SCCM Client keeps disappearing in console

  • Question

  • Hi Guys

    I have a few servers that if I run a ddr cycle they check in fine, show up in the console and then about 15-30 mins later disappear again. Kicking off another ddr cycle they are back in and working again. Deployments come through, patches come through etc. It just doesn't remain in the console.

    Is this something to do with the heartbeat? The environment has many levels of complexity and is fairly secure. If you could advise where to start or common causes that would be great.

    Thanks in advance

    NN

    Thursday, April 6, 2017 3:16 PM

All replies

  • What version of SCCM do you use exactly: 2012? 2012 R2? What SP and CU?

    Please mark as answer the posts that helped you move forward, so that it can benefit others who encounter the same problem.

    Thursday, April 6, 2017 7:18 PM
  • There is nothing built into ConfigMgr that will do this. You must have some external process doing this.

    Where exactly are you looking in the console when you do look for these resources?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Frank Dong Friday, May 5, 2017 8:18 AM
    Thursday, April 6, 2017 8:36 PM
  • What version of SCCM do you use exactly: 2012? 2012 R2? What SP and CU?

    Please mark as answer the posts that helped you move forward, so that it can benefit others who encounter the same problem.

    The version is
    ConfigMgr 2012 R2 SP1 CU4 5.00.8239.1501 8239

    Friday, April 7, 2017 9:39 AM
  • There is nothing built into ConfigMgr that will do this. You must have some external process doing this.

    Where exactly are you looking in the console when you do look for these resources?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    All Systems. Run a search and it's not there. Run DDR then run a search for the machine, it pops up. 10 minutes later it's gone again. Another DDR cycle and it's there again.

    All deployments are working and around 200 servers are fine. This appears to happen to 3 servers.

    I have even redeployed the MP due to another recent issue.

    Thanks to you both

    Friday, April 7, 2017 9:42 AM
  • > "This appears to happen to 3 servers."

    Are these all the same "type" of server? Like Exchange CAS servers?

    The most likely scenario here is that a duplicate cert enabled for client auth is deployed to these systems as well as some others.

    ConfigMgr uses client auth certs for identity and thus duplicate cert = duplicate identity. Each time one of the systems with a duplicate cert sends a DDR, the resource in ConfigMgr is renamed.

    You can validate by finding the ConfigMgr UUID/GUID of these systems (in the ConfigMgr control panel) and then searching for that GUID in the console after they "disappear". The GUID/UUID is directly generated from the client auth cert.

    In the case of Exchange CAS servers, the certs should not have client auth enabled -- they only need server auth. Duplicate server auth certs are acceptable and generally standard practice; duplicate client auth certs are not acceptable. Just to clarify, a cert can be enabled for both but it is bad practice to include client auth when not needed or when including the cert on multiple systems. Unfortunately, most walk-throughs for creating server auth certs neglect this detail.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Saturday, April 8, 2017 12:06 AM
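
The check described in the reply above, as an added example that is not part of the original thread: it lists every certificate in the local machine store that carries the Client Authentication EKU on each suspect server, together with the ConfigMgr client GUID, and reports thumbprints and GUIDs that appear on more than one machine. The server names are placeholders, and the script assumes PowerShell remoting is enabled and that the client GUID is read from the `CCM_Client` class in the `root\ccm` WMI namespace.

```powershell
# Added example. Server names are placeholders; replace with the affected hosts.
$servers       = 'SERVER01', 'SERVER02', 'SERVER03'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

$inventory = Invoke-Command -ComputerName $servers -ArgumentList $clientAuthOid -ScriptBlock {
    param($oid)

    # ConfigMgr client identity as the client itself reports it
    $ccm = Get-CimInstance -Namespace 'root\ccm' -ClassName 'CCM_Client' -ErrorAction SilentlyContinue

    foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\My') {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }   # no EKU extension on this cert; not reported here

        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -contains $oid) {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                ClientId   = $ccm.ClientId
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                EKUs       = $usages -join ','
            }
        }
    }
}

# Helper: groups of rows where one value of $Property is seen on several computers
function Get-SharedValue {
    param($Rows, [string]$Property)
    $Rows | Where-Object { $_.$Property } | Group-Object -Property $Property | Where-Object {
        @($_.Group | Select-Object -ExpandProperty Computer -Unique).Count -gt 1
    } | ForEach-Object {
        [pscustomobject]@{
            Property  = $Property
            Value     = $_.Name
            Computers = (@($_.Group | Select-Object -ExpandProperty Computer -Unique) -join ', ')
        }
    }
}

# A shared thumbprint is the duplicate client-auth cert; a shared ClientId is the symptom
Get-SharedValue -Rows $inventory -Property 'Thumbprint'
Get-SharedValue -Rows $inventory -Property 'ClientId'
```

Any row in the output names the servers that need their own certificate, or a certificate reissued without the Client Authentication usage.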
  • > "This appears to happen to 3 servers."

    Are these all the same "type" of server? Like Exchange CAS servers?

    The most likely scenario here is that a duplicate cert enabled for client auth is deployed to these systems as well as some others.

    ConfigMgr uses client auth certs for identity and thus duplicate cert = duplicate identity. Each time one of the systems with a duplicate cert sends a DDR, the resource in ConfigMgr is renamed.

    You can validate by finding the ConfigMgr UUID/GUID of these systems (in the ConfigMgr control panel) and then searching for that GUID in the console after they "disappear". The GUID/UUID is directly generated from the client auth cert.

    In the case of Exchange CAS servers, the certs should not have client auth enabled -- they only need server auth. Duplicate server auth certs are acceptable and generally standard practice; duplicate client auth certs are not acceptable. Just to clarify, a cert can be enabled for both but it is bad practice to include client auth when not needed or when including the cert on multiple systems. Unfortunately, most walk-throughs for creating server auth certs neglect this detail.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thank you for taking the time to explain this Jason.

    I will review and update where an explanation is found.

    Monday, April 10, 2017 11:47 AM
  • Hi Jason

    Definitely a duplicate UUID issue. It seems the 4 servers are in pairs. They are ADFS servers. So if one checks in the other checks out.

    I have tried resetting the key information, deleting the SMSCFG.ini, reinstalling the SCCM client.

    Did you ever find a common solution for this issue? I have seen a couple threads pointing to checking the db.

    Thanks again
    NN

    Monday, April 10, 2017 4:29 PM
  • As noted, if they have duplicate certs enabled for client auth, this is exactly what will happen. There is no reason for the certs for these systems to have client auth enabled.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Frank Dong Friday, May 5, 2017 8:19 AM
    Monday, April 10, 2017 8:36 PM
  • As noted, if they have duplicate certs enabled for client auth, this is exactly what will happen. There is no reason for the certs for these systems to have client auth enabled.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Jason, I see exactly what you mean now, thanks for re-clarifying and taking the time. I did not expect the client to pick up the certificate as it has so was looking at this all wrong.

    I believe the proxy servers at least require Client Auth. So at least there is an option to prevent dup certs.

    I will update this once known, but thanks again.

    NN

    Monday, April 10, 2017 11:17 PM
  • Hi, any update on this issue yet? If you got the solution, could you share it with us? Thanks in advance.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 17, 2017 10:27 AM