none
CcmExec.log Request Failed: 403 Forbidden

    Question

  • I'm having a problem with machines receiving an advertisement.

    ·         The initial issue was that machines were not receiving the FEP advertisement and were reporting back “No Status”

    o   All these machines appeared fine in all other reports such as hardware and software inventories

    o   I discovered that on a sample selection of machines their logs still showed HQG (the old site code) instead of MON (the new site code). I checked this against what the ConfigMgr server and the ConfigMgr console, on the server, said and they all show as MON.

    o   Using the SCCM Right-Click tools addon as well as a Client Actions Tool program I began forcing the clients to change the site code to MON. Being as the machine has to be on and connected to the network in order to force this change it has been slow going.

    o   On the sample selection of machines where I watched their logs while making the change they both accepted it and shortly thereafter processed the FEP advertisement.

    o   I then relaxed and began running the previously mentioned programs to update the site codes on the remaining machines as they connected

    ·         After a few days I noticed that many machines still reported as having “No Status.” This time when looking into a new sample selection of machines (as my previous sample selections had all worked) I saw that they were properly getting the new site code of MON. The only errors I can find in their logs now are in ccmexec.log:

    o   OutgoingMessage(Queue='mp_[http]mp_policymanager', ID={86F63D02-045B-4DB5-AE99-484B7E2E1B82}): Will be discarded (expired).

    o   Request failed: 403 Forbidden

    o   When I use the SCCM Client Actions Tool program to “Get management point” it comes back saying the correct management point.

     

    This is as far as I’ve gotten with troubleshooting. Any help is greatly appreciated.

    Tuesday, January 31, 2012 8:34 PM

Answers

All replies

  • Are both site active?

    Have you defined boundaries?

    Tuesday, January 31, 2012 10:05 PM
  • The SMS server is no longer active and boundaries are defined based on AD Site code.
    Tuesday, January 31, 2012 11:24 PM
  • I had begun to think that it was a certificate issue and had our network admin check it out, as I know nothing of certificates.

    He said that the cert is fine but the problem now appears to be that the clients with problems are not communicating on port 443, only port 80.

    Any ideas on how to move them over to port 443?
    • Edited by Tom Aguero Wednesday, February 01, 2012 3:43 PM
    Wednesday, February 01, 2012 3:42 PM
  • I took a step back and looked at the problem from the top down and realized that I made a foolish assumption. All the clients that are having these issues were not upgraded to SCCM. They are showing version 2.50.4160.2000 instead of version 4.00.6487.2000.

     

    So now the question turns to why they were never upgraded. Since SCCM was installed (by a consultant) there has been a collection of Systems needing client upgrade and a deployment of the client upgrade package targeted to them. I've also just done a client push installation to that collection and it seems to have had no effect thus far. Any ideas?

    Wednesday, February 01, 2012 7:26 PM
  • Hi Tom,

    If you do a push installation to one of the systems in that collection, what does the ccm.log say on the server?  Are you including systems not in the site boundaries when running through the push wizard?  You mentioned that AD Sites are used as boundaries and if you have supernetted subnets in AD, the boundaries may not being interpereted correctly.

    Does it successfully connect to the client and create and start the ccmsetup service?  If so, what is the ccmsetup.log saying on that client?

    Let me know

    Thanks - BH

    Monday, February 06, 2012 4:36 PM
  • This was resolved by using Jason Sandys group policy script to check client status and upgrade them to the SCCM client if they were not.

     

    http://blogs.catapultsystems.com/jsandys/archive/2010/12/30/updated-configmgr-startup-script.aspx

     

     

    • Marked as answer by Tom Aguero Monday, February 06, 2012 5:24 PM
    Monday, February 06, 2012 5:24 PM
  • I think SMS server is no longer active and based on AD Site code.Thanks for sharing the information.
    Saturday, February 11, 2012 3:49 AM