Deploying SCCM 2012 Client over DirectAccess

  • Question

  • I have not been able to successfully deploy the SCCM 2012 client to any DirectAccess clients when they are not connected to the internal network.  I have migrated my collections from SCCM 2007 and all machines connected internally had no issues.  I have added the new SCCM server to the Infrastructure Servers configuration on the UAG and applied the Group Policy.  In the CCM logs, I am seeing "the device %computername% does not exist on the network" although I can ping them.  The client push account is a local admin on the machines so I am at a loss as to why they can't connect.  Could it be boundary related?

    Rich

    Monday, August 13, 2012 6:48 PM

All replies

  • Errors in ccm.log have nothing to do with boundaries.

    Not existing on the network has nothing to do with credentials; at this point, this is purely a connectivity issue.

    You pinging these systems from your workstation is irrelevant; can you ping them from the site server?


    Jason | http://blog.configmgrftw.com

    Monday, August 13, 2012 7:28 PM
  • Sorry I wasn't clear.  Yes I can ping them from the site server.

    Rich

    Monday, August 13, 2012 7:41 PM
  • Are you pinging them via FQDN, short-name, IPv4, or IPv6?

    Jason | http://blog.configmgrftw.com

    Monday, August 13, 2012 8:08 PM
  • I can ping them by FQDN, short-name, and IPv6 address.  Most have not connected internally in quite a while so their IPv4 registrations are no longer present in DNS. 

    Rich

    Monday, August 13, 2012 8:25 PM
  • And what does ccm.log say it is connecting to? Can you post a relevant snippet please?


    Jason | http://blog.configmgrftw.com

    Tuesday, August 14, 2012 12:08 AM
  • Here is a snippet from the ccm logs:

    ---> The device computername.xxx.local does not exist on the network. Giving up~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.927+300><thread=4568 (0x11D8)>

    ---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x0)~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.927+300><thread=4568 (0x11D8)>

    ---> Attempting to connect to administrative share '\\computername\admin$' using account 'xxx\sccm_push'~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.927+300><thread=4568 (0x11D8)>

    ---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account xxx\sccm_push (00000035)  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.942+300><thread=4568 (0x11D8)>

    ---> The device "computername" does not exist on the network. Giving up~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.942+300><thread=4568 (0x11D8)>
    ---> ERROR: Unable to access target machine for request: "2097152018", machine name: "computername",  access denied or invalid network path.  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.942+300><thread=4568 (0x11D8)>

    Execute query exec [sp_CP_SetLastErrorCode] 2097152018, 53~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.958+300><thread=4568 (0x11D8)>

    Stored request "2097152018", machine name "computername", in queue "Retry".  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.958+300><thread=4568 (0x11D8)>

    Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097152018, 2~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.958+300><thread=4568 (0x11D8)>

    Execute query exec [sp_CP_SetLatest] 2097152018, N'08/14/2012 10:47:23', 198~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.973+300><thread=4568 (0x11D8)>

    <======End request: "2097152018", machine name: "computername".  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.973+300><thread=4568 (0x11D8)>

    ---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account xxx\sccm_push (00000035)  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:25.989+300><thread=4688 (0x1250)>

    Tuesday, August 14, 2012 11:30 AM
  • It's super clear: error 35 = The network path was not found and "The device "computername" does not exist on the network" which basically tells you the same. It's a name resolution, firewall, networking issue outside the scope of ConfigMgr.

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, August 14, 2012 12:12 PM
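Added example, not part of the original thread or of ConfigMgr itself: a small parser for the ccm.log lines posted above. It shows that the `(00000035)` after `WNetAddConnection2 failed` is hexadecimal, so it is the same Win32 error 53 that the log records in decimal through `sp_CP_SetLastErrorCode`. The function name `push_failures` and the `WIN32` lookup table are assumptions made for this example; the sample lines are copied from the snippet in the thread.

```python
import re

# Standard Win32 error codes relevant to a failed admin$ connection.
WIN32 = {
    5: "ERROR_ACCESS_DENIED (credentials or permissions)",
    53: "ERROR_BAD_NETPATH (name resolution, firewall or routing)",
    67: "ERROR_BAD_NET_NAME (share name not found)",
    1326: "ERROR_LOGON_FAILURE (bad user name or password)",
}

LINE = re.compile(r"^(?P<msg>.*?)~?\s*\$\$<(?P<comp>[^>]+)><(?P<ts>[^>]+)>"
                  r"<thread=(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)>\s*$")
WNET = re.compile(r"WNetAddConnection2 failed \((?P<logon>\w+)\) using account "
                  r"(?P<account>\S+) \((?P<hex>[0-9A-Fa-f]{8})\)")
SHARE = re.compile(r"administrative share '(?P<share>[^']+)'")
LASTERR = re.compile(r"\[sp_CP_SetLastErrorCode\] (?P<req>\d+), (?P<dec>\d+)")


def push_failures(log_text):
    """Return (failures, recorded): decoded WNetAddConnection2 errors and
    the decimal error code stored per push request id."""
    share_by_thread, failures, recorded = {}, [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-ccm.log line
        msg, tid = m["msg"], m["tid"]
        if s := SHARE.search(msg):
            share_by_thread[tid] = s["share"]  # target of this thread's attempt
        elif w := WNET.search(msg):
            code = int(w["hex"], 16)  # logged in hex: 00000035 -> 53
            failures.append({"thread": tid, "share": share_by_thread.get(tid),
                             "account": w["account"], "code": code,
                             "meaning": WIN32.get(code, "unlisted Win32 code")})
        elif e := LASTERR.search(msg):
            recorded[e["req"]] = int(e["dec"])  # logged in decimal
    return failures, recorded


# Sample lines copied from the ccm.log snippet posted in the thread above.
SAMPLE = r"""
---> Attempting to connect to administrative share '\\computername\admin$' using account 'xxx\sccm_push'~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.927+300><thread=4568 (0x11D8)>
---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account xxx\sccm_push (00000035)  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.942+300><thread=4568 (0x11D8)>
Execute query exec [sp_CP_SetLastErrorCode] 2097152018, 53~  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:23.958+300><thread=4568 (0x11D8)>
---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account xxx\sccm_push (00000035)  $$<SMS_CLIENT_CONFIG_MANAGER><08-14-2012 05:47:25.989+300><thread=4688 (0x1250)>
"""

if __name__ == "__main__":
    for failure in push_failures(SAMPLE)[0]:
        print(failure)
```

A code of 53 points at reachability of the admin$ share from the site server, while 5 or 1326 would point at the push account instead.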
  • I think that you are probably right in that it is most likely a firewall rule on the DirectAccess clients that has not been configured correctly to allow the new SCCM 2012 server to connect.  From the SCCM server, I can resolve and ping the machines but still get the "Error 53" when pushing out the client.  When clients are connected internally, there are no issues.
    Tuesday, August 14, 2012 1:13 PM
  • Since client push is one of the few server-initiated actions that Configuration Manager supports, maybe this is the difference?  In comparison, most DirectAccess connections are initiated by the client.  From the DirectAccess section of Supported Configs: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigDirectAccess

    For server-initiated actions, such as remote control and client push installation, the initiating computer (such as the site server) must be running IPv6, and this protocol must be supported on all intervening networking devices.

    Wednesday, August 29, 2012 1:18 AM
  • I know this is a super old post but since it has not been answered yet I will weigh in. I've been trying to do the same thing in my environment. We have automatic client push enabled and when one of our consultants gets a laptop and it gets configured and added to the domain as a DirectAccess client but they are not in the office, we still want the SCCM client to be pushed.

    As far as I can tell, what is required is that the IPv6 scope your DA clients use has to be added correctly to AD for the AD site boundaries to work.

    More info on that in this post I found: http://www.isaserver.org/articles-tutorials/configuration-general/Configuring-SCCM-UAG-DirectAccess-Part2.html

    I haven't done this yet but I plan to; it seems like a good explanation to me.

    Thursday, March 27, 2014 5:00 PM
  • As Client Push is a server-initiated action, you need to configure ISATAP within your environment. This will allow internal resources (like the SCCM Server) to contact external (with DirectAccess connected) devices. This is pretty easy to implement.

    More information:

    http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx

    Monday, June 2, 2014 1:12 PM