Why is SCE 2007 removing computers from the AD management group?
-
Thursday, May 17, 2012 3:58 PM
Recently (within the last week or so), our SCE has stopped accepting new clients (SCE 2007, Windows Server 2008 R2).
If I do a Discover and install the agent that way, it deploys, I get one round of updates on the client and then it tells me that it's not set up to check for updates.
Looking in AD, the machine isn't in the SCE Managed Computers group. If I add it manually, it disappears in less than 5 minutes.
I've tested new deployments, and SCE is adding the machine to the group upon agent install, but then again, the machine isn't in the group 5 minutes later.
This happens with Windows 7 x64 and x86 client machines.
I have never successfully installed a client manually. I've tried, but only on machines that already have issues due to the console deployment method failing.
Any ideas? There isn't some sort of limit for the number of agents or anything?
Thanks :)
All Replies
-
Monday, May 21, 2012 9:24 AMModerator
Hello Gareth,
SCE 2007 cannot manager more than 30 servers and 300 clients by design. And you need enough licenses to manage these computers. How many computers have been managed and how many licenses have been purchased and imported?
Did you change any user privilege/password recently?
Also, please check if the following GPOs were not applied because they were filtered out by a wrong policy:System Center Essentials All Computers Policy
SCE Managed Computers Group PolicyFor your information, please refer to a similar thread here:
SCE 2010 Group Policy
http://social.technet.microsoft.com/Forums/en-US/systemcenter/thread/ac2ca6e3-f9d2-4e57-b4d7-7be9c6601f58Thanks,
Yog Li
TechNet Community Support
- Marked As Answer by Yog LiMicrosoft Contingent Staff, Moderator Monday, June 04, 2012 10:29 AM
-
Tuesday, May 22, 2012 8:11 AM
Thanks for getting back to me.
First question then is how do I check how many licenses I have?
The Agent Managed screen shows 277 total devices, but I'm unsure as to how many we're licensed for.We haven't changed any user privileges or passwords recently.
On a sample machine, I'm getting System Center Essentials All Computers Policy" under "Applied Group Policy Objects" and SCE Managed Computers Group Policy (SCE_MG) under "the following GPOs were not applied because they were filtered out.
I've even tried deleting a few unused machines from the Agent Managed screen, but to no avail.
So yeah, how do I check on license usage?
Thanks.
EDIT: Ok, it says I'm using 234 client licenses and 44 server licenses, but I still don't know how to check how many licenses we've got in total.- Edited by Gareth Turner Tuesday, May 22, 2012 9:04 AM Update
-
Thursday, May 24, 2012 9:49 AMModerator
Hello Gareth,
The Administration Overview pane displays the current Essentials license count and a link to purchase additional licenses.
Purchased editions of Essentials 2010 are configured to support up to 500 client operating system environments and 50 server operating system environments. During a discovery operation, if the number of discovered computers exceeds the number of managed computers for which you have client licenses, agents are still deployed to the discovered computers; however, those computers will be shown in the Pending Management list in the Administration workspace, and Essentials 2010 does not manage them until you remove agents from other computers to make licenses available for the new computers.
More important, the policy "SCE Managed Computers Group Policy (SCE_MG)" should NOT be filtered out and NOT applied. This policy must be applied, or the agents will not report its status to the Essentials management server.
To check Group Policy configuration on the managed computer
- Registry Editor and navigate to HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. Verify that the WUServer and WUStatusServer values are set to https://<FQDN of your Essentials server>:8531. If the values are set to the Essentials management server, try the workaround to check the Windows Update log instead, otherwise continue to step 2.
- SCE Managed Computer <management group name> security group located in the Users container in your Active Directory domain. If the computer is not a member of this group, add the computer to the security group, and then restart the managed computer.
- gpresult.exe /v on the managed computer to determine if the computer is receiving the SCE Managed Computer <management group name> Group Policy. If the computer is not applying the policy, see Troubleshooting Group Policy in Microsoft Windows Server (http://go.microsoft.com/fwlink/?LinkId=199025).
Thanks,
Yog Li
TechNet Community Support
-
Monday, May 28, 2012 3:07 PM
Hi,
Apparently it is 2010, although some of the componants it referrs to are 2007, hence my earlier confusion. So we've definitely got enough licenses.On my test computer the SCE Managed Computers Group Policy (SCE_MG) policy is Not Applied (Unknown Reason), although I'm fairly sure that the reason is it's not in the SCE Managed Computers group.
To answer your questions:
1. There is no \WindowsUpdate in the Microsoft key in the registry. According to the WindowsUpdate.log, Server URL = https://www.update.microsoft.com/v6/ClientWebService/client.asmx
2. I have done this a few times. The computer disappears out of the group within 30 minutes.
3. The computer is not receiving the policy, as it's not in the SCE Managed Computers group.
I don't think this is a group-policy or Active Directory problem, as all computers that were in the group before a couple of weeks ago are still there and recieving updates.
.png)
