Computers not showing up in FCSMC / Clients definition don't install automaticly
As stated in the headline I have a couple of problems:
1. NO computers showing up in FCS Management Console (number of managed computers = 0)
2. Client agent definition updates are not Automaticly installed after download from WSUS. FCS agent are in a warning state and the Automatic Update warning icon states that forefront updates are ready to install.
My setup is FCS 2 topolygy:
Server 1: Reporting, management console, databases etc.
Server 2: Distribution (WSUS 3.0 with SP1)
What I have done is:
-
Follow the deployment guide for a 2 topology line after line.
-
On the WSUS server:
-
Selected the Forefront product category
-
Enabled the Automatic approval
-
Manually approved the forefront agent for installation (had to accept the license thingy)
-
-
I made a WSUS policy for servers and clients with this things, among others:
-
Configure Automatic Updates Enabled
Configure automatic updating: 4 - Auto download and schedule the install
Scheduled install day: 0 - Every day
Scheduled install time: 05:00 -
Allow Automatic Updates imidiate installation - Enabled
-
Changed the update service location to the WSUS server
-
Applied it to all relevant computers
-
Updates seems to be installed, and the computers restarted when necessary (at night)
-
-
I made a FCS policy (in management console) with the following:
-
Full scan once a week and quick scan every day
-
Check for updates before scanning
-
I also ran the GPMC modeling tool to check that the policies was applied.
The updates are not installed automatically, except from around 5 am.
Is there something I have forgotten here? You have to do this manually??
-
Todas las respuestas
Hello!
I'll start with question 2.
I do belive you have forgotten to enable a automatic update setting in your WSUS policy.
"allow automatic update immediate installation" has to be enabled. If not enabled the definition updates will follow the scheduled time for installation.
Question 1..
Have you created a policy in the FCS main console and deployed that policy to your clients? Without it, no clients will install and no clients will pop up in the managment console.
Hope this helps!
/Johan
I did enable immediate installation policy. I've added it to my original post.
Ran rsop.msc on client and a server just to confirm. The correct wsus settings is in place.
I have made 2 forefront policies through the management console. One for clients and one for servers. Difference just in amount of admin priveleges. I deployed both to it's right OU with machine accounts.
When checking in GPMC on my DC, the policy is applied to the correct OU's but it's only authenticated users that is set under Security Filtering. Non the less the extra registry settings are applied to the computers. Checked again with the rsop. Most of my clients and servers have installed the FCS agent, except for the WSUS server...
The only agent updating without user intervention is the FCS management server it self.
I'll just add that this is all servers and klients run on a Virtual Host (vmware server).
I have the exact same situation with client definitions not instralling/downloading from my WSUS V3.0 SP1 server. I'm not using FCSMC yet.
I can see the updates are approved for installing and other non-forefront updates get installed.
Forefront client always says there are no updates and is running with the built in definitions from 2006.
I have two instances, W2008x64 server with hyper-V and a W2008 x86 without Hyper-V VM in that server.
Group Policy is set to install updates immediately.
No errors logged anywhere I can find.
Cheers,Mark
- I had a hard time with that one, but finally saw the problem:
A friggin "User license agreement"!
Aaaargh! If there had been a Microsoft person next to me at that time I think he would be very nervous.
The agreement for the FCS agent have to be accepted, or else it will never install.
I don't remember the exact steps, but you have to accept the Agreement in the WSUS management. Select the FCS agent component and play around.
Things like this should be better documented in deployment guide!
By the way. I STILL have no computers showing up in the management console.
Any clue as to why?? The agreement is accepted when you approve the update in the WSUS. Had done that. It seems like the UPDATE NOW feature just doesn't work in forefront. My group policy enbales immediate update and every update that wasn't for forefront got applied immediately.
The updates had been done automtically by the following morning, forefront only does updates when it suits forefront apparently.
Mr Haugen wrote: I had a hard time with that one, but finally saw the problem:
A friggin "User license agreement"!
Aaaargh! If there had been a Microsoft person next to me at that time I think he would be very nervous.
The agreement for the FCS agent have to be accepted, or else it will never install.
I don't remember the exact steps, but you have to accept the Agreement in the WSUS management. Select the FCS agent component and play around.
Things like this should be better documented in deployment guide!
By the way. I STILL have no computers showing up in the management console.
Any clue as to why??
I have been digging for days to a answer to this problem. I check WSUS and the latest client that superseded the previous needed to have the license agreement accepted. Thanks for the help!- Guy's
Has anyone come up with a fix for the 1st issue as i am currently having the same problem ?
I have set the relevant exceptions in the clients firewalls to allow communication from the clients, i can see the clients in the Administration console as being managed clients and I can push client updates fine, the clients also update correctly via WSUS, I can and have deployed policies from the management console and i can view mom errors within the same console, the clients except the policies fine, but i still can’t see any reports of policy deployments or any managed clients in the management console and getting a little frustrated now, as it all seems like everything is installed correctly and working apart from that one little but important part.
O have also installed some clients using the /MS and /CG switches which installs fine with no errors at all on the desktops, which seems like they can communicate with the management server and group ?
Any ideas or pointers will be appreciated
- Almost have the exact problem. Using SCE to deploy the client, which does get deployed. It does send back an
actual error to the SCE console that the install failed, but client gets installed, and gets updated by the SCE server.
Each client also gets the MOM server info as well as the Group info, so MOM client installs (at least looks like it)
correctly. FCS console, as well as MOM console (on FCS server) do not show any information on the clients
that have the client installed. Could not find any info about how to determine if there is any communication
though. I will say, though, that the client keeps trying to get installed from the SCE server (because the status
is failed), but errors out now because the client on the machine(s) are newer than the one already installed (it
was updated by SCE server). Has anyone found an answer on how to verify communication between clients, and the FCE
console ?
Thanks
Steve - Hi Haugen,
I think for computers to show up in your FFMC, you've to send agent to them in MOM, then they will be part of ur managed systems. Hope it'll help.
Nura - HiI too have this problem but I managed to read up on another forum post that the problem was aimed at MoM and not ForeFront or WSUS.I have a 1 server tropology and 3 testing computers, I have 2 computers being managed by FFCMC (ForeFront Client Management Console) successfully and the other 2 Machines are not showing up.*Edit* i forgot to mention that all client testing machines and the server have the Client security software installed successfully through WSUS.After looking on my MoM Operator console i noticed that the ones that were showing in my FFCMC had all there details showing in MoM and receiving heartbeats while the other 2 machines had no details at all and had a status of Unknown instead of success plus they did not have any heartbeats.What i'm trying to find out now is how to fix this... so i can get it all up and running and start to deploy it out to the rest of the firm.if you have any soluvtions please let me knowThanks :)
- Hello Colin
See, for any computer to show on your FFCMC, it must have MOM agent installed on it. you can do that by pushing the agent directly from your MOM server. Note that you hav to disable the firewall on the clients, sometimes on the server too. or pref open the port 1270. If you need more help, you can let me know.
Nura- Propuesto como respuestaNuratech miércoles, 16 de diciembre de 2009 9:29
Hi Nura
I have managed to get it work since your reply, best way to do it is for a start not to rush the process as it's all automated and may take time depending how often your WSUS box and GP gets updated. The main problems I suggest to look out for is:
1. Make sure all the correct services are running and are automatic on each client computers. (Netlogon, Remote regestry, Bits)
2. Make sure there is no other antivirus on the client machine
3. Make sure your WSUS is fully working and updating correctly
4. Make sure the MoM agent is installed correctly (90% of the time it is)
5. Be Patient :)
We now have 64 / 66 computers managed and all working fine, MoM is working correctly and so is WSUS and FF... happy days
The 2 that are not working are offline and under going repair (complete wipe)
Thanks for your feed back though much appreciated.
Colin H
