provided “AS IS” with no warranties and confers no rights
