Inventory and assessment wizard fails to connect to many computers

  • Question

  • I've been attempting to utilise the toolkit but have been unable to get it to satisfactorily query the servers in our domain.

    I have been running the query against a particular OU containing server computer accounts (I am uninterested in desktops at this time) and get results like this (this being the first run with a newly created database):

    Computer Discovery
    Discovered by Active Directory: 131
    Identified by User: 0
    Failed to connect from previous inventory: 0

    Windows Management Instrumentation (WMI)
    Connected to Successfully: 21 of 131
    Failed to connect: 5 of 131

    Assessment: Completed

    So not only is it failing to connect to several machines, it's not correctly reporting that it has failed, as 21+5 != 131.

    If I run it again, each time it might tell me it has failed to connect to two or three machines, but no more.

    I'm at a bit of a loss where to start troubleshooting this, as I'm not finding useful information about which errors were encountered contacting which computers in any logs. Help appreciated!
    Monday, December 7, 2009 4:00 PM

All replies

  • Which version are you using (4.0 or 5.0 CTP)?

    Generate the Machine Inventory Results report and look at the WMI result column.  It will give a failure reason for each computer.
    Monday, December 7, 2009 5:21 PM
  • It's version 4.

    The Machine Inventory Results report lists only 25 computers. The only failures listed are expected - one server that was turned off and a couple of non-Windows servers that have AD machine accounts.

    There's no mention at all of the 106 other machine accounts it should have tried to contact.
    Tuesday, December 8, 2009 2:17 PM
  • I have now installed MAP on a Win 2008 server (I had it running on an XP workstation). Same result, still no mention of the 100+ machines not scanned but for which no failure is reported.

    The servers that were successfully scanned are the same as on the XP workstation.


    Tuesday, December 8, 2009 4:23 PM
  • Generate the Machine Inventory Results report and look at the WMI result column.  It will give a failure reason for each computer.
    Wednesday, December 9, 2009 3:03 PM
  • Generate the Machine Inventory Results report and look at the WMI result column.  It will give a failure reason for each computer.

    No, it does not. It lists only those machines which the inventory and Assessment Wizard acknowledges it has connected successfully to or failed to connect to. It does not list the more than 100 servers which have somehow fallen into a limbo state of being neither successes nor failures.
    Monday, December 14, 2009 9:31 AM
  • Can you share with us what you are seeing?  Please send us a copy of your report and a copy of the MAPS logs (located: Program files\MAPS\Bin\Log).  Please zip these up and mail them to mapfdbk@microsoft.com, then we can have some product team experts take a look into your issues.

     

    Thanks,

    Eric

    Monday, December 14, 2009 9:11 PM
  • Thanks. They've been sent.
    Tuesday, December 15, 2009 9:52 AM
  • From the log:

    <ADInfoGatherer 16:10:11>  Begin processing AD records.
    <ADInfoGatherer 16:10:11>  Total AD records processed: 128
    <ADInfoGatherer 16:10:11>  Live devices: 26  AD computer objects: 128

    A total of 128 items were found in AD, and 102 of them were filtered out by MAP because they have stale machine account passwords (those machines haven't connected to AD in over 90 days; they're supposed to sync passwords every 30 days by default).

    Is this a test lab or something where you've created a bunch of computers in the past that are no longer active?

    Tuesday, December 15, 2009 3:52 PM
  • From the log:

    <ADInfoGatherer 16:10:11>  Begin processing AD records.
    <ADInfoGatherer 16:10:11>  Total AD records processed: 128
    <ADInfoGatherer 16:10:11>  Live devices: 26  AD computer objects: 128

    A total of 128 items were found in AD, and 102 of them were filtered out by MAP because they have stale machine account passwords (those machines haven't connected to AD in over 90 days; they're supposed to sync passwords every 30 days by default).

    Is this a test lab or something where you've created a bunch of computers in the past that are no longer active?

    Not at all, our live servers are in there. There could be one or two accounts that have been orphaned like that, but the overwhelming majority are live and in production.
    Tuesday, December 15, 2009 5:09 PM
  • Assuming the MAP code is working correctly, those machines aren't updating their machine account passwords.  The way MAP determines this is to look at the PwdLastSet property of the object in AD.  If that date is > 90 days earlier than today, the account is skipped.

    The OldCmp.exe tool located here: http://www.joeware.net/freetools/ can give you verification independent of the MAP tool if this is in fact the case.

    Tuesday, December 15, 2009 6:59 PM
  • Assuming the MAP code is working correctly, those machines aren't updating their machine account passwords.  The way MAP determines this is to look at the PwdLastSet property of the object in AD.  If that date is > 90 days earlier than today, the account is skipped.

    The OldCmp.exe tool located here: http://www.joeware.net/freetools/  can give you verification independent of the MAP tool if this is in fact the case.

    You've hit the nail on the head. Digging around, I've discovered that we have a group policy setting maximum machine account password age to 999 days and we have machine accounts that last changed their passwords in 2007. I've learnt that this was set on recommendation of a consultant for reasons forgotten before my time. As an aside, do you have any idea why this might be done?

    Now I'm going to face resistance changing this any time soon. Is there any possibility of configuring MAP to attempt to connect to all accounts regardless of the pwdLastSet property?
    Wednesday, December 16, 2009 10:12 AM
  • Ironically, there's a note in our source code immediately above where this value is hardcoded that says: "we really should make this a configurable value".

    I can't do anything for you in the current version, but I can change this so that it's configurable in the beta release of MAP 5.0, due out sometime in February or March of 2010.  Sorry about that.

    As an alternative, if you can get a list of the machine names into a flat file (maybe you could pipe the output of OldCmp to a text file & then edit it to remove everything but the machine names, one name per line), you can use MAP's import from file option to get the machine names into the tool that way, and then it will inventory them.

    Sorry for the hassle, but you're the first customer we've run into with non-default machine password expirations.  I don't know of any reason why someone would make the recommendation to change the password expiry, short of a scenario like a branch office/retail shop scenario where it's known that a machine would be disconnected from a network for an extended period of time.

    Thanks,
    Jay

    Wednesday, December 16, 2009 5:24 PM
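
The 90-day pwdLastSet check described in this thread, combined with the one-name-per-line file suggested for MAP's import-from-file option, as an added example (not code from MAP or from any poster). The CSV column layout, host names and function names are constructed for illustration, and treating a pwdLastSet of 0 as skipped is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # threshold quoted in the thread for MAP 4.0

# Constructed sample export (hypothetical hosts and column layout).
SAMPLE_CSV = """name,pwdLastSet
SRV-APP01,129040992000000000
SRV-DB01,128251296000000000
SRV-NEW01,0
"""


def filetime_to_datetime(ticks):
    """Convert a pwdLastSet value to an aware datetime; 0 means never set."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def split_by_password_age(rows, now):
    """Return (live, skipped) name lists using the 'more than 90 days' rule."""
    live, skipped = [], []
    for row in rows:
        last_set = filetime_to_datetime(int(row["pwdLastSet"]))
        # Assumption: an account whose password was never set counts as stale.
        if last_set is None or now - last_set > STALE_AFTER:
            skipped.append(row["name"])
        else:
            live.append(row["name"])
    return live, skipped


def to_import_file(names):
    """One machine name per line, the flat-file layout suggested in the thread."""
    return "".join(name + "\n" for name in names)


if __name__ == "__main__":
    now = datetime(2009, 12, 15, tzinfo=timezone.utc)
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    live, skipped = split_by_password_age(rows, now)
    print("live:", live)
    print("skipped by a 90-day filter:", skipped)
    print(to_import_file(skipped), end="")
```

The skipped list is also a quick inventory of machine accounts whose passwords have not rotated within the window, independent of the MAP tool.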
  • Oh, and of course, you could always do an IP address range scan if that will work for your environment....
    Wednesday, December 16, 2009 6:02 PM
    We use the non-expiring setting for thin clients running XPe so that they don't get booted from the domain every 90 days since their settings aren't stored after a reboot.  This causes us to have the same issue.  Can you confirm this is a new feature of BETA 5? I have tried an IP range and importing from a list still with a very high failure rate. Any ideas?
    Tuesday, April 13, 2010 5:36 PM
    In Beta 1 of MAPS 5, we removed the filter on machine account password sync, and simply reported the number of days since the last sync on the Machine Inventory Results report.  There shouldn't be any filtering on AD.

    To confirm, you can look in the log file (%ProgramFiles%\Microsoft Assessment and Planning Toolkit\bin\Log) for the lines that I pasted above "Total AD Records Processed:   Live Devices: etc" to see how many records the tool thinks it's going to process.

     

     

    Friday, April 30, 2010 3:59 PM